search cancel

How does the mechanism for password capturing an endpoint password change and propagate it to global user, corporate user and other accounts work.


Article ID: 50280


Updated On:


CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting



See this doc to learn how the data flow of a password change captured on an end-point and how it's propagated and synchronized to the global and corporate users and other endpoints.


Password Interception:

  1. You will need to install a Password Synchronization Agent ( aka PSync Agent ) on your endpoint. The PSync Agent is specific to each endpoint and is intercepting passwords changed on the endpoint.

    • CA have password sync mechanism for the following endpoint types: ADS, NT, UNIX, OS400, ACF2/TSS (LDS)

    • For any other endpoints it is up to customer to find a way to capture the change and build a tool to submit the change to the Provisioning Server as ldap

  2. If the PSYNC supports PWD Validitity Check then it will first send the operation to ask that to the Prov Server. The Prov Server will either determine on its own or ask IM to validate it.

    IM will then either determine on its own or ask SM. Regardless of who does the validation, the response is given back to the PSYNC. The communication between PSYNC and Prov Server is via LDAP.

  3. PSYNC can then send the PWD Change to the Provisioning Server to update the Acct pwd. The Provisioning Server will lookup the GU associated with the account and check if PSYNC is enabled for that GU. This essentially check if the 'Enable Password Synchronization' checked in their Password tab. It not, this password change will not propagate further.

  4. If it is then Provisioning Server will update the GU pwd (which will create an inbound notify event) and propagate to associated account while excluding the originator.

  5. To enable the password synchronization from the provisioning server to IDM you will need to enable the Inbound synchronization mechanism that allows different data including the global user's password to be sent down to IDM. You should learn how to enable this mechanism but in a nutshell you'll need to use the provisioning manager -> System -> Identity Manager

    set up and define the URL for Identity Manager . You also will need to go into the identity manager management console (/idmmanage) -> IME -> Provisioning Section and define your attribute mapping between the IDM corporate user and the provisioning global user. In this mapping you'll need to ensure that the password ( %PASSWORD% ) is mapped.

  6. The inbound event is processed by IM as it normally is which will cause the corporate user (IM user store) to have the pwd updated.


Component: IDMGR