RSA PIN attribute used with Global User passwords

Article ID: 60968

Updated On: 10-20-2023

Products

CA Identity Manager

Issue/Introduction

The RSA PIN is a separate attribute from the account password. The RSA PIN should not overlap or integrate with Global User passwords or any other account's password.

Environment

Release:
Component: IDMGR 12.x

Resolution

The RSA PIN allows users to authenticate using a manual token they obtain. The PIN allows users to sign on to applications such as corporate VPNs. RSA (the endpoint) handles the PIN through a Token object, and resetting the PIN is done on the Token object. The RSA endpoint also has an account with a password that allows the user to connect to their RSA account.

The Identity Manager Provisioning Server can perform both Account and Token management and can get and set both the account password and the token's PIN. However, the Identity Manager web application, which is hosted on an application server, can manage only the endpoint account, not the Token object.

Therefore, Identity Manager allows resetting the RSA account password and, if rules for such behavior are set up, propagating this password to the Global User and other endpoints as needed.

However, Identity Manager's web interface cannot provide a self-service mechanism or an administration interface for setting the PIN. To achieve this behavior, customers must customize the system:

  • Define a custom attribute to hold the PIN on the user's object.
  • Develop a self-service task in IDM that will set this attribute.
  • Enable IDM for outbound synchronization to flow this custom attribute to the Global User.
  • Develop a mechanism in the Provisioning Server to allow this attribute to be set against the connector's Token object.

However, please note that even with this mechanism in place, the PIN is not a password and is not designed to be used as one. You should not attempt to set the Global User's password based on the RSA PIN or propagate the PIN to the passwords of other endpoint accounts. The PIN is a numeric entity that is very specific to a user's manual token. It must not be related to any password (whether the RSA account password, the Global User password or any other password).