Overview

The DirX Identity Web Center for Password Management is a licensed package that provides a separate Web application intended for password management only. It offers the following features:

  • Users can choose different passwords for different accounts.

  • Service desk users can change a user password after having verified the user’s challenge responses.

The overall principle is to use one master password that can be synchronized automatically to other target systems. The user selects the accounts to which it is synchronized; the remaining accounts can keep different passwords. The administrator defines the password master systems. The master systems and the DirX Identity user must have the same password.

The master password can be changed by the user or by the service desk using the challenge/response feature.

Definition of password reset and password change:

  • Password reset – the system generates a new password, sends it to the user and the user must change the generated password on the next login.

  • Password change – the user defines a new password which is valid for the period specified by the password policy’s expiration duration.
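The distinction between a reset (system-generated password, forced change at next login) and a change (user-chosen password, valid for the policy's expiration duration), together with the service-desk reset that is only permitted after the user's challenge responses have been verified, is modelled in the following added Python example. It is not DirX Identity code; the class and function names, the policy values and the PBKDF2-based storage of challenge responses are assumptions made for the illustration.

```python
"""Password reset vs. password change, plus a service-desk reset gated on
challenge/response verification.  Constructed example, not DirX Identity
code; class and function names are assumptions."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


@dataclass
class PasswordPolicy:
    expiration_days: int = 90      # validity period after a password change (assumed)
    generated_length: int = 16     # length of a password generated by a reset (assumed)


@dataclass
class UserEntry:
    name: str
    password: Optional[str] = None  # kept in clear only for this model; a real store hashes it
    expires_at: Optional[datetime] = None
    must_change: bool = False       # set by a reset, cleared by a change
    # question -> (salt, PBKDF2 digest of the normalized answer)
    challenge_responses: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)


def _digest_answer(answer: str, salt: bytes) -> bytes:
    # Normalize so trivial case/whitespace differences do not fail verification.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


def set_challenge_response(user: UserEntry, question: str, answer: str) -> None:
    salt = os.urandom(16)
    user.challenge_responses[question] = (salt, _digest_answer(answer, salt))


def verify_challenge_responses(user: UserEntry, answers: Dict[str, str]) -> bool:
    """True only if every stored question is answered correctly."""
    if not user.challenge_responses or set(answers) != set(user.challenge_responses):
        return False
    ok = True
    for question, (salt, digest) in user.challenge_responses.items():
        # Constant-time comparison; evaluate every answer so timing does not reveal which failed.
        ok &= hmac.compare_digest(_digest_answer(answers[question], salt), digest)
    return ok


def password_change(user: UserEntry, new_password: str, policy: PasswordPolicy,
                    now: Optional[datetime] = None) -> datetime:
    """User-defined password, valid for the policy's expiration duration."""
    now = now or datetime.now(timezone.utc)
    user.password = new_password
    user.expires_at = now + timedelta(days=policy.expiration_days)
    user.must_change = False
    return user.expires_at


def password_reset(user: UserEntry, policy: PasswordPolicy) -> str:
    """System-generated password that must be changed on the next login."""
    generated = "".join(secrets.choice(ALPHABET) for _ in range(policy.generated_length))
    user.password = generated
    user.expires_at = None
    user.must_change = True
    return generated   # to be delivered to the user out of band


def service_desk_reset(user: UserEntry, answers: Dict[str, str], policy: PasswordPolicy) -> str:
    """Service desk may reset only after the challenge responses check out."""
    if not verify_challenge_responses(user, answers):
        raise PermissionError("challenge responses not verified; reset refused")
    return password_reset(user, policy)


def remaining_validity_days(user: UserEntry, now: Optional[datetime] = None) -> Optional[int]:
    if user.expires_at is None:
        return None
    return (user.expires_at - (now or datetime.now(timezone.utc))).days


def login(user: UserEntry, password: str, now: Optional[datetime] = None) -> str:
    """Returns 'ok', 'change-required', 'expired' or 'denied'."""
    now = now or datetime.now(timezone.utc)
    if user.password is None or not hmac.compare_digest(user.password.encode(), password.encode()):
        return "denied"
    if user.must_change:
        return "change-required"
    if user.expires_at is not None and now >= user.expires_at:
        return "expired"
    return "ok"
```

The reset path deliberately leaves no expiration date: the generated password is single-use by construction because `must_change` forces a change before any normal session, which is the property the definition above relies on.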

Feature Comparison

The following table illustrates the enhanced features of Web Center for Password Management compared to the standard Web Center functionality:

Feature                                                              Web Center (standard)   Web Center for Password Management
-------------------------------------------------------------------  ----------------------  ----------------------------------
Forgot password - Set new password using authentication questions    Yes                     Yes
Change password                                                      Yes                     Yes
Set authentication questions                                         Yes                     Yes
Login with Active Directory domain account                           No                      Yes
Synchronize master password for all accounts                         Yes                     Yes
Set password for only a subset of accounts                           No                      Yes
Service desk can reset user (master) password                        Yes                     Yes
Service desk can reset user master and account password by           No                      Yes
verifying user's responses to authentication challenges

As a prerequisite, the end users and their accounts need to be known to DirX Identity and the system must be configured appropriately.

The following figure illustrates the activity flow in end user and service desk password management:

Figure 1. Users, Accounts and Password Changes

As illustrated in the figure:

  • End users can change their passwords using Web Center:

    Standard Web Center sends the new password to the DirX Identity Messaging Service. The User Password Event Manager picks it up, changes it at the DirX Identity user entry, finds the user’s accounts and requests the appropriate Set Password workflows to update it at the corresponding target systems in real-time.

    The enhancement in Web Center for Password Management allows users to select a subset of their accounts for password change; the message with the new password is sent to the Account Password Manager workflow. It changes the password at the listed accounts and requests the appropriate Set Password workflows to update it at the corresponding target systems in real-time.

  • End users can change their passwords in an Active Directory domain instead of using the Web Center user interface:

    The DirX Identity Password Listener obtains the changed password from the Active Directory domain controller and sends it to the DirX Identity Messaging Service. The User Password Event Manager picks it up, finds the associated user entry in DirX Identity and updates the password there. Then it finds the user's accounts, except for the Active Directory domain account, and triggers the Set Password workflows for each corresponding target system. Note that in this case the new password is set for all accounts.

When end users change their passwords in an external LDAP server, the change is not synchronized to DirX Identity, so the two passwords will differ.
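The three propagation paths described above (User Password Event Manager for all accounts, Account Password Manager for a selected subset, and a change made directly in a target system that nothing synchronizes back) are modelled in the following added Python example, which also derives a drift report from the resulting state. It is not DirX Identity code: the class and method names, the target-system names, the rule that a subset change including a master-system account also updates the user entry (so the stated master-password invariant holds), and the drift report are all assumptions made for the illustration.

```python
"""Model of the password-propagation paths described above.  Constructed
example, not DirX Identity code; names and the drift report are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Account:
    target_system: str
    password: Optional[str] = None


@dataclass
class User:
    name: str
    password: Optional[str] = None             # password of the DirX Identity user entry
    accounts: Dict[str, Account] = field(default_factory=dict)


@dataclass
class PasswordSync:
    master_systems: Set[str]                   # password master systems, defined by the administrator
    set_password_calls: List[Tuple[str, str]] = field(default_factory=list)

    def _set_password_workflow(self, user: User, account: Account, new_password: str) -> None:
        # Stands in for the target-system Set Password workflow.
        account.password = new_password
        self.set_password_calls.append((user.name, account.target_system))

    def user_password_event(self, user: User, new_password: str, source: Optional[str] = None) -> None:
        """User Password Event Manager path (standard Web Center or Password Listener).
        Updates the user entry, then every account except the one the change came
        from (an AD domain already holds the new password)."""
        user.password = new_password
        for account in user.accounts.values():
            if account.target_system != source:
                self._set_password_workflow(user, account, new_password)

    def account_password_event(self, user: User, new_password: str, selected: Iterable[str]) -> None:
        """Account Password Manager path: only the listed accounts change."""
        selected = list(selected)
        unknown = set(selected) - set(user.accounts)
        if unknown:
            raise KeyError(f"not the user's accounts: {sorted(unknown)}")
        for name in selected:
            self._set_password_workflow(user, user.accounts[name], new_password)
        # Assumption: a master-system account always shares the user entry's password,
        # so selecting one pulls the user entry along.
        if set(selected) & self.master_systems:
            user.password = new_password

    def drift_report(self, user: User) -> Dict[str, List[str]]:
        """Accounts whose password differs from the user entry's, split into
        violations (master systems, which must match) and allowed differences."""
        violations: List[str] = []
        differing: List[str] = []
        for name, account in sorted(user.accounts.items()):
            if account.password != user.password:
                (violations if name in self.master_systems else differing).append(name)
        return {"master_violations": violations, "differing": differing}


def changed_at_target(user: User, target_system: str, new_password: str) -> None:
    """A password changed directly in a target system.  Without a listener
    (e.g. an external LDAP server) nothing is synchronized back."""
    user.accounts[target_system].password = new_password


def demo() -> Tuple[User, PasswordSync]:
    # Constructed sample: one user with three accounts, AD being the master system.
    alice = User("alice", accounts={n: Account(n) for n in ("AD", "LDAP", "SAP")})
    sync = PasswordSync(master_systems={"AD"})
    sync.user_password_event(alice, "p1")                # standard Web Center: all accounts
    changed_at_target(alice, "AD", "p2")                 # user changes it in the AD domain ...
    sync.user_password_event(alice, "p2", source="AD")   # ... and the Password Listener propagates it
    sync.account_password_event(alice, "p3", ["SAP"])    # subset via Web Center for Password Management
    changed_at_target(alice, "LDAP", "p4")               # external LDAP server: not synchronized
    return alice, sync
```

Running `demo()` ends with the user entry and the AD master account on `p2`, SAP on `p3` (an allowed difference) and LDAP on `p4` (the external-LDAP divergence described above); a later direct change at AD without the listener would show up as a master-system violation in `drift_report`, which is the condition the consistency rule mentioned in the references is meant to catch.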

The following documents provide additional details about the concepts and procedures referenced in this use case document:

  • DirX Identity Web Center Reference, chapters "Configuration" and "User Interface Configuration". To secure Web Center against attacks, see especially the chapter on Security.

  • DirX Identity User Interfaces Guide, especially the chapters on Web Center and Web Center for Password Management.

  • DirX Identity Installation Guide, especially chapters 3 (installation) and 4 (configuration) and the section "Installing the Windows Password Listener".

  • DirX Identity Connectivity Administration Guide, chapters/sections:

    • "Managing Connectivity Security"

    • "Managing Java-based Provisioning Workflows"

    • "Understanding Password Synchronization" in "Managing Passwords"

  • DirX Identity Tutorial, chapter "Joining Accounts to Users" in "Getting Started / Setting up a New Target System". This chapter describes – among other things – how to set up the Policy Execution workflow to run a consistency rule.

  • DirX Identity Provisioning Administration Guide, chapters:

    • "Managing Policies"

    • "Managing Target Systems"

  • DirX Identity Application Development Guide, sections:

    • "Active Directory" in "Using the Source Workflows / Understanding the Java-based Source Workflows"

    • "Scheduled Workflows" in "Understanding the Default Applications / Understanding Java-based Workflows / Java-based Workflow Architecture / Starting Java-based Workflows"

    • "Understanding the Java-based Workflows" in "Using the Target System (Provisioning) Workflows"

    • "Using Password Event Manager Workflow" in "Using the Maintenance Workflows / Understanding the Java-based Maintenance Workflows"

    • "User Password Expiration Notification Workflow" in "Using the Maintenance Workflows / Understanding the Java-based Maintenance Workflows"

    • "Policy Execution Workflow" in "Using the Maintenance Workflows / Understanding the Tcl-based Maintenance Workflows"