Udostępnij za pośrednictwem


Self-Service Password Reset to Non-Active Directory System

Background:
I often come across two types of questions in both internal and external channels

  1. How can I leverage SSPR and reset a password for a non-AD account (e.g. MSSQL, HR or .NET Passport)?
  2. How can I implement password filters but do so in FIM instead of AD?

For #1, PCNS together with FIM Synchronization Service and your custom MA might do the magic. The side effect is that both your AD and external system's password will be reset. So if you want to keep the passwords different or find it too much trouble to write your custom MA, then this option is out.

The official answer is NO because the SSPR client is closely tied together with the Active Directory Password Reset Activity and using the SSPR client to interact with any other Password Reset activity is not supported.

However, if you are an enthusiast and want to explore the unsupported territory by writing a custom External Password Reset Activity, you can reuse the ReadResourceActivity and XmlInteractiveActivity shipped with FIM to achieve that. High level implementation consists of the following steps:

  1. Add an XmlInteractiveActivity. This activity knows how to commuticate with this activity.
    1. Set EnableDefaultOperationValidation and ValidateSamlToken to true.
    2. Set EndpointAccessUserList to be the Guid of Anonymous User
    3. Set DocumentType to typeof(PWResetRequestData)
    4. Add a handler to XmlDocumentValidation in which you will implement your password reset logic. The user password can be obtained by ((PWResetRequestData)e.XmlDocument).NewPassword
  2. At this point, you don't have access to the Domain\Username of the user. To do so, add an ReadResourceActivity before the XmlInteractiveActivity.
    1. Set ActorId and ResourceId to the current user.
    2. Set EndpointAccessUserList to be Domain and AccountName
  3. Now your activity would have access to Domain\Username as well as the new password. Do whatever you want with them. Resulting activity will look like:

This sample is a mock activity that does not reset password to any system. It merely returns success/failure of your choice and you have to implement your password reset logic. It does not have any error handling or retry logic (You probably want to use the WhileActivity). However, it demonstrates how one might to go about addressing the two problems mention above.

Feel free to download the source code and play with it.

P.S. You have to click into this post to see the attachment.

WARNING:
THIS CUSTOM CREDENTIAL PROVIDER IS NOT SUPPORTED AND IS PROVIDED AS IS
WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED.

ExternalPasswordReset.zip

Comments

  • Anonymous
    January 01, 2003
    If you are talking about synchronizing passwords among different data source, PCNS is what you should be deploying

  • Anonymous
    January 01, 2003
    Thanks for sharing the tool. I believe that's for local accounts only. FIM is targeting at enterprise and resets AD password.

  • Anonymous
    July 07, 2010
    So you promote this product as a full-service Identity Management tool, and yet you don't have mechanisms to propagate password changes to connected data sources?  How ridiculous! I can imagine having to use the method you describe here for some obscure system, but why isn't there built-in password propagation for standard targets like Sun LDAP, eDirectory, etc?

  • Anonymous
    September 07, 2010
    Last time I forgot my password and tried everything i could do but failed, until I found this great tool Password Genius. It works great, and you can google it.