
Password Manager 5.11.1 - Administration Guide (AD LDS Edition)


Workflow overview

To customize the behavior of Password Manager for AD LDS, configure workflows in the Password Manager Administration Site. Workflows have 2 types:

  • Self-service workflows customize the behavior of the Password Manager Self-Service Site. All configured and enabled self-service workflows are available as tasks on the Self-Service Site for Password Manager users.

  • Helpdesk workflows customize the behavior of the Password Manager Helpdesk Site. All configured and enabled Helpdesk workflows are available on the Helpdesk Site as helpdesk operator actions.

To modify the behavior of an existing workflow task, in the Home page of the Password Manager Administration Site, click the management policy workflow you want to configure, and click Workflow settings.

Workflow structure

A workflow consists of activities. You can configure each activity independently.

Workflow activities have 3 types:

  • Authentication provides authentication options, such as password-based authentication, Questions and Answers profiles, or phone-based authentication.

  • Actions are core components in workflows, including activities like unlocking accounts, editing Q&A profiles, or resetting passwords.

  • Notifications let you configure email notifications for users and administrators, and specify the conditions under which Password Manager for AD LDS will send these notifications.

You can also create custom activities. For more information, see Custom Activities.

Password Manager for AD LDS lists the available activities in the left pane of the Workflow Designer. To add an activity to a workflow, drag-and-drop it into the right pane of the Workflow Designer. To remove an activity, click Close on the activity box.

Password Manager for AD LDS displays the workflow structure in the right pane of the Workflow Designer, indicating the type and order of activities to perform in the workflow. To change the order of the activities, simply move them up or down.

Figure 1: Home > <management-policy> > <workflow> > Workflow Settings

Workflow state

Workflow states determine how Password Manager for AD LDS ran a workflow and which activities of the workflow it initiated. Workflows have 3 states:

  • Success is the state of the workflow if no errors occur when running a workflow. In this state, Password Manager for AD LDS performs all workflow activities, except the following:

    • Email user if workflow fails

    • Email administrator if workflow fails

    • Lock Q&A profile

    • Restart workflow if error occurs

  • Failure is the state of the workflow if an error occurs when running a workflow activity. If any errors occur during the workflow, Password Manager for AD LDS performs only the following activities:

    • Email user if workflow fails

    • Email administrator if workflow fails

    • Lock Q&A profile

    • Restart workflow if error occurs

      NOTE: The Restart workflow if error occurs activity resets the workflow state to Success and runs the workflow from the beginning.

  • Critical Error is the state of the workflow if a critical error occurs, for example locking a user account or a Q&A profile. If any critical errors occur when running the workflow, Password Manager for AD LDS performs only the following activities:

    • Email user if workflow fails

    • Email administrator if workflow fails

Workflow settings

For each workflow, you can set 2 options:

  • Language settings specify a custom name and description for the selected workflow on the Password Manager Self-Service Site or Helpdesk Site, either in the default language, or in additional languages.

  • Availability settings specify if the workflow must appear in the Password Manager Self-Service Site or in the Helpdesk Site.

NOTE: You can specify custom names and descriptions only for the languages for which localization is available in the Password Manager Self-Service Site and Helpdesk Site.

To set the language settings

  1. On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of a management policy you want to configure.

  2. On the page of the configured workflow, click Workflow settings.

  3. Under Workflow Settings > Languages, edit the workflow name and the workflow descriptions in the default language, then click OK.

  4. To edit the workflow name and the workflow description in other languages, click Add new language, select a language, then enter the workflow name and workflow descriptions in the selected language.

  5. To apply your changes, click OK.

To set the availability settings

  1. On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of a management policy you want to configure.

  2. On the page of the configured workflow, click Workflow settings.

  3. Under Workflow Settings > Availability > Enable the workflow, select the availability option of your workflow:

    • Always: The workflow is always enabled for users on the Password Manager Self-Service Site or for operators on the Helpdesk Site.

    • Never: The workflow is always disabled on the Password Manager Self-Service Site or Helpdesk Site.

    • Depending on the current user status: The availability of the configured workflow depends on the user status.

      The default criteria for enabling or disabling workflows on the Password Manager Self-Service Site are the following:

      • For unregistered users, only the Register workflow is enabled.

      • For registered users, the Forgot My Password and Manage My Passwords workflows are enabled.

      • Both for registered and unregistered users, the I Have a Passcode workflow is enabled only if a helpdesk user performs an Assign Passcode workflow for them.

      • For registered users with a locked account, only the Forgot My Password and Unlock My Account workflows are enabled.

      • For users with a locked Q&A profile, no workflows are enabled on the Password Manager Self-Service Site. Users must contact the helpdesk in this case.

      The default criteria for enabling or disabling workflows on the Password Manager Helpdesk Site are the following:

      • For unregistered users, the Reset Password, Unlock Account and Assign Passcode workflows are enabled.

      • For registered users with a locked Q&A profile, all Helpdesk workflows are enabled.

      IMPORTANT: If an unregistered user registers for the first time and enters an incorrect password more times than the specified limit, their profile will be locked. The user must then wait for the duration configured with the Reset lockout account setting.

  4. Under Show the workflow, specify the visibility of the configured workflow on the Password Manager Self-Service Site or Helpdesk Site for users:

    • Always: The workflow is always visible, regardless of whether it is enabled or disabled for the current user.

    • Never: The workflow is always hidden, regardless of whether it is enabled or disabled for the current user.

    • Only if the workflow is enabled: The workflow appears only if it is enabled for the current user.

  5. To apply your changes, click OK.

NOTE: Custom workflows appear on the Password Manager Self-Service Site for users even if the Enable the workflow setting is set to Depending on the current user status and the Show the workflow setting is set to Only if the workflow is enabled.

To force these settings for custom workflows

  1. Stop the Password Manager Service.

  2. Open the C:\ProgramData\One Identity\Password Manager\Shared.storage file.

  3. Replace the <DisabledReasons /> line with the following entry:

    <disabledReasons>
       <reason name="userRegistered" value="DisableIfFalse" />
    </disabledReasons>

  4. Save the file, then restart the Password Manager Service.
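
The four steps above, scripted in PowerShell with a timestamped backup and a guard that leaves the file unchanged unless exactly one `<DisabledReasons />` element is found. This is an added example, not One Identity's own tooling; the service display name and the exactly-one-match rule are assumptions to confirm on your server.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

$storagePath        = 'C:\ProgramData\One Identity\Password Manager\Shared.storage'  # path from the guide
$serviceDisplayName = 'Password Manager Service'  # ASSUMPTION: confirm the name with Get-Service

$pattern     = '<DisabledReasons\s*/>'   # the empty element named in step 3 (case-sensitive)
$replacement = @'
<disabledReasons>
   <reason name="userRegistered" value="DisableIfFalse" />
</disabledReasons>
'@

$service = Get-Service -DisplayName $serviceDisplayName
Stop-Service -InputObject $service                      # step 1
try {
    # Keep a timestamped copy so the edit can be rolled back.
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $storagePath, (Get-Date)
    Copy-Item -LiteralPath $storagePath -Destination $backup

    # Step 2: read with BOM detection so the file is written back in the same encoding.
    $reader = New-Object System.IO.StreamReader($storagePath, $true)
    try { $text = $reader.ReadToEnd(); $encoding = $reader.CurrentEncoding }
    finally { $reader.Dispose() }

    # StreamReader reports UTF-8 for BOM-less files; do not add a BOM that was not there.
    $raw = [System.IO.File]::ReadAllBytes($storagePath)
    $bom = $encoding.GetPreamble()
    $hasBom = $raw.Length -ge $bom.Length -and
              [BitConverter]::ToString($raw, 0, $bom.Length) -eq [BitConverter]::ToString($bom)
    if (-not $hasBom) { $encoding = New-Object System.Text.UTF8Encoding($false) }

    # ASSUMPTION: the guide says "the line", so anything other than one match is treated
    # as unexpected (already edited, or a different layout) and the file is not touched.
    $count = [regex]::Matches($text, $pattern).Count
    if ($count -ne 1) {
        throw "Expected exactly one <DisabledReasons /> element, found $count; file left unchanged."
    }

    # Step 3: swap the empty element for the userRegistered rule.
    $newText = [regex]::Replace($text, $pattern, $replacement)
    [System.IO.File]::WriteAllText($storagePath, $newText, $encoding)
    Write-Host "Updated $storagePath (backup: $backup)"
}
finally {
    Start-Service -InputObject $service                 # step 4, also runs if the edit was refused
}
```

To roll back, stop the service, copy the `.bak` file over `Shared.storage`, and start the service again.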
