The One Identity Manager Password Capture Agent
The Password Capture Agent allows you to synchronize user passwords between Active Directory domains managed by One Identity Manager and other connected target systems. The Password Capture Agent tracks changes to user passwords in the source Active Directory domain and provides that information to the web service, which in turn synchronizes the changes with connected target systems by using the password templates you specified. To synchronize passwords, you must install the Password Capture Agent on each domain controller in the Active Directory domain you want to use, as a source for the password synchronization operations.
The following diagram shows how the password synchronization feature of One Identity Manager works.
Figure 1: How the password synchronization feature works
Automated password synchronization
If your enterprise environment has multiple target systems, each with its own password policy and dedicated user-authentication mechanism, you may face one or more of the following issues:
- Because users must remember multiple passwords, they may have difficulty managing them. Some users may even write down their passwords. As a result, passwords can be easily compromised.
- Each time users forget one or several of their numerous access passwords, they must ask administrators for password resets. This increases operational costs and causes a loss of productivity.
- There is no way to implement a single password policy for all target systems. This impacts productivity, as users log on to each target system separately to change their passwords.
With One Identity Manager, you can eliminate these issues and significantly simplify password management in an enterprise environment that includes multiple target systems.
One Identity Manager provides a cost-effective and efficient way to synchronize user passwords from an Active Directory domain to other target systems used in your organization. As a result, users can access other target systems using their Active Directory domain password. Whenever a user password is changed in the source Active Directory domain, this change is immediately and automatically propagated to other target systems, so each user password remains in sync within the data systems at all times.
You must connect One Identity Manager to the target systems in which you want to synchronize passwords.
Related Topics
- Steps to automate password synchronization
- Managing the Password Capture Agent
- Fine-tuning automated password synchronization
Steps to automate password synchronization
|
|
NOTE: The web service must be installed. For more information, see the One Identity Manager Installation Guide and the One Identity Manager Configuration Guide. |
To automatically synchronize passwords from a Active Directory domain to another target system
- Connect One Identity Manager to the Active Directory domain where you want to install the Password Capture Agent.
- Connect One Identity Manager to the target system where you want to synchronize user account passwords with those in the source Active Directory domain.
- Ensure that user accounts in the source Active Directory domain and the connected target system are properly mapped to employees in One Identity Manager.
For general information on how to assign employees to user accounts, see the One Identity Manager Target System Base Module Administration Guide. For more information on how to assign employees to Active Directory user accounts, see the One Identity Manager Administration Guide for Connecting to Active Directory.
- Install the Password Capture Agent on each domain controller in the Active Directory domain you want to have as a source for password synchronization operations.
The Password Capture Agent tracks changes to user passwords in the source Active Directory domain and provides this information to the web service, which in turn synchronizes passwords in the connected target system you specify.
After you have completed the above steps, the Password Capture Agent starts to automatically track user password changes in the source Active Directory domain and One Identity Manager synchronizes passwords in the connected target system.
If necessary, you can fine-tune password synchronization settings by completing these optional tasks:
-
Modify the default Password Capture Agent settings before installation.
-
Modify the default web service settings related to password synchronization.
-
Specify a custom certificate for encrypting the password synchronization traffic between the Password Capture Agent and the web service. By default, password synchronization traffic between the Password Capture Agent and the web service will be secured by transport layer security only.
Related Topics
- Managing the Password Capture Agent
- Configuring Password Capture Agent
- Specifying a custom certificate for encrypting password synchronization traffic
Managing the Password Capture Agent
The Password Capture Agent is required to track changes to user passwords in the Active Directory domain that you want to be the authoritative source for password synchronization operations. To synchronize passwords, you must install the One Identity Manager Password Capture Agent on each domain controller in the source Active Directory domain.
Whenever a password changes in the source Active Directory domain, the Password Capture Agent captures that change and sends the changed password securely to One Identity Manager. In turn, One Identity Manager uses the provided information to synchronize passwords in the connected target systems according to your settings.