Technology Transparent Password Synchronization
Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+

Transparent password synchronization architecture

Transparent password synchronization, triggered by a native password change on a monitored system works as follows:

  1. User: decides to change his password(s) or has been asked to during the login process.

  2. User: enters his login ID, current password and desired value.

  3. Login server: validates password quality internally, then calls a Hitachi ID Password Manager library to further validate password quality.

  4. Password Manager library: contacts the Password Manager server; establishes an encrypted connection; forwards a request for password policy validation.

  5. Password Manager server: validates password quality; returns result. In the event of an attempted policy violation, Password Manager may send a message directly to the user by e-mail or a Windows pop-up message; may create an incident management system ticket and so on.

  6. Login server: updates the user's password field internally, calls the Password Manager library to notify it of the successful change. Note that a failure to meet the Password Manager policy will normally block the initial password change from happening.

  7. Password Manager library: contacts the Password Manager server; establishes an encrypted connection; forwards a request for password synchronization.

  8. Password Manager server: queues up the new password for synchronization.

  9. Password Manager server: resolves the single queued event to a list of passwords that must be set for this user (one per account).

  10. Password Manager server: administratively sets the user's passwords on each system to the new value.

  11. Password Manager server: in the event of failure, re-queues and retries; may send the user one or more e-mails to notify of the problem; may create a ticket on an incident management system to alert someone of a problem.

Password synchronization triggers are provided with Password Manager for Windows server or Active Directory (32-bit, 64-bit), Sun LDAP, IBM LDAP, Oracle Internet Directory, Unix (various), z/OS and iSeries (AS/400).

This is implemented on the network with the following components:

figure

    Transparent synchronization architecture diagram (1)

Watch a Movie

Transparent password synchronization


Play movie

Content:

  • Illustrate the flow of a new password from a change initiated on Windows via Ctrl-Alt-Del, through an AD DC, to HiPM and finally to another application.

Key concepts:

  • Reducing the number of passwords users must remember.
  • Password synchronization without exposing a user to a new UI.
  • Intercepting password changes on AD DCs.
  • Propagating new passwords to multiple systems and applications.

Transparent password synchronization: realistic scenario with load balancing and feedback loops


Play movie

Content:

  • Illustrate the flow of a new password during password synchronization.
  • Highlight interactions with load balancers, multiple HiPM systems and multiple trigger systems.
  • Show how HiPM prevents feedback loops.

Key concepts:

  • Reducing the number of passwords users must remember.
  • Ensuring that password synchronization does not introduce feedback loops on the network.
  • Illustrate the advanced architecture to properly scale up a password synchronization system.