
Mapping User IDs - Hitachi ID Password Manager

Every enterprise identity management and access governance system, regardless of its features, must support login ID reconciliation. Users have login accounts and other records on various systems and these have to be attached to a single profile, in order to create a user-centric identity system. The process of attaching non-standard login IDs and other user identifiers to a single profile is called login ID reconciliation.

Hitachi ID Password Manager supports multiple options for login ID reconciliation, as follows:

  • Automatically, typically by matching consistent login IDs.

  • By matching other attributes such as an SSN or employee ID, where they are available.

  • By drawing on an external source of data -- for example, some organizations maintain a mapping table or spreadsheet.

  • Using a self-service reconciliation process.

When self-service login ID reconciliation is required, it works as follows:

  • Users are automatically invited to complete their profiles -- for example via an e-mail with an embedded URL.
  • Users sign into the registration system, using a primary login ID and password or other types of credentials.
  • Users are asked to type their additional ID/password pairs. Each provided ID/password pair is compared against an automatically maintained inventory of login IDs drawn from target systems, to find instances where the user-entered login ID appears on a system and does not yet belong to a known user profile. Password Manager then attempts to sign into that system with the user-entered password. If the login attempt succeeds, the user's profile is updated with the system ID and the user-entered login ID.

Self-service reconciliation is inexpensive (about 5 minutes per user), reliable, fully automated (users are reminded to register until they actually do) and very secure.

Both self-service and administrative login ID reconciliation are logged. Other forms of login ID reconciliation are typically batch oriented and can be configured with logging if required.

Note that attempts to reconcile login IDs by matching on attributes of user profiles on target systems are often costly and/or insecure, especially when combined with a password management system:

  • The only attribute that is commonly available on every system is a user's full name. This may be inconsistent across systems and in many large organizations multiple users share the same full name and sometimes the same location.

  • Failure to automatically correlate an account leads to manual, administrative reconciliation, which is expensive.

  • Incorrect ID mapping allows one user to set another user's password, which is a serious breach of security.

Where self-service login ID reconciliation is required, the process is both inexpensive (25,000 users spending 5 minutes each costs nothing, while one consultant spending weeks or months is expensive) and error-free (since IDs are claimed with a validated password). This process is, to the best of Hitachi ID Systems' knowledge, unique.
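The self-service claim procedure described above, and the ambiguity of attribute matching that the preceding list warns about, as an added illustration that is not Hitachi ID's code. It assumes a constructed account inventory, constructed full names and PBKDF2 verifiers standing in for a live login attempt against the target system; all systems, IDs and passwords are invented sample data.

```python
import hashlib
import hmac

# Constructed sample data (not from the page): (system, login_id) -> profile that already
# claimed the account, or None while the account is still unreconciled.
INVENTORY = {
    ("AD", "jsmith"): "P001",
    ("AD", "jsmith2"): "P002",
    ("SAP", "SMITHJ"): None,
    ("SAP", "JSMITH2"): None,
}
# Constructed: full name is the one attribute every system has, and here it collides.
FULL_NAMES = {k: "John Smith" for k in INVENTORY}

# Constructed stand-in for a live login attempt on the target system: PBKDF2 verifiers.
_SALT = b"constructed-demo-salt"
def _verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)
_VERIFIERS = {
    ("SAP", "SMITHJ"): _verifier("Sample-Pass-1!"),
    ("SAP", "JSMITH2"): _verifier("Other-Pass-2!"),
}

def target_login_ok(system: str, login_id: str, password: str) -> bool:
    expected = _VERIFIERS.get((system, login_id))
    return expected is not None and hmac.compare_digest(expected, _verifier(password))

def match_by_full_name(system: str, name: str) -> list:
    """Attribute matching returns every candidate; a collision leaves the mapping ambiguous."""
    return sorted(lid for (s, lid), n in FULL_NAMES.items() if s == system and n == name)

AUDIT = []  # every self-service claim is logged, successful or not

def claim_login_id(profile: str, system: str, login_id: str, password: str) -> str:
    """Attach (system, login_id) to profile only if it is still unclaimed and the user
    proves possession with a password the target system accepts."""
    key = (system, login_id)
    if key not in INVENTORY:
        outcome = "unknown-id"
    elif INVENTORY[key] is not None:
        outcome = "already-claimed"   # never re-map an attached account to another user
    elif not target_login_ok(system, login_id, password):
        outcome = "bad-password"      # no proof of possession, so no mapping
    else:
        INVENTORY[key] = profile
        outcome = "attached"
    AUDIT.append((profile, system, login_id, outcome))
    return outcome
```

Name matching on SAP returns two candidates for "John Smith", so it cannot decide which account belongs to P001; the claim function attaches an account only after a correct password and refuses to re-map an account another profile already holds, which is the failure mode behind the "one user sets another user's password" risk.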

Animation: Enrollment of non-standard login IDs

  • A user has been invited to fill in a form with login IDs and passwords.
  • This animation starts after the user has been invited and has authenticated.
  • Multiple authentication steps - security questions, login IDs, biometrics, etc. are normally integrated into a single process.

Key concepts:

  • This process eliminates the need to "match" profile data on different systems, which can be costly and unreliable.
  • Users don't need to know what a system is "officially" called, eliminating a common cause of misunderstanding between users and IT staff.
  • Users must "prove possession" by providing a correct password, making this process totally secure.
