Integrated password systems
Most organizations have an on-premises Active Directory domain, and this should always be the first integration.
Any additional systems and applications where a significant number of users have login credentials should be integrated. For example, many organizations operate an SAP ERP system, a SalesForce.com CRM or a mainframe, and these should be integrated.
Some applications externalize their login process via federated access. This raises two possible integrations:
- If there is not already a federated access management system, use the SAML identity provider (IdP) included in Password Manager.
- Many applications support both login with internally stored passwords and, separately, federated login. For example, SalesForce.com maintains passwords for users and can simultaneously offload the login UI using SAML. In these dual-login scenarios, Password Manager should at a minimum manage passwords on the application in question.
Including and excluding users
All business users should be included in scope. Use group membership, OU, account-disabled status and wildcard matches on user IDs and user names to exclude guest, administrator, service and machine accounts from the Password Manager scope of management.
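A dry run of the exclusion rules described above, applied to constructed AD-style records, as an added example that is not the Password Manager product's own code or configuration syntax. The group names, OUs, wildcard patterns and sample accounts are constructed for illustration; the only real directory detail used is the userAccountControl disabled bit (0x2).

```python
from fnmatch import fnmatchcase

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

# Exclusion rules of the kinds the text lists; all values are constructed.
EXCLUDED_GROUPS = {"Domain Admins", "Service Accounts"}
EXCLUDED_OUS = {"OU=Guests,DC=corp,DC=example", "OU=Servers,DC=corp,DC=example"}
EXCLUDED_ID_PATTERNS = ("svc_*", "adm_*", "*$")  # service, admin, machine accounts
EXCLUDED_NAME_PATTERNS = ("*Guest*", "*Service Account*")

def rec(sam, name, ou, groups, uac):
    """Build one constructed directory record in the shape an AD search returns."""
    return {"sAMAccountName": sam, "displayName": name, "memberOf": groups,
            "distinguishedName": f"CN={name},{ou},DC=corp,DC=example",
            "userAccountControl": uac}

STAFF, SERVERS = "OU=Staff", "OU=Servers"
SAMPLE_USERS = [  # constructed, not real accounts; 0x200 normal, 0x1000 computer, 0x2 disabled
    rec("jsmith", "Jane Smith", STAFF, ["Staff"], 0x200),
    rec("adm_jsmith", "Jane Smith (admin)", STAFF, ["Domain Admins"], 0x200),
    rec("svc_backup", "Backup Service Account", STAFF, [], 0x200),
    rec("FILESRV01$", "FILESRV01", SERVERS, [], 0x1000),
    rec("bwong", "Bob Wong", STAFF, ["Staff"], 0x200 | ACCOUNTDISABLE),
]

def parent_ou(dn):
    """Container part of a distinguishedName: everything after the leaf RDN."""
    return dn.split(",", 1)[1] if "," in dn else ""

def exclusion_reason(user):
    """Why a record is out of scope, or None when Password Manager should manage it."""
    if user["userAccountControl"] & ACCOUNTDISABLE:
        return "account disabled"
    if parent_ou(user["distinguishedName"]) in EXCLUDED_OUS:
        return "excluded OU"
    hit = EXCLUDED_GROUPS.intersection(user["memberOf"])
    if hit:
        return "member of " + sorted(hit)[0]
    for pat in EXCLUDED_ID_PATTERNS:
        if fnmatchcase(user["sAMAccountName"].lower(), pat):
            return "user ID matches " + pat
    for pat in EXCLUDED_NAME_PATTERNS:
        if fnmatchcase(user["displayName"], pat):
            return "name matches " + pat
    return None

def scope_report(users):
    """Map each user ID to its exclusion reason, or None when it is in scope."""
    return {u["sAMAccountName"]: exclusion_reason(u) for u in users}
```

Running the report before enabling management shows which accounts each rule removes, so an over-broad wildcard or a misplaced OU is caught before it affects real users.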