Using Active Directory
IBM® Security Access Manager for Enterprise Single Sign-On supports the configuration of multiple Active Directory domains. You can add a new Active Directory domain or edit the details of an existing Active Directory.
Additionally, the IMS Server can look up the directory for attributes of Windows workstations that are joined to the domain. The IMS Server can use these attributes to select the machine group policy template to apply to that computer.
Active Directory password synchronization
The Active Directory password logs users on to their Wallets and, through single sign-on, to their applications. When this policy is enabled, the ISAM ESSO password is kept synchronized with the Active Directory password, so users can always log on to AccessAgent with their latest Active Directory credentials.
Password synchronization is applicable only to Active Directory deployments.
- Automatic sign up
- Self-service reset of Active Directory password through AccessAgent or AccessAssistant
- ESSO Credential Provider-less AccessAgent deployments to workstations
- Virtual Desktop Infrastructure (VDI) deployments
- Private desktop deployments
- Citrix or Terminal Server deployments involving thin clients
- Deployments without the Citrix SDK integration
- When the user changes the ISAM ESSO password through the AccessAgent change password feature:
  - AccessAgent changes the Active Directory password in the Active Directory and then changes the ISAM ESSO password.
  - If the Active Directory password change request fails, AccessAgent does not change the ISAM ESSO password and rejects the request with an error message.
- When the user resets the ISAM ESSO password through the AccessAgent reset password feature:
  - AccessAgent changes the Active Directory password in the Active Directory and then changes the ISAM ESSO password.
  - If the Active Directory password change request fails, AccessAgent does not reset the ISAM ESSO password and rejects the request with an error message.
  - The reset password feature runs an Active Directory change password operation in the Active Directory with the old password stored in the user Wallet.
- When the user resets the ISAM ESSO password through AccessAssistant:
  - AccessAssistant relies on either the WebSphere® Application Server virtual member manager or the Identity Manager Active Directory Adapter to perform an administrative reset of the Active Directory password. The ISAM ESSO password is then updated to the same value.
  - If AccessAssistant cannot reset the user's Active Directory password, the reset password request fails and the ISAM ESSO password remains unchanged.
- If the user changes the Active Directory password through the Microsoft Credential Provider:
  - AccessAgent captures the new password and attempts to update the ISAM ESSO password immediately.
  - If AccessAgent cannot immediately update the ISAM ESSO password, the passwords become momentarily out of sync and are resynchronized on the next online logon.
- If the Administrator resets the Active Directory password of the user:
  - AccessAgent resynchronizes the ISAM ESSO password upon the next logon of the user to AccessAgent or AccessAssistant with the new Active Directory password.
  - During this logon, the IMS Server verifies the new Active Directory password against the Active Directory, then changes the ISAM ESSO password accordingly.
- If the IBM Security Access Manager for Enterprise Single Sign-On and Identity Manager integration is in place:
  - Resetting the ISAM ESSO password through Identity Manager resets the ISAM ESSO password, resets the Active Directory password, and updates the Active Directory password in the user Wallet. This feature can be enabled only if the "system-defined secret" feature is also enabled.
Using the IBM Security Identity Manager Active Directory (AD) adapter
The IBM Security Identity Manager AD adapter is needed only when all of the following conditions are met:
- Active Directory password synchronization is enabled
- The Active Directory domain controller does not support LDAPS
- AccessAssistant self-service password reset is used
If any of these conditions is not met, there is no need for an IBM Security Identity Manager AD adapter.
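The second condition is the one an administrator can verify directly: whether each domain controller accepts an LDAPS connection on TCP 636. Active Directory only accepts an administrative password reset over an encrypted LDAP session, which is why the page ties the adapter requirement to the domain controller's LDAPS support. The following PowerShell is an added example written for this page, not IBM's or the product's own code; it assumes the RSAT ActiveDirectory module is installed on the administrator's workstation and that the current user may bind to the domain controllers.

```powershell
# Added example (not from the IBM documentation): report whether each domain
# controller in the current domain completes a TLS handshake and bind on TCP 636.
# Assumes the RSAT ActiveDirectory module is available and the caller has domain credentials.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,   # fully qualified DC host name
        [int]$Port = 636
    )
    # fullyQualifiedDnsHostName = $true, connectionless = $false
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.SecureSocketLayer = $true   # LDAPS, not StartTLS
    $connection.SessionOptions.ProtocolVersion  = 3
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        # Bind performs the TLS handshake (certificate validated by Windows) and authenticates.
        $connection.Bind()
        [pscustomobject]@{ Server = $Server; LdapsAvailable = $true;  Error = $null }
    } catch {
        # A failed handshake (no certificate, untrusted issuer) or closed port lands here.
        [pscustomobject]@{ Server = $Server; LdapsAvailable = $false; Error = $_.Exception.Message }
    } finally {
        $connection.Dispose()
    }
}

# Check every writable and read-only DC in the domain and summarize.
$report = Get-ADDomainController -Filter * | ForEach-Object { Test-LdapsEndpoint -Server $_.HostName }
$report | Format-Table -AutoSize

# Any DC without LDAPS means an administrative password reset cannot be sent to it
# over plain LDAP; per the conditions above, that is when the AD adapter is needed.
$report | Where-Object { -not $_.LdapsAvailable } | ForEach-Object {
    Write-Warning ("LDAPS not available on {0}: {1}" -f $_.Server, $_.Error)
}
```

Run it as a domain user from a machine that trusts the domain controllers' certificate issuer; a failure caused by an untrusted certificate shows up in the Error column and should be fixed on the PKI side rather than by relaxing validation.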