13.0:documentation:adm:uniform_password

Uniform password for new accounts

To ensure the same password for all new identity accounts created during synchronization, the systems on which we want to have the same password must be defined in the uniform password agenda.

That is, in the example above, systems S1 and S2 must be in the same active uniform password group.

This feature is active only during contract synchronization, and only for contracts where the identity state changes:

  • from state: Created or No contract or Left
  • to state: Valid or Future contract.

This feature can be disabled by disabling the IdentityInitUniformPasswordProcessor initialization processor. This processor creates states of uniform password entities. Therefore, if you deactivate this processor, the entire uniform password feature will also be deactivated.

To use the same uniform password on the systems and in IdM, you have to enable this with the checkbox "Change password through IdM" on the uniform password detail.

The life cycle of this feature is as follows:

  • Contract synchronization is started with a new transaction ID.
  • After the synchronization of contracts, the recalculation of HR processes is started.
  • Newly created contracts will cause a change of identity state (for example from Created to Future contract). This change will be caught by the IdentityInitUniformPasswordProcessor processor, which will create a new entity state with the code IDENTITY_UNIFORM_PASSWORD (uniformPasswordManager.createEntityState(identity)). The uniform password is then generated for this state and stored in confidential storage.
  • After the recalculation of HR processes is completed, the recalculation of automatic roles will start. Automatic roles will be assigned to contracts and account management will begin, starting the account creation process.
  • As part of the account creation, it will be detected that there is an entity state for the given identity with the code IDENTITY_UNIFORM_PASSWORD. In this case, the account will not generate a new password, but will use the password from the given entity state.
  • Once the account is created, the ProvisioningUniformPasswordNotificationProcessor will ensure that the system name is added to the entity state. This system name will then be used in the final notification.
  • After the end of the whole transaction (the end of all connected events), the LRT will be notified, which synchronizes the end of the process. The LRT begins the uniform password end process (uniformPasswordManager.endUniformPasswordProcess(transactionId)). That is, it sends a notification (to the topic TOPIC_UNIFORM_PASSWORD_SET) to all identities for which an entity state was created within the given transaction, informing them about the new accounts generated on the given systems and about the uniform password.
  • After all notifications are sent, all entity states with the code IDENTITY_UNIFORM_PASSWORD that were created in the given transaction are deleted.

Support the use of the same transaction ID in dependent LRTs. This will allow HR and automatic recalculations to be used as dependent tasks.

The uniform password feature works only under one transaction ID. This means you have to run the recalculation of HR processes and automatic roles directly from the contract synchronization (checkboxes). Using dependent tasks is not supported yet.
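
The life cycle and the single-transaction constraint described above, modelled as an added Python example. This is not CzechIdM code: the class, its method names, the dictionaries standing in for entity states and confidential storage, and the sample identity and transaction IDs are assumptions made for illustration.

```python
import secrets

STATE_CODE = "IDENTITY_UNIFORM_PASSWORD"
FROM_STATES = {"Created", "No contract", "Left"}
TO_STATES = {"Valid", "Future contract"}

class UniformPasswordModel:
    """Toy in-memory model of the life cycle (hypothetical, not the product API)."""
    def __init__(self, group):
        self.group = set(group)   # systems in one active uniform password group
        self.states = {}          # (transaction_id, identity) -> entity state
        self.confidential = {}    # stand-in for confidential storage
        self.sent = []            # notifications sent at the end of a transaction

    def on_identity_state_change(self, tx, identity, old, new):
        # Models the init processor: only the listed transitions create a state.
        if old in FROM_STATES and new in TO_STATES:
            self.states[(tx, identity)] = {"code": STATE_CODE, "systems": []}
            self.confidential[(tx, identity)] = secrets.token_urlsafe(16)

    def create_account(self, tx, identity, system):
        key = (tx, identity)
        if key in self.states and system in self.group:
            # Reuse the stored password and record the system for the notification.
            self.states[key]["systems"].append(system)
            return self.confidential[key]
        # No entity state under this transaction ID: a new password is generated.
        return secrets.token_urlsafe(16)

    def end_uniform_password_process(self, tx):
        # Notify every identity with a state in this transaction, then delete
        # the state and the stored password (password left out of the record).
        for key in [k for k in self.states if k[0] == tx]:
            state = self.states.pop(key)
            self.confidential.pop(key)
            self.sent.append((key[1], tuple(state["systems"])))
        return self.sent

def demo():
    m = UniformPasswordModel(group={"S1", "S2"})
    m.on_identity_state_change("tx-1", "jdoe", "Created", "Future contract")
    p1 = m.create_account("tx-1", "jdoe", "S1")
    p2 = m.create_account("tx-1", "jdoe", "S2")
    # An account created under a different transaction ID (for example by a
    # dependent task) finds no entity state and gets a different password.
    p3 = m.create_account("tx-2", "jdoe", "S2")
    sent = m.end_uniform_password_process("tx-1")
    return p1, p2, p3, sent, m
```

In the model, nothing remains in the stand-in confidential storage once the end process has run for the transaction.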