
Did you know? Saviynt has the ability to manage user passwords - Part1

Community_User
Saviynt Employee
Originally posted on May 29 2020 at 18:32 UTC





  1. What are the most common scenarios wherein Saviynt is requested to manage user passwords?
     1. Customer is looking to use Saviynt as their authentication source as well as password management solution for all users
     2. Customer is looking to use AD as their authentication source for all users and use Saviynt for managing the passwords
     3. Customer has enabled an SSO solution like Okta or Ping as IDP provider, which in turn uses AD as its authentication source. They want to use Saviynt to manage passwords as we have the ability to synchronize passwords to downstream connected applications (Reverse password Sync)
     4. Customer has password changes happening in the authentication source (like AD) and Saviynt is the password management solution to track the changes and flow them to other connected applications (Reverse password Sync)

  2. How can we change/reset user password in Saviynt?
     1. Self-Password Reset – Change password from User profile and Reset/Forgot Password from Login screen
     2. Helpdesk Password Reset – Manager/Helpdesk Reset password from Admin Function and Reset User Password in Change Password Tile
     3. Change Password API

  3. Can we set up password policy for user password resets?

     Yes, we need to use User scope password policy

  4. Do we support the Saviynt initiated user change password to flow to user accounts in connected applications?

     Yes, and it's configurable

  5. Do we have the ability to send help desk reset password notification to the user?

     Yes, it can be configured in password policy

  6. Do we have the ability to expire user passwords and notify when password expires?

     Yes. This is configurable in the Password Policy in the below config

     Expire After: Configure the number of days after which the user password should expire, and pre-packaged controls will expire the user password after the configured number of days

     Days to Notify Before Password Expire: Pre-packed controls will be rolled out that check the config and send out notifications based on the days configured

  7. What are the other exciting additions to password policy?
     1. Audit for password policy
     2. Setting a previous password as a new password is disallowed if the password is changed using Forgot Password or Change Password as per the config below
     3. Static Blacklisting: The below configuration, if set to ‘YES’, will look up a text file with blacklisted words from the path configured in blacklistdictionaryPath.statickeywords in externalconfig.properties
     4. Dynamic blacklisting: We can set user and account attributes to be blacklisted for change and reset password scenarios

  8. What other exciting features are coming in future?

     Step Up authentication - Users can choose a method of verification such as Email OTP, SMS OTP, or answer preconfigured security questions

Note: Look forward to more on this in upcoming Did you know series.





This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
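
To make the three password-policy checks listed in the post above concrete (previous-password reuse, static blacklisting from a keyword file, dynamic blacklisting on user attributes), here is an added sketch that is not Saviynt code and not part of the original post. All function names, the one-keyword-per-line file format, the attribute names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch

def load_static_blacklist(path):
    """Read one blacklisted keyword per line, ignoring blanks and case."""
    with open(path, encoding="utf-8") as fh:
        return {line.strip().lower() for line in fh if line.strip()}

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def policy_violations(candidate, user, static_words, dynamic_fields, history):
    """Return the list of policy rules the candidate password breaks."""
    lowered = candidate.lower()
    found = [f"static:{w}" for w in sorted(static_words) if w in lowered]
    for field in dynamic_fields:
        value = str(user.get(field, "")).lower()
        # Skip very short attribute values so they do not reject everything.
        if len(value) >= 3 and value in lowered:
            found.append(f"dynamic:{field}")
    # History holds (salt, hash) pairs, never the old passwords themselves.
    if any(hmac.compare_digest(hash_password(candidate, s), h) for s, h in history):
        found.append("history")
    return found

def demo():
    # Constructed sample data: keyword file, user record, one old password.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("password\nwelcome\ncompanyname\n")
    try:
        words = load_static_blacklist(fh.name)
    finally:
        os.unlink(fh.name)
    user = {"username": "jdoe", "firstname": "Jane", "lastname": "Doe"}
    salt = os.urandom(16)
    history = [(salt, hash_password("Autumn#Rain42", salt))]
    fields = ["username", "firstname", "lastname"]
    return {
        pw: policy_violations(pw, user, words, fields, history)
        for pw in ("Welcome2020!", "jdoe-Tr33house", "Autumn#Rain42", "c0rrect-H0rse-9")
    }

if __name__ == "__main__":
    print(demo())
```

Substring matching means one attribute can trigger another: the constructed username `jdoe` also contains the last name `doe`, so that password is reported against both fields.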

Community_User
Saviynt Employee
Originally posted on May 29 2020 at 20:22 UTC

Can you give more information on Reverse Password Sync?


I don't think I can use the password column on a user row to provision password to a system. I could use a clear text column, or I could store an encrypted value, and then decrypt it in my connector. Using a custom attribute doesn't tie in with password changes in Saviynt though.


How does Reverse Password Sync work today in the product?


--Jim


Community_User
Saviynt Employee
Originally posted on May 29 2020 at 21:29 UTC

Hello Jim,


Please refer to the Freshdesk documentation here for Reverse Password Sync - https://saviynt.freshdesk.com/support/solutions/articles/43000547503-active-directory-ad-connector-g...


Community_User
Saviynt Employee
Originally posted on May 29 2020 at 21:35 UTC

Thanks, but that link talks about password sync from AD to SAV. I’m asking about your items above that indicate Reverse Password Sync, which is from SAV to any other source. That’s not covered in that link. Do you have any info on how that might actually work? — Jim

Community_User
Saviynt Employee
Originally posted on May 29 2020 at 21:45 UTC

Hi Jim,


For passwords to be pushed from Saviynt to connected apps using reverse password sync, we need to mention the endpoint details in the JSON in the endpoints attribute. Refer to Configure Saviynt Connection in the above Freshdesk link.

Saviynt will pick up the endpoints and then create change password tasks for user accounts in connected applications, and the provisioning job will pick up the tasks and provision them to the target apps.




Community_User
Saviynt Employee
Originally posted on May 29 2020 at 21:54 UTC

Okay, so you list the endpoints in the AD filter config. We are talking about password changes from AD only, right? This doesn’t support password changes that I perform in Saviynt on my SAV user then. Right? If it’s creating password change tasks for those endpoints, is there anything I need to do in those endpoints' connection config? How does the connector config know what password I’m about to send? I’m assuming SAV isn’t saving the password on the user record. It’s just generating the task? Do I have that right? —Jim

Community_User
Saviynt Employee
Originally posted on May 31 2020 at 00:38 UTC

Jim,


We do support changing the user account password when a user password change is initiated in Saviynt. A Change Password Task for the Endpoints configured in Point 4 would be created according to the password policy associated with the application. For provisioning the change password tasks to connected applications, we need to configure the Change password JSON in the respective connector associated with the application.
