
Approach to enable password sync for more and more apps

vermark
Regular Contributor
Hi Team,

Right now we have three applications onboarded in Saviynt, and these three are added under "endpoints" in SavPwFilter.json like below:

[attachment: vermark_1-1663609193402.png]

Going forward we will be onboarding more and more applications in Saviynt, and we want password sync to happen to those new applications.

What will be the best approach to enable password sync for newly onboarded applications? If there is any other approach other than these two, please let us know.
1. Finalize the list of all endpoints where password sync is needed and add those endpoints under “endpoints” in SavPwFilter.json. Deploy the password sync filter with all endpoints in SavPwFilter.json on all the DCs and restart the DCs. This will be a one-time activity.
Challenge –
  1. In SavPwFilter.json we will have more endpoints, for which there is no corresponding application in Saviynt. Will it cause any issue?
  2. Is there a way to stop the password sync for selected endpoints? (Ex. We have only three endpoints in Saviynt, so it should create change password tasks for those three endpoints and should not create change password tasks for the additional endpoints which are there in SavPwFilter.json.)
2. Once a new application is onboarded in Saviynt, add that application under “endpoints” in SavPwFilter.json. Deploy the password sync filter and restart the DCs. This will be an ongoing activity and will require a DC restart every time a new application is onboarded in Saviynt for which password sync is needed.
Challenge –
  1. Every time a new application is onboarded, the password sync filter has to be redeployed on all the DCs and all DCs have to be rebooted.

avinashchhetri
Saviynt Employee

Hello @vermark,

The Password Sync uses Saviynt APIs to change the user and account password. This should be easy for you to test/validate with Postman on your lower environments.

Please find my responses to your questions:

In SavPwFilter.json we will have more endpoints, for which there is no corresponding application in Saviynt. Will it cause any issue?
avinash: I have not tried this personally, but it should fail with an error that it could not find the endpoints in Saviynt.

Is there a way to stop the password sync for selected endpoints? (Ex. We have only three endpoints in Saviynt, so it should create change password tasks for those three endpoints and should not create change password tasks for the additional endpoints which are there in SavPwFilter.json.)
avinash: No, a list of comma-separated endpoints needs to be passed for WHICH you need the password changed.

Every time a new application is onboarded, the password sync filter has to be redeployed on all the DCs and all DCs have to be rebooted.
avinash: Yes, the configurations are picked up once at startup; any change needs a restart.


Regards,
Avinash Chhetri

Hi Avinash,

We have performed the testing from our end. Below are the test cases that we executed and their outcomes.

Test Case 1:

We added three applications dummyapp1, dummyapp2, dummyapp3 in SavPwFilter.json which currently do not exist in Saviynt and restarted the DC.

After the restart we reset the password for one user (user1) who had accounts on applications SAP1, SAP2, SAP3, Oracle DB.

Outcome

  1. We were able to log in with the new password in Saviynt
  2. No change password task was generated in Saviynt to propagate the new password to applications SAP1, SAP2, SAP3, Oracle DB which were assigned to user (user1)
  3. We got the below error message on the DC

2022-09-22T16:42:36ℹ️796: curlInterface-ChangePassword:: Response status code: 412, Error Response:{"Status":"Failure","Error":"Endpoint(s) dummyapp1, dummyapp2, dummyapp3 not found","errorCode":"1","message":"Failure to update password"}

Test Case 2:

We onboarded the applications dummyapp1, dummyapp2, dummyapp3 in Saviynt (while they were already present in SavPwFilter.json) and reset the password for user (user1).

Outcome

  1. We were able to log in with the new password in Saviynt
  2. Change password tasks were generated for applications (SAP1, SAP2, SAP3, Oracle DB) on which the user's account is already created

Test Case 3:

We assigned the application dummyapp1 to user user1 and reset the password.

Outcome

  1. We were able to log in with the new password in Saviynt
  2. Change password tasks were generated for applications (SAP1, SAP2, SAP3, Oracle DB, dummyapp1) on which the user's account is already created. Note - All applications which were there in SavPwFilter.json were already onboarded in Saviynt as part of test case 2.

Summary

If we want to avoid multiple DC restarts, we should follow the approach below. Please let us know if there is any other possibility.

  1. Identify all applications which require password sync
  2. Add all those applications in SavPwFilter.json and restart all the DCs
  3. Create the endpoint and security system template for all applications identified in Step 1 before enabling password sync (password sync will be enabled when you activate the service account in Saviynt)
  4. Required changes on the endpoint and security system can be made later as per requirement (just the template with the same name as in SavPwFilter.json is required)
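The failure mode in test case 1 (one unknown name in the filter, and no change-password task is created for any endpoint) is cheap to catch before a DC restart rather than after. The following Python pre-flight check is an added example for this thread, not Saviynt's code and not something either participant posted. It assumes, as the reply above describes, that the "endpoints" value in SavPwFilter.json is a comma-separated string of endpoint names (a JSON list is accepted too, since the real file layout is not shown here); the filter fragment, the inventory of Saviynt endpoints and the DC log line are constructed to mirror the test case 1 situation. It compares the filter against the endpoints that actually exist in Saviynt, and it also parses the 412 "Endpoint(s) ... not found" line from the DC log so the missing names can be pulled out of an existing log without reading it by hand.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed SavPwFilter.json fragment (not a real customer file).
# ASSUMPTION: "endpoints" holds the comma-separated endpoint names the thread
# talks about; the real file layout is not shown on the page, so a JSON list
# is accepted as well.
SAMPLE_FILTER_JSON = """
{
  "endpoints": "SAP1, SAP2, SAP3, Oracle DB, dummyapp1, dummyapp2, dummyapp3"
}
"""

# Constructed inventory of the endpoints that exist in Saviynt before test
# case 2 (the three dummy apps are in the filter but not yet onboarded).
SAVIYNT_ENDPOINTS = ["SAP1", "SAP2", "SAP3", "Oracle DB"]

# Constructed DC log line, modelled on the 412 response quoted in test case 1.
SAMPLE_DC_LOG = (
    "2022-09-22T16:42:36:796: curlInterface-ChangePassword:: "
    "Response status code: 412, Error Response:"
    '{"Status":"Failure","Error":"Endpoint(s) dummyapp1, dummyapp2, dummyapp3 not found",'
    '"errorCode":"1","message":"Failure to update password"}'
)


def parse_filter_endpoints(config_text: str) -> List[str]:
    """Return the endpoint names listed under "endpoints" in SavPwFilter.json,
    trimmed of surrounding whitespace, with empty entries dropped."""
    raw = json.loads(config_text).get("endpoints", "")
    names = raw.split(",") if isinstance(raw, str) else list(raw)
    return [n.strip() for n in names if n.strip()]


def missing_endpoints(filter_endpoints: Iterable[str],
                      saviynt_endpoints: Iterable[str]) -> List[str]:
    """Names present in the filter but absent from Saviynt, in filter order.
    The comparison is exact (case-sensitive): the name is handed to the
    Saviynt API as-is, so a near miss is still a miss."""
    known = set(saviynt_endpoints)
    return [name for name in filter_endpoints if name not in known]


def preflight_report(config_text: str,
                     saviynt_endpoints: Iterable[str]) -> Dict[str, object]:
    """Predict, before a DC restart, whether this filter would hit the
    "Endpoint(s) ... not found" failure seen in test case 1."""
    wanted = parse_filter_endpoints(config_text)
    missing = missing_endpoints(wanted, saviynt_endpoints)
    return {"ok": not missing, "configured": wanted, "missing": missing}


_STATUS_RE = re.compile(r"Response status code:\s*(\d+)")
_NOT_FOUND_RE = re.compile(r"Endpoint\(s\)\s+(.+?)\s+not found")


def parse_dc_error(log_line: str) -> Optional[Dict[str, object]]:
    """Pull the HTTP status and the endpoint names reported as missing out of
    a ChangePassword error line from the DC log. Returns None for any line
    that is not such an error response (no status code, or a body that is
    not a JSON object)."""
    status = _STATUS_RE.search(log_line)
    if status is None or "Error Response:" not in log_line:
        return None
    body = log_line.split("Error Response:", 1)[1].strip()
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict):
        return None
    match = _NOT_FOUND_RE.search(payload.get("Error", ""))
    missing = [n.strip() for n in match.group(1).split(",")] if match else []
    return {
        "status": int(status.group(1)),
        "missing": missing,
        "message": payload.get("message"),
    }


if __name__ == "__main__":
    report = preflight_report(SAMPLE_FILTER_JSON, SAVIYNT_ENDPOINTS)
    if report["ok"]:
        print("SavPwFilter.json: every endpoint exists in Saviynt")
    else:
        print("SavPwFilter.json: endpoints not in Saviynt ->",
              ", ".join(report["missing"]))
    err = parse_dc_error(SAMPLE_DC_LOG)
    if err and err["status"] == 412:
        print("DC reported missing endpoints:", ", ".join(err["missing"]))
```

In practice the Saviynt-side inventory would come from an export of the endpoints that exist in the target environment; run the check against every DC's copy of SavPwFilter.json as part of the deployment step, and treat a non-empty "missing" list as a reason not to restart, since the thread shows one stray name blocks password propagation for all the valid endpoints too.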

@vermark,

With your approach, how will you do a phased password sync implementation?

E.g. if currently SAP1 and SAP2 need the password synced and you put in an application LDAP (for a future implementation which doesn't even exist) along with the two SAP instances, the whole sync process will fail, isn't it? Have you tried this scenario?

I would list out all the applications that need a password sync and have them implemented in phases as and when they are ready, rather than doing one application at a time, since every update needs a DC restart.


Regards,
Avinash Chhetri

From a design perspective, Saviynt should have provided some flag to sync the password, or a dedicated customproperty, to avoid a restart of the DC. This would be easy and manageable on the Saviynt end only 🙂


Regards,
Rushikesh Vartak

If currently SAP1 and SAP2 need the password synced and you put in an application LDAP (for a future implementation which doesn't even exist) along with the two SAP instances, the whole sync process will fail, isn't it? Have you tried this scenario?

<Rakesh> - Yes, I have tested it as part of use case 2. For the LDAP app there has to be an endpoint in Saviynt (just the template with the same name as in SavPwFilter.json). We can fully set up the same LDAP endpoint in future as per business requirement. This way password sync is working and change password tasks are generated for SAP1 and SAP2. Do you see any challenge with this approach?

I would list out all the applications that need a password sync and have them implemented in phases as and when they are ready, rather than doing one application at a time, since every update needs a DC restart.

<Rakesh> The ask is to push all the changes to the DC in one go and restart the DC. Even if we go phase-wise and all apps are onboarded in, let's say, 5 phases, we need to restart all DCs 5 times, once after every phase release.

Please let us know what the recommended approach is that we need to follow.

@vermark ,

I would not suggest creating dummy security systems/endpoints in Saviynt knowing fully that they cannot be deleted (in the future).

If there is a limitation, the best way forward would be to discuss this with the stakeholders and come up with an approach that works best for all.


Regards,
Avinash Chhetri