Managing Password Sync Groups
If you want a password to be the same across multiple direct connect sources, you can synchronize their passwords by combining the sources into a password sync group. For example, if your Salesforce, Workday, and Active Directory sources all use the same password, you can create a sync group for these sources. Whenever you change the password on one, the password will be automatically changed on all apps connected to those sources in the sync group.
Important
There are important distinctions between password sync groups and other ways of changing passwords. After admins configure sources, applications, and sync groups, users can use the Password Manager to change passwords.
- Password groups are the sync groups defined by the admin and described below.
- Multi-application sources show the access apps on that source that share the same password. Changing the password to the multi-application source will change the password for all access apps connected to that source.
- You can also change the password for each standalone access application.
See the User Help for more information about how users can use the Password Manager.
Creating a Sync Group
To create a group of direct connect sources that share the same password, you will need:
- At least two direct connect sources that are connected to Identity Security Cloud and configured for Password Management.
- Each authentication source in a sync group must have at least one access application. Read how to add applications to a source.
- At least one password policy.
Important
- Verify in advance that the policy enforces requirements that are applicable to all sources you want to sync. Otherwise, users might see errors when changing their password on apps belonging to a sync group.
- You cannot use exceptions for sources in a sync group.
To create a sync group:
- Go to Admin > Password Mgmt > Sync Groups.
- Select + New.
- In Group Name, enter a name for the sync group.
- Choose the password policy you want enforced for all sources in the sync group from the dropdown list.
- Select the check boxes next to the sources you want to include in the sync group. You can see the number of identities and apps related to each source.
Note
You must select at least two sources to synchronize.
- Select Save to create the sync group.
You can edit the policy and which sources are in the group from this page. You can also edit the source's password settings to add or remove the source from a sync group.
Adding a Source to a Sync Group
You can add a source to a sync group by editing the group you created or by editing the Password Settings of the source.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to add to a sync group.
- In the Additional Settings section, select Password Settings.
- Enable the Use Sync Group option.
- Choose the sync group from the Sync Group dropdown list.
- Select Save to save your settings.
When the password associated with the sync group is changed, this source's password will also be updated.
Removing a Source from a Sync Group
You can remove a source from a sync group by editing the group you created or by editing the Password Settings of the source.
- Go to Admin > Connections > Sources.
- Select or edit the source you want to remove from a sync group.
- In the Additional Settings section, select Password Settings.
- Disable the Use Sync Group option.
- Choose the password policy to apply to this source. Refer to Managing Password Policies for more information.
- Select Save to save your settings.
This source will be removed from the sync group and the password will be enforced using the selected password policy.
Deleting a Sync Group
Before you delete a sync group, it's critical that you understand the implications of doing so:
- The passwords related to the associated sources will become independent of each other, so that changing one will not impact the others.
- Passwords for the apps connected to those sources will also become independent of each other.
- The password policy assigned to the sync group becomes assigned directly to the associated sources. To change the password policy for a source, you must edit it directly.
To delete a sync group:
- Go to Admin > Password Mgmt > Sync Groups.
- Select the Delete icon in the password sync group.
- Select Continue to delete the sync group.
Troubleshooting Password Changes in Sync Groups
When a user updates a password for a shared password group, they are either changing the password on a source that multiple applications are linked to or on a password sync group with multiple associated sources.
See how to manage passwords.
If a password change fails, the user is notified by the App Password Changed email or the User Password Changed email. Failures are shown in the audit events in Search.
Best Practice
One way to minimize password change failures is to ensure your password policies for all sources in the sync group align.
If the errors support retries, password updates are retried up to six times over a 90-minute period.
Password changes take effect differently if there are multiple accounts on the source or if you are using pass-through authentication. Refer to the appropriate sections below to troubleshoot potential problems.
Changing Passwords with Multiple Accounts on a Source
If a multi-application source has multipleAccountPasswordSync set, all accounts on that source will accept the password change.
If the password change fails on the first account, password changes on the other accounts are still processed.
Changing Passwords with Pass-Through Authentication
If a user tries to use pass-through authentication to change an account password for a source in a sync group and the password change fails, Identity Security Cloud will not attempt to change the passwords for the other sources in the sync group.
Important
If you are not using pass-through authentication, it is still possible that some source passwords in the sync group may be updated while others fail. This can occur if the password change on one source fails while the change on another source is already being attempted. Check the audit logs to verify that all source passwords have been changed successfully.
Common Issues
Password updates may fail in the following situations:
- Identity Security Cloud cannot communicate with the associated source.
  Go to the sync group and select each source to test the connection. This problem may have occurred because the remote endpoint is temporarily offline, so you should check with the administrator of that source before making changes to the source's configuration.
- The password policy assigned to the sync group does not match the password policy required by one of the sources.
  If the problem is caused by a policy mismatch, this information is displayed in the error message associated with the failed update. You might need to change the password policy for the sync group to ensure that it complies with the requirements for all sources in the group.
- The source has limitations on how often you can change your password within a specific time period.
  For example, Active Directory may limit the number of times you can change your password in a day.