Skip to content

Managing Password Sync Groups

If you want a password to be the same across multiple direct connect sources, you can synchronize their passwords by combining the sources into a password sync group. For example, if your Salesforce, Workday, and Active Directory sources all use the same password, you can create a sync group for these sources. Whenever you change the password on one, the password will be automatically changed on all apps connected to those sources in the sync group.

Important

There are important distinctions between password sync groups and other ways of changing passwords. After admins configure sources, applications, and sync groups, users can use the Password Manager to change passwords.

  • Password groups are the sync groups defined by the admin and described below.
  • Multi-application sources show the apps on that source that share the same password. Changing the password to the multi-application source will change the password for all apps connected to that source.
  • You can also change the password for each standalone application.

See the User Help for more information about how users can use the Password Manager.

Creating a Sync Group

To create a group of direct connect sources that share the same password, you will need:

  • At least two direct connect sources that are connected to IdentityNow and configured for Password Management.

  • Each authentication source in a sync group must have at least one application. Read how to add applications to a source.

  • At least one password policy.

    Important

    • Verify in advance that the policy enforces requirements that are applicable to all sources you want to sync. Otherwise, users might see errors when changing their password on apps belonging to a sync group.

    • You cannot use exceptions for sources in a sync group.

To create a sync group:

  1. Go to Admin > Password Mgmt > Sync Groups.

  2. Select + New.

  3. In Group Name, enter a name for the sync group.

  4. Choose the password policy you want enforced for all sources in the sync group from the dropdown menu.

  5. Select the check boxes next to the sources you want to include in the sync group. You can see the number of identities and apps related to each source.

    Note

    You must select at least two sources to synchronize.

  6. Select Save to create the sync group.

After creating your password sync group, you can select the pencil icon to edit it.

Deleting a Sync Group

Before you delete a sync group, it's critical that you understand the implications of doing so:

  • The passwords related to the associated sources will become independent of each other, so that changing one will not impact the others.

  • Passwords for the apps connected to those sources will also become independent of each other.

  • The password policy assigned to the sync group becomes assigned directly to the associated sources. To change the password policy for a source, you must edit it directly.

To delete a sync group:

  1. Go to Admin > Password Mgmt > Sync Groups.

  2. Select the Delete icon in the password sync group.

  3. Select Continue to delete the sync group.

Troubleshooting Password Changes in Sync Groups

When a user updates a password for a shared password group, they are either changing the password on a source that multiple applications are linked to or on a password sync group with multiple associated sources.

See how to manage passwords in IdentityNow.

If a password change fails, the user is notified by the App Password Changed email or the User Password Changed email. Failures are shown in the audit events in Search.

Best Practice

One way to minimize password change failures is to ensure your password policies for all sources in the sync group align.

If the errors support retries, password updates are retried up to six times over a 90-minute period.

Password changes take effect differently if there are multiple accounts on the source or if you are using pass-through authentication. Refer to the appropriate sections below to troubleshoot potential problems.

Changing Passwords with Multiple Accounts on a Source

If a multi-application source has multipleAccountPasswordSync set, all accounts on that source will accept the password change.

If the password change fails on the first account, password changes on the other accounts are still processed.

Changing Passwords with Pass-Through Authentication

If a user tries to use pass-through authentication to change an account password for a source in a sync group and the password change fails, IdentityNow will not attempt to change the passwords for the other sources in the sync group.

Important

If you are not using pass-through authentication, it is still possible that some source passwords in the sync group may be updated while others fail. This can occur if password change fails at the same time as another source password change is attempted. Check the audit logs to verify all source passwords have been successfully changed.

Common Issues

Password updates may fail in the following situations:

IdentityNow cannot communicate with the associated source.

Go to the sync group and select each source to test the connection. This problem may have occurred because the remote endpoint is temporarily offline, so you should check with the administrator of that source before making changes to the source's configuration.

The password policy assigned to the sync group does not match the password policy required by one of the sources.

If the problem is caused by a policy mismatch, this information is displayed in the error message associated with the failed update. You might need to change the password policy for the sync group to ensure that it complies with the requirements for all sources in the group.

The source has limitations on how often you can change your password within a specific time period.

For example, Active Directory may limit the number of times you can change your password in a day.