Password Filter
Last updated
Last updated
Cymmetri.com
TABLE OF CONTENTS
The Cymmetri Architecture without the password filter utility allows for one-way synchronization of passwords from Cymmetri to other managed applications including Active Directory. Active Directory passwords may therefore be updated, once the user password is updated in Cymmetri. However, to keep both the Cymmetri database and Active Directory user passwords in synchronization, there is a need for Cymmetri database to receive password change notification from the Active Directory, when the password is directly updated in Active Directory.
Active Directory provides for the use of Password Filter which can intercept the request for password change and can make an API call to Cymmetri deployment to update the password in Cymmetri database as well.
Cymmetri Password Filter dll will be deployed in the Active directory environment and system variables (environment variables) are configured to allow the password filter to connect to the Cymmetri deployment.
Active Directory server needs to be restarted once the configuration is performed.
Once the user changes the password on a domain-connected computer using Ctrl+Alt+Delete utility OR if the Active Directory administrator resets the user's password using Active Directory tools, the password filter will be triggered.
The password filter DLL will receive the username and the plaintext password from the Active Directory, once the password change has been applied on the Active Directory.
The password filter DLL will encrypt the password using RSA encryption with a public key and will send the encrypted password and the username to the Cymmetri deployment using a REST API call over HTTPS.
The Cymmetri deployment receives the username and encrypted password, it decrypts the password using private key.
Once the password is decrypted, the Cymmetri deployment updates the password in Cymmetri database for the given user.
If the user is assigned multiple applications for provisioning, the action of updating user's password in Cymmetri database will trigger password update for the user in other provisioned applications. However, Active directory application will not receive this password update, to avoid loops.
CYMMETRI_APP_ID
<application-id-of-active-directory-in-Cymmetri>
CYMMETRI_CLIENT_TOKEN
Authorization: Bearer <token-from-api-client>
CYMMETRI_ENDPOINT_URL
https://<cymmetri-domain>/apiext/api/password/filter/updateUserPassword
CYMMETRI_PUBLIC_KEY_FILE
<path of public key file in Active Directory Server>