Password Filter

Introduction

Without the password filter utility, the Cymmetri architecture supports only one-way synchronization of passwords from Cymmetri to its managed applications, including Active Directory: once a user's password is updated in Cymmetri, the Active Directory password can be updated to match. To keep the Cymmetri database and Active Directory passwords in sync when a password is changed directly in Active Directory, the Cymmetri database must also receive a password change notification from Active Directory.

Active Directory supports password filters, which intercept password change requests. The Cymmetri password filter uses this hook to make an API call to the Cymmetri deployment so that the new password is stored in the Cymmetri database as well.

Flow Diagram

Flow Description

  1. The Cymmetri Password Filter DLL is deployed on the Active Directory server, and system environment variables (listed under Configuration below) are set so that the password filter can connect to the Cymmetri deployment.

  2. The Active Directory server must be restarted once the configuration has been performed.

  3. The password filter is triggered when a user changes their password on a domain-joined computer via the Ctrl+Alt+Delete screen, or when an Active Directory administrator resets the user's password using Active Directory tools.

  4. Once the password change has been applied in Active Directory, the password filter DLL receives the username and the plaintext password from Active Directory.

  5. The password filter DLL encrypts the password with RSA using the configured public key, and sends the encrypted password and the username to the Cymmetri deployment in a REST API call over HTTPS.

  6. The Cymmetri deployment receives the username and the encrypted password, and decrypts the password using the corresponding private key.

  7. Once the password is decrypted, the Cymmetri deployment updates the password for the given user in the Cymmetri database.

  8. If the user is assigned multiple applications for provisioning, updating the user's password in the Cymmetri database triggers a password update for the user in the other provisioned applications. The Active Directory application does not receive this update, which avoids a synchronization loop.
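The following is an added example, not code from the Cymmetri product or this page, showing the shape of steps 5 and 6 end to end: the filter side encrypts the plaintext password with RSA-OAEP (SHA-256) under the public key and builds the HTTPS POST to the CYMMETRI_ENDPOINT_URL with the bearer token from CYMMETRI_CLIENT_TOKEN; the server side parses the body and decrypts with the private key. The JSON field names, the use of OAEP, and how the DLL derives the bearer value from CYMMETRI_CLIENT_TOKEN are assumptions; the page does not document the real request format. The key pair and sample username and password are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// PasswordNotification is an ASSUMED payload shape for the REST call in step 5.
// The page does not document the real Cymmetri request body; these names are placeholders.
type PasswordNotification struct {
	Username          string `json:"username"`
	EncryptedPassword string `json:"encryptedPassword"` // base64(RSA-OAEP(password))
}

// EncryptPassword is the filter-side operation (step 5): RSA-OAEP with SHA-256 under the
// public key loaded from CYMMETRI_PUBLIC_KEY_FILE. The plaintext buffer is zeroed once it
// has been encrypted so the filter does not hold the cleartext longer than necessary.
func EncryptPassword(pub *rsa.PublicKey, password []byte) (string, error) {
	defer func() {
		for i := range password {
			password[i] = 0
		}
	}()
	// OAEP-SHA256 with a 2048-bit key accepts at most 190 bytes of plaintext; a longer
	// password fails here with rsa.ErrMessageTooLong rather than being sent truncated.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, password, nil)
	if err != nil {
		return "", fmt.Errorf("encrypting password: %w", err)
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// BuildRequest assembles the HTTPS POST the filter would send. endpoint corresponds to
// CYMMETRI_ENDPOINT_URL; token is the bearer credential from CYMMETRI_CLIENT_TOKEN
// (how the DLL splits the "Authorization: Bearer ..." value is assumed here).
func BuildRequest(endpoint, token string, pub *rsa.PublicKey, username string, password []byte) (*http.Request, error) {
	enc, err := EncryptPassword(pub, password)
	if err != nil {
		return nil, err
	}
	body, err := json.Marshal(PasswordNotification{Username: username, EncryptedPassword: enc})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	return req, nil
}

// DecryptNotification is the server-side operation (step 6): parse the body and recover
// the plaintext password with the private key matching the filter's public key.
func DecryptNotification(priv *rsa.PrivateKey, body []byte) (username, password string, err error) {
	var n PasswordNotification
	if err = json.Unmarshal(body, &n); err != nil {
		return "", "", fmt.Errorf("parsing notification: %w", err)
	}
	ct, err := base64.StdEncoding.DecodeString(n.EncryptedPassword)
	if err != nil {
		return "", "", fmt.Errorf("decoding ciphertext: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", "", fmt.Errorf("decrypting password: %w", err)
	}
	return n.Username, string(pt), nil
}

func main() {
	// Constructed key pair standing in for the configured public key and the server's private key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	req, err := BuildRequest("https://cymmetri.example/apiext/api/password/filter/updateUserPassword",
		"<token-from-api-client>", &priv.PublicKey, "jdoe", []byte("correct horse battery staple"))
	if err != nil {
		panic(err)
	}
	body, _ := io.ReadAll(req.Body)
	user, pw, err := DecryptNotification(priv, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server recovered password for %s (%d bytes)\n", user, len(pw))
}
```

Two points the example makes concrete: the plaintext exists only inside the filter process and the decrypting server, so the TLS channel protects the transport while the RSA layer protects the payload from anything that terminates TLS in between; and a password the public key cannot wrap is rejected outright instead of being silently truncated, which would otherwise leave the two directories out of sync without an error.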

Configuration

Key                        Value

CYMMETRI_APP_ID            <application-id-of-active-directory-in-Cymmetri>

CYMMETRI_CLIENT_TOKEN      Authorization: Bearer <token-from-api-client>

CYMMETRI_ENDPOINT_URL      https://<cymmetri-domain>/apiext/api/password/filter/updateUserPassword

CYMMETRI_PUBLIC_KEY_FILE   <path of public key file in Active Directory Server>