AD Passthrough Authentication and User Invitations

When an Identity Profile uses SailPoint account for authentication, part of the user invitation workflow includes setting their password for the first time. However, when AD is used for authentication, there seems to be no way of offering a first time password reset as part of the invitation workflow.

Has anyone else run into this or come up with a means to provide a first time password reset as part of the invitation process? Asking new users to follow a link on an invitation to confirm their contact details, and then routing them to a login screen with no idea what their password is doesn’t seem like a sensible workflow.

Updating the user invitation email template to take a user to the password reset page seems to be the only approach, but it requires that users request a second token to complete the password reset, even though they have just completed a process that includes a personalized token.

Any ideas are appreciated.


Hello @randall_holt,
Like you proposed, I usually update the user invitation email template to replace the invitation link by the link to the reset page.
That way, the user would:

  1. Set their password
  2. Authenticate with their new password
  3. Finalize the on-boarding process

Therefore, there are no “2 personalized” tokens in this case.

Curious where the email is routed. If you’re sending it to their corporate AD account I don’t believe they’d be able to access it (i.e. they’re a net-new AD account without a password to log in yet). If you’re sending it to an “alternate” email, is this a supervisor, personal email, etc.?


The challenge with this password reset workflow is guiding the user to understand that step #2 is important. Once they have set their initial password and are presented with the login window - they could just bail and never actually claim their account properly. It is also unfortunate that we cannot present the user with a unique token via initial email to claim their account, but rather have to send them to a generic password reset workflow and then have them essentially generate a token to validate their identity.
The UX experience isn’t ideal - which is what we’re trying to enhance here with this query.
