Can users belong to different Password Sync groups?

I am in a scenario where users have to reset passwords on different sources, depending on their attribute profile.

For example, all users can have accounts in AD and a Web Service. But, depending on some identity attributes (for example employee type), when they reset their password on ISC, the password should be propagated to AD only, to Web Service only, or to both.

For example, identities with employee type “Employees” must propagate password to AD and Web Service, but identities with employee type “Contractors” should propagate their password to Web Service source only.

Is there some way to achieve that?

Contractors, don’t they need to change their password on AD at all?

Here contractors do not have to reset the AD password, but some contractors need to for some client reason.

That’s an interesting use case. I guess the simpler way to achieve this would be to create separate sources for the employee type and have each one in its own password sync group.

If the same source is in multiple sync groups, there may be unnecessary password overwrites to the other systems in the group.

I have been thinking this over, considering Applications, to see if we can manage this. But as long as the Source is added in a Sync Group, we cannot avoid this.

You can implement this requirement by creating multiple sources, but I don’t think it is worth creating them just for Password sync; I wouldn’t go with that.

I would ask the end users to change the password multiple times; since it is only 2 here, it is not a big deal.

If you still wish to change the password in AD as well along with WebServices, I would try to get one more additional API call to change AD password from WebServices source.
