Generating a PAT through the API for another Identity

I assumed that was the case… please allow me to provide a bit of feedback on the steps I must go through for this process.

Note that we create identities for (AD) Service Accounts because we utilize ServiceNow and the IDN API to request and provision access for these accounts.

How I generate PATs for these accounts depends on whether or not I want to bypass SSO.

If I am logging in using SSO

  1. If we are to log in using SSO for these accounts, we have to set up 2FA for that user in Okta. This is not ideal from our perspective because we don’t typically own these accounts. I mentioned in another thread how the deprecation of strong auth limits our ability to selectively deploy MFA to users, and this is such a case.

  2. If this is the first time this account is logged in, I’m required to set up security questions or alternate contact info for strong auth. Again, not ideal to do this for an account I do not own.

  3. Once logged in, I can go and generate a PAT for that user

If I were to bypass SSO

  1. First, I need to reset the password for that identity. This would be much more difficult if we had emails going directly to the user, but thankfully in our case, we have them all going to a single support mailbox. This would not be possible if we had emails going directly to users and the Service Account didn’t have a mailbox. Mail-enabled service accounts are in the minority in my org.

  2. Once a new password is set, I attempt to log in with the new credentials I’ve chosen. Last time I tried to do this, I could not log in and kept getting “Authentication Failed” error messages, leading to me becoming so frustrated I just generated application client creds.

  3. If this is the first time this account is logged in, I’m required to set up security questions or alternate contact info for strong auth. Again, not ideal to do this for an account I do not own.

  4. Once logged in, I can go and generate a PAT for that user

In my opinion, this involves far more steps than it should, and I would hope that it’s possible to allow admins to generate PATs for another user.
