Got warning that changing CSS Access certification user name mapping requires password reset

We are using SailPoint IdentityNow to support our certification processes. No provisioning. We created a source for our Okta, and use this source as the authoritative source to drive SailPoint IDN identity creation and deletion. Of course, we have an AD source for AD account access provisioning (group revoking).

Now we are enabling provisioning at our IdentityNow prod.
We created a source for our HR system, and an identity profile for this source.
When I set up the map in this identity profile, I got a prompt window saying: "Changing the CSS Access Certification User Name mapping requires password resets for all users in this identity profile."

Before I click “OK” on this prompt, I want to understand:

  1. Will this reset the password for all the users in this identity profile?
  2. Will this also reset the password of the users’ AD accounts in this identity profile?

Thanks,
Charlie

Hi @charlieliujcn,

This message, “Changing the CSS Access Certification User Name”, means your SailPoint product name is “CSS Access Certification” and in your identity profile you have an attribute called “CSS Access Certification User Name (uid)”.

This attribute is very important and is used as the login for user authentication.

If you change this attribute mapping, ISC/IDN will only reset the internal password of all identities and not your users' Active Directory account passwords. Active Directory account passwords are not reset.

Be aware when changing this attribute mapping. For example, if it is mapped to your HR source account ID attribute, changing this mapping can result in identity deletion and recreation.

@charlieliujcn is your problem resolved?

Not really resolved. I didn’t proceed when I got the prompt. However, the next day when I tried to make the same change, there was no prompt.

However, we got a big problem when we enabled AD provisioning. A lot of AD accounts got their passwords changed. This resulted in a serious incident. Currently we are still working with SailPoint support to investigate the root cause. Hope this is not the root cause.
