Hi! I have a client that has another IDM solution, with AD, AS/400, 1 web service and about 10 JDBC connectors. We are trying to convince them to replace it with IDN, but I am not sure if IDN can cover their use.
There is a unique scenario implemented: the IDM self-service portal lets users change their passwords, re-enable their accounts and also unlock accounts (that is because their applications permit an admin user to disable accounts; on the other hand, apps block users if the user enters an erroneous password many times, like AD).
This is the only use of the actual IDM; they have no audit events, certifications or provisioning of accounts or entitlements. They use it more like a self-service kiosk, saving help desk work. Moreover, IDM only aggregates accounts, so they do not need the create account feature.
Can I make something similar with IDN?
1-aggregate accounts
2-log into IDN with challenge or MFA.
3-ask to enable accounts (disabled, for example, for vacation or medical leave)
4-ask to unlock accounts, which perhaps went into this state because the user failed login more than N times
5-change password and propagate to all accounts
You can achieve the following using IDN:
1. You can aggregate accounts from different sources (solutions) like AD, web services, JDBC, etc. There is a long list of solutions from which you can aggregate accounts in IDN.
2. For login, you can have native authentication, MFA, SSO, or pass-through.
3. Help desk users and org admins can enable, disable, lock and unlock accounts.
4. IDN also has lockout settings, which include the maximum number of attempts before the IDN account gets locked for a specific period of time, after which you can try logging in again. IDN also has self-service for password reset and account unlock.
5. IDN has password sync groups (whenever you change the password on one source, the password will be automatically changed on all sources that are part of the sync group).
Apart from this, there is a long list of features available in IDN; you can read the product documentation for more in-depth information.
I understand that unlock is the IDN identity unlock. I mean unlocking accounts, besides enabling or disabling them. For example, I have an application that has an RDBMS model in which I have a user table, a field named status (1 or 0), which is the one the administrator sets, and another field, lock, which turns 1 automatically after X failed login attempts.
I think we can unlock source accounts from IDN also. But I'm not sure whether automatically locking a user account after a number of failed attempts would be possible or not. The following link might help you with managing accounts:
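To make the two-flag model described in this post concrete (an admin-controlled status column next to a lock column the application flips by itself after X failed logins), here is a small self-contained Python/sqlite3 model. It is an added example, not code from the thread or from any SailPoint connector; the table and column names other than status and lock, the threshold of 5 attempts, the password hashing and the sample user are all assumptions constructed for the demo. It shows why "unlock" and "enable" have to be separate operations: clearing lock does not re-enable a disabled account, and enabling an account does not clear a lockout.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed value of "X" from the post: failures before the app sets lock = 1.
MAX_FAILED_ATTEMPTS = 5


def open_db():
    """Create an in-memory DB with the constructed user table.

    Only 'status' and 'lock' come from the post; the other columns are
    assumptions added so the model can actually authenticate."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               username        TEXT PRIMARY KEY,
               pw_salt         BLOB NOT NULL,
               pw_hash         BLOB NOT NULL,
               status          INTEGER NOT NULL DEFAULT 1,  -- admin sets: 1 enabled, 0 disabled
               lock            INTEGER NOT NULL DEFAULT 0,  -- app sets: 1 after too many failures
               failed_attempts INTEGER NOT NULL DEFAULT 0
           )"""
    )
    return conn


def _hash(password, salt):
    # Salted PBKDF2 so the sample never stores a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(conn, username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, pw_salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _hash(password, salt)),
    )


def login(conn, username, password):
    """Application login path. Returns 'ok', 'disabled', 'locked',
    'bad_password' or 'unknown'. Increments the failure counter and
    flips lock to 1 once MAX_FAILED_ATTEMPTS is reached."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash, status, lock, failed_attempts "
        "FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return "unknown"
    salt, stored, status, lock, failed = row
    if status == 0:          # admin-disabled wins over everything else
        return "disabled"
    if lock == 1:            # locked out: even the right password is refused
        return "locked"
    if hmac.compare_digest(_hash(password, salt), stored):
        conn.execute("UPDATE users SET failed_attempts = 0 WHERE username = ?", (username,))
        return "ok"
    failed += 1
    conn.execute(
        "UPDATE users SET failed_attempts = ?, lock = ? WHERE username = ?",
        (failed, 1 if failed >= MAX_FAILED_ATTEMPTS else 0, username),
    )
    return "bad_password"


def set_status(conn, username, enabled):
    """Enable/disable: the admin-owned 'status' column (item 3 of the question)."""
    conn.execute("UPDATE users SET status = ? WHERE username = ?",
                 (1 if enabled else 0, username))


def unlock(conn, username):
    """Unlock: clear 'lock' and the counter, leave 'status' untouched (item 4)."""
    conn.execute("UPDATE users SET lock = 0, failed_attempts = 0 WHERE username = ?",
                 (username,))


def account_state(conn, username):
    status, lock, failed = conn.execute(
        "SELECT status, lock, failed_attempts FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    return {"status": status, "lock": lock, "failed_attempts": failed}


def demo():
    """Walk the lifecycle: lockout, self-service unlock, admin disable."""
    conn = open_db()
    add_user(conn, "alice", "correct horse")          # constructed sample user
    results = [login(conn, "alice", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(login(conn, "alice", "correct horse"))  # locked despite right password
    unlock(conn, "alice")
    results.append(login(conn, "alice", "correct horse"))  # ok again
    set_status(conn, "alice", False)
    unlock(conn, "alice")                                  # unlock does not re-enable
    results.append(login(conn, "alice", "correct horse"))  # still disabled
    return results


if __name__ == "__main__":
    print(demo())
```

The separation matters for the self-service portal: a user who locked themselves out should be able to clear lock without being able to clear a status the administrator set, so an unlock feature (whether in the current IDM or in IDN) must only ever touch the lock column.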
Assuming that you are using the JDBC connector, the feature does not seem to be listed.
Depending on your specific use case, I would suggest using attribute sync so the status attribute value is pushed from an IDN identity attribute. If workflows are available, NCD can also be configured to remediate out-of-band changes.