The identities have 2 different emails (workEmail / alternateEmail).
Currently, the password reset / unlock to alternateEmail has been configured.
A Password Policy is configured and the reminder is enabled. But the “password is going to expire or has expired” email is sent to workEmail, and they need it to go to alternateEmail. Is it possible to change it?
Thank you.
Hi @bblanco ,
In ISC we have two types of version templates, which are: Version 1 and Version 2.
In your case it comes to Version 2. As far as I’m aware, ISC allows us to use if and else conditions for the replyTo and subject fields. So, mostly you can use an if-else ladder to fulfill your expected results.
Probably one of the ways is to use a Workflow to send the reminder email to the alternateEmail instead of using email templates, which provides a more flexible and manageable solution.
You can check the password last changed attribute on AD to trigger the workflow.
As per the current state in ISC, if you don’t want to tweak emailTemplates then you should go with the workflow triggering based on the password change attribute.
Also, make sure the current process is handled as well, or else you might see multiple emails for both attributes (workEmail / alternateEmail).
Agree with @PrashantMishra, to achieve this, you will need to do 3 things:
Disable the current settings so that multiple emails are not sent to the user. This can be achieved by adding #stop in the Subject line of the “Password Expiration” email template. See “Using Email Templates - SailPoint Identity Services” for reference.
Create an identity attribute, passwordReminder, to store the password expiry reminder flag, which is false by default. Write a transform to calculate this flag based on your password policy and password expiry date, i.e. this flag turns to true when the user’s password expiry is within X days. Set the flag back to false once the password expiry date is reached. (This is to ensure that the notification is not sent after the expiry date has passed.)
Create a workflow with trigger as identity attribute changed, in this case passwordReminder from false to true. Send the Password Expiration email notification to their alternateEmail instead of workEmail.
Create an identity attribute, passwordReminder, to store the password expiry reminder flag, which is false by default. Write a transform to calculate this flag based on your password policy and password expiry date, i.e. this flag turns to true when the user’s password expiry is within X days. Set the flag back to false once the password expiry date is reached. (This is to ensure that the notification is not sent after the expiry date has passed.)
Create a new identity attribute to hold workEmail’s old value. Say: wEmail
Use a transform on the workEmail attribute such that it replaces its value with the alternateEmail value when the passwordReminder flag turns to true. Replace the workEmail value with the wEmail value when the passwordReminder flag turns to false.
With this, when the default “Password Expiration” email template is triggered, it will be sent to the workEmail attribute but will be received on the alternate email of the user.
All the best! I think this might work, though I haven’t tested it myself.
I gave it a spin, but the customer has multiple password policies, and that would have to be taken into account by changing the transform every time a new one is created.
Anyway, the customer has told me that he wants all notifications in the “personal” email, so I changed the attributes… the workEmail will show his personal and the alternateEmail will show the professional.