Reset password with a Service Provider configuration

Hello Community!

This is our scenario with the Service Provider in SailPoint:

  1. EntraID gets automatically updated with data provided by Active Directory.
  2. We have set up the Service Provider with EntraID in our tenants via “Admin > Global > Security Settings > Service Provider”.
  3. We have NOT integrated EntraID as a Source in our tenants.
  4. We have integrated the Active Directory Source in our tenants.

We want to understand what happens in the following scenarios:

  1. A user logs in with their EntraID credentials and resets their “Active Directory” password via “Name (top-right corner) > Password Manager > Change Password”.
    – Does their EntraID password get updated too?
    – Does their SailPoint local password get updated too?

  2. An admin (User Level = Helpdesk or Admin) goes to “Admin > Identity Management > Identities”, selects a target Identity and clicks on “Actions > Reset Password”.
    – What password gets updated: the SailPoint local password, or the EntraID password or both?

  3. How can an end user (User Level = User) autonomously reset their EntraID password via SailPoint?

  4. By creating a new “Password Sync Group” in “Admin > Password Mgmt > Password Sync Group”,
    – How can an end user (User Level = User) autonomously reset their Group Password via SailPoint?
    – How can an admin (User Level = Helpdesk or Admin) autonomously reset their Group Password via SailPoint?

  5. Pass-Through Authentication
    – Is Pass-Through Authentication needed to achieve any of the questions above?
    – Would you suggest setting up Pass-Through Authentication instead of the “Service Provider” to achieve our requirements above?
    – When would Pass-Through Authentication be more useful compared to the “Service Provider”?

  1. Password Manager changes only connected sources (e.g. AD), not Entra ID or your ISC login. Using the Password Manager - SailPoint Identity Security Cloud User Help
  2. Admin → Reset Password only resets the local ISC password.
  3. To let users reset their Azure AD password in ISC, either aggregate Entra ID as a source or enable Pass-Through Authentication (PTA).
  4. Password Sync Groups let one password change propagate to all linked sources. Password Management Overview - SailPoint Identity Services
  5. SAML/OIDC Service Provider settings handle SSO only; use PTA if you cannot sync password hashes to the cloud or need strict enforcement of your AD password policies at sign-in and change-time.
    Configuring Pass-Through Authentication - SailPoint Identity Services

Hello @sanekkanti, thank you!

Let’s say we decide to enable the PTA (Pass-Through Authentication) towards EntraID but not to integrate it as a Source.

  1. Should the Service Provider with EntraID be disabled? Or can both of them be enabled at the same time?
  2. Will the Password Manager menu include EntraID automatically?
  3. In general, how would it be possible to reset EntraID password with PTA? Which menu should be used to reset the password?
  4. Would the “Admin → Reset Password” still affect only the local SailPoint password or would it be applied to EntraID too?

Thank you in advance!

  1. The Service Provider configuration under Global → Security Settings → Service Provider is purely for federated SSO. Enabling PTA on your identity profiles does not require you to turn off your SP; both can coexist side by side without conflict. PTA simply sits on top of your directory connection to proxy sign-ins and password changes; the SP settings remain untouched and continue to route users through your identity provider for SSO.
    Configuring Identity Security Cloud as a Service Provider - SailPoint Identity Services
    Configuring Pass-Through Authentication - SailPoint Identity Services

  2. The Password Manager menu (Admin → Password Manager) only lists sources or applications that have been expressly configured for password management, typically your on-prem AD, HR apps, etc. By default, Entra ID will not appear there unless you’ve:
    – Aggregated it as a source, and
    – Added it as a password-managed access application (or put it into a sync group).
    Otherwise the menu won’t show “Entra ID” as an item you can change.
    Password Management | SailPoint Developer Community

  3. Once you’ve enabled PTA on the appropriate identity profiles and enabled password management for that source, end users can change their network (Entra ID) password from within ISC by going to: Password Manager → find the Entra ID application or group → Change Password.
    The “Change Password” action is sent over PTA to update the Entra ID password. Configuring Pass-Through Authentication - SailPoint Identity Services
    Adding Access Applications to Password Management - SailPoint Identity Services

  4. It only resets the ISC password; it does not reset your users’ Entra ID password.
    Resetting a User's Password and Authentication Preferences - SailPoint Identity Services

In our environment, admin/helpdesk users may need to reset a user’s domain password (i.e. EntraID) for many reasons, for example because the user forgot their password.

Is there a possibility for admin/helpdesk users to reset a user’s domain (i.e. EntraID) password via SailPoint?
