SCIM API: Is there a way to force a password reset while creating Identities

Hi Team,
I am using the SCIM API with IIQ 81P1 to create users (identities) within SailPoint.
While I set an initial password in the payload for the /Users endpoint, is there any attribute we could utilise to force the user to reset their password on their initial login?

Thanks

Try setting the “passwordExpiration” parameter in the payload. This parameter would contain a password expiration date/time which is in the past, in a milliseconds (Epoch time) format, such as: “1614790964034”. When the user logs into IdentityIQ and if the passwordExpiration value references a date/time in the past, then the user would be prompted to change their password.

1 Like
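To make the suggestion above concrete, here is an added example (not SailPoint code, and not part of this thread's original posts) that builds the /Users payload in the shape used in this thread and sets passwordExpiration to an epoch-millisecond string in the past, then applies the rule the answer states: an expiration earlier than "now" means the user is prompted to change the password. The function names, the one-hour-in-the-past offset, the 90-day forward offset for a non-expired password, and the sample user values are all my own assumptions; whether IdentityIQ honours the attribute when it arrives over SCIM is exactly what the rest of the thread goes on to test.

```python
"""Construct a SCIM /Users payload with an already-expired passwordExpiration.

Added example for this thread; not SailPoint's code. It assumes the payload
shape posted below and that passwordExpiration is read as epoch milliseconds
in string form, as the answer above describes.
"""
import json
import time


def epoch_ms(seconds: float) -> str:
    """Render a UNIX timestamp (seconds) as the string-of-milliseconds form used in the thread."""
    return str(int(seconds * 1000))


def build_user_payload(user_name, given_name, family_name, initial_password,
                       now_s=None, expired=True):
    """Return the SCIM /Users body for a new identity.

    expired=True (assumed default) sets passwordExpiration one hour before now,
    so that, per the answer above, the user is prompted to change it at login.
    expired=False sets it 90 days ahead (a constructed value) as a normal expiry.
    """
    now_s = time.time() if now_s is None else now_s
    offset = -3600 if expired else 90 * 86400
    return {
        "userName": user_name,
        "name": {
            "familyName": family_name,
            "givenName": given_name,
            "displayName": f"{given_name} {family_name}",
        },
        "active": True,
        "password": initial_password,
        "passwordExpiration": epoch_ms(now_s + offset),
    }


def change_required_at_login(payload, now_s=None):
    """Mirror the rule stated in the answer: an expiration in the past means prompt.

    Raises ValueError if the attribute is present but not a millisecond epoch string.
    """
    now_s = time.time() if now_s is None else now_s
    raw = payload.get("passwordExpiration")
    if raw is None:
        return False
    try:
        exp_ms = int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"passwordExpiration must be epoch milliseconds, got {raw!r}")
    return exp_ms < int(now_s * 1000)


if __name__ == "__main__":
    # Constructed sample values; replace the password placeholder before use.
    body = build_user_payload("testuser", "myfirstname", "mylastname", "REPLACE_ME")
    print(json.dumps(body, indent=2))
    print("change required at login:", change_required_at_login(body))
```

The check function is also useful in the other direction: run it against the JSON you are about to POST, and you will catch the case where a calendar date or a seconds-based timestamp slipped in instead of milliseconds, which would silently place the expiration in the wrong era.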

@paulo_urcid thanks for your response.

I tried with the below payload:
POST https:///identityiq/scim/v2/Users

{
  "userName": "testuser",
  "name": {
    "familyName": "myfirstname",
    "givenName": "mylastname",
    "displayName": "myfirstname mylastname"
  },
  "active": true,
  "password": "xxxxxxxxxx",
  "passwordExpiration": "1614790964034"
}

User creation was successful and I was able to log on as the user in the IIQ console, but the user was never prompted to reset the password.

The IIQ console doesn’t support prompting users to reset their passwords. I think this is only supported when logging in through the browser UI with local authentication.

@paulo_urcid sorry, I wasn’t clear. I meant that I tried logging in via the browser to
https:///identityiq
and the user was able to log in successfully and was not prompted to reset their password.

Perhaps this identity attribute is not supported through the SCIM API. It works if you set it through the UI by going to Identity Warehouse > Select Identity > Attributes Tab > Change Password hyperlink, and then checking the box for “Require the user to change their password the next time that they log in”.

@paulo_urcid, yes, agreed: going to the UI, Identity Warehouse > Select Identity > Attributes Tab > Change Password hyperlink, and then checking the box for “Require the user to change their password the next time that they log in” does force the user to reset their password.

However, we are trying to automate the user creation via the SCIM API and are looking at ways we could add to the automation so that, when an initial password is set via SCIM, we also force the user to change the initial password.

With the SCIM REST API, you can also launch a Workflow. One option would be to create a custom Workflow which receives all of the identity attributes in the JSON payload and creates the Identity object by using the Java API. You would call this SCIM endpoint instead of calling the /Users endpoint. This allows the Workflow to use the setPasswordExpiration(java.util.Date d) method from the sailpoint.object.Identity class to set the password expiration to a date in the past, and force the user to change their password during the next login.

Another option is to create a custom REST endpoint by implementing an IdentityIQ Plugin which uses the same process as above to create the Identity object with an expired password. See: https://community.sailpoint.com/t5/Plugin-Documents/Plugin-Developer-Guide/m-p/79347

2 Likes

@paulo_urcid Thanks for the suggestion. We will look into the above options suggested.