Send Password Reset Email During Joiner Workflow

I’m hoping someone has a good solution for this issue.

I have read through the password management documentation and it looks like what I’m trying to do is not possible, but I thought I’d ask here to see if anyone has some good ideas.

The problem: When a Joiner workflow is launched and a new identity is created, I want the new user to get an email or a text message to their personal email or phone number. The message will have a link to a password reset page where they will set their password for the first time. The user has never logged onto the Active Directory domain before, but when they reset their password, they are resetting their Active Directory password and it then syncs to their other synced applications.

So basically, I want to hire a new user and have THEM set their initial password in AD without any email containing an initial password, no one in the middle of the process that has to give them the password - the new user just gets a link to set their password, just like you would for any other online service.

I realize that we can set a password via PowerShell and email it to the new user, but I really don’t like that experience or the setup work that is required.

Any ideas would be appreciated!

Hey @vic_rinkenberger !

We had a similar requirement that might help in your situation. This solution is assuming 2 things:

  1. You are getting the personal email from your HR source

  2. The identity profile is set up with pass-through authentication (PTA) to the intended AD source

Map the personalEmail you receive from your authoritative source to the personalEmail attribute in the identity profile. In your workflow, you can get the identity that is being onboarded and use the Send Email action to send an email to their personalEmail. Something like $.getIdentity.attributes.personalEmail can be used in the ‘Send Email Recipient Email Addresses’ field, which relies on the Get Identity action to provide the personalEmail.

The body of the email can contain the instructions the user will receive for how to reset their password or any additional information. The most important part will be for them to go to https://{yourTenant}.identitynow.com/passwordreset/default/reset-password to reset their password. This page relies on the user knowing/entering their username (uid from their Identity Profile) and proceeding with the password reset. You can supply this in the email body, or you can also modify this URL to be https://{yourTenant}.identitynow.com/passwordreset/default/reset-password?username=${uid} using templating context to reference the uid from the Get Identity action.

Once the user receives the email to their personal email address that contains the link to the password reset page and their username, they can then go through the Password Reset process you have configured for their identity profile. Since they can’t access any of their company accounts yet, the only options they will be able to use would be “By providing a verification link sent to alternate email” (this is the personalEmail we sent the initial email to), or “By providing a verification code sent to alternate phone” if you also receive their personal phone from the authoritative source and map it to their identity profile.

Completing the password reset process through ISC will update their Active Directory password (or whatever password is configured on the Identity Profile for PTA) so they can then log into their corporate systems.

Please let me know if this helps in your situation!

  • Zach
1 Like
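As an added stand-alone illustration (not the thread's own workflow, and not SailPoint's API), this Python assembles the joiner email described above from a Get Identity result: it refuses to produce a message when personalEmail is absent (the joiner would otherwise never receive the link) and URL-encodes the uid in the reset link. The tenant name and the sample identity are placeholders constructed for the example.

```python
from typing import Optional
from urllib.parse import urlencode

# Placeholder tenant, not a real one; the reset path is the one given in the thread.
TENANT = "yourTenant"
RESET_PATH = "/passwordreset/default/reset-password"

# Constructed sample of what a Get Identity step might return for a joiner.
# The uid deliberately contains '+' to show why the query string must be encoded.
SAMPLE_IDENTITY = {
    "uid": "jdoe.contractor+1",
    "attributes": {"personalEmail": "jane.doe@example.com", "personalPhone": None},
}


def reset_link(uid: str, tenant: str = TENANT) -> str:
    """Build the reset URL with the username pre-filled.
    urlencode() percent-encodes the uid so characters such as '+', '&' or
    spaces in a username cannot break or alter the query string."""
    return f"https://{tenant}.identitynow.com{RESET_PATH}?" + urlencode({"username": uid})


def build_reset_email(identity: dict, tenant: str = TENANT) -> Optional[dict]:
    """Return recipient/subject/body for the joiner email, or None when the
    identity has no usable personalEmail or no uid. Returning None lets the
    workflow flag the record for HR follow-up instead of sending nothing useful."""
    attrs = identity.get("attributes", {})
    recipient = (attrs.get("personalEmail") or "").strip()
    uid = identity.get("uid", "")
    if not uid or not recipient or "@" not in recipient:
        return None
    link = reset_link(uid, tenant)
    # Mention the phone option only if a personal phone was actually mapped.
    verify = "a link sent to this personal email address"
    if attrs.get("personalPhone"):
        verify += " or a code sent to your personal phone"
    body = (
        f"Welcome! Your username is {uid}.\n"
        f"Set your password here: {link}\n"
        f"You will verify your identity with {verify}."
    )
    return {"to": recipient, "subject": "Set your initial password", "body": body}


if __name__ == "__main__":
    print(build_reset_email(SAMPLE_IDENTITY))
```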

Zach, that is very helpful. Thanks!

Quick follow-up question – does setting up Passthrough Authentication create any conflict with the SSO (Service Provider) configuration that we already have set up? In other words, if we enable Passthrough Authentication, does that only come into play when a user can’t do SSO? (So, in this case, the user is hitting ISC from an external source, so Passthrough would take over, but otherwise, once they do their initial password reset and try to log in to ISC on the corporate network, it would then automatically use SSO?)

Hey @vic_rinkenberger ,

It does not create a conflict. SSO setup takes priority for logging into ISC unless you bypass SSO and login directly to ISC.

If my above suggestion helped answer your question, please mark it as a solution so it can better help other users that may have similar questions.

Thank you,

  • Zach
1 Like