Generated new Client ID and Secret using Global > Admin > Security > API Management
Called Query password info API with following body { "userName": "C100032AA", "sourceName": "IdentityNow" }
and received the below response as described in the API documentation { "identityId": "667c881f9d6e4af0ab346e92357e98ef", "sourceId": "ID OF IdentityNow SOURCE IN MY DEMO TENANT", "publicKeyId": "****************", "publicKey": "********************", "accounts": [ { "accountId": "C100032AA", "accountName": "C100032AA" } ], "policies": [ "passwordMinAlpha is 1", "passwordMinLength is 8", "passwordMinNumeric is 1" ] }
Encrypted the password string using the Java code provided under Set Identity Password API documentation
Called Set Identity Password API using the same PAT as used in Step. 2 above, with following body { "identityId": "667c881f9d6e4af0ab346e92357e98ef", "encryptedPassword": "OUTPUT OF JAVA FROM PREVIOUS STEP", "publicKeyId": "PUBLIC KEY ID FROM QUERY PASSWORD INFO API", "accountId": "C100032AA", "sourceId": "ID OF IdentityNow SOURCE IN MY DEMO TENANT" }
And got this response
I have updated my OP with the response showing the accounts[]. I am trying to set the password for the identity itself, not an account from any other source
The set-password api (your step 4) mentionned, that you should use your own PAT to set the password and not the client credential API used to query te password-info
I have tested also in the demo tenant and I think maybe the password management feature is not enable there (but not sure if that is the reason). It would be great to may be tested on environment were the password management is enabled.
I am trying to set the password for the identity in ISC, and my assumption is that password reset should be allowed without Password Management. I do have Password Management enabled in my demo tenant though.
Right @iamnithesh , Password reset work from the UI so it should be worked also with the API without the password management feature enabled.
Regarding your 403 forbidden error check again your PAT or review the content of sended access token if scopes is all, I’m pretty sure that may be another one is used or a scope is not correct.
The set identity password does work for me. The key thing to note is that i have used api authority token with full scope as the PAT is not support for password resets and it will definitely give you 403 error.
Another thing that I had to do is , i was not able to get the source id directly from source list so i had to inspect the accounts and from their i could find out the id of identityNow source. So eventually I used below body for set identity password with endpoint /beta/set-password.
{
"identityId": "600XXXXXXXXXXXXXX",
"encryptedPassword": "ENCRYPTED PASSWORD",
"publicKeyId": "PUBLIC KEY ID (this is id and not the key itself) ",
"accountId": "Vkg01",
"sourceId": "IdentityNow source id"
}
It does work for me, so may be you can try once again and if still does not work, we can connect on chat.
EDIT : I also tried to login with the reset password and the loging in also works for me.
I got this error when i tried to reset the password for identityNow Admin source instead of IdentityNow source. So I think you can try to check if the identity does have a valid account in the source.
@vguleria regarding your statement : “The key thing to note is that i have used api authority token with full scope as the PAT is not support for password resets and it will definitely give you 403 error.”
Here what the documentation of password reset mentionned :
I have encrypted the password via the provided java code by using the public key returned in the query infor password request but in the password request body I sent the public key id (returned in the below request) .
Hi @baoussounda
Yes, that is correct. We can reset our own password using PAT but generally we require this functionality for org_admins to reset the password of others. Hence, In my opinion it is better to have a dedicated API token for this. But in my view it is a gap where org_admins can generate an api token using using their own PAT but can not reset the password for other users using PAT with scope all.
Ideally, I think ORG_ADMIN should be able to reset the password with PAT instead of creating another API token.
Thank you so much for helping me out here. Issue was with the API URL (and I feel so stupid now) and once it was fixed everything worked fine for me!!!
Now I am confused with whose post to be marked as solution. I am marking @vguleria ‘s post as solution as this snippet actually helped me locate the issue