Set Identity Password via API

I am trying to set a user’s ISC password using Set Identity Password API

Here are the steps I followed:

  1. Generated new Client ID and Secret using Global > Admin > Security > API Management

  2. Called Query password info API with following body
    {
    "userName": "C100032AA",
    "sourceName": "IdentityNow"
    }
    and received the below response as described in the API documentation
    {
    "identityId": "667c881f9d6e4af0ab346e92357e98ef",
    "sourceId": "ID OF IdentityNow SOURCE IN MY DEMO TENANT",
    "publicKeyId": "****************",
    "publicKey": "********************",
    "accounts": [
    {
    "accountId": "C100032AA",
    "accountName": "C100032AA"
    }
    ],
    "policies": [
    "passwordMinAlpha is 1",
    "passwordMinLength is 8",
    "passwordMinNumeric is 1"
    ]
    }

  3. Encrypted the password string using the Java code provided under Set Identity Password API documentation

  4. Called Set Identity Password API using the same PAT as used in Step. 2 above, with following body
    {
    "identityId": "667c881f9d6e4af0ab346e92357e98ef",
    "encryptedPassword": "OUTPUT OF JAVA FROM PREVIOUS STEP",
    "publicKeyId": "PUBLIC KEY ID FROM QUERY PASSWORD INFO API",
    "accountId": "C100032AA",
    "sourceId": "ID OF IdentityNow SOURCE IN MY DEMO TENANT"
    }
    And got this response


    There is no mention of “user name” that could I find in any of the documents, and I am not sure what am I missing.

    I tried the same API with my own PAT and got 403 error.
    (PAT I used here is created with ORG_ADMIN identity and has scopes.all enabled)

Any inputs will be highly appreciated.

***********************************************************************************

Here is an old post where the same config seems to have worked

The documentation doesn’t mention username as a required parameter.

You can check if the returned accounts[] objects and validate if the accountId and source capability are correct.

Thanks @iamkiran

I have updated my OP with the response showing the accounts[]. I am trying to set the password for the identity itself, not an account from any other source

Sure @iamnithesh

If it solves the issue please mark it as a solutions

Hi @iamnithesh

I have tried the same thing but have a different error message than you :

And can see the events in ISC :

The set-password api (your step 4) mentionned, that you should use your own PAT to set the password and not the client credential API used to query te password-info

I have tested also in the demo tenant and I think maybe the password management feature is not enable there (but not sure if that is the reason). It would be great to may be tested on environment were the password management is enabled.

Thanks @baoussounda

I tried Set Identity Password API with my own PAT and getting 403 error. PAT I am using is created with ORG_ADMIN identity and has scopes.all enabled

I am trying to set the password for the identity in ISC, and my assumption is that password reset should be allowed without Password Management. I do have Password Management enabled in my demo tenant though.

Right @iamnithesh , Password reset work from the UI so it should be worked also with the API without the password management feature enabled.

Regarding your 403 forbidden error check again your PAT or review the content of sended access token if scopes is all, I’m pretty sure that may be another one is used or a scope is not correct.

Hi @iamnithesh

The set identity password does work for me. The key thing to note is that i have used api authority token with full scope as the PAT is not support for password resets and it will definitely give you 403 error.

Another thing that I had to do is , i was not able to get the source id directly from source list so i had to inspect the accounts and from their i could find out the id of identityNow source. So eventually I used below body for set identity password with endpoint /beta/set-password.

{

  "identityId": "600XXXXXXXXXXXXXX",

  "encryptedPassword": "ENCRYPTED PASSWORD",

  "publicKeyId": "PUBLIC KEY ID (this is id and not the key itself) ",

  "accountId": "Vkg01",

  "sourceId": "IdentityNow source id"

}

It does work for me, so may be you can try once again and if still does not work, we can connect on chat.

EDIT : I also tried to login with the reset password and the loging in also works for me.

Thank You
Regards

Vikas.

Hi @baoussounda

I got this error when i tried to reset the password for identityNow Admin source instead of IdentityNow source. So I think you can try to check if the identity does have a valid account in the source.

Thank You.
Regards

Vikas.

Hi @vguleria

I have tried it in IdentityNow source :

Hi @baoussounda

Can you please check if the identityNow source has PASSWORD feature available in it. By default it should be there but just to double check.

Thank You.

@vguleria regarding your statement : “The key thing to note is that i have used api authority token with full scope as the PAT is not support for password resets and it will definitely give you 403 error.”

Here what the documentation of password reset mentionned :

It seems like the PAT can be used only for your own reset and the API token with API authority scope for password reset of any users.

I have tried with PAT and it works.

As you mentionned in the set password request, we should you use the publickeyId and not the public key itself.

I have encrypted the password via the provided java code by using the public key returned in the query infor password request but in the password request body I sent the public key id (returned in the below request) .

You were right, thanks for your input !

Hi @baoussounda
Yes, that is correct. We can reset our own password using PAT but generally we require this functionality for org_admins to reset the password of others. Hence, In my opinion it is better to have a dedicated API token for this. But in my view it is a gap where org_admins can generate an api token using using their own PAT but can not reset the password for other users using PAT with scope all.
Ideally, I think ORG_ADMIN should be able to reset the password with PAT instead of creating another API token.

Thank You.
Regards

Vikas.

@vguleria | @baoussounda

Thank you so much for helping me out here. Issue was with the API URL (and I feel so stupid now) and once it was fixed everything worked fine for me!!!

Now I am confused with whose post to be marked as solution. I am marking @vguleria ‘s post as solution as this snippet actually helped me locate the issue

You both have been awesome!!