
Set Identity's Password

POST 

/set-password

This API is used to set a password for an identity.

An identity can change their own password (as well as any of their accounts' passwords) if they use a token generated by their ISC user, such as a personal access token or "authorization_code" derived OAuth token.

A token with API authority can be used to change any identity's password or the password of any of the identity's accounts. "API authority" refers to a token that only has the "client_credentials" grant type.

Note: If you want to set an identity's source account password, you must enable PASSWORD as one of the source's features. You can use the PATCH Source endpoint to add the PASSWORD feature.

This endpoint requires an encryptedPassword: the new password, RSA encrypted with the publicKey returned by Query Password Info. To produce it and submit it, follow these steps:

  1. Use Query Password Info to get the following information: identityId, sourceId, publicKeyId, publicKey, accounts, and policies.

  2. Choose an account from the previous response that you will provide as an accountId in your request to set an encrypted password.

  3. Encrypt the password with the publicKey from step 1 (for example with the Java code below), then call Set Identity's Password with the identityId, sourceId, and publicKeyId from step 1, the accountId from step 2, and the resulting encryptedPassword:

import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// publicKey is the base64-encoded X.509 SubjectPublicKeyInfo from Query Password Info;
// toEncrypt is the plaintext password. Returns the base64 ciphertext to send as encryptedPassword.
String encrypt(String publicKey, String toEncrypt) throws Exception {
    byte[] publicKeyBytes = Base64.getDecoder().decode(publicKey);
    byte[] encryptedBytes = encryptRsa(publicKeyBytes, toEncrypt.getBytes(StandardCharsets.UTF_8));
    return Base64.getEncoder().encodeToString(encryptedBytes);
}

// RSA with PKCS#1 v1.5 padding. "ECB" here is only JCE's transformation naming; RSA has no block mode.
private byte[] encryptRsa(byte[] publicKeyBytes, byte[] toEncryptBytes) throws Exception {
    PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(publicKeyBytes));
    String transformation = "RSA/ECB/PKCS1Padding";
    Cipher cipher = Cipher.getInstance(transformation);
    cipher.init(Cipher.ENCRYPT_MODE, key);
    return cipher.doFinal(toEncryptBytes);
}

In this example, toEncrypt is the plaintext password you are setting, publicKey is the publicKey value from the Query Password Info response, and the string encrypt returns is the value to send as encryptedPassword.

You can then use Get Password Change Request Status to check the password change request status. To do so, you must provide the requestId from your earlier request to set the password.
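The whole client-side procedure above (take the Query Password Info result, pick an account, encrypt the password, assemble the /set-password body) as an added Go example that is not part of this page or of any SailPoint SDK. It uses only the standard library and does exactly what the Java snippet does: base64-decode the publicKey, parse it as X.509 SubjectPublicKeyInfo, encrypt with RSA PKCS#1 v1.5 padding, base64-encode the result. The page does not give the JSON shape of the Query Password Info response or of its accounts list, so the PasswordInfo and Account structs, the JSON tags, every ID string, and the locally generated key standing in for the service's publicKey are assumptions of this example; the HTTP calls are left out so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// PasswordInfo holds the Query Password Info fields this flow needs. The page names
// them but not their JSON shape, so the tags and the accounts element are assumed.
type PasswordInfo struct {
	IdentityID  string    `json:"identityId"`
	SourceID    string    `json:"sourceId"`
	PublicKeyID string    `json:"publicKeyId"`
	PublicKey   string    `json:"publicKey"` // base64 X.509 SubjectPublicKeyInfo, as the Java snippet expects
	Accounts    []Account `json:"accounts"`
}

// Account is one entry of the accounts list (shape assumed, see above).
type Account struct {
	AccountID string `json:"accountId"`
}

// SetPasswordRequest is the body of POST /set-password; every field is required.
type SetPasswordRequest struct {
	IdentityID        string `json:"identityId"`
	EncryptedPassword string `json:"encryptedPassword"`
	PublicKeyID       string `json:"publicKeyId"`
	AccountID         string `json:"accountId"`
	SourceID          string `json:"sourceId"`
}

// Encrypt mirrors the page's Java encrypt(): base64-decode the key, parse it as X.509
// SubjectPublicKeyInfo, RSA-encrypt the UTF-8 password with PKCS#1 v1.5 padding
// (JCE "RSA/ECB/PKCS1Padding") and return the ciphertext as base64.
func Encrypt(publicKeyB64, password string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(publicKeyB64)
	if err != nil {
		return "", fmt.Errorf("publicKey is not valid base64: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return "", fmt.Errorf("publicKey is not an X.509 SubjectPublicKeyInfo: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("publicKey is not an RSA key")
	}
	// PKCS#1 v1.5 carries at most k-11 bytes for a k-byte modulus; fail early and clearly.
	if limit := rsaPub.Size() - 11; len(password) > limit {
		return "", fmt.Errorf("password is %d bytes, key allows at most %d", len(password), limit)
	}
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, rsaPub, []byte(password))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// BuildSetPasswordRequest assembles the /set-password body from a Query Password
// Info response (steps 1 to 3), refusing an accountId the query did not return.
func BuildSetPasswordRequest(info PasswordInfo, accountID, password string) (*SetPasswordRequest, error) {
	known := false
	for _, a := range info.Accounts {
		known = known || a.AccountID == accountID
	}
	if !known {
		return nil, fmt.Errorf("accountId %q is not in the Query Password Info response", accountID)
	}
	enc, err := Encrypt(info.PublicKey, password)
	if err != nil {
		return nil, err
	}
	return &SetPasswordRequest{IdentityID: info.IdentityID, EncryptedPassword: enc,
		PublicKeyID: info.PublicKeyID, AccountID: accountID, SourceID: info.SourceID}, nil
}

func main() {
	// Stand-alone demo: a locally generated key stands in for the service's publicKey
	// and every ID is a constructed placeholder, not a real tenant value.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	info := PasswordInfo{IdentityID: "example-identity-id", SourceID: "example-source-id",
		PublicKeyID: "example-key-id", PublicKey: base64.StdEncoding.EncodeToString(der),
		Accounts: []Account{{AccountID: "jdoe"}, {AccountID: "jdoe-admin"}}}
	req, err := BuildSetPasswordRequest(info, "jdoe", "Correct-Horse-42!")
	if err != nil {
		panic(err)
	}
	body, _ := json.Marshal(req)
	fmt.Println(string(body)) // the JSON body to POST to /set-password
}
```

POST the printed body to /set-password with the same token you used for Query Password Info, keep the requestId from the response, and poll Get Password Change Request Status until state leaves IN_PROGRESS. The padding is PKCS#1 v1.5 because that is what the page's Java code uses and what the service has to decrypt with; do not swap in OAEP on the client side. Never log or persist the plaintext password; the encryptedPassword value is safe to include in request logs, the password itself is not.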

Request

Body

required
    identityId string

    The identity ID that requested the password change

    encryptedPassword string

    The RSA encrypted password

    publicKeyId string

    The encryption key ID

    accountId string

    Account ID of the account. This is specified per account schema in the source configuration and is used to distinguish accounts. More info can be found here: https://community.sailpoint.com/t5/IdentityNow-Connectors/How-do-I-designate-an-account-attribute-as-the-Account-ID-for-a/ta-p/80350

    sourceId string

    The ID of the source for which identity is requesting the password change

Responses

Reference to the password change.

Schema
    requestId string nullable

    The password change request ID

    state string

    Possible values: [IN_PROGRESS, FINISHED, FAILED]

    Password change state
