Password sync
Using this feature, you can synchronize:
- Passwords via the real-time password synchronizer.
- Passwords via custom scripts.
Password Synchronizer
Under Password Synchronizer, you can:
- Automate password synchronization with users' linked accounts after the performed self-service action (password reset or password change) is reflected in AD.
- Automate the unlocking of accounts for users' linked accounts after the performed unlock action is reflected in AD.
- Force password synchronization with users' linked accounts. In this mode, users cannot deselect any of their linked accounts during password synchronization.
- Enable users to exempt their AD account from password synchronization.
Example: Say users want to maintain separate passwords for their Windows and non-Windows accounts; with this option, the administrator can enable users to deselect AD from the list of accounts available for password synchronization. They will be able to reset the passwords of their non-Windows account (Google apps accounts, Microsoft 365 accounts, etc.) without affecting their Windows password.
- Allow users to select the required linked accounts for password synchronization by having the accounts deselected by default while performing self-service actions (password reset, account unlock, and password change).
- Check the box next to Hide the Application tab when automatic account-linking option is enabled to remove the Application tab from a user's self-service portal. The tab is hidden only when that user has no access to any enterprise application for SSO and account linking is enabled for password synchronization.
Post Action
Under Post Action, you can:
- Synchronize users' passwords with other providers by running a custom script.
- Synchronize account lockout statuses with other providers by running a custom script.
Important security considerations
The steps mentioned below must be adhered to while implementing custom scripts:
- The script file must be placed directly inside the [Installation_Directory]/Scripts folder. References to subfolders are not allowed.
- The script command must only contain the filename and arguments.
- The first argument must be a filename with its extension. Only VBScript (.vbs) and PowerShell script (.ps1) are allowed.
- The use of '..' is restricted in the script command.
- Arguments passed to the script will be encoded in Base64 to prevent command injection attacks.
Decoding Arguments
Insufficient validation of command-line input allows a threat actor to execute arbitrary commands on the host operating system. To protect users from these attacks, all arguments to the script are encoded in Base64. The script must decode these arguments before using them.
Note: To facilitate the above, the scripts folder comes with two files - sample-base64.vbs and sample-base64.ps1. These files contain sample code to decode from Base64.
Decoding Base64 in VBScript:
A helper file present in [Installation Directory]/Scripts/utils/Base64Decoder.vbs contains the Base64Decode function. You can use this function in your scripts to decode Base64 values.
- Import the Base64Decoder.vbs file into your script.
- Pass the encoded value to the Base64Decode function. The function will decode the value and return the UTF-8 string.
Decoding Base64 in VBScript
Include("utils\Base64Decoder.vbs")
' Open (or create) the log file in append mode; 8 = ForAppending, True = create if missing
Dim fso, f, decodedArg
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("sample-base64-test.txt", 8, True)
For Each arg In WScript.Arguments
    ' Each argument arrives Base64-encoded; Base64Decode returns the UTF-8 string
    decodedArg = Base64Decode(arg)
    f.WriteLine("Before decoding: " & arg)
    f.WriteLine("After decoding: " & decodedArg)
Next
f.Close
Decoding Base64 in PowerShell script:
- Pass the encoded string to the [System.Convert]::FromBase64String method. This returns the decoded value as a byte array.
- Pass the byte array to the [System.Text.Encoding]::UTF8.GetString method. This converts the byte array into a UTF-8 string.
Decoding Base64 in PowerShell script
# $args holds the Base64-encoded arguments passed by the product
foreach ($arg in $args) {
    # FromBase64String yields bytes; UTF8.GetString turns them back into text
    $decodedArg = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($arg))
    Add-Content -Path sample-base64-test.txt -Value "Before decoding: $arg"
    Add-Content -Path sample-base64-test.txt -Value "After decoding: $decodedArg"
}
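The following is an added example, not the product's sample-base64.ps1, showing how a custom post-action script can apply the security considerations listed above: it decodes each Base64 argument, rejects anything that is not valid Base64 instead of guessing (FromBase64String throws a FormatException on malformed input), and keeps the decoded values as data rather than splicing them into a command string. The argument layout (user name followed by the new password) and the provider call are assumptions for this example only; check the product documentation for the real argument order. The constructed sample password contains shell metacharacters and a non-ASCII character to show that they survive the round trip unchanged.

```powershell
# Added example: post-action script skeleton that decodes Base64 arguments safely.
# Argument layout (user, password) is an assumption for this example.

function ConvertFrom-Base64Arg {
    param([Parameter(Mandatory)][string]$Encoded)
    try {
        $bytes = [System.Convert]::FromBase64String($Encoded)
    } catch [System.FormatException] {
        # Malformed or tampered argument: refuse it rather than pass a guess onward.
        throw "Argument is not valid Base64: '$Encoded'"
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

function ConvertTo-Base64Arg {
    # Mirror of the product-side encoding, used here only to build sample input.
    param([Parameter(Mandatory)][string]$Plain)
    return [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Plain))
}

# Constructed sample input standing in for what the product would pass.
$constructedUser     = 'jdoe'
$constructedPassword = 'P@ss;word & whoami | é'
$sampleArgs = @(
    (ConvertTo-Base64Arg $constructedUser),
    (ConvertTo-Base64Arg $constructedPassword)
)

# Use the product-supplied arguments when present; fall back to the sample when run by hand.
$incoming = if ($args.Count -gt 0) { $args } else { $sampleArgs }

if ($incoming.Count -ne 2) {
    Write-Error "Expected 2 arguments (user, password), got $($incoming.Count)"
    exit 1
}

$user     = ConvertFrom-Base64Arg $incoming[0]
$password = ConvertFrom-Base64Arg $incoming[1]

# Keep decoded values as parameter values. Never build a command string from them
# for Invoke-Expression or cmd.exe; that is exactly the path the encoding closes.
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($user, $securePassword)

# Hypothetical provider call (placeholder): hand $credential to the provider cmdlet or
# REST client as an object. Log only non-secret facts, never the decoded password.
Write-Output "Decoded user '$($credential.UserName)' ($($password.Length)-character password)"
```

Two practical points follow from this layout. First, the product's own sample writes the decoded argument to a text file, which is fine for verifying the decoding step but must not survive into a production script, since that file would contain cleartext passwords. Second, a decoding failure should abort the script with a clear error rather than continue, so that an unexpected argument shape is noticed in the product's logs instead of silently producing a wrong password update at the other provider.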