Systems with single password

A system with a single password, known in CzechIdM as a uniform password, greatly simplifies login and password changes for standard users across all systems managed by CzechIdM. Combined with password synchronization, standard users change their password only on their local workstation; everything else, such as validating the password and provisioning it to the other systems, is handled by CzechIdM.

Passwords can be synchronized and then distributed to all connected systems defined in the uniform password system.

The pictures below show the password change form in a CzechIdM instance without a uniform password system configured (left) and in one with a uniform password configured (right). On the right there are only two options, defined by the administrator in the uniform password agenda. The labels are easy to understand for a standard user who only wants to change a password and knows nothing about the company's internal systems.

Password synchronization from Active Directory is a simple example of the best combination of password synchronization and a uniform password system.

The left side shows the process in IdM that uses password synchronization together with a uniform password:

  • The process that synchronizes the password is highlighted in green. It sends the password to IdM,
  • the process inside IdM, including password synchronization itself and the uniform password behaviour, is highlighted in blue. It receives the password request from the system, prepares a new password request and distributes it to all other systems, including IdM itself,
  • the process highlighted in orange is password provisioning to the systems connected to IdM.

As an example, suppose the following systems exist in IdM:

  • First Active Directory,
  • Second Active Directory,
  • Open Ldap,
  • Card System,
  • Table system.

In our example the user wants to change a password and has accounts only in these systems: First Active Directory, Open Ldap and Card System.

The user initiates the password change on their own workstation and the password synchronization feature sends the password to IdM. IdM validates the password against the password policies of every system where the user has an account. In our case the password is validated only against the password policies of First Active Directory, Open Ldap and Card System.

Even though the uniform password definition lists more systems, the password is validated only against the policies of the systems in the user's account set.

The password change itself behaves the same way as validation: the password is changed on every system where the user has an account.

A standard password change allows selecting the option to change the password through IdM itself. This option is also available with a uniform password; it is enabled by the checkbox Change password through IdM on the uniform password detail.

Changing the password through IdM has some advantages over the other systems:

  • old passwords are checked for a match against the history,
  • login is blocked after the limit of unsuccessful login attempts is exceeded.
If the administrator wants passwords validated against the history records, CzechIdM must be set as one of the connected systems using the checkbox.
Passwords in IdM are never stored in plaintext; stored passwords are hashed with bcrypt.
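The account-set rule from the example above (validate and provision only for systems where the user has an account, even when the uniform password definition lists more) and the effect of the Change password through IdM checkbox, as an added illustrative model. This is constructed example code, not CzechIdM's own API; the system names come from the page, while the policy rules and function names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the uniform-password flow described on this page; the
# names and policy rules are illustrative, not CzechIdM's own API.
IDM = "CzechIdM"  # included as a target only when "Change password through IdM" is checked

@dataclass
class PasswordPolicy:
    min_length: int = 0
    require_digit: bool = False

    def violations(self, password: str) -> list[str]:
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length}")
        if self.require_digit and not any(c.isdigit() for c in password):
            errors.append("no digit")
        return errors

# Each connected system has its own password policy (constructed values).
SYSTEM_POLICIES = {
    "First Active Directory": PasswordPolicy(min_length=8, require_digit=True),
    "Second Active Directory": PasswordPolicy(min_length=14),
    "Open Ldap": PasswordPolicy(min_length=6),
    "Card System": PasswordPolicy(min_length=4, require_digit=True),
    "Table system": PasswordPolicy(min_length=12),
    IDM: PasswordPolicy(min_length=8),
}

def target_systems(uniform_systems, user_accounts, through_idm=False):
    """Systems the password is validated for and provisioned to: only those in
    the uniform definition where the user actually has an account."""
    targets = [s for s in uniform_systems if s in user_accounts]
    if through_idm:
        targets.append(IDM)
    return targets

def change_password(password, uniform_systems, user_accounts, through_idm=False):
    """Return (provisioned_systems, violations). The password is provisioned to
    every target only if it passes every target's policy; one failure blocks all."""
    targets = target_systems(uniform_systems, user_accounts, through_idm)
    violations = {s: e for s in targets if (e := SYSTEM_POLICIES[s].violations(password))}
    return ([] if violations else targets), violations

if __name__ == "__main__":
    uniform = list(SYSTEM_POLICIES)[:-1]           # all five connected systems
    accounts = {"First Active Directory", "Open Ldap", "Card System"}
    print(change_password("Spring2024", uniform, accounts))
    print(change_password("short", uniform, accounts))
```

Note that "Spring2024" is accepted although Second Active Directory would require 14 characters: that policy is not applied because the user has no account there.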
by kopro