How to Administer Password Synchronization
You can administer Password Synchronization through either the MMC Snap-In or the command line.
The MMC Snap-In displays a list of adapters and their properties. You can right-click an adapter and use the menu to perform the following commands:
Create adapters
Set properties
Update
Delete
Enable
Disable
Add applications to an adapter
Delete applications from an adapter
Reset notification
Add an adapter to an adapter group
Delete an adapter from an adapter group
You can also use the SSOPS command line utility to administer your password synchronization. Most of the commands in this section are intended for use by an administrator only.
For many commands, the command output is displayed on the screen in two columns. Because certain screen settings may cause truncation of data, for best results you should change the screen buffer size/window size to 120 characters.
The SSOPS commands are listed in the following table. Procedures and further explanation are located throughout the rest of this topic.
Command | Function |
---|---|
-list | Lists existing adapters |
-display | Displays adapter information |
-create | Creates new adapter(s) |
-setprops | Sets properties for adapter |
-update | Updates existing adapter(s) |
-delete | Deletes an existing adapter |
-enable | Enables adapter |
-disable | Disables adapter |
-addapp | Adds application for adapter |
-deleteapp | Deletes application for adapter |
-reset | Resets notification or damping queues |
-addtogroup | Adds adapter to adapter group |
-deletefromgroup | Deletes adapter from adapter group |
To list existing adapters
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -list and press Enter.
Adapters and descriptions will be listed. (E) denotes that the adapter is enabled, (D) denotes that it is disabled.
To display adapter information
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -display <adapter name> and press Enter.
The screen output will display information for the specified adapter.
In addition to name, type, description, computer, and accounts, the following information is displayed.
Adapter Flag | Details | Flag | Attribute Name | Default |
---|---|---|---|---|
Adapter enabled | Determines whether or not the adapter is enabled. | SSO_FLAG_ENABLED | enableApp | No |
Allow local accounts | Determines whether or not the App Admin or App Users accounts can be local accounts. | SSO_FLAG_APP_ALLOW_LOCAL | allowLocalAccounts | No |
Receive password changes from adapter | Determines whether or not the adapter is allowed to receive external password changes. | SSO_FLAG_PARTIAL_SYNC_FROM_EXTERNAL_TO_DB | syncFromAdapter | No |
Verify old password | Determines whether the adapter will verify the old password when an external password change is received. If this flag is set, then with an external password change the external adapter must supply the old external password as well as the new external password. The old external password is then compared with the existing external password in the SSO database for that external account. If they match, the password change is accepted. If they do not match, the password change is rejected. | SSO_FLAG_SYNC_VERIFY_EXTERNAL_CREDS | verifyOldPassword | Yes |
Change Windows password | Determines whether or not the Windows password will also be changed when an external password change is received (full sync). ENTSSO always uses the old Windows password stored in the SSO database to change the Windows password to the new value (Windows requires both the old and new password to change a user's password), so this must be initialized before the Windows password change can succeed. If password sync is configured for a particular mapping, then when the external credentials are set via administrative tools (ssomanage or ssoclient -setcredentials) the Windows password stored in the SSO database will also be set. | SSO_FLAG_FULL_SYNC_FROM_EXTERNAL_TO_WINDOWS | changeWindowsPassword | No |
Send Windows password changes to adapter | Determines whether or not Windows password changes will be sent to the external adapter. | SSO_FLAG_FULL_SYNC_FROM_WINDOWS_TO_EXTERNAL | syncToAdapter | No |
Send old password to adapter | If Yes, the old password value (from the SSO database) will be sent to the external adapter as well as the new password value. Some external systems might require both the old and new password values to change the password. | SSO_FLAG_SYNC_PROVIDE_OLD_EXTERNAL_CREDS | sendOldPassword | No |
Allow mapping conflicts | Determines whether or not the adapter will allow mapping conflicts. A mapping conflict occurs when mappings are not unique. In a single SSO Individual application, mappings are always one-to-one: one Windows account is mapped to exactly one external account and vice versa. However, it is possible to assign more than one application to an adapter, so a mapping in one application can conflict with a mapping in another. The purpose of this flag is to prevent this from occurring. It is more secure to not allow mapping conflicts unless there is a specific, well understood requirement for this behavior. | SSO_FLAG_SYNC_ALLOW_MAPPING_CONFLICTS | allowMappingConflicts | No |
The adapter description fields are as follows.
Adapter Description | Details |
---|---|
Notification retry count | Default is 1. |
Notification retry delay (in mins) | Default is 5. |
Maximum pending notifications | Default is 8. |
Store notifications (when offline) | True/False. |
Server name | Server name. |
Port number | Port number. |
Applications for this adapter | List of applications currently assigned to the adapter. |
To create new adapters
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -create <adapter file> and press Enter.
The screen output will display information for the newly created adapter.
To set properties for an adapter
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -setprops <adapter name> and press Enter.
The screen output will display the properties for the specified adapter. You can edit them if necessary, but new values are not validated.
To update existing adapters
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -update <adapter file> and press Enter.
Use this command to update the settings and flags for a specified adapter. Do not use this command to set properties; use the -setprops command for that instead.
To delete an existing adapter
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -delete <adapter name> and press Enter.
The specified adapter will be deleted.
To enable an adapter
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -enable <adapter name> and press Enter.
The specified adapter will be enabled.
To disable an adapter
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -disable <adapter name> and press Enter.
The specified adapter will be disabled.
To add an application to an adapter
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -addapp <adapter name> <application name> and press Enter.
The specified SSO application will be assigned to the specified adapter. This means that the passwords for the mappings in that application will now be synchronized using this adapter.
While multiple applications can be assigned to one adapter, any given application can only be assigned to one adapter.
To delete an application from an adapter
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -deleteapp <application name> and press Enter.
The specified SSO application will be removed from an adapter. (Since an application can only be assigned to one adapter, it is not necessary to specify the adapter name.)
To reset notification
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -reset <adapter name | all | damping> and press Enter.
This command clears the damping table and/or notification queues for a single adapter or all adapters, as specified. The damping table stores a 10-minute history of password changes. Before the Enterprise SSO system accepts or sends a password change, it checks the damping table to see if it has performed the same change recently. If it has, the new change is discarded.
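To make the screening described above concrete, here is an added Python model (not ENTSSO code; the Adapter, SsoStore and screen_external_change names are assumptions) of how an incoming external password change is checked against the 10-minute damping table and against the syncFromAdapter, verifyOldPassword and changeWindowsPassword flags from the adapter flag table earlier in this topic:

```python
import hashlib
from dataclasses import dataclass, field

DAMPING_WINDOW_SECS = 10 * 60  # the damping table keeps a 10-minute history of changes


@dataclass
class Adapter:
    # Field names follow the attribute names in the adapter flag table.
    name: str
    enableApp: bool = False
    syncFromAdapter: bool = False
    verifyOldPassword: bool = True        # the only flag whose default is Yes
    changeWindowsPassword: bool = False


@dataclass
class SsoStore:
    """Constructed stand-in for the SSO database (hypothetical, not ENTSSO's schema)."""
    external_passwords: dict = field(default_factory=dict)  # external account -> password
    damping: dict = field(default_factory=dict)             # change digest -> time seen


def _change_digest(account, new_pw):
    # Record the change in the damping table as a digest rather than the cleartext value.
    return hashlib.sha256(f"{account}\0{new_pw}".encode()).hexdigest()


def screen_external_change(adapter, store, account, old_pw, new_pw, now):
    """Decide what ENTSSO would do with an external password change for `account`.
    Returns (decision, reason); decision is 'discarded', 'rejected' or 'accepted'."""
    if not adapter.enableApp or not adapter.syncFromAdapter:
        return "rejected", "adapter disabled or syncFromAdapter=No"
    # Damping check comes first: a change already performed in the last 10 minutes is dropped,
    # which is what stops a change echoed back by the external system from looping forever.
    digest = _change_digest(account, new_pw)
    seen = store.damping.get(digest)
    if seen is not None and now - seen < DAMPING_WINDOW_SECS:
        return "discarded", "same change already performed within the damping window"
    # verifyOldPassword=Yes: the adapter must supply the old external password and it must
    # match the external password held in the SSO database for that account.
    if adapter.verifyOldPassword:
        if old_pw is None:
            return "rejected", "verifyOldPassword=Yes but no old password was supplied"
        if old_pw != store.external_passwords.get(account):
            return "rejected", "old password does not match the SSO database"
    store.damping[digest] = now
    store.external_passwords[account] = new_pw
    if adapter.changeWindowsPassword:
        return "accepted", "SSO database updated and Windows password changed (full sync)"
    return "accepted", "SSO database updated only (partial sync)"
```

Running the same accepted change through again inside the window shows it discarded by the damping table, while the same change after the window is rejected by the old-password check because the stored external password has already moved on.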
To add an adapter to an adapter group
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -addtogroup <adapter name> <adapter group> and press Enter.
This command adds the specified adapter to the specified adapter group. While an adapter can belong to only one adapter group, an adapter group can contain multiple adapters.
To delete an adapter from an adapter group
On the Start menu, click Run.
In the Run dialog box, type cmd, and then click OK.
At the command line, go to the Enterprise Single Sign-On installation directory. The default is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssops -deletefromgroup <adapter name> <adapter group> and press Enter.
This command deletes the specified adapter from the specified adapter group.