Hello,
We have implemented IDM since july 2013.
For password policy, we have both SSO and password synchronization for about 5000 users without using Active Directory with IDM
We are facing big issues with password policy processes.
- Although end users have access to SSO, they prefer using SAPLOGON client
- Password provisionning works only from IDM to SAP, meaning that in case you change a password from a sap backend, then a used has more than one password.
Let's take an example: a CRM user conects to a https url to view the client catalog, he jumps to IDM because of SSO with SAML2 redirection.
then he arrives at IDM authentification page. Now, he needs to change his password (expiration after n days). then he changes he password in IDM homepage.
Now, local UME has a different password from IDM, because this change password information cannot reach IDM database.
So, let's say that IDM make it possible to synchronize SAP passwords.: if you use an IDM password reset task that everybody could access.... In reality there is no way to apply it, because you cannot ask your 5000 end users "not to change your password when a popup is asking for it" but go to specific url.
I guess other companies have implemented password synchronization without AD, and I would really appreciate your feedbacks and how you make it possible.
Esther