The Self-Service Password Reset has got to be one of the most used features of RES ONE Identity Director (previously RES ONE Service Store/RES IT Store). It allows a user to reset his/her Active Directory user account password without assistance from the IT organization. This is possible on a 24/7 basis, so even in the evening or the weekends the user can use this service.
While this is a very useful service, you should think about the security implications. Since the user apparently cannot log in, he/she should be able to open the RES ONE Identity Director site from an untrusted network like the internet. But this implies that anyone with internet access could change the password of a user account, as long as the username is known (or guessed). So how do you verify that the user requesting the service is actually the user in question?
Picture the following setting: A rainy Sunday afternoon. You need to prepare some presentation slides for a sales pitch the following day. You are working from home and are logged in on the company’s virtual desktop (running Citrix XenDesktop). Everything is fine and you are almost done. Suddenly the screen freezes, everything is locked and you are unable to continue your preparation. You disconnect your session and try a reconnect, which is not successful.
Sadly the support desk is only available during business hours.
What should you do? A. Cry B. Scream C. Start all over again on your local machine D. All of the above
Now this is a pretty specific setting, but a customer regularly had similar issues: users working at the weekend needed to contact an administrator just to log off their session. How can you solve this with RES ONE Service Store?
Everyone is familiar with the single sign on (SSO) principle (assumption, yes, I know). You log in to your machine and are authenticated. Now when you log in to a subsequent application (regular or web-based) single sign on functionality (if the application in question supports it) provides the credentials of your desktop session automatically to the application. This ensures a smooth experience for the user and a higher level of productivity.
While most software is able to directly use accounts from Microsoft Active Directory or another directory service, IT Store is a bit different. It uses its own list of users which in turn can originate from a couple of different sources.
These sources are CSV files, ODBC data sources and Microsoft Active Directory. IT Store reads the information from the source and creates its users from it. While IT Store calls this synchronization, it really has more in common with a database query (but be honest, synchronization sounds way cooler).