Password synchronizer

ADSelfService Plus' password sync feature helps synchronize users' AD passwords across their enterprise systems and apps in real time, as well as unlock the users' linked accounts.

When users change their passwords using the self-service portal, the new password can be automatically synced to their respective linked accounts. You can fine-tune this setting by either enforcing password synchronization for all the users' connected apps, or letting the user choose which apps to sync passwords for. Learn more

Note: Password resets or changes, and account unlocks by users done via ADSelfService Plus can be synced across their connected applications using these settings. However, if a user changes their AD password from their machine's native GUI (Ctrl+Alt+Del) screen, or an admin changes a user's password using the ADUC console on a domain controller (DC), the password sync agent must be installed on all the DCs in the domain to synchronize that password to ADSelfService Plus, and subsequently synchronize the password across the user's connected apps. It also unlocks the users' linked apps.

Password synchronization can be achieved using,

1. The real-time password synchronizer.
2. Custom scripts.

Password sync settings

Log into the ADSelfService Plus portal with admin credentials and navigate to Configuration > Self-Service > Policy Configuration > Advanced > Password Sync.

• Synchronize only when the reset/change password operation is successful in Active Directory: This option automates the synchronization of passwords with users' linked accounts once their self-service action (password reset or password change) is completed and reflected in AD.
• Synchronize only when the unlock operation is successful in Active Directory: This option automates the process of unlocking accounts for the users' linked accounts once the unlock action is updated in AD.
• Unlock linked accounts automatically when the reset operation is successful: This feature automatically unlocks users' linked accounts for which the password is reset successfully.
• Force reset/password change/unlock operations across all linked accounts: Choosing this will enforce password synchronization across all the users' connected apps or unlock all the users' linked accounts. Users will not be able to choose specific accounts during self-service actions.
• Allow users to deselect Active Directory during reset/password change/unlock operations: Selecting this will enable users to exempt their AD account from password synchronization.

Example: Suppose users want to maintain separate passwords for their Windows and non-Windows accounts. By selecting this option, the administrator can enable users to deselect AD from the list of accounts available for password synchronization. They will be able to reset the passwords of their non-Windows account (Google apps accounts, Microsoft 365 accounts, etc.) without affecting their Windows password.

• Keep all linked accounts deselected by default during reset/unlock/password change operations: This option allows users to select the linked accounts for which to synchronize passwords, by keeping the password synchronization option deselected by default for all the users' linked accounts during self-service actions such as password resets, account unlocks, and password changes.
• Hide the Application tab when the automatic account-linking option is enabled: Enabling this option will hide the Application tab in the user's self-service portal. This is done when the user has no access to any enterprise application for SSO, and account-linking is automatically enforced for password synchronization.

Password sync using post-action scripts

• Run custom script to synchronize password with other providers: You can use this option to synchronize users' passwords with other providers by running a custom script.
• Run custom script to synchronize account lockout status with other providers: You can use this option to synchronize account lockout statuses with other providers by running a custom script.

Note:You will need to upload your script file to the [ADSelfServicePlus_InstallationDirectory]/Scripts folder. Upon selecting either of the options under Post Action, a text box for the Script Command pops up, where you must mention the filename and the arguments to be passed to the script. The arguments will be encoded in Base64.

Important security considerations

The steps mentioned below must be adhered to while implementing custom scripts:

• The script file must be placed inside the [Installation_Directory]/Scripts. References to subfolders are not allowed.
• The script command must only contain the filename and arguments.
• The first argument must be a filename with its extension. Only VBScript (.vbs) and PowerShell script (.ps1) are allowed.
• The use of '..' is restricted in the script command.
• Arguments passed to the script will be encoded in Base64 to prevent command injection attacks.

Decoding Arguments

Insufficient input validation of command line commands allows a threat actor to execute arbitrary commands on the host operating system. To protect users from these attacks, all arguments to the script will be encoded in Base64. These arguments should be decoded in the script before they are executed.

Note: facilitate the above, the scripts folder comes with two files - sample-base64.vbs and sample-base64.ps1. These files contain sample code to decode from Base64.

Decoding Base64 in VBScript:

A helper file present in [Installation Directory]/Scripts/utils/Base64Decoder.vbs contains the Base64Decode function. You can utilize this function in your scripts to decode Base64 value.

• Import the Base64Decoder.vbs file into your script.
• Pass the encoded value to the Base64Decode function. The function will decode the value and return the UTF-8 string.

Include("utils\Base64Decoder.vbs")
For Each arg In WScript.Arguments
   	Dim decodedArg
   	decodedArg = Base64Decode(arg)
   	f.WriteLine("Before decoding: " + arg)
   	f.WriteLine("After decoding: " + decodedArg)
Next

Decoding Base64 in PowerShell script:

• Pass the encoded string to the [System.Convert]::FromBase64String function. This will return the decoded value as a byte array.
• Pass the byte array to the [System.Text.Encoding]::UTF-8.GetString function. This will convert the byte array into an UTF-8 string.

foreach ($arg in $args) {
	$decodedArg = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($arg))
   	Add-Content -Path sample-base64-test.txt -Value "Before decoding: $arg"
	Add-Content -Path sample-base64-test.txt -Value "After decoding: $decodedArg"
}