
Integration between IdM and SAP netweaver Enterprise portal

Former Member
0 Kudos

Hi

We are doing integration between SAP IdM 7.2 and EP version 7.3 with ADLDS as back end. As of now we have established the connection with ADLDS and are done with the provisioning/deprovisioning/modify flow.

1. We foresee a few challenges with password management for EP:

Currently we have it like below

Retention time PW in ADLDS : 90 days (After that password gets expired as per domain policy)

Retention time PW in EP: less than 90 days (so that when EP knows about the user's last PW change, it will force the user to change before it gets triggered in ADLDS)

This is because password expiration in EP and ADLDS are not in sync.

A few solutions are discussed in this link

So is it a good idea to have a password reset link on the login page of the portal? As of now we are considering EP as the master for password expiry, but after integration I think it will be ADLDS, say by considering the scenario below.

For a new user provisioned to ADLDS the password becomes productive so that the user can log on to EP straight away. Now his 'Date of Last Password Change' will be empty so his password will never get expired in EP (assumption). So going forward ADLDS password expiry would be considered as master. Maybe we can have some job to send account expiry notification to the end user by reading corresponding values from ADLDS.

2. There is an AS Java LDAP connector available. I understand that it is basically used for non-LDAP role or group assignments. I wonder why a repository constant called 'BACKEND_REPOSITORYNAME' is actually present. Is it used anywhere in the standard provisioning framework? We have IdM 7.2 SP7. I don't find a relation anywhere.

It is also discussed in the link

Matt has pointed to the landscape guide https://scn.sap.com/docs/DOC-26538, but now it is updated with new links. I had a quick look at it but am not sure what the logic behind that constant is.

Thanks,

Karthik
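
The expiry notification job suggested in the question above, sketched as an added example that is not part of the original thread or of SAP IdM. It assumes the job reads the `pwdLastSet` and `msDS-UserDontExpirePassword` attributes from ADLDS, applies the 90-day retention time stated in the post, and warns 14 days ahead (an assumed value); the LDAP query itself is left out and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100-ns ticks from here
MAX_PW_AGE = timedelta(days=90)     # ADLDS retention time stated in the post
NOTIFY_WINDOW = timedelta(days=14)  # assumption: how early the job warns users

def filetime_to_dt(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime (integer math, no float loss)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample data."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def classify(entry, now):
    """Return (status, expiry) for one entry given as a dict of attribute values."""
    if str(entry.get("msDS-UserDontExpirePassword", "FALSE")).upper() == "TRUE":
        return "never_expires", None
    ticks = int(entry.get("pwdLastSet", 0))
    if ticks == 0:  # 0 means the user must change the password at next logon
        return "must_change", None
    expiry = filetime_to_dt(ticks) + MAX_PW_AGE
    if expiry <= now:
        return "expired", expiry
    if expiry - now <= NOTIFY_WINDOW:
        return "notify", expiry
    return "ok", expiry

def users_to_notify(entries, now):
    """List (cn, expiry date) for every user whose password expires within the window."""
    out = []
    for e in entries:
        status, expiry = classify(e, now)
        if status == "notify":
            out.append((e["cn"], expiry.date().isoformat()))
    return out

# Constructed sample entries; a real job would read these from ADLDS over LDAP.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"cn": "alice", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=80))},
    {"cn": "bob", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=30))},
    {"cn": "carol", "pwdLastSet": 0},
    {"cn": "dave", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=100))},
    {"cn": "svc", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=200)),
     "msDS-UserDontExpirePassword": "TRUE"},
]

if __name__ == "__main__":
    print(users_to_notify(SAMPLE, NOW))
```

Accounts reported as `must_change` or `never_expires` have no computed expiry date, so the job should report them separately instead of silently skipping them.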

Accepted Solutions (1)


ChrisPS
Contributor
0 Kudos

Hi Karthik,

just to address the BACKEND_REPOSITORYNAME value ->

The intended usage of this scenario/use case is like described in

1.) Run LDAP (SUNONE/ADS) - Initial Load for your LDAP server:
user/group assignments are read into IdM

2.) Run AS Java(LDAP) Initial Load: Read UME local users/groups, Portal
roles, UME roles

Running the 2.) Job you need to specify variable BACKEND_REPOSITORYNAME
which refers to the repository name specified in Job 1.)

hope this explains a little further.

Regards,

Chris


Former Member
0 Kudos

Thanks Chris for confirmation.

So BACKEND_REPOSITORYNAME constant is used during the initial load job scenarios only and is nowhere used in standard provisioning framework folder or plugins.

ChrisPS
Contributor
0 Kudos

Hi - yes, that's correct - this is a repository constant, as far as I remember, used by the job.

Answers (0)