Each enterprise identity management and access governance system, irrespective of its features, must support login ID reconciliation. Users have login accounts and other records on a number of systems and these have to be attached to a single profile, in order to create a user-centric identity system. The process of attaching non-standard login IDs and other user identifiers to a profile is called login ID reconciliation.
Xpress Password supports multiple options for login ID reconciliation, as follows:
- Automatically, typically by matching consistent login IDs.
- By matching other attributes such as an SSN or employee ID, where they are available.
- Using a self-service reconciliation process.
When self-service login ID reconciliation is required, it works as follows:
- Users are automatically invited to finish their profiles – for example via an e-mail with an embedded URL.
- Users log into the registration system, using a main login ID and passcode or other types of credentials.
- Users are asked to type their target application ID/password pairs. Each provided ID/password pair is compared against an automatically maintained inventory of login IDs drawn from target systems, to find instances where the user-entered login ID exists on a system but does not yet belong to a known user profile. Xpress Password then attempts to sign into that system with the user-entered password. If the login attempt succeeds, the user's profile is updated with the system ID and the user-entered login ID.
Self-service reconciliation is inexpensive (about 5 minutes per user), dependable, fully automated (users are reminded to enroll until they actually do) and very safe.
Note that attempts to reconcile login IDs by matching attributes of user profiles to target systems are frequently costly and/or insecure, especially when combined with a passcode management system:
- The only attribute that is commonly available on every system is a user’s full name. This may be inconsistent across systems and in many large organizations multiple users share the same full name and sometimes the same location.
- Failure to automatically correlate an account leads to manual, administrative reconciliation, which is expensive.
- Incorrect ID mapping allows one user to set another user’s passcode, which is a serious breach of security.
Where self-service login ID reconciliation is required, the process is both inexpensive (25,000 users spending 5 minutes each costs nothing, while one consultant spending weeks or months is expensive) and error-free (since IDs are claimed with a validated password).
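The following is an added example, not Xpress Password's code, that models both reconciliation approaches described above: an attribute-based pass that auto-links an account only when a full name matches exactly one profile and exactly one account (everything else goes to manual review, which is the cost and ambiguity problem noted above), and a self-service claim that links a login ID to a profile only after the user-supplied password has been verified against the target system. The target systems, account lists, names and passwords are constructed sample data, and the hypothetical `try_target_login` function is a stand-in for a real sign-in attempt against the target.

```python
"""Login ID reconciliation: attribute matching vs. self-service claim (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample data: accounts on each target system, with the one attribute
# that is reliably present everywhere, a full name. Two different people share
# the name "John Smith" on hr-portal.
TARGET_ACCOUNTS: Dict[str, List[Tuple[str, str]]] = {
    "hr-portal": [("jsmith", "John Smith"), ("jsmith2", "John Smith"), ("mlee", "Mary Lee")],
}

# Constructed stand-in for the target systems' own authentication. A real
# implementation would perform an actual login/bind against the target system.
_TARGET_PASSWORDS: Dict[Tuple[str, str], str] = {
    ("hr-portal", "jsmith"): "s3cret-one",
    ("hr-portal", "jsmith2"): "s3cret-two",
    ("hr-portal", "mlee"): "s3cret-three",
}


def try_target_login(system: str, login_id: str, password: str) -> bool:
    """Hypothetical sign-in attempt; returns True only if the password is correct."""
    return _TARGET_PASSWORDS.get((system, login_id)) == password


@dataclass
class Profile:
    profile_id: str
    full_name: str
    linked: Dict[str, str] = field(default_factory=dict)  # target system -> login ID


def build_orphan_inventory(accounts: Dict[str, List[Tuple[str, str]]],
                           profiles: List[Profile]) -> Dict[str, Set[str]]:
    """Login IDs that exist on a target system but are not attached to any profile."""
    claimed = {(system, login_id) for p in profiles for system, login_id in p.linked.items()}
    return {system: {login_id for login_id, _ in accs if (system, login_id) not in claimed}
            for system, accs in accounts.items()}


def claim_login_id(profile: Profile, system: str, login_id: str, password: str,
                   inventory: Dict[str, Set[str]],
                   login_fn: Callable[[str, str, str], bool] = try_target_login) -> str:
    """Self-service claim: link only an orphan ID, and only after the password verifies.

    Returns one of "linked", "not_orphan", "auth_failed", "unknown_system".
    A production implementation should also throttle and log failed claims.
    """
    orphans = inventory.get(system)
    if orphans is None:
        return "unknown_system"
    if login_id not in orphans:
        return "not_orphan"      # already attached to a profile, or does not exist
    if not login_fn(system, login_id, password):
        return "auth_failed"     # an unverified claim must never create a link
    profile.linked[system] = login_id
    orphans.discard(login_id)    # an ID can be claimed only once
    return "linked"


def correlate_by_full_name(profiles: List[Profile],
                           accounts: Dict[str, List[Tuple[str, str]]]
                           ) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str]]]:
    """Attribute-based pass: auto-link only unambiguous name matches.

    Returns (auto_links as (profile_id, system, login_id), accounts needing manual review).
    """
    by_name: Dict[str, List[Profile]] = defaultdict(list)
    for p in profiles:
        by_name[p.full_name].append(p)
    auto, review = [], []
    for system, accs in accounts.items():
        name_count: Dict[str, int] = defaultdict(int)
        for _, name in accs:
            name_count[name] += 1
        for login_id, name in accs:
            candidates = by_name.get(name, [])
            # Linking on a shared name would let one user set another user's password.
            if len(candidates) == 1 and name_count[name] == 1:
                auto.append((candidates[0].profile_id, system, login_id))
            else:
                review.append((system, login_id))
    return auto, review


if __name__ == "__main__":
    people = [Profile("u1", "John Smith"), Profile("u2", "John Smith"), Profile("u3", "Mary Lee")]
    print("attribute pass:", correlate_by_full_name(people, TARGET_ACCOUNTS))
    inv = build_orphan_inventory(TARGET_ACCOUNTS, people)
    print("claim with wrong password:", claim_login_id(people[0], "hr-portal", "jsmith", "nope", inv))
    print("claim with right password:", claim_login_id(people[0], "hr-portal", "jsmith", "s3cret-one", inv))
    print("second claim of same ID:", claim_login_id(people[1], "hr-portal", "jsmith", "s3cret-one", inv))
```

Running the module shows the two "John Smith" accounts landing in the manual-review list while "Mary Lee" is linked automatically, and the self-service path refusing both a wrong password and a repeat claim of an ID that has already been attached to a profile.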