Reaching out to see how folks are handling distribution of first-time passwords. Our current process is not the best. The manager receives the email and has to distribute it to the new hire either via phone or email. I was wondering if someone had a more elegant solution.
We built a custom "Account Claiming" application that sits on top of our OUD instance. A new hire must claim their own account by entering 4 pieces of data about themselves (first, last, DOB, last 4 of NID/SSN) that came from our HR system. (The DOB/NID in OUD is secured to only the directory administrators since it is PII.) The user is then presented with their UPN and UID, and proceeds to set up their own password, security challenge questions and MFA choices. From there we sync the password from OUD to AD and Azure AD, and the user is sent to Azure to complete their SSPR/MFA setup. We have had great success with it since its original launch in 2005.
This is awesome, thanks so much for the fast reply! Is OUD your directory? I'm not familiar with that acronym. I'm guessing the HR system syncs with your OUD (either directly or via IDN/IIQ) and that the OUD is the authoritative source for your IDN/IIQ instance?
Oracle Universal Directory (which was our primary LDAP until we shifted to AD for the enterprise). We do not put any private data into AD since too many employees have access to read it.
Our HR system is authoritative for all human records in IDN. IDN then creates the AD and OUD record as birthright.
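The claim flow described in the replies above, as an added example that is not the poster's application or any vendor product. Assumptions, all mine: a constructed two-record HR feed stands in for the HR system; instead of storing DOB and last-4 NID in the directory behind an ACL, this version keeps only a per-identity keyed HMAC of each field, so the claim service never holds the raw PII; tag comparisons are constant-time; five wrong guesses lock the record; the claim token is single-use and expires after CLAIM_TTL seconds; the password policy is a placeholder minimum length. Syncing the resulting password to OUD/AD/Azure AD and the MFA enrolment are out of scope.

```python
"""Account-claiming flow (added example, not the poster's code).

Assumptions: HR_FEED is constructed sample data; DOB and last-4 NID are stored
only as keyed HMAC tags; MAX_ATTEMPTS, CLAIM_TTL and MIN_PASSWORD_LEN are
placeholder policy values, not anything from the thread."""
import hashlib
import hmac
import secrets
import time
import unicodedata

MAX_ATTEMPTS = 5             # wrong guesses before the record is locked (assumed)
CLAIM_TTL = 15 * 60          # seconds a claim token stays valid (assumed)
MIN_PASSWORD_LEN = 12        # placeholder; the real policy comes from the directory

# Constructed sample HR feed; in practice this comes from the HR system.
HR_FEED = [
    {"uid": "jdoe", "upn": "jdoe@example.com", "first": "Jane", "last": "Doe",
     "dob": "1990-04-12", "nid_last4": "1234"},
    {"uid": "rroe", "upn": "rroe@example.com", "first": "Richard", "last": "Roe",
     "dob": "1985-11-02", "nid_last4": "9876"},
]


def normalize(value: str) -> str:
    """Case-fold, strip accents and whitespace so 'Jose ' and 'José' compare equal."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return "".join(folded.split()).casefold()


def pii_tag(secret: bytes, uid: str, value: str) -> bytes:
    """Keyed HMAC of one PII field, bound to the uid so tags are not comparable across users."""
    return hmac.new(secret, f"{uid}|{normalize(value)}".encode(), hashlib.sha256).digest()


class ClaimService:
    def __init__(self, hr_feed, secret: bytes):
        self.secret = secret
        self.by_uid = {}    # uid -> claim state (tags, counters, token)
        self.by_name = {}   # (first, last) -> [uid, ...]; names are not unique
        for r in hr_feed:
            self.by_uid[r["uid"]] = {
                "upn": r["upn"],
                "dob_tag": pii_tag(secret, r["uid"], r["dob"]),
                "nid_tag": pii_tag(secret, r["uid"], r["nid_last4"]),
                "attempts": 0, "claimed": False, "token": None, "expires": 0.0,
            }
            key = (normalize(r["first"]), normalize(r["last"]))
            self.by_name.setdefault(key, []).append(r["uid"])

    def claim(self, first, last, dob, nid_last4, now=None):
        """Step 1: prove identity with the four HR attributes. Returns uid/upn and a
        one-time token on success; None on mismatch, lockout or already-claimed
        (deliberately the same answer, so the caller learns nothing about which)."""
        now = time.time() if now is None else now
        for uid in self.by_name.get((normalize(first), normalize(last)), []):
            rec = self.by_uid[uid]
            if rec["claimed"] or rec["attempts"] >= MAX_ATTEMPTS:
                continue
            # Both tags are computed and compared in constant time; no early exit on the first miss.
            ok_dob = hmac.compare_digest(rec["dob_tag"], pii_tag(self.secret, uid, dob))
            ok_nid = hmac.compare_digest(rec["nid_tag"], pii_tag(self.secret, uid, nid_last4))
            if ok_dob and ok_nid:
                rec["token"] = secrets.token_urlsafe(32)
                rec["expires"] = now + CLAIM_TTL
                return {"uid": uid, "upn": rec["upn"], "token": rec["token"]}
            rec["attempts"] += 1
        return None

    def set_password(self, uid, token, password, now=None):
        """Step 2: consume the token and store the user's own initial password.
        Returns True once the account is claimed; False on any failure."""
        now = time.time() if now is None else now
        rec = self.by_uid.get(uid)
        if rec is None or rec["claimed"] or rec["token"] is None:
            return False
        if now > rec["expires"] or not hmac.compare_digest(rec["token"].encode(), token.encode()):
            return False
        if len(password) < MIN_PASSWORD_LEN:
            return False
        salt = secrets.token_bytes(16)
        rec["pw_hash"] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 210_000))
        rec["claimed"] = True
        rec["token"] = None            # single use; replaying the same token now fails
        return True


if __name__ == "__main__":
    svc = ClaimService(HR_FEED, secrets.token_bytes(32))
    result = svc.claim("jane", "DOE", "1990-04-12", "1234")
    print(result and svc.set_password(result["uid"], result["token"], "correct horse battery staple"))
```

The name lookup is only a routing key; the DOB and last-4 tags are what actually authenticate the claim, and a failed guess burns one of the record's attempts regardless of which field was wrong. The `now` parameter exists so the TTL logic can be exercised deterministically.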
We use a similar approach, <character><NID><special char>, and we set the password a day before the start date. If the user doesn't change the password in 3 days, we reset it. After that, they have to reach out to the help desk to reset their password (the user will be forced to reset their password at next login).
Thank you for the reply! It sounds like you have an algorithm for creating the password for the identity. I just want to make sure I'm understanding. I think we are looking for more of a "claiming" approach.