11-17-2011 05:56 PM
Default password when using SSO and UDM to create user accounts
When a new user logs into RequestCenter (using Single Sign On through our portal) the first time, the User Discovery Module (UDM) automatically creates the user's profile in RequestCenter and sets their password to be the same as their login name.
This means that anyone who has the RequestCenter backdoor URL can log in as anyone they want as long as they know the person's login name (in our case, this is their employee number).
Is there a more secure alternative available that would make the passwords unique for each user?
Thanks,
Scott
RequestCenter version 2006.06
11-17-2011 05:56 PM
I thought you can have a CNFparameter with a default password, and that will be written instead. I could be wrong, though.
11-17-2011 05:56 PM
I've thought about this very same issue. The best idea I could come up with is to apply web server level security (username/password) to the backdoor login page. You could also hardcode the password value to something difficult to guess, but then all "backdoor" passwords would be the same.
11-17-2011 05:56 PM
Any other solutions to this? The ability to log on as someone else is a big security concern.
11-17-2011 05:56 PM
RC2008.3, Service Pack 4, released Friday, Oct 23, includes a new Administration setting that lets you limit backdoor URL access to only those people with the Site Administrator role.
11-17-2011 05:56 PM
The ability to log in as someone else is often the only way to see error messages these users are getting. Maybe it would be a good idea to give the admin a right to switch to a user and to see their requests, etc.