The IAM project focuses on building a new, modern, vendor-supported, cloud-based solution for the Identity database. An administrative portal for managing identities will be built, and all the new data, processes, databases and portals will be able to integrate with other BU systems. As part of the IAM project, a self-service interface is being created so staff, faculty, students, alumni and affiliates can update their own personal information.
Project Communication December 2022
We are sending this message to a large number of individuals, as it is difficult for us to know everyone who may be relying on our QA environment. If you are working with applications that authenticate against the QA versions of Shibboleth (“shib-qa”), Active Directory (“QAD”), or QA applications such as SAP QA or Google QA, you may be impacted by this change.
What is changing?
Account provisioning and password changes in QA will no longer be using Weblogin or MIM and will instead use SailPoint. This will impact how accounts are established and maintained for all applications that use shib-qa or QAD. New accounts will be provisioned using the new SailPoint account claim process.
*If your application is using shib-test (www-test), it is not impacted by this change.
How will I know if I have been impacted?
SailPoint will manage access provisioning in IAM QA using an individual’s affiliation. The affiliation designation is determined by the appropriate system(s) of record for an individual (SAP, SIS, and Affiliate DB). For example, if a person is designated as an active employee in SAP QA, they will continue to retain their account and access. If a person is designated as an inactive employee in SAP QA with no other active affiliations, the account will be disabled.
The most likely scenario is that you will be unable to log into your account in QA and will receive an authentication failed message. If you have simply forgotten your password, the ‘forgot password’ link in shib-qa will redirect you to SailPoint instead of the more familiar Weblogin interface. SailPoint will provide you with a self-service option to change the password. As part of self-service password reset, an identity validation step will require the use of Duo (no need for human interaction!).
Password Resets using SailPoint
Overview
Passwords may need to be reset for a multitude of reasons, especially for immediate/urgent security issues. SailPoint provides a self-service portal that allows clients to change their password at any time using the appropriate identity verification methods.
Prerequisites
To complete this process, you will need a Kerberos account.
Procedure
At the BU login page, click on "Forgot Password/ Forgot Login" on the bottom left:
1. Using select the second option listed (“Reset Forgotten Password”) and click “Next”. Next you will see the SailPoint self-service homepage:
2. SailPoint will prompt for two pieces of input: BU login name (or web account name) and date of birth. Once completed, select “Next”.
3. SailPoint will redirect to the password reset page. The list of criteria is readily available on the password reset screen, and SailPoint will give an error message if a password does not comply with the password policy, advising you to select a new or more complex password. Once a new password has been chosen, select “Submit”.
4. SailPoint will display a confirmation notice, advising the account owner that their password request has been submitted and that they will receive an email once their request is completed.
Account Claim using SailPoint
SOP, 2022-12-09, Template 1.1
Overview
Affiliate accounts are generated for most non-compensated staff members and all guests of the university using the ServiceNow affiliate form (bu.edu/help/tech/requests >> Affiliates). Once SailPoint receives the account creation request, the affiliate receives an email with instructions on how to proceed through account claim. The affiliate will need to navigate through the process of obtaining a pin code to verify their identity and subsequently selecting a password to complete the claiming of their account.
Pre-Requisites
Affiliates must have a compensated Faculty or Staff member submit an affiliate request on their behalf in order to begin the process of generating an account (and thus, account claim).
Procedure
1. An email will be sent by SailPoint when the affiliate account is ready to be claimed. An example of the email sent to the affiliate is: Below the login name, there will be a URL that the affiliate will navigate to in order to claim their affiliate account.
2. Clicking the link provided in the email will direct you to the homepage seen below: To begin the claim process, select the first option (“Claim New/Existing Account”) and click “Next”.
3. SailPoint will ask for input for two questions: personal email address and date of birth. This information MUST match what was submitted by the sponsor upon the submission of the affiliate form. Once you have entered the personal email address and date of birth, select “Next”.
4. Upon the completion of Step 2, an automated email will be sent to the personal email address for the affiliate. This email will contain a one-time pin code that the affiliate will need to enter into the SailPoint webpage. Note: The one-time pin code, as noted on the confirmation screen, is only valid for 30 minutes. The affiliate account can be claimed at any time, but each individual pin lasts for only one use, for a maximum of 30 minutes after the pin was sent. An example of the email containing the one-time pin can be seen below: Once the pin is entered on the SailPoint page, select “Next”.
5. SailPoint will direct affiliates to a page where a new password must be chosen. The list of criteria is readily available to the affiliate on the password reset screen, and SailPoint will give an error message to the affiliate if their password does not comply with the password policy, advising them to select a new or more complex password. Once a password has been entered, select “Complete”.
6. Upon setting a password successfully, SailPoint will display a message letting the affiliate know that their request has been submitted. A secondary email will be sent once it is confirmed that the affiliate is able to use their account (after SailPoint finishes provisioning).
For help, send an email to: ist-iam-ops@bu.edu