Creating the User Used to Connect to Active Directory
Create an Active Directory user with permission to view the users whose Active Directory passwords will be synchronized. This user is needed so that the external ID information used to specify an IIJ ID user can be retrieved from Active Directory.
If also using Directory Sync, the same Active Directory user can be used with both programs. Configure access control as necessary for these Active Directory users.
Creating the IIJ ID User Used to Connect to the IIJ ID Service
Create the IIJ ID user that will be used to send password change requests to the IIJ ID Service. This user must be granted administrator privileges.
Refer to "Adding Users" for more information on creating IIJ ID users and granting administrator privileges.
Do not delete or disable the IIJ ID Service user created for this purpose. If this user is deleted or disabled, the access token will be revoked. If this user is accidentally deleted or disabled, restore or reactivate the user and then issue a new access token.
If also using Directory Sync, the same IIJ ID user can be used with both programs.
Obtaining an Access Token for the Created IIJ ID User
- Log in to IIJ ID Console (https://www.auth.iij.jp/console/) as the user created as described in "Creating the IIJ ID User Used to Connect to the IIJ ID Service."
- Click "Access Token Management" in "My Menu."
- Click "Issue Access Token."
- Enter the "Access token name" and "Expiration date" and then click "Issue."
  Set expiration dates as appropriate for how the access tokens will be used.
- The access token appears. Record the access token and then click "Close."
  Exercise caution regarding the handling of these access tokens.
  - Access tokens can only be viewed right after they have been issued.
  - If you forget the access token, you must revoke the access token and then issue a new one. Password Sync must then be updated with the new access token.
Disabling Ability to Change/Reset IIJ ID User Passwords via Methods Other Than Password Sync
- Log in to IIJ ID Console (https://www.auth.iij.jp/console/) as an administrator.
- Click "System" and then "System Information."
- For "Restrictions on users to whom external ID was set," select the "Do not allow password changes on the console page" radio button and then click "Update."