Preparation

Creating the User Used to Connect to Active Directory

Create an Active Directory user with permission to view the users whose Active Directory passwords will be synchronized. This user is used to retrieve from Active Directory the external ID information that identifies the corresponding IIJ ID user.

[ Reference ]

If also using Directory Sync, the same Active Directory user can be used with both programs. Configure access control as necessary for these Active Directory users.

Creating the IIJ ID User Used to Connect to the IIJ ID Service

Create an IIJ ID user that will be used to send password change requests to the IIJ ID Service. This user must be granted administrator privileges.

Refer to "Adding Users" for more information on creating IIJ ID users and granting administrator privileges.

[ Note ]

Do not delete or disable the IIJ ID Service user created for this purpose. If this user is deleted or disabled, the access token is revoked. If this user is accidentally deleted or disabled, restore or reactivate the user and then issue a new access token.

[ Reference ]

If also using Directory Sync, the same IIJ ID user can be used with both programs.

Obtaining an Access Token for the Created IIJ ID User
  1. Log in to IIJ ID Console (https://www.auth.iij.jp/console/) as the user created as described in "Creating the IIJ ID User Used to Connect to the IIJ ID Service."
  2. Click "Access Token Management" in "My Menu."
  3. Click "Issue Access Token."
  4. Configure "Access token name," "Resource server to use," "Granted scopes," and "Expiration date," and then click "Issue."

    [ Reference ]

    Configure expiration dates as appropriate in accordance with the usage of access tokens.

    Option                  Description
    Access token name       Enter the name of the access token.
    Resource server to use  Select "IIJ ID Service API."
    Granted scopes          Select the following two scopes:
                            • escim_read_users
                            • escim_write_users
    Expiration date         Enter the expiration date of the access token.
                            Expired tokens are revoked and are not displayed in the access token list.
  5. The access token appears. Copy and keep the access token and then click "Close."

    [ Note ]

    Exercise caution regarding the handling of these access tokens.

    [ Reference ]

    • Access tokens can only be viewed right after they have been issued.
    • If you forget the access token, revoke it and issue a new one, and then update Password Sync with the new access token.
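The notes above say the access token is shown only once, must be handled with care, and is revoked once its expiration date passes, so the copy kept for Password Sync is the only copy and it has a lifetime that must be tracked. The following Python script is an added example, not part of the original page and not IIJ's own tooling: it assumes a constructed two-line token record file (token on line 1, expiration date on line 2 in YYYY-MM-DD form), refuses to load the record if the file is readable by anyone other than its owner, redacts the token for log output, and reports how close the token is to expiring so it can be reissued before Password Sync silently stops working. The token value it writes is a placeholder, not a real IIJ ID access token.

```python
import datetime as dt
import os
import stat
import tempfile
from pathlib import Path

# Constructed record (assumption, not an IIJ file format): line 1 holds the
# access token, line 2 the expiration date entered when the token was issued.
SAMPLE_RECORD = "EXAMPLE-TOKEN-PLACEHOLDER-0123456789\n2030-12-31\n"


def write_token_record(path, record=SAMPLE_RECORD):
    """Create the record with mode 0600 so only the owner can read the token."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # apply explicitly in case the umask widened it
        os.write(fd, record.encode())
    finally:
        os.close(fd)


def check_token_file_permissions(path):
    """True if the file grants no group or world access (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def redact(token):
    """Keep only the last four characters; use this form in any log line."""
    if len(token) <= 4:
        return "****"
    return "*" * (len(token) - 4) + token[-4:]


def load_token_record(path):
    """Return (token, expiration date), refusing over-permissive files."""
    p = Path(path)
    if not check_token_file_permissions(p):
        raise PermissionError(f"{p}: token file must not be group/world accessible")
    lines = p.read_text().splitlines()
    if len(lines) < 2:
        raise ValueError("expected the token on line 1 and the expiration date on line 2")
    token = lines[0].strip()
    expires = dt.date.fromisoformat(lines[1].strip())
    return token, expires


def token_status(expires, today=None, warn_days=14):
    """'expired', 'expiring-soon' (within warn_days) or 'valid'."""
    today = today or dt.date.today()
    remaining = (expires - today).days
    if remaining < 0:
        return "expired"  # IIJ ID revokes expired tokens: reissue and update Password Sync
    if remaining <= warn_days:
        return "expiring-soon"
    return "valid"


def run_demo():
    """Write the sample record to a temp dir, load it, and return the checks."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "password-sync-token.txt")
        write_token_record(path)
        strict_ok = check_token_file_permissions(path)
        token, expires = load_token_record(path)
        os.chmod(path, 0o644)  # simulate a careless copy that became world-readable
        loose_ok = check_token_file_permissions(path)
        return {
            "strict_ok": strict_ok,
            "loose_ok": loose_ok,
            "token": token,
            "redacted": redact(token),
            "expires": expires,
            "status_early": token_status(expires, today=dt.date(2030, 1, 1)),
            "status_soon": token_status(expires, today=dt.date(2030, 12, 20)),
            "status_late": token_status(expires, today=dt.date(2031, 1, 1)),
        }


if __name__ == "__main__":
    result = run_demo()
    print("token:", result["redacted"], "expires:", result["expires"], result["status_early"])
```

Running the script prints only the redacted token. In practice the status check would be scheduled (for example daily) on the host running Password Sync, so that an "expiring-soon" result triggers issuing a replacement token in IIJ ID Console and updating Password Sync before the old one is revoked.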

Disabling the Ability to Change or Reset IIJ ID User Passwords via Methods Other Than Password Sync
  1. Log in to IIJ ID Console (https://www.auth.iij.jp/console/) as an administrator.
  2. Click "System" and then "System Information."
  3. Under "Restrictions on users to whom external ID was set," select "Do not allow password changes on the console page" and then click "Update."