Hi! In Juniper SA it is possible to "enable password management" for realms that use LDAP for authentication. However, if you use certificates for authentication and LDAP only for authorization then it is not possible to enable password management.
In this implementation the user's domain username is got from the certificate UPN field and then the access levels are determined based on the AD group memberships. This means that the AD account is still the key factor in the authentication, and therefore it would be good to be able to warn the user about the password getting old, and to be able to change the password in the SA portal.
Is it possible to somehow use the password management in SA even if the certificate is used for the authentication?
Hmm - the only thing that you might try would be to enable a secondary auth server and then pass the userID from the cert. However this would still require them to at least enter in their AD password. But it might work.
Thanks Kevin for the suggestion. However, when the secondary auth server is added the Enable password management option is still not visible anywhere, so it doesn't work. Apparently it is hard-wired to the primary authentication method.
Password management is not available when using a certificate server as the primary authentication server.
You can raise an enhancement request for the same.