Password Synchronization

SSO doesn't reach every system. Password Sync does.

Modern enterprises run SAP, IBM AS400, Oracle, SSH servers, SQL databases, cloud platforms and CLI tools side by side. SSO covers some. Federated identity covers others. The rest — including your most business-critical legacy systems — sit in a credential silo. MyPass Password Sync closes that gap: one change in AD, every system updated instantly.

  • 83%: Reduction in forgotten passwords per user per year
  • Real-time: Propagation — fires on AD change event, no polling
  • 15+: Supported target platforms out of the box
  • Zero: Extra steps for the end user

The Federation Gap

SSO is great. It just doesn't cover everything.

Single Sign-On solves identity for cloud and modern apps. But the systems that run your factory floor, your ERP, your mainframe, your UNIX servers — they weren't built for SAML or OAuth. They need credentials. And they don't sync themselves.

Where SSO stops
Systems left outside the federation
  • SAP ECC / S/4HANA with local user stores
  • IBM AS400 / iSeries (IBM i) — separate profile database
  • IBM z/OS mainframes (RACF, ACF2, Top Secret)
  • Oracle E-Business Suite database accounts
  • SSH / Linux servers — local PAM accounts
  • SQL Server, MySQL, PostgreSQL database logins
  • Geographically isolated systems with no reliable WAN to IdP
  • Air-gapped or restricted-network environments
  • CLI tooling with embedded credentials
What Password Sync covers
One change propagates everywhere
  • AD password change captured at domain controller — before encryption
  • Forwarded securely via MyPass Gateway to all registered targets
  • Each target system receives credential in its own native format
  • No user intervention, no helpdesk ticket, no waiting
  • Works across WAN, VPN, isolated networks via Gateway relay
  • Geographically distributed — Gateway deployed per region or subnet
  • Retry and queue logic handles offline systems — syncs when they return
  • Ability to select which systems to sync password updates to via SSPR

How It Works

Captured before encryption. Delivered natively.

Different systems store passwords in different encrypted formats — which is why you can't just copy a hash. Password Sync captures the credential at the moment of change, before encryption, and delivers it to each target in the format that system expects.

1. User Changes Password: In AD, via SSPR portal, or on the Windows login screen
2. DC Interceptor Fires: MyPass domain controller extension captures the credential in clear text before AD encryption — the only window it's available in portable form
3. Gateway Routes: Forwarded encrypted to the MyPass Gateway. Gateway resolves target systems for this user and dispatches per-platform credential updates
4. All Systems Updated: SAP, Oracle, IBM, SSH, SQL — each system receives the update in its own native format. Full audit log written. Robert can log in everywhere immediately.

Supported Platforms

Every system in your estate

Covers the legacy stack that SSO can't touch — from mainframes to database logins to cloud consoles.

  • Active Directory (Directory): Primary sync source and target. DC interceptor captures changes event-driven — no polling.
  • Microsoft Entra ID (Directory): Azure AD / Entra ID supported as source or target. Hybrid AD environments fully covered.
  • SAP ECC & S/4HANA (ERP): Dialog and system users. No ABAP development required. Supports Kernel 4.6E onwards and UME/JAVA. Large environments supported with selective scope.
  • IBM AS400 / iSeries (Mainframe): IBM i profile database updated via Gateway connector. No manual intervention, no scheduled job — real-time on change event.
  • IBM z/OS (Mainframe): RACF, ACF2, and Top Secret security managers. Updates mainframe user credentials without requiring operator action.
  • Oracle E-Business Suite (ERP / Database): Oracle 11g through 19c. Sync to Oracle application user accounts and database logins simultaneously.
  • SSH / Linux PAM (Unix / Linux): Updates local PAM accounts across Linux, AIX, and Unix servers. Removes the last local password island from your estate.
  • SQL Server & MySQL (Database): Sync database login credentials alongside application accounts. Removes the need for service accounts with static passwords.
  • Cloud Platforms (Cloud): Google Workspace, AWS IAM, and other cloud platforms where federation is not in place — or not yet deployed.
  • Custom & CLI Systems (Custom): Script-based connector for bespoke applications, CLI tooling, and systems without a native integration. Build once, sync like everything else.
  • Generic LDAP (LDAP): Any LDAP-compatible directory service. Useful for in-house identity stores and niche enterprise applications.
  • HCL Domino / Notes (Notes / Collaboration): Lotus Notes / Domino environments still in production. Password Sync keeps Domino credentials aligned without manual admin.
And many more. The list above is just the start — Password Sync also covers CLI, SSH, ODBC, LDAP, and custom credential providers. If a system holds a password, it can be synced. The options are limitless.

Sync Scope

Selective reset or global sweep — your call

Not every scenario calls for a full org-wide credential rotation. Password Sync gives you precise control over who, what, and when — and you decide whether that scope is fixed by the administrator or chosen interactively by the user at reset time.

Selective Sync
Targeted credential updates for specific users, groups, or systems
When you need surgical precision — not a full sweep.
  • Reset one user's SAP credentials after a role change without touching AD
  • Sync a specific department's credentials to a new system post-migration
  • Update service account passwords on a single target system only
  • Re-sync a specific user after a failed propagation event
  • Onboard a new system and back-fill existing user credentials selectively
  • Development team password reset scoped to dev environment only — production untouched
Global Reset
Organisation-wide credential rotation across all connected systems
For compliance, incident response, or bulk environment management.
  • Force-reset all user passwords across every connected system simultaneously
  • Post-breach credential rotation — push new passwords to every platform at once
  • Large SAP landscape resets — ECC, S/4HANA, BW, Solution Manager all in one operation
  • Staging and UAT environment credential alignment before release cycles
  • Annual security policy enforcement — rotate all credentials on schedule
  • Merger / acquisition onboarding — align newly absorbed systems to corporate policy immediately
User-driven or admin-controlled. Scope doesn't have to be fixed in policy. Through self-service SSPR, a user can authenticate and choose exactly which targets to reset — say, only their Oracle DB1 login — leaving every other system untouched. Or remove the choice entirely and enforce the reset org-wide. The control is yours.

Better Together

Combine with SSPR to close the loop completely

Password Sync handles propagation when users change credentials in AD. Pair it with MyPass Advanced SSPR and Robert never needs to call the helpdesk at all — he resets it himself via the portal, and every downstream system updates automatically.

One self-service action. Zero calls. Every system — SAP, Oracle, IBM, SSH — in sync within seconds.

  • SSPR-triggered sync — Self-service reset in the portal propagates to all connected systems simultaneously
  • Single enrollment — Users register MFA once, gain self-service access to all connected platforms
  • Shared gateway — SSPR and Sync run through the same on-premise MyPass Gateway — one deployment, two capabilities
  • Levels of assurance carry through — SSPR assurance tier determines which systems a self-service reset can propagate to
SSPR + Sync reset flow
1. User resets via MyPass
2. Synced to connected directories: Active Directory, SAP, Oracle, IBM LDAP
3. All systems updated (IN SYNC)

FAQ

Common questions

SSO covers modern, SAML/OAuth-capable applications. Password Sync covers everything else — the SAP systems, IBM mainframes, Oracle databases, SSH servers, and legacy applications that were never built to federate. Most enterprises need both. They solve different parts of the credential problem.
This is the only technically viable method for cross-platform sync — it's the same window that AD itself uses before writing the hash. The credential is captured for a fraction of a second, encrypted immediately, and transmitted to the MyPass Gateway over a secured channel. It is never written to disk or stored in clear text at any point. The same approach is used by all enterprise password sync solutions.
MyPass Gateway queues the sync event. When the target system comes back online, the queued change is dispatched automatically. Administrators receive alerts for any queued or failed sync events so nothing goes unnoticed. The user and helpdesk are not responsible for managing the retry — the system handles it.
Yes. Sync scope is fully configurable per user, group, or OU. You can define that Finance users sync to SAP and Oracle but not to Linux servers, while IT admins sync everywhere. Development teams can have resets scoped to dev/UAT environments with production excluded. This is particularly useful in large SAP landscapes where environment isolation is critical.
Yes. MyPass Gateway can be deployed per region, per subnet, or per isolated network segment. Systems that cannot route directly to a central AD or IdP — remote sites, geo-isolated datacentres, systems behind firewalls — are served by a local Gateway instance that receives sync events from the central server. Each Gateway handles local system updates independently.
Target systems must be able to accept the password that AD allows. If AD permits 12-character passwords with symbols and a target system only accepts 8 characters or no symbols, the sync will fail for users who use those characters. MyPass can enforce password policy constraints at the point of change to prevent sync failures before they happen.
Both ABAP and Java-based SAP systems are supported — including HANA, ERP (ECC), NetWeaver, S/4HANA, CRM, SCM, SRM, and Solution Manager, across modules such as FICO, GRC, and HRMS. Dialog and system users are covered, with no ABAP development required (Kernel 4.6E onwards and UME/JAVA). Large landscapes can be synced with selective scope.
An Active Directory deployment is typically live in under two weeks. More complex integrations — password synchronisation to IBM mainframes or large SAP landscapes — usually take around three months from start to finish, depending on scope and the number of target systems.
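The policy mismatch described in the FAQ above (a target that accepts only 8 characters, or no symbols) can be caught before a change is accepted, and the same check shows when a group's sync scope cannot be satisfied by any password at all. The following is an added example, not MyPass code; the target names, limits and scope map are constructed assumptions.

```python
import string
from typing import NamedTuple

ALNUM = set(string.ascii_letters + string.digits)

class TargetPolicy(NamedTuple):
    min_len: int
    max_len: int
    symbols: str  # symbols the target accepts; "" means none

# Constructed limits for illustration; read real ones from each system's configuration.
TARGETS = {
    "ad": TargetPolicy(12, 127, string.punctuation),
    "legacy_8char": TargetPolicy(6, 8, "#$@"),
    "no_symbols": TargetPolicy(8, 40, ""),
}
# Constructed scope map: targets that a group's password change propagates to.
SCOPE = {
    "finance": ["ad", "no_symbols"],
    "it_admins": ["ad", "legacy_8char", "no_symbols"],
}

def violations(password, policy):
    """Reasons a target would reject the password. Never echoes password
    characters, so the result is safe to log or show to the helpdesk."""
    problems = []
    if len(password) < policy.min_len:
        problems.append("too short")
    if len(password) > policy.max_len:
        problems.append("too long")
    if any(c not in ALNUM and c not in policy.symbols for c in password):
        problems.append("unsupported character")
    return problems

def precheck(password, group):
    """Map each in-scope target that would reject the password to its reasons."""
    found = {t: violations(password, TARGETS[t]) for t in SCOPE[group]}
    return {t: p for t, p in found.items() if p}

def effective_limits(group):
    """Intersect in-scope policies into (min_len, max_len, symbols)."""
    policies = [TARGETS[t] for t in SCOPE[group]]
    symbols = set(string.punctuation)
    for p in policies:
        symbols &= set(p.symbols)
    return (max(p.min_len for p in policies),
            min(p.max_len for p in policies), "".join(sorted(symbols)))

def scope_is_satisfiable(group):
    """False when no password can satisfy every in-scope target at once."""
    lo, hi, _ = effective_limits(group)
    return lo <= hi
```

With these sample values the `it_admins` scope is unsatisfiable (AD requires at least 12 characters, one target accepts at most 8), which is a scope or policy design problem to fix before rollout rather than a per-user sync failure.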

Ashwin's SAP should already know.

Stop managing credential silos manually. Book a demo and see how Password Sync closes the federation gap — across your entire enterprise stack, in real time.