Configuring Password Policies

When you initially deploy your IdentityNow site, a default password policy is configured for your IdentityNow password. If your organization has the Password Management feature, this policy also applies automatically to all your sources that are configured to use Password Management.

You can edit the default policy, but you can also create new policies and associate them with one or more individual sources.

NOTE: To apply a password policy to an application, see How do I know which password policy applies to an app? for instructions.

See the following sections for more information:

Password Policy Enforcement

There are two types of password policy enforcement in IdentityNow:

  • "Upstream" - Enforcement is based on the password policies an administrator configures in IdentityNow. As an end user enters the password, the upstream password policy is checked and user-friendly messages are shown in the user interface.

  • "Downstream" - Enforcement is based on the target source system itself. More complex rules can be enforced here, such as password history. Any error messages coming from this system are relayed to IdentityNow and delivered unaltered to end users. Error messages from the AD source are an exception: IdentityNow translates AD error messages to make them user-friendly.

Password Policies without Password Management

All IdentityNow sites start with one password policy available out of the box, which is labeled in the user interface as Default. If you do not have the Password Management service, the default policy is the only policy you can define.

It applies to the password your users use to sign in to IdentityNow. This might include:

  • The unique password defined in IdentityNow by the user

  • The password that is set in your directory server and used for pass-through authentication in IdentityNow

Password Expiration Settings

For the default password policy, if you do not have Password Management, the Password Expiration panel is available as follows:

  • If none of your authentication sources support expiration settings, this panel is disabled.

  • If all of your authentication sources support expiration settings, this panel is enabled and is applicable to all passwords from those sources.

  • If some but not all of your authentication sources support expiration settings, this panel is enabled but the settings are only applicable to passwords from supported sources. For example, you might have one identity profile that uses Active Directory as an authentication source and another that uses the IdentityNow password. You can still define expiration settings for the default policy but related notifications and system behavior will only apply to users who have Active Directory as their authentication source.

CAUTION: To send a notification to your user when their password expires, the user must have registered with IdentityNow and have an Active status in the Identity List.

Creating a Password Policy

You can define the requirements for a new policy and apply it to any number of sources that are configured for password management.

Complete the following steps:

1. In the Admin interface, click Password Mgmt > Password Policies.

2. Click New.

3. In the Password Policy window, enter a name in the Policy Name field.

[Image: pp+new.png]

4. In Password Requirements, make selections for any or all of the available settings based on the requirements of the related source and your organization's security policies.

NOTES:

  • This policy must match the password requirements on the source itself for users to be able to successfully change their password in IdentityNow.

  • The expiration settings for a password policy can only be edited if it is connected to at least one Active Directory source.

[Image: password requirement options.png]

5. Optionally configure your password policy to require strong authentication for users changing their passwords. This option applies to:

  • All sources using this policy
  • Apps in a password sync group using your policy
  • Apps using a source in this policy as their account source
  • Launchers that change the password for your sources in this policy

6. Click Save. You should see a success message at the top of the page.

After creating a password policy, you can associate it with a source.

Understanding How the Policy Applies to Password Changes

The policy you define must match the password requirements on the source itself for users to be able to successfully change their password in IdentityNow.

Password changes made within IdentityNow are always evaluated by SailPoint first. If the password meets the requirements of the IdentityNow password policy, the changed password is then sent to and processed by the source system, which might have its own set of policy requirements. For example, Active Directory allows you to configure requirements related to how recently a password was changed or whether a new password matches a previous password.

If it passes both policies, the password is changed on the source system and IdentityNow. If a password change is made on another system first and pushed to other systems by IdentityNow, it will be evaluated by that system first.

Password changes might fail if they don't match both sets of policies.
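The two-stage evaluation described above (the upstream IdentityNow policy first, then the source's own checks such as password history) can be sketched in code. The following Python is an added illustration written for this page, not SailPoint code; the rule names, the `ERR_PWD_HISTORY` error string, the constructed salt and the simulated source are all assumptions made for the example:

```python
"""Two-stage password policy check: an upstream (IdentityNow-style) policy
is evaluated first; only if it passes is the password sent to a downstream
(source-system-style) check that can enforce rules the upstream policy
cannot see, such as password history.
Added illustration only; not SailPoint code. Rule names are assumptions."""
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass
class UpstreamPolicy:
    """Requirements an administrator would configure in the upstream policy."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbidden_words: tuple = ("password", "welcome")  # constructed dictionary


def check_upstream(policy: UpstreamPolicy, password: str) -> list:
    """Return a user-friendly message for every unmet upstream requirement.
    An empty list means the upstream policy is satisfied."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"Password must be at least {policy.min_length} characters.")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("Password must contain an uppercase letter.")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("Password must contain a lowercase letter.")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("Password must contain a digit.")
    if policy.require_special and not any(not c.isalnum() for c in password):
        problems.append("Password must contain a special character.")
    lowered = password.lower()
    for word in policy.forbidden_words:
        if word in lowered:
            problems.append(f"Password must not contain the word '{word}'.")
    return problems


@dataclass
class DownstreamSource:
    """A simulated target system that keeps a (hashed) password history."""
    history_size: int = 5
    history: list = field(default_factory=list)  # digests of previous passwords

    def _digest(self, password: str) -> str:
        # Constructed fixed salt for the example; a real system uses a random per-user salt.
        return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()

    def check(self, password: str) -> list:
        """Raw source-side errors; in the text these are relayed unaltered to the user."""
        digest = self._digest(password)
        for old in self.history[-self.history_size:]:
            if hmac.compare_digest(old, digest):
                return ["ERR_PWD_HISTORY: password was used previously"]
        return []

    def set_password(self, password: str) -> None:
        self.history.append(self._digest(password))


def change_password(policy: UpstreamPolicy, source: DownstreamSource, new_password: str) -> dict:
    """Evaluate upstream first; only if it passes, send the password downstream.
    The result records which stage produced the outcome and its messages."""
    upstream = check_upstream(policy, new_password)
    if upstream:
        return {"stage": "upstream", "ok": False, "messages": upstream}
    downstream = source.check(new_password)
    if downstream:
        return {"stage": "downstream", "ok": False, "messages": downstream}
    source.set_password(new_password)
    return {"stage": "downstream", "ok": True, "messages": []}


if __name__ == "__main__":
    src = DownstreamSource()
    src.set_password("Str0ng!Pass")  # constructed previous password
    for candidate in ("short", "Str0ng!Pass", "An0ther!Pass"):
        print(candidate, "->", change_password(UpstreamPolicy(), src, candidate))
```

A password that fails upstream never reaches the source, which is why the upstream messages can be friendly and immediate, while a reused password passes upstream and is rejected only by the source's history check.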

 

Multiple Password Policies on a Source

In some cases, customers might need to have different password policies for different types of users of a single system. You can configure exceptions to the primary password policy and use filters to determine the group of users the exceptions apply to.

In cases where multiple password policies are applied, the expiration periods are inherited from the primary policy.

 

Prerequisite:

  • All policies (primary and exceptions) must be defined in advance

Complete the following steps:

1. Set a primary password policy on the source.

2. Click Add Exceptions to configure exceptions to your password policy.

[Image: multi-policy.png]

3. Define how exceptions are determined under Filter on Identity Attribute:

  • Filter on Identity Attribute - Contains a drop-down list with all identity attributes in IdentityNow. Select the one you want to filter on.

  • Equals - Indicates the operation the filter performs. Currently the filters only use the Equals operation which requires an exact match.

  • (Value) - Requires the contents of the identity attribute you're filtering on. This must be an exact match for the filter to work.

For example, if you want to filter on grade level, you would choose Grade as the identity attribute and specify a valid value to filter on. In the image above, valid values might be K through 12.

4. Set the policy for each exception.

Best Practice: Put the strictest password policies at the top. For example, suppose you are applying password policies by department, and Accounting has a very strict policy while HR has a less strict policy. If a user is in both Accounting and HR, you want the stricter Accounting policy to apply to them.
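To show why the order of exceptions matters, here is an added Python example of resolving the effective policy for an identity; it is not SailPoint code, and the `PasswordPolicy` and `PolicyException` shapes, the sample identity attributes and the department values are assumptions made for the example. It applies the first matching exception in list order (the Equals filter is an exact, case-sensitive match), falls back to the primary policy, and carries the expiration period over from the primary as the section above states:

```python
"""Resolve which password policy applies to an identity when a source has a
primary policy plus ordered exceptions filtered on one identity attribute.
Added illustration only; not SailPoint code. Data shapes are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int                      # used here as the measure of strictness
    expiration_days: Optional[int] = None


@dataclass(frozen=True)
class PolicyException:
    attribute: str        # identity attribute the filter is applied to
    value: str            # exact-match value; Equals is the only operator
    policy: PasswordPolicy


def matches(identity: dict, exc: PolicyException) -> bool:
    """Equals filter: the attribute must exist and match the value exactly."""
    return identity.get(exc.attribute) == exc.value


def resolve_policy(identity: dict, primary: PasswordPolicy, exceptions: list) -> PasswordPolicy:
    """Return the effective policy for an identity.

    The first exception (in list order) whose filter matches wins; otherwise the
    primary policy applies. The expiration period is always inherited from the
    primary policy, so the returned policy carries primary.expiration_days."""
    chosen = primary
    for exc in exceptions:
        if matches(identity, exc):
            chosen = exc.policy
            break
    return PasswordPolicy(chosen.name, chosen.min_length, primary.expiration_days)


def order_strictest_first(exceptions: list) -> list:
    """Best-practice helper: put the strictest exception at the top so that an
    identity matching several exceptions receives the strictest policy."""
    return sorted(exceptions, key=lambda e: e.policy.min_length, reverse=True)


if __name__ == "__main__":
    # Constructed policies and identity for the demonstration.
    primary = PasswordPolicy("Primary", 8, expiration_days=90)
    accounting = PasswordPolicy("Accounting", 14, expiration_days=30)
    hr = PasswordPolicy("HR", 10)
    unordered = [PolicyException("department", "HR", hr),
                 PolicyException("costCenter", "ACCT", accounting)]
    user = {"department": "HR", "costCenter": "ACCT"}  # matches both exceptions
    print("unordered ->", resolve_policy(user, primary, unordered))
    print("ordered   ->", resolve_policy(user, primary, order_strictest_first(unordered)))
```

With the exceptions in their original order the user above receives the weaker HR policy; after ordering strictest first they receive the Accounting policy, and in both cases the 90-day expiration of the primary policy applies rather than the exception's own value.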

 

Managing Password Policies

You can review and make changes to the policies defined in your system.

Complete the following steps:

1. In the Admin interface, go to Password Mgmt > Policies.

2. Review the password policies defined for your organization. This page includes the following:

  • A count of the total password policies defined in your organization

  • The option to create a new policy

  • The option to specify exceptions to the primary password policy

  • The ability to edit any policy by clicking the Edit icon

NOTE: You can edit both the default password policy and any additional password policies in IdentityNow, but the policy name for the default policy is not editable.

NOTE: Flat file sources are no longer associated with Default password policies. Newly added flat file sources will not appear under Default Associated Sources. However, you may notice that older flat file sources are still listed there.

  • The option to require strong authentication for password resets

  • Under Associated Sources, a list of sources each policy applies to

  • A count of each app that uses the source's password policy

  • A Delete icon to delete any policy other than the default one

  • Clickable sources that take you directly to each source's Password Settings page so that you can change the policy assigned to that source

You can also synchronize sources so that both the policies and the passwords themselves are shared. See How do I create a password sync group? for instructions.

Editing Password Policies

You can edit both the default password policy and any additional password policies in IdentityNow.

Complete the following steps:

1. In the Admin interface, go to Password Mgmt > Policies.

You will see a list of your password policies and their associated sources.

2. Scroll until you find the password policy you want to edit.

3. Click the Edit icon.

[Image: pp edit default.png]


4. Adjust the settings as needed, including expiration settings or password dictionary settings.

NOTE: The policy name for the default policy is not editable.


[Image: password requirement options.png]


5. If you'd like to require your users to use strong authentication before updating the passwords controlled by this policy, select an option under Strong Authentication Required for Password Update. See Can I require strong authentication when users change their passwords? for details.

6. Click Save.

Defining Password Expiration Settings

If your IT organization requires users to reset their Active Directory passwords at a regular interval, you can remind users of that requirement from within IdentityNow.

When you configure password expiration settings in IdentityNow, the system can send your users email reminders when their password is about to expire. IdentityNow determines when to start sending the emails based on the value of the Password Last Changed field. IdentityNow polls the value of that attribute every five minutes.

In addition, if you have configured pass-through authentication for any identity profiles, you can prevent your users from signing in when their passwords have expired.

In cases where multiple password policies are applied, the expiration periods are inherited from the primary policy.

CAUTION: To send a notification to your user when their password expires, the user must have registered with IdentityNow and have an Active status in the Identity List.

Prerequisites:

  • Optional: Configure the Password Expiration email template

NOTES:

  • While it is possible to set an expiration period for password policies associated with other sources, IdentityNow cannot enforce the expiration date for those sources.

  • The system only generates reminder emails, and only for supported source types.

Complete the following steps:

1. In the Admin interface, go to Password Mgmt > Policies.

2. Click a policy you want to define expiration settings for.

3. In the Password Expiration panel, click Enable.

[Image: pwd expire.png]

Non-default password policies that do not have an AD direct connect source do not display this panel. In the default password policy, this panel cannot be edited unless the policy has an AD direct connect source.

4. In Expiration Period, set the number of calendar days until the password expires.

5. In Reminder Starting, set the number of calendar days prior to expiration that a notification reminder is sent to the user. A reminder is sent each day in that period until the user resets their password. You can manually type values into both drop-down lists in this panel or you can select one of the default values from the list.

NOTES:

  • The reminder is sent every day until the user resets their password

  • The reminder is generated based on the value of the Password Last Changed field which is set in Active Directory.

These settings apply to the apps that use Directory Password for SSO, based on the policy assigned to the directory password source. Refer to How do I know which password policy applies to an app? for more information.
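The behaviour described in steps 4 and 5 (counting calendar days from the Password Last Changed value, sending a reminder every day once the reminder window opens until the password is reset, only for registered Active users, and blocking pass-through sign-in once the password has expired) can be modelled as follows. This is an added Python example written for this page, not SailPoint code; the `evaluate` function, its field names and the constructed dates are assumptions, and the five-minute polling of the attribute is represented simply by calling the function with the date of the poll:

```python
"""Expiration and reminder state derived from Password Last Changed.
Added illustration only; not SailPoint code. Field names and dates are
constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ExpirationSettings:
    expiration_period_days: int   # calendar days until the password expires
    reminder_starting_days: int   # days before expiration at which reminders start


@dataclass(frozen=True)
class ExpirationState:
    expires_on: date
    days_remaining: int           # negative once the password has expired
    expired: bool
    send_reminder: bool           # a reminder is due for this day's poll
    block_passthrough_signin: bool


def evaluate(settings: ExpirationSettings, password_last_changed: date, today: date,
             registered_active: bool = True, passthrough_auth: bool = False) -> ExpirationState:
    """Compute the state for one poll on `today`.

    - expiry is password_last_changed + expiration_period_days (calendar days)
    - reminders are sent daily from reminder_starting_days before expiry until the
      password is reset (a reset moves password_last_changed forward, which ends them)
    - reminders go only to users who are registered and Active
    - sign-in is blocked only when pass-through authentication is configured and
      the password has expired
    """
    expires_on = password_last_changed + timedelta(days=settings.expiration_period_days)
    days_remaining = (expires_on - today).days
    expired = days_remaining <= 0
    in_reminder_window = days_remaining <= settings.reminder_starting_days
    send_reminder = registered_active and in_reminder_window
    block = passthrough_auth and expired
    return ExpirationState(expires_on, days_remaining, expired, send_reminder, block)


def reminder_days(settings: ExpirationSettings, password_last_changed: date,
                  start: date, end: date) -> list:
    """List every day in [start, end] on which a reminder would be sent,
    assuming the user does not reset the password in that range."""
    days = []
    current = start
    while current <= end:
        if evaluate(settings, password_last_changed, current).send_reminder:
            days.append(current)
        current += timedelta(days=1)
    return days


if __name__ == "__main__":
    settings = ExpirationSettings(expiration_period_days=90, reminder_starting_days=14)
    changed = date(2021, 1, 1)  # constructed Password Last Changed value
    for poll in (date(2021, 2, 1), date(2021, 3, 20), date(2021, 4, 5)):
        print(poll, evaluate(settings, changed, poll, passthrough_auth=True))
    print(len(reminder_days(settings, changed, date(2021, 3, 1), date(2021, 4, 1))), "reminders")
```

For a password last changed on 2021-01-01 with a 90-day period the expiry is 2021-04-01; a poll on 2021-03-20 (12 days out) falls inside a 14-day reminder window, and a poll on 2021-04-05 reports the password expired and, for a pass-through identity profile, sign-in blocked.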

 

Last update: Feb 08, 2021 10:59 AM (revision 9 of 9)