
Configuring Advanced Password Management Options

In addition to creating password policies and sync groups, you can also configure more complex password options, such as using a password dictionary, adding and resetting application passwords, using URLs to access Password Management features, and more.

Configuring a Password Dictionary

The password dictionary is a list of words and characters that users are prevented from including in their passwords. See the password dictionary requirements below and follow the directions to create, upload, and enable your own.

Meeting Password Dictionary Requirements

Your list of prohibited words and characters must meet the following requirements to ensure the password dictionary is handled correctly by the SailPoint API:

  • It must be in .txt format.

  • All characters must be UTF-8 characters.

  • Each line must contain a single word or character with no spaces or whitespace characters.

  • It must contain at least one line other than the locale string.

  • Each line should be no more than 128 characters long.

  • The file must not exceed 2,500 lines.

Consider the following when creating and reviewing your list:

  • Lines that start with a # will be treated as comments.

  • All words in this password dictionary are treated as case-insensitive, so adding the word "password" will also disallow the words "PASSWORD", "Password", and "PassWord".

  • The password dictionary uses substring matching, so adding the word "spring" to your list of prohibited words will also disallow "Spring124", "345SprinG", and "8spring".

Creating a Dictionary

  1. Create a text file where you will add the entries for your password dictionary.

  2. If your password dictionary is not in English, add a locale string to the top line:

    • locale:<languageCode>_<countryCode>

    • where <languageCode> is the 2-letter ISO 639-1 Code for the language.

    • where <countryCode> is the 2-letter ISO 3166-1 Code for the country.

    For example, to set your password dictionary to use the Mexico locale for the Spanish language traditionally used in Mexico, you'd enter: locale:es_MX

    If you don't add a locale string, the password dictionary will automatically use the US English locale string: locale:en_US

    Note

    Using multiple locale strings is not supported.

  3. Under the locale string, add a list of words and characters you want to prohibit.

  4. Review your .txt file to ensure it meets the file requirements.
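The following Python script is added here as an example; it is not SailPoint code and does not call the SailPoint API. It checks a dictionary file against the requirements listed above before you upload it, and shows the case-insensitive substring matching the page describes. The sample entries in SAMPLE are constructed.

```python
from __future__ import annotations
import re

MAX_LINES, MAX_LINE_LEN = 2500, 128
LOCALE_RE = re.compile(r"^locale:[a-z]{2}_[A-Z]{2}$")  # e.g. locale:es_MX

def validate_dictionary(data: bytes) -> list[str]:
    """Return the list of requirement violations found (empty means OK)."""
    problems: list[str] = []
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"file is not valid UTF-8: {exc}"]
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        problems.append(f"{len(lines)} lines exceeds the {MAX_LINES}-line limit")
    locale_lines = [n for n, l in enumerate(lines, 1) if l.startswith("locale:")]
    if len(locale_lines) > 1:
        problems.append("multiple locale strings are not supported")
    elif locale_lines and locale_lines[0] != 1:
        problems.append(f"line {locale_lines[0]}: locale string must be the top line")
    elif locale_lines and not LOCALE_RE.match(lines[0]):
        problems.append(f"line 1: malformed locale string {lines[0]!r}")
    words = 0
    for n, line in enumerate(lines, 1):
        if line.startswith(("#", "locale:")):
            continue  # comments and the locale string are not entries
        if not line or any(ch.isspace() for ch in line):
            problems.append(f"line {n}: must be one word with no whitespace")
            continue
        if len(line) > MAX_LINE_LEN:
            problems.append(f"line {n}: exceeds {MAX_LINE_LEN} characters")
        words += 1
    if words == 0:
        problems.append("no prohibited words found besides the locale string")
    return problems

def load_prohibited(data: bytes) -> list[str]:
    """Entries normalised for the case-insensitive matching the page describes."""
    return [l.casefold() for l in data.decode("utf-8").splitlines()
            if l and not l.startswith(("#", "locale:"))]

def dictionary_violation(password: str, prohibited: list[str]) -> str | None:
    """Case-insensitive substring check; returns the matching entry or None."""
    pw = password.casefold()
    return next((w for w in prohibited if w in pw), None)

# Constructed sample dictionary (not a SailPoint-supplied file).
SAMPLE = b"locale:en_US\n# constructed sample entries\npassword\nspring\nacme\n"
```

Run validate_dictionary on the file bytes before calling the Update Password Dictionary API; an empty list means the file meets the requirements listed above.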

Uploading a Password Dictionary

After you have created your password dictionary and reviewed it, upload the .txt file to SailPoint using the Update Password Dictionary API.

Uploading a new file always overwrites the previous dictionary file.

Tip

If the API can't process your .txt file, try opening the file in a different editor and saving it.

If you need to download your password dictionary later to make updates, you can use the Get Password Dictionary API.

Enabling a Password Dictionary in a Password Policy

After you have created and uploaded a password dictionary, you can specify which password policies will check new passwords against the list you provided.

  1. Go to Admin > Password Mgmt > Policies.

  2. Select the edit icon beside the name of the policy you want to edit.

  3. In the Password Requirements section, select the checkbox for Prevent use of words in this site's password dictionary.

  4. Select Save to update the policy to use the password dictionary.

Adding and Resetting Application Passwords

Add an application to Password Management so that users can change their source passwords, including their passwords on your corporate network. They can select their username in the top right and choose Password Manager to manage passwords for sync groups, multi-application sources, and access applications.

Start by adding access applications to password management.

Enabling Desktop Password Reset

As an Identity Security Cloud Admin, you can enable users to change their Identity Security Cloud password from the Windows sign-in screen using SailPoint Desktop Password Reset. This is especially useful if the user also needs to reset their workstation password because they've forgotten it.

If Desktop Password Reset is configured, users can select the Forgot Password option from the login screen to see the Identity Security Cloud password reset page. After authenticating, users can change their password, allowing them to unlock their account and log in normally. If they have multiple accounts, only their primary authentication account password is reset unless the accounts are on sources in a password sync group.

To install and configure this utility, refer to Desktop Password Reset.

Important

Identity profiles for all users that will be using this utility must be set to use Active Directory pass-through authentication.

Accessing Password Management via URL

You can provide access to URL landing pages where users can reset passwords, unlock accounts, and recover forgotten usernames. This is helpful if you want your users to access the Identity Security Cloud sign-in help pages directly.

You can direct users to the following URLs for sign-in help page access:

  • Unlock Account - https://<tenant_name>.identitynow.com/passwordreset/default/unlock-account

  • Reset Password - https://<tenant_name>.identitynow.com/passwordreset/default/reset-password

  • Forgot Username - https://<tenant_name>.identitynow.com/passwordreset/default/forgot-username

Note

FedRAMP customers will use https://<tenant_name>.saas.sailpointfedramp.com/ for the URLs.

You can auto-populate the username fields for the unlock account, reset password, and forgot username pages by adding the following query string to the URL:

?username=<username>

Examples:

https://<tenant_name>.identitynow.com/passwordreset/default/unlock-account?username=<username>

https://<tenant_name>.identitynow.com/passwordreset/default/reset-password?<query_param>&username=<username>&<query_param>

By default, users that complete sign-in help processes from a URL are prompted to close the page. If you would like your users to be prompted to log in to Identity Security Cloud after completing the process, add the following query string to the URL: ?returnToLogin=true

Examples:

  • https://<tenant_name>.identitynow.com/passwordreset/default/unlock-account?returnToLogin=true

  • https://<tenant_name>.identitynow.com/passwordreset/default/reset-password?<query_param>&returnToLogin=true&<query_param>
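As an added example (not from SailPoint's documentation), the Python function below builds the sign-in help URLs described above, keeps any query parameters a link already carries, and URL-encodes the username so a value containing spaces or `&` cannot break the query string. The tenant name "acme" used in testing is a placeholder.

```python
from __future__ import annotations
from urllib.parse import parse_qsl, urlencode, urlunsplit

# Page slugs from the URL list on this page.
PAGES = {"unlock": "unlock-account", "reset": "reset-password",
         "forgot": "forgot-username"}

def sign_in_help_url(tenant: str, page: str, username: str | None = None,
                     return_to_login: bool = False, fedramp: bool = False,
                     existing_query: str = "") -> str:
    """Build a sign-in help URL with correctly encoded query parameters."""
    # Assumes the FedRAMP host uses the same path as the standard host.
    host = (f"{tenant}.saas.sailpointfedramp.com" if fedramp
            else f"{tenant}.identitynow.com")
    # Keep any query parameters the link already carries, then append ours.
    params = parse_qsl(existing_query.lstrip("?"), keep_blank_values=True)
    if username is not None:
        params.append(("username", username))  # urlencode escapes it
    if return_to_login:
        params.append(("returnToLogin", "true"))
    path = f"/passwordreset/default/{PAGES[page]}"
    return urlunsplit(("https", host, path, urlencode(params), ""))
```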

Changing Passwords with the Password Interceptor

Password Interceptor captures, or intercepts, when a user changes the password on a source linked to Active Directory (AD) and propagates that change to the accounts and access applications associated with the source in Identity Security Cloud.

For example, a user might reset their password on their workstation or on an app linked to AD. Password Interceptor will change the password for all accounts the user has on the source, as well as all access apps connected to that source. If the source is part of a password synchronization group, Password Interceptor will change all of the associated passwords in that group except for AD.

If you use pass-through authentication, this will also change their Identity Security Cloud password.

Caution

Password interception must be initiated after AD is updated in order to change the passwords for all sources in the sync group. For example, if the sync group contains AD, Oracle, and Google Apps, the password interception will change the password for Oracle and Google Apps but not AD.

You can also add a proxy server on your virtual appliances to limit the number of outbound connections the password interceptor uses to communicate with Identity Security Cloud.

Learn how to configure Password Interceptor.
