
Configuring Advanced Password Management Options

In addition to creating password policies and sync groups, you can also configure more complex password options, such as using a password dictionary, adding and resetting application passwords, using URLs to access Password Management features, and more.

Configuring a Password Dictionary

The password dictionary is a list of words and characters that users are prevented from including in their passwords. See the password dictionary requirements below and follow the directions to create, upload, and enable your own.

Meeting Password Dictionary Requirements

Your list of prohibited words and characters must meet the following requirements to ensure the password dictionary is handled correctly by the SailPoint API:

  • It must be in .txt format.

  • All characters must be UTF-8 characters.

  • Each line must contain a single word or character with no spaces or whitespace characters.

  • It must contain at least one line other than the locale string.

  • Each line should be no more than 128 characters long.

  • The file must not exceed 2,500 lines.

Consider the following when creating and reviewing your list:

  • Lines that start with a # will be treated as comments.

  • All words in this password dictionary are treated as case-insensitive, so adding the word "password" will also disallow the words "PASSWORD", "Password", and "PassWord".

  • The password dictionary uses substring matching, so adding the word "spring" to your list of prohibited words will also disallow "Spring124", "345SprinG", and "8spring".

Creating a Dictionary

  1. Create a text file where you will add the entries for your password dictionary.

  2. If your password dictionary is not in English, add a locale string to the top line:

    • locale:<languageCode>_<countryCode>

    • where <languageCode> is the two-letter ISO 639-1 code for the language.

    • where <countryCode> is the two-letter ISO 3166-1 code for the country.

    For example, to set your password dictionary to use the Mexico locale for the Spanish language traditionally used in Mexico, you'd enter: locale:es_MX

    If you don't add a locale string, the password dictionary will automatically use the US English locale string: locale:en_US

    Note

    Using multiple locale strings is not supported.

  3. Under the locale string, add a list of words and characters you want to prohibit.

  4. Review your .txt file to ensure it meets the file requirements.
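The following is an added example, not SailPoint's own validation code: a small Python checker that applies the file requirements listed under Meeting Password Dictionary Requirements (UTF-8, one word per line, no whitespace, 128-character lines, 2,500-line limit, a single optional locale string on the first line, # comments) to a dictionary file before you upload it, and then tests candidate passwords against the entries using the case-insensitive substring matching described above. The sample dictionary is constructed for the example; the byte-order-mark check is an assumption about one common reason an editor-saved .txt file is rejected.

```python
"""Validate a password-dictionary .txt file and test passwords against it.
Added example mirroring the requirements on this page; not SailPoint code."""
import re

MAX_LINE_CHARS = 128
MAX_LINES = 2500
# locale:<languageCode>_<countryCode>, e.g. locale:es_MX
LOCALE_RE = re.compile(r"^locale:[a-z]{2}_[A-Z]{2}$")
UTF8_BOM = b"\xef\xbb\xbf"


def validate_dictionary(data: bytes) -> list:
    """Return a list of problems; an empty list means the file meets the rules."""
    problems = []
    if data.startswith(UTF8_BOM):
        # Assumption: an editor-inserted BOM is a likely reason a file that
        # otherwise looks fine is not processed by the API.
        problems.append("file starts with a UTF-8 byte-order mark; save it without a BOM")
        data = data[len(UTF8_BOM):]
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return ["file is not valid UTF-8: %s" % exc]
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        problems.append("file has %d lines; the limit is %d" % (len(lines), MAX_LINES))
    locale_lines = 0
    entries = 0
    for n, line in enumerate(lines, start=1):
        if line.startswith("locale:"):
            locale_lines += 1
            if n != 1:
                problems.append("line %d: the locale string must be the first line" % n)
            if not LOCALE_RE.match(line):
                problems.append("line %d: malformed locale string %r" % (n, line))
            continue
        if line.startswith("#"):
            continue  # comment lines are ignored and do not count as entries
        if not line or any(ch.isspace() for ch in line):
            problems.append("line %d: must be a single word with no whitespace" % n)
            continue
        if len(line) > MAX_LINE_CHARS:
            problems.append("line %d: longer than %d characters" % (n, MAX_LINE_CHARS))
        entries += 1
    if locale_lines > 1:
        problems.append("multiple locale strings are not supported")
    if entries == 0:
        problems.append("dictionary needs at least one entry other than the locale string")
    return problems


def load_entries(text: str) -> list:
    """Entries the dictionary enforces: locale line and comments dropped, case folded."""
    return [line.casefold() for line in text.splitlines()
            if line and not line.startswith(("#", "locale:"))]


def find_prohibited(password: str, entries) -> list:
    """Entries the password trips, using case-insensitive substring matching."""
    folded = password.casefold()
    return [entry for entry in entries if entry in folded]


# Constructed sample dictionary (not a real customer file).
SAMPLE_DICTIONARY = b"""locale:en_US
# constructed sample entries
password
spring
companyname
"""

if __name__ == "__main__":
    print("problems:", validate_dictionary(SAMPLE_DICTIONARY))
    entries = load_entries(SAMPLE_DICTIONARY.decode("utf-8"))
    for candidate in ["Spring124", "345SprinG", "8spring", "MyPassWord1", "Tr0ub4dor&3"]:
        print(candidate, "->", find_prohibited(candidate, entries))
```

Run it against your own .txt file (`validate_dictionary(open(path, "rb").read())`) before calling the upload API; the whitespace and BOM checks cover the cases the Tip in the next section is most often about.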

Uploading a Password Dictionary

After you have created your password dictionary and reviewed it, upload the .txt file to SailPoint using the Update Password Dictionary API.

Uploading a new file always overwrites the previous dictionary file.

Tip

If the API can't process your .txt file, try opening the file in a different editor and saving it.

If you need to download your password dictionary later to make updates, you can use the Get Password Dictionary API.

Enabling a Password Dictionary in a Password Policy

After you have created and uploaded a password dictionary, you can specify which password policies will check new passwords against the list you provided.

  1. Go to Admin > Password Mgmt > Policies.

  2. Select the edit icon beside the name of the policy you want to edit.

  3. In the Password Requirements section, select the checkbox for Prevent use of words in this site's password dictionary.

  4. Select Save to update the policy to use the password dictionary.

Adding and Resetting Application Passwords

You can add an application to your users' Password Manager page that allows them to change their source passwords, including their passwords on your corporate network. They can select their username in the top right and choose Password Manager to manage passwords for sync groups, multi-application sources, and applications.

Tip

To allow users to change their corporate network passwords, choose an Authentication Source that supports Password Management. Select Identity Management > Identity Profiles. Select the identity profile you want to edit, and choose a Password Management-enabled source under Sign-in Method. View the list of sources to identify if Password Management is enabled for your source.

  1. Go to Admin > Applications.

  2. Select the app you want to edit or select + New.

  3. Under App Accounts Created By, select Admin (IT).

  4. Under Account Source, select Specific Users From Source or All Users From Source.

  5. Choose the source you enabled Password Management on from the Select Source dropdown menu.

  6. In the upper-right corner, set Enable For Users to ON and select Save.

  7. Users with accounts on this source will see this source in Password Manager and can manage their passwords for it there.

    Figure: Password applications with the option to change their individual passwords.

    • If any identity profiles are configured to use this source with pass-through authentication, changing their password in Password Manager also changes their SailPoint password.
    • If this source is part of a password sync group, when a user changes the password for this source using the application password update, the password for all other sources and apps in the sync group will be changed as well.

    Important

    In order to use sync groups, each authentication source in the sync group must have at least one application.

Users with accounts on the selected source can see this app in Password Manager and can use it to change the passwords on that source.

Enabling Desktop Password Reset

As an IdentityNow Admin, you can enable users to change their IdentityNow password from the Windows sign-in screen using SailPoint Desktop Password Reset. This is especially useful if the user also needs to reset their workstation password because they've forgotten it.

If Desktop Password Reset is configured, users can select the Forgot Password option from the login screen to see the IdentityNow password reset page. After authenticating, users can change their password, allowing them to unlock their account and log in normally.

To install and configure this utility, refer to Desktop Password Reset.

Important

Identity profiles for all users that will be using this utility must be set to use Active Directory pass-through authentication.

Accessing Password Management via URL

You can provide access to URL landing pages where users can reset passwords, unlock accounts, and recover forgotten usernames. This is helpful if you want your users to access the IdentityNow sign-in help pages directly.

You can direct users to the following URLs for sign-in help page access:

  • Unlock Account - https://<tenant_name>.identitynow.com/passwordreset/default/unlock-account

  • Reset Password - https://<tenant_name>.identitynow.com/passwordreset/default/reset-password

  • Forgot Username - https://<tenant_name>.identitynow.com/passwordreset/default/forgot-username

Note

FedRAMP customers use https://<tenant_name>.saas.sailpointfedramp.com/ as the base for these URLs.

You can auto-populate the username fields for the unlock account, reset password, and forgot username pages by adding the following query string to the URL:

?username=<username>

Examples:

  • https://<tenant_name>.identitynow.com/passwordreset/default/unlock-account?username=<username>

  • https://<tenant_name>.identitynow.com/passwordreset/default/reset-password?<query_param>&username=<username>&<query_param>

By default, users that complete sign-in help processes from a URL are prompted to close the page. If you would like your users to be prompted to log in to IdentityNow after completing the process, add the following query string to the URL: ?returnToLogin=true

Examples:

  • https://<tenant_name>.identitynow.com/passwordreset/default/unlock-account?returnToLogin=true

  • https://<tenant_name>.identitynow.com/passwordreset/default/reset-password?<query_param>&returnToLogin=true&<query_param>
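As an added example (not SailPoint code), the Python below builds the three sign-in help URLs for a tenant and appends the username and returnToLogin parameters the way the examples above describe, whether or not the URL already carries a query string. The tenant name "acme" is a constructed placeholder, the username value is percent-encoded so characters such as "@" survive the link, and the assumption that FedRAMP tenants use the same /passwordreset/default/ path under the .saas.sailpointfedramp.com host is the author's own.

```python
"""Build IdentityNow sign-in help URLs with query parameters appended safely.
Added example; tenant names and usernames below are constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HELP_PAGES = ("unlock-account", "reset-password", "forgot-username")


def help_page_url(tenant: str, page: str, fedramp: bool = False) -> str:
    """Return the landing-page URL for one of the three sign-in help pages."""
    if page not in HELP_PAGES:
        raise ValueError("unknown sign-in help page: %r" % page)
    # Assumption: FedRAMP tenants keep the same path under the FedRAMP host.
    host = "%s.saas.sailpointfedramp.com" % tenant if fedramp else "%s.identitynow.com" % tenant
    return "https://%s/passwordreset/default/%s" % (host, page)


def add_query_params(url: str, **params) -> str:
    """Append parameters to a URL, preserving any query string already present.
    Values are percent-encoded, so usernames with '@' or spaces stay intact."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend((key, str(value)) for key, value in params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def with_username(url: str, username: str) -> str:
    """Pre-populate the username field on the landing page."""
    return add_query_params(url, username=username)


def with_return_to_login(url: str) -> str:
    """Prompt the user to log in after finishing instead of closing the page."""
    return add_query_params(url, returnToLogin="true")


if __name__ == "__main__":
    unlock = help_page_url("acme", "unlock-account")
    print(with_username(unlock, "j.doe@example.com"))
    reset = help_page_url("acme", "reset-password") + "?source=helpdesk"
    print(with_return_to_login(with_username(reset, "jdoe")))
    print(help_page_url("acme", "forgot-username", fedramp=True))
```

Generating the links this way avoids the easy mistake of writing a second "?" when a parameter is added to a URL that already has a query string.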

Changing Passwords with the Password Interceptor

Password Interceptor captures, or intercepts, a user's password change on a supported source. The change is then propagated to the related source within IdentityNow. This is available for Active Directory and IBM i.

For example, a user might reset their password on their workstation or on an app that is linked to Active Directory, which will change the password for both the source and all apps connected to that source. If you have pass-through authentication, this will also change their IdentityNow password. If that source is in a sync group, Password Interceptor will change all of the associated passwords in that group except for AD and IBM i.

Caution

Password interception must be initiated after AD or IBM i are updated in order to change the passwords for all sources in the sync group. For example, if the sync group contains AD, Oracle, and Google Apps, the password interception will change the password for Oracle and Google Apps but not AD.

You can also add a proxy server on your virtual appliances to limit the number of outbound connections the password interceptor uses to communicate with IdentityNow.

Learn how to configure Password Interceptor.