Managing Password Policies

IdentityNow comes with a default policy that you can modify and use to manage passwords for your IdentityNow org. If you haven't purchased Password Management, you can only edit the default policy.

Password Management allows you to create custom password policies to define the parameters for passwords. In these custom policies, you can specify multiple settings, including minimum password length, inclusion of special characters, patterns to be disallowed, and more.

Note

If you want users to be able to change their network and IdentityNow password simultaneously, you will need to configure pass-through authentication. Ensure that the password policy does not conflict with your source's policy configurations.

Evaluating and Enforcing Password Changes

Password changes made within IdentityNow are always evaluated by SailPoint first. If the password meets the requirements of the IdentityNow password policy, the changed password is then sent to and processed by the source system, which might have its own set of policy requirements. For example, Active Directory allows you to configure requirements related to how recently a password was changed or whether a new password matches a previous password.

If a password change is made on another system first and pushed to other systems by IdentityNow, it will be evaluated by that system first.

If the password change passes both policies, the password is changed on the source system and IdentityNow.
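The two-stage evaluation described above, together with the kinds of settings a custom policy can carry (minimum length, special characters, disallowed patterns, a dictionary), is easier to see in code. The following Python is an added example, not SailPoint code: the `PasswordPolicy` model, the `check_password`, `source_accepts` and `evaluate_change` functions and the sample passwords are all constructed here, and the source-side history check is a stand-in for a rule such as Active Directory's password history (real directories do not store SHA-256 digests; that choice only keeps the example offline).

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Settings of the kind the page lists for a custom policy (hypothetical model)."""
    min_length: int = 8
    require_special: bool = False
    disallowed_patterns: list = field(default_factory=list)   # regular expressions
    dictionary: frozenset = frozenset()                         # words users may not include


SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")


def check_password(policy: PasswordPolicy, password: str) -> list:
    """Return the IdentityNow-side violations; an empty list means the policy is met."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        violations.append("no special character")
    for pattern in policy.disallowed_patterns:
        if re.search(pattern, password, re.IGNORECASE):
            violations.append(f"matches disallowed pattern {pattern!r}")
    lowered = password.lower()
    for word in sorted(policy.dictionary):
        if word in lowered:
            violations.append(f"contains dictionary word {word!r}")
    return violations


def source_accepts(new_password: str, history_hashes: list, history_depth: int = 3) -> bool:
    """Stand-in for a source-side rule such as Active Directory's password history:
    reject a password that matches one of the last N. Constructed: SHA-256 hex digests
    are used only so the example runs offline."""
    digest = hashlib.sha256(new_password.encode("utf-8")).hexdigest()
    return digest not in history_hashes[-history_depth:]


def evaluate_change(policy: PasswordPolicy, new_password: str, history_hashes: list) -> tuple:
    """Order described on the page: the IdentityNow policy is evaluated first, and only a
    password that passes it is sent on to the source, which applies its own rules."""
    violations = check_password(policy, new_password)
    if violations:
        return ("rejected_by_identitynow", violations)
    if not source_accepts(new_password, history_hashes):
        return ("rejected_by_source", ["matches a previous password"])
    return ("accepted", [])


if __name__ == "__main__":
    # Constructed sample policy and account history
    policy = PasswordPolicy(min_length=12, require_special=True,
                            disallowed_patterns=[r"(.)\1\1", r"^\d+$"],
                            dictionary=frozenset({"password", "welcome"}))
    history = [hashlib.sha256(p.encode()).hexdigest()
               for p in ("Tr0ub4dor&3xyz", "OldOne!2023xx")]
    for candidate in ("Welcome2024!", "Tr0ub4dor&3xyz", "Correct-Horse-9"):
        print(candidate, evaluate_change(policy, candidate, history))
```

The point to notice is the ordering: a password that fails the IdentityNow policy never reaches the source, so a user sees that rejection first, while a password that passes IdentityNow can still be refused by the source's own rules, which is why the page insists that the two policies must not conflict.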

Troubleshooting Password Changes

Users Still Receiving Expired Password Notifications After Changing Passwords

If users are still receiving expired password notifications after they have changed their password outside of IdentityNow, aggregate to your password source to resolve the problem. SailPoint recommends aggregating daily to your password source for optimal password notifications. See how to schedule aggregations for direct connect sources.

Password change for an app is retrying or has failed

If a user changes their password for an app that is configured for Password Management, the change might not succeed on the first attempt. Some causes and resolutions include:

  • If the problem appears to be caused by connectivity problems with the source, IdentityNow makes a number of attempts to send the new password to the source.

  • If the app is connected to a source that requires IQService, verify that the related instance of IQService is running.

  • Ensure that the related source is running as expected.

If the password change fails, either immediately or after retrying:

Creating a Password Policy

You can define the requirements for a new policy and apply it to any number of sources that are configured for Password Management.

  1. In the Admin menu, select Password Mgmt > Password Policies.

  2. Select +New.

  3. Name your policy in the Policy Name field.

  4. In Password Requirements, set the password parameters from the available settings. Make sure these settings meet the requirements of the related source and your organization's security policy so that users are able to change their password in IdentityNow.

    Note

    If you have a password dictionary, you can select the option to prevent users from including words it contains.

  5. In Password Expiration, optionally enable and set a password expiration for the policy. The expiration settings can only be edited if the policy is connected to at least one Active Directory source.

  6. You can optionally require authentication for password updates initiated by:

    • All Users
    • Off Network Users
    • Users in Untrusted Geographies

    Note

    To use this option, the applicable groups above must be defined as part of restricting or limiting location access to IdentityNow. Access restrictions are global.

    When enabled, this option applies to:

    • All sources using this policy.

    • Apps associated with a password sync group using this policy.

    • Apps using a source with this policy as their account source.

  7. Select Save to create your password policy.

After creating a password policy, you can associate it with a source.

Reviewing Password Policies

After you've used Password Management to create a password policy, you can review, edit, and delete it. To access existing policies in the Admin interface, select Password Mgmt > Policies.

Here you can see all of the sources associated with each password policy, along with the number of apps that use the source's password policy. Select the pencil icon to edit the policy or the X icon to delete it.

Note

You cannot delete the default policy, nor can you edit its name.

Select a source name to redirect to the Password Settings options where you can change the source's associated policy. You can also synchronize sources so that both the policies and the passwords are shared.

Reviewing Password Policies on an App

To see what password policy and password source an application is using, go to Admin and select the app you want to check. The Configuration tab will show you the policy and source for that app.

Associating a Password Policy with a Source

All sources configured for Password Management will use the default policy unless you explicitly associate the source with a different policy. You can edit the default policy or create new policies and associate them with one or more individual sources. Flat file sources are not compatible with Password Management.

Important

The policy you define must match the password requirements on the source itself for users to be able to change their password in IdentityNow.

After you edit the default policy or create new policies, you can associate them with one or more direct connect sources.

To associate a policy with a source:

  1. In the Admin interface, select Connections > Sources.

  2. Select the source.

  3. Select Import Data > Password Settings.

    Note

    This option is only visible for certain direct connect sources that support Password Management. See the list of supported connectors to see if your source supports Password Management.

  4. In the Password Policy dropdown list, select the new password policy. If the selected policy has an expiration period or a reminder starting date, they will display here automatically.

    Note

    This field is not editable if the source belongs to a password sync group.

  5. Select Save.

Associating Multiple Password Policies to a Source

You may need to have different password policies for different types of users of a single system. For example, you may want HR and Accounting users to have different password policies on the same source. To associate multiple password policies with a source, you can use exceptions and filtering.

Important

You must create and predefine the policies before they can be used as a primary or exception condition.

Sources defined in password sync groups do not support multiple password policies.

Adding Exceptions and Filtering to a Source

You can configure exceptions to the primary password policy and use filters to determine the group of users the exceptions apply to.

While each password policy can have multiple exceptions with multiple conditions, expiration periods are inherited from the primary policy and cannot be adjusted.

Important

You cannot use exceptions with password sync groups. Putting a source in a sync group overrides individual password policy configurations, so exception policies specified for those sources are ignored.

To add an exception to a policy:

  1. In the Admin interface, select Connections > Sources and choose a source.

  2. Select Import Data > Password Settings and select Add Exceptions. These are evaluated in the order you set.

    Best Practice

    List the strictest exception policy first. IdentityNow looks at each policy exception in the order they are listed in the UI to determine which policy parameters to apply to each user. For example, when applying password policies by department, Accounting may have a very strict policy, whereas HR has a less strict policy. If a user is in both Accounting and HR, select the stricter Accounting policy to apply to them first. Use the up and down arrows to change the order in which the exceptions are applied.

  3. Choose the predefined password policy you want to add exceptions to and select the Filter on Identity Attribute dropdown to see a list of all IdentityNow identity attributes.

  4. Select the identity attribute and enter the condition to filter on in the blank value field.

  5. To add multiple conditions to each policy exception, select + Add Condition.

  6. To add multiple policy exceptions to a source, select + Add Exception.

  7. When you are done, select Save.
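The order dependence that the Best Practice above warns about can be shown with a small resolver. This Python is an added example, not SailPoint's implementation: the `Policy` and `PolicyException` models, the `resolve_policy` and `order_strictest_first` functions and the sample users are constructed here. It assumes, as the procedure suggests, that each condition is an equality test on an identity attribute, that all conditions of an exception must hold, and that the first matching exception in the listed order wins; it also applies the rule that expiration is always inherited from the primary policy.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Policy:
    """A predefined password policy (hypothetical model of the page's settings)."""
    name: str
    min_length: int
    expiration_days: Optional[int] = None


@dataclass
class PolicyException:
    """One exception row: a policy plus the identity-attribute conditions that select it.
    Assumed: every condition is an equality on one attribute and all must hold."""
    policy: Policy
    conditions: dict


def matches(exc: PolicyException, identity: dict) -> bool:
    return all(identity.get(attr) == value for attr, value in exc.conditions.items())


def resolve_policy(primary: Policy, exceptions: list, identity: dict) -> Policy:
    """Walk the exceptions in the listed order; the first whose conditions all match wins.
    Expiration always comes from the primary policy (the page: exceptions cannot adjust it)."""
    for exc in exceptions:
        if matches(exc, identity):
            return replace(exc.policy, expiration_days=primary.expiration_days)
    return primary


def order_strictest_first(exceptions: list) -> list:
    """Helper for the page's Best Practice: put the exception with the stricter policy
    (here judged by minimum length) first. The sort is stable, so the admin's order is
    kept among equally strict exceptions."""
    return sorted(exceptions, key=lambda e: e.policy.min_length, reverse=True)


if __name__ == "__main__":
    # Constructed sample: a primary policy with two exceptions on one source
    primary = Policy("default", min_length=8, expiration_days=90)
    accounting = PolicyException(Policy("accounting-strict", 14, expiration_days=30),
                                 {"department": "Accounting"})
    contractors = PolicyException(Policy("contractor", 10), {"employeeType": "Contractor"})
    user = {"department": "Accounting", "employeeType": "Contractor"}

    # Listed with the weaker exception first, the user gets the weaker policy.
    print(resolve_policy(primary, [contractors, accounting], user).name)
    # Re-ordered strictest first, the same user gets the stricter one, with the
    # primary policy's 90-day expiration rather than the exception's 30 days.
    chosen = resolve_policy(primary, order_strictest_first([contractors, accounting]), user)
    print(chosen.name, chosen.expiration_days)
```

A useful check when reviewing a source's exception list is to run every identity that matches more than one exception through `resolve_policy` and confirm the policy it receives is the strictest of those it qualifies for; an identity that matches no exception falls through to the primary policy.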

Defining Password Expiration Settings

If users need to reset their Active Directory passwords at regular intervals, you can set expiration settings and reminders from within IdentityNow.

To set expiration options, the password policy (default or custom) must be connected to an AD direct connection source. While it is possible to set an expiration period for password policies associated with other sources, IdentityNow cannot enforce the expiration date for those sources.

In cases where multiple policies are applied, the expiration period is inherited from the primary policy and other expiration settings are ignored.

The expiration settings only determine the reminder messages, but if you have configured pass-through authentication for any identity profiles, you can prevent those users from signing in when their passwords have expired. This is because having an expired password in AD automatically prevents authentication to IdentityNow.

Setting a Password Expiration for a Policy

  1. In the Admin interface select Password Mgmt > Policies.

  2. Select the pencil icon for the policy you want to edit.

  3. In the Password Expiration panel, select Enable.

  4. Set the Expiration Period for the number of days you want a password to be usable before expiring.

  5. Set Reminder Starting to the number of days prior to expiration to begin sending an email/SMS to users impacted by the policy. A reminder is sent each day within that time period until the user resets their password.

    Important

    To send a notification to users when their password expires, the user must be registered as an active user in IdentityNow.

    IdentityNow checks the last time the password was changed in Active Directory to determine when to send a reminder.

To find this value for yourself:

  1. Select Identities > Identity List.

  2. Select the name of the user.

  3. Select Accounts and choose the Active Directory account.

  4. The Password Last Changed timestamp is displayed at the top of the page under Password Details.

You can customize the contents of the email message that users receive using the Password Expiration email template.
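How the Expiration Period, Reminder Starting and the Password Last Changed timestamp combine is shown by the following Python, an added example rather than IdentityNow code. The `expiration_status` and `reminder_days_for` functions and all dates are constructed here. The `pwd_last_set_to_date` helper converts Active Directory's `pwdLastSet` attribute, a Windows FILETIME in 100-nanosecond ticks since 1601-01-01 UTC, where 0 means the password must be changed at next logon; that is a general AD fact and not something this page describes, and whether IdentityNow reads that attribute directly is not stated on the page.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Optional

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def pwd_last_set_to_date(pwd_last_set: int) -> Optional[date]:
    """Convert AD's pwdLastSet (FILETIME: 100-ns ticks since 1601-01-01 UTC) to a date.
    0 means 'user must change password at next logon', so there is no date to compute from.
    General AD behaviour, not taken from the page."""
    if pwd_last_set == 0:
        return None
    return (WINDOWS_EPOCH + timedelta(microseconds=pwd_last_set // 10)).date()


def expiration_status(last_changed: Optional[date], expiration_days: int,
                      reminder_days: int, today: date) -> tuple:
    """Return (state, expires_on) with state 'ok', 'remind' or 'expired'.
    'remind' holds on every day from Reminder Starting up to (not including) the expiry
    date, which is why a user in that window receives one message per day until reset."""
    if last_changed is None:
        # Constructed choice: treat 'must change at next logon' as already expired.
        return ("expired", None)
    expires_on = last_changed + timedelta(days=expiration_days)
    reminder_start = expires_on - timedelta(days=reminder_days)
    if today >= expires_on:
        return ("expired", expires_on)
    if today >= reminder_start:
        return ("remind", expires_on)
    return ("ok", expires_on)


def reminder_days_for(last_changed: date, expiration_days: int, reminder_days: int) -> list:
    """Every date on which a reminder would go out for this account (constructed helper)."""
    expires_on = last_changed + timedelta(days=expiration_days)
    start = expires_on - timedelta(days=reminder_days)
    return [start + timedelta(days=i) for i in range(reminder_days)]


if __name__ == "__main__":
    # Constructed sample: 90-day expiration, reminders starting 14 days before expiry.
    # 133485408000000000 is the FILETIME for 2024-01-01 00:00:00 UTC.
    changed = pwd_last_set_to_date(133485408000000000)
    for today in (date(2024, 3, 10), date(2024, 3, 20), date(2024, 4, 1)):
        print(today, expiration_status(changed, 90, 14, today))
    print(len(reminder_days_for(changed, 90, 14)), "reminder days")
```

Because the reminder window is computed from the timestamp in Active Directory rather than from anything stored in IdentityNow, a password changed outside IdentityNow only stops the reminders once the account has been re-aggregated, which matches the troubleshooting advice earlier on this page to aggregate the password source daily.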