Skip to content

Managing Password Policies

IdentityNow comes with a default policy that you can modify to define the password requirements your users must meet to log in to IdentityNow, such as requiring a minimum password length, including special characters, and disallowing certain patterns.

If you have licensed Password Management, you can create additional password policies beyond the default one to manage passwords for supported sources in your org.

Note

To allow users to change their network and IdentityNow password simultaneously, you must configure pass-through authentication. Ensure your password policy does not conflict with the source's native policy requirements.

Evaluating and Enforcing Password Changes

Password changes made within IdentityNow are evaluated by SailPoint before being sent to the source system.

If the password meets the requirements of the IdentityNow password policy attached to your source, the changed password is sent to the source system, which may have its own set of policy requirements beyond those defined in IdentityNow. For example, Active Directory allows you to configure requirements related to how recently a password was changed or whether a new password matches a previous password.

If the password change passes both policies, the password is changed on the source system.

If the password change fails, the user is notified through the App Password Changed email or the User Password Changed email. The password failure is included in your audit events in Search.

Creating a Password Policy

You can define the requirements for a new policy and apply it to sources configured for Password Management.

  1. Go to Admin > Password Mgmt > Password Policies.

  2. Select +New.

  3. Enter a name for your policy in the Policy Name field.

  4. In Password Requirements, set the password parameters to meet the security requirements of your organization and the related source so users can change their password from IdentityNow.

    If you have a password dictionary, you can enable it here.

  5. If the policy is connected to an Active Directory source, you can choose to enable and set a password expiration date, as well as when users should receive reminders to change their passwords.

  6. You can require authentication for password updates for all users, off-network users, or users based on location.

    Note

    Authentication restrictions apply to:

    • Sources using this policy.

    • Apps associated with a password sync group using this policy.

    • Apps using a source with this policy as their account source.

    • All users with accounts on these sources.

  7. Select Save to create your password policy.

After creating a password policy, you can associate it with a source.

Associating a Password Policy with a Source

All sources configured for Password Management will use the default policy unless you explicitly associate the source with a different policy. You can edit the default policy or create new policies and associate them with sources. Flat file sources are not compatible with Password Management.

Important

The policy you define must not conflict with the password requirements on the source itself for users to be able to change their password in IdentityNow.

After you edit the default policy or create new policies, you can associate them with direct connect sources.

To associate a policy with a source:

  1. Go to Admin > Connections > Sources.

  2. Select the source.

  3. Select Import Data > Password Settings.

    Note

    This option is only available for certain direct connect sources that support Password Management. View the list of supported connectors to view if your source supports Password Management.

  4. In the Password Policy dropdown list, select the new password policy. If the selected policy has an expiration period or a reminder starting date, they will display here automatically.

    Note

    This field is not editable if the source belongs to a password sync group.

  5. Select Save.

Note

To allow users to reset their password on a source from IdentityNow, you must create an application for the source.

Associating Multiple Password Policies to a Source

You may need to have different password policies for different types of users of a single system. For example, you may want HR and Accounting users to have different password policies on the same source. To associate multiple password policies with a source, you can use exceptions and filtering.

Important

  • You must create and predefine the policies before they can be used as a primary or exception policy.

  • Sources defined in password sync groups do not support multiple password policies.

Adding Exceptions and Filtering to a Source

You can configure exceptions to the primary password policy and use filters to determine the group of users the exceptions apply to.

You may need to have different password policies for different types of users of a single system. You can configure exceptions to the primary password policy and use filters to determine the group of users the exceptions apply to.

Caution

You cannot use exceptions with password sync groups. Putting a source in a sync group overrides individual password policy configurations, so exception policies specified for those sources are ignored.

To add an exception to a policy:

  1. Go to Admin > Connections > Sources and choose a source.

  2. Select Import Data > Password Settings and select Add Exceptions. Use the arrows to order your policy exceptions.

    IdentityNow looks at each policy exception in the order they are listed in the UI to determine which policy parameters to apply to each user. The first policy the identity matches is applied.

    Best Practice

    List the strictest exception policy first. For example, if you have a policy for the Accounting department and a policy for Director-level job codes, list the stricter one first to impose the strongest password requirements for a Director in Accounting.

  3. Choose the predefined password policy you want to add exceptions to and select the Filter on Identity Attribute dropdown to view a list of all IdentityNow identity attributes.

    Password policy settings with an exception to Filter on the country Identity Attribute to exclude the United States.

  4. Select the identity attribute and enter the condition to filter on in the blank value field.

  5. To add multiple exception conditions to a policy, select + Add Condition. An identity only needs to match one of the conditions to have the exception policy applied.

  6. To add multiple policy exceptions to a source, select + Add Exception.

  7. When you are done, select Save.

Reviewing Password Policies

You can review, edit, and delete password policies by going to Admin > Password Mgmt > Policies.

Here you can view all the sources associated with each password policy, along with the number of apps that use the source's password policy. Select the edit icon  to edit the policy or the X icon to delete it.

Note

You cannot delete the default policy, nor can you edit its name.

Select a source name to redirect to the Password Settings options where you can change the source's associated policy. You can also synchronize sources so that both the policies and the passwords are shared.

Reviewing Password Policies on an App

To view what password policy and password source an application is using, go to Admin > Applications and select the app you want to check. The Configuration tab will show you the policy and source for that app. Refer to Configuring an App for Password Management for more information.

Defining Password Expiration Settings

If users need to reset their Active Directory passwords at regular intervals, you can set expiration settings and reminders from within IdentityNow using a password policy (default or custom) connected to an AD direct connection source.

While a password policy can have multiple exceptions with multiple conditions, expiration periods are inherited from the primary policy and other expiration settings are ignored.

The expiration settings only determine the reminder messages, but if you have configured pass-through authentication for any identity profiles, you can prevent those users from signing in when their passwords have expired. This is because having an expired password in AD automatically prevents authentication to IdentityNow.

Setting a Password Expiration for a Policy

If the policy is connected to an Active Directory source, you can choose how long a password is usable before it expires, as well as when users will receive reminders to change their password.

  1. Go to Admin > Password Mgmt > Policies. Select a policy associated with an Active Directory source.

  2. Select the edit icon  for the policy you want to edit.

  3. In the Password Expiration panel, select Enable.

  4. Set the Expiration Period for the number of days the password will be valid in Active Directory before it expires.

  5. Set the Reminder Starting to the number of days prior to expiration to begin sending an email/SMS to users impacted by the policy. A reminder is sent each day within that time until the user resets their password.

    Important

    To send a notification to users when their password expires, the user must be registered as an active user in IdentityNow. IdentityNow checks the last time the password was changed in ActiveDirectory to determine when to send a reminder.

To find this value for yourself:

  1. Go to Admin > Identities > Identity List.

  2. Select the name of the identity to view its details.

  3. Select Accounts and choose the Active Directory account.

The Password Last Changed timestamp is displayed at the top of the page under Password Details.

Password details with the Password Last Changed timestamp. 

You can customize the contents of the email message that users receive using the Password Expiration email template.

Troubleshooting Password Changes

Users receiving expired password notifications after changing passwords

If users are still receiving expired password notifications after they have changed their password outside of IdentityNow, aggregate to your password source.

Best Practice

Schedule daily aggregations to your password source to keep password data current.

Password change for an app is retrying or has failed

If a user changes their password for an app that is configured for Password Management, the change might not succeed on the first attempt. Some resolutions include:

  • If there are connectivity problems with the source that return a retryable error, IdentityNow automatically retries the password change up to 3 times, at intervals of 5 seconds, 1 minute, and 3 minutes.

  • If the app is connected to a source that requires IQService,​ verify that the related instance of IQService is running.

  • Ensure that the related source is running as expected.