Managing Password Policies
IdentityNow comes with a default policy that you can modify to define the password requirements your users must meet to log in to IdentityNow, such as requiring a minimum password length, including special characters, and disallowing certain patterns.
If you have licensed Password Management, you can create additional password policies beyond the default one to manage passwords for supported sources in your org.
Note
To allow users to change their network and IdentityNow password simultaneously, you must configure pass-through authentication. Ensure your password policy does not conflict with the source's native policy requirements.
Password Requirement Options
You can set the following password requirements when creating or editing a password policy.
Requirement Title | Description | Default Value | Example Value | Valid Password | Invalid Password |
---|---|---|---|---|---|
Maximum length | The maximum number of characters allowed. | None | 12 | password | passwordpassword |
Minimum length | The minimum number of characters allowed. | 8 | 8 | password | pass |
Minimum letters | The minimum number of letters. | 1 | 2 | password, a123Z, BR650 | p12345 |
Minimum uppercase | The minimum number of uppercase letters. | 0 | 2 | PAssword, PASSWORD | password, Password |
Minimum lowercase | The minimum number of lowercase letters. | 0 | 2 | PASSWOrd, password | PASSWORD |
Minimum digits | The minimum number of digits. | 1 | 2 | password12 | password1 |
Minimum special characters | The minimum number of special characters that are not letters or digits. Note: Passwords cannot include a colon (:). | 0 | 2 (Acceptable special characters: ~!@#$%^*()/_+-`-={}\|][;?,.&><'" and spaces) | p@$sword | p@ssword, p@ssword1 |
Minimum character types | The number of categories required (uppercase, lowercase, digits, and special characters) described above. Best practice: Set each category to 1 and then set Minimum character types to be equal to the number of categories you configured. | None | 3 (Selected options: Minimum uppercase, Minimum lowercase, Minimum digits) | Password1 | password, password1 |
Maximum repeated characters | The maximum number of times a character may be repeated after the first occurrence. | All | 2 | password | passsword |
Prevent use of account attributes | If checked, this requirement prevents users from including attribute values from their account on the source in their password. | Unchecked | In Active Directory: Display name: John Smith Phone: 555-555-1234 | password | password5555551234, passwordJohn |
Prevent use of identity attributes | If checked, this requirement prevents users from including attribute values from their IdentityNow account in their password. | Unchecked | In IdentityNow: Display name: John Smith Phone: 555-555-1234 | password | password5555551234, passwordJohn |
Disallow display name fragments | If checked, this requirement prevents users from including any part of their IdentityNow display name with a length greater than the Fragment char length in their password. | Unchecked Fragment char value: All | Display name: John Smith Fragment char length: 3 | password, passwordJoh, passwordSmi | passwordJohnSmith, passwordJohn, JohnSmith, hnSm |
Disallow account ID fragments | Prevents users from including any part of their IdentityNow account ID in their password with a length greater than the Fragment char length. | Unchecked Fragment char value: All | Account ID: john.smith Fragment char length: 3 | password, passwordjoh, passwordsmi | passwordjohn, passwordn.smi |
You can further customize your password requirements by creating a password dictionary. If you select the checkbox for Prevent use of words in this site's password dictionary, users of your site won't be allowed to use words in the password dictionary.
Note
IdentityNow cannot process non-English characters as letters. If you have users who are likely to use non-English characters in their password, we recommend that you don't set a minimum letter limit for their passwords so they can set their passwords more easily.
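As an added illustration (this is not IdentityNow's own evaluator, which the page does not publish), the following Python reimplements the requirement table above and reproduces its valid and invalid examples. The reading of Maximum repeated characters as a per-character occurrence limit, and the case-insensitive, whitespace-stripped comparison in the fragment checks, are assumptions derived from the table's examples.

```python
import string

# Special characters the requirements table lists as acceptable; a colon is
# never allowed anywhere in a password.
SPECIAL_CHARS = set("~!@#$%^*()/_+-`={}\\|][;?,.&><'\" ")

# Policy keys mirror the requirement table; values are the table's defaults.
DEFAULTS = {"min_length": 8, "max_length": None, "min_letters": 1,
            "min_uppercase": 0, "min_lowercase": 0, "min_digits": 1,
            "min_special": 0, "min_char_types": None, "max_repeated": None,
            "display_name_fragment": None, "account_id_fragment": None}


def fragment_violation(pw, value, fragment_len):
    """True if any part of `value` longer than fragment_len appears in pw.
    Assumption: comparison ignores case and whitespace (the table's 'hnSm'
    example implies the space in 'John Smith' is dropped)."""
    if value is None or fragment_len is None:
        return False
    v, p, n = "".join(value.split()).lower(), pw.lower(), fragment_len + 1
    return any(v[i:i + n] in p for i in range(len(v) - n + 1))


def check_password(pw, policy, display_name=None, account_id=None):
    """Return the names of violated requirements (empty list = accepted).
    Illustrative reimplementation of the table, not IdentityNow's evaluator."""
    cfg = {**DEFAULTS, **policy}
    # Only ASCII letters count as letters, matching the note that non-English
    # characters are not processed as letters.
    upper = sum(c in string.ascii_uppercase for c in pw)
    lower = sum(c in string.ascii_lowercase for c in pw)
    digits = sum(c in string.digits for c in pw)
    special = sum(c in SPECIAL_CHARS for c in pw)
    types_present = sum(n > 0 for n in (upper, lower, digits, special))
    # Table example at 2: 'password' valid, 'passsword' invalid, so the limit
    # is read as the most times any single character may occur (assumption).
    most_repeated = max((pw.count(c) for c in set(pw)), default=0)
    rules = [
        ("no_colon", ":" not in pw),
        ("max_length", cfg["max_length"] is None or len(pw) <= cfg["max_length"]),
        ("min_length", len(pw) >= cfg["min_length"]),
        ("min_letters", upper + lower >= cfg["min_letters"]),
        ("min_uppercase", upper >= cfg["min_uppercase"]),
        ("min_lowercase", lower >= cfg["min_lowercase"]),
        ("min_digits", digits >= cfg["min_digits"]),
        ("min_special", special >= cfg["min_special"]),
        ("min_char_types", cfg["min_char_types"] is None or types_present >= cfg["min_char_types"]),
        ("max_repeated", cfg["max_repeated"] is None or most_repeated <= cfg["max_repeated"]),
        ("display_name_fragment", not fragment_violation(pw, display_name, cfg["display_name_fragment"])),
        ("account_id_fragment", not fragment_violation(pw, account_id, cfg["account_id_fragment"])),
    ]
    return [name for name, ok in rules if not ok]
```

Each table row can be checked in isolation by overriding only the requirement under test, for example `check_password("passsword", {"max_repeated": 2, "min_digits": 0})` returns `["max_repeated"]`.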
Evaluating and Enforcing Password Changes
Password changes made within IdentityNow are evaluated by SailPoint before being sent to the source system.
If the password meets the requirements of the IdentityNow password policy attached to your source, the changed password is sent to the source system, which may have its own set of policy requirements beyond those defined in IdentityNow. For example, Active Directory allows you to configure requirements related to how recently a password was changed or whether a new password matches a previous password.
If the password change passes both policies, the password is changed on the source system.
If the password change fails, the user is notified through the App Password Changed email or the User Password Changed email. The password failure is included in your audit events in Search.
Creating a Password Policy
You can define the requirements for a new policy and apply it to sources configured for Password Management.
- Go to Admin > Password Mgmt > Password Policies.
- Select +New.
- Enter a name for your policy in the Policy Name field.
- In Password Requirements, set the password parameters to meet the security requirements of your organization and the related source so users can change their password from IdentityNow. If you have a password dictionary, you can enable it here.
- If the policy is connected to an Active Directory source, you can choose to enable and set a password expiration date, as well as when users should receive reminders to change their passwords.
- (Optional) Select the checkboxes to require all users, off-network users, or users in certain locations to authenticate before changing their password.
  Important
  If this is left empty, users can reset their passwords without going through an extra form of authentication.
  Note
  Authentication restrictions apply to:
  - Sources using this policy.
  - Apps associated with a password sync group using this policy.
  - Apps using a source with this policy as their account source.
  - All users with accounts on these sources.
- Select Save to create your password policy.
After creating a password policy, you can associate it with a source.
Associating a Password Policy with a Source
All sources configured for Password Management will use the default policy unless you explicitly associate the source with a different policy. You can edit the default policy or create new policies and associate them with sources. Flat file sources are not compatible with Password Management.
Important
The policy you define must not conflict with the password requirements on the source itself for users to be able to change their password in IdentityNow.
After you edit the default policy or create new policies, you can associate them with direct connect sources.
To associate a policy with a source:
- Go to Admin > Connections > Sources.
- Select the source.
- Select Import Data > Password Settings.
  Note
  This option is only available for certain direct connect sources that support Password Management. Check the list of supported connectors to confirm whether your source supports Password Management.
- In the Password Policy dropdown list, select the new password policy. If the selected policy has an expiration period or a reminder starting date, they are displayed here automatically.
  Note
  This field is not editable if the source belongs to a password sync group.
- Select Save.
Note
To allow users to reset their password on a source from IdentityNow, you must create an application for the source.
Associating Multiple Password Policies to a Source
You may need to have different password policies for different types of users of a single system. For example, you may want HR and Accounting users to have different password policies on the same source. To associate multiple password policies with a source, you can use exceptions and filtering.
Important
- You must create the policies before they can be used as a primary or exception policy.
- Sources defined in password sync groups do not support multiple password policies.
Adding Exceptions and Filtering to a Source
You can configure exceptions to the primary password policy and use filters to determine the group of users the exceptions apply to.
Important
You cannot use exceptions with password sync groups. Putting a source in a sync group overrides individual password policy configurations, so exception policies specified for those sources are ignored.
To add an exception to a policy:
- Go to Admin > Connections > Sources and choose a source.
- Select Import Data > Password Settings and select Add Exceptions. Use the arrows to order your policy exceptions.
  IdentityNow evaluates the policy exceptions in the order they are listed in the UI to determine which policy parameters to apply to each user. The first policy the identity matches is applied.
  Best Practice
  List the strictest exception policy first. For example, if you have a policy for the Accounting department and a policy for Director-level job codes, list the stricter one first to impose the strongest password requirements for a Director in Accounting.
- Choose the predefined password policy you want to add exceptions to and select the Filter on Identity Attribute dropdown to view a list of all IdentityNow identity attributes.
- Select the identity attribute and enter the condition to filter on in the blank value field.
- To add multiple exception conditions to a policy, select + Add Condition. An identity only needs to match one of the conditions to have the exception policy applied.
- To add multiple policy exceptions to a source, select + Add Exception.
- When you are done, select Save.
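The first-match ordering and the any-condition matching described in the steps above, as an added Python illustration (not IdentityNow's code). The identities, policy names, attribute names and the use of minimum length as a strictness proxy are constructed assumptions; it shows why the Director in Accounting receives the weaker policy when the Accounting exception is listed first.

```python
def matches(identity, conditions):
    """An identity matches an exception when ANY one of its conditions holds,
    as the page states for multiple conditions on one exception."""
    return any(identity.get(attr) == value for attr, value in conditions)


def select_policy(identity, primary, exceptions):
    """Walk exceptions in listed order; the first match wins, otherwise the
    primary policy applies. exceptions = [(policy_name, [(attr, value), ...])]."""
    for policy, conditions in exceptions:
        if matches(identity, conditions):
            return policy
    return primary


def later_but_stricter(exceptions, strictness):
    """Names of exception policies listed after a weaker one. `strictness`
    maps policy name to a comparable value (assumed here: minimum length).
    Such policies can never apply to an identity that also matches the
    earlier, weaker exception."""
    flagged, strongest_so_far = [], None
    for policy, _ in exceptions:
        s = strictness[policy]
        if strongest_so_far is not None and s > strongest_so_far:
            flagged.append(policy)
        strongest_so_far = s if strongest_so_far is None else max(strongest_so_far, s)
    return flagged


# Constructed sample data for the page's Accounting / Director example.
DIRECTOR_IN_ACCOUNTING = {"department": "Accounting", "jobCode": "DIR"}
ANALYST_IN_ACCOUNTING = {"department": "Accounting", "jobCode": "ANL"}
ENGINEER = {"department": "Engineering", "jobCode": "ENG"}

# Assumed: the Director policy (min length 14) is stricter than Accounting's (10).
STRICTNESS = {"director-policy": 14, "accounting-policy": 10}
STRICT_FIRST = [
    ("director-policy", [("jobCode", "DIR")]),
    ("accounting-policy", [("department", "Accounting")]),
]
LENIENT_FIRST = list(reversed(STRICT_FIRST))
```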
Reviewing Password Policies
You can review, edit, and delete password policies by going to Admin > Password Mgmt > Policies.
Here you can view all the sources associated with each password policy, along with the number of apps that use the source's password policy.
Select the Edit icon to edit the policy or the X icon to delete it.
Note
You cannot delete the default policy, nor can you edit its name.
Select a source name to redirect to the Password Settings options where you can change the source's associated policy. You can also synchronize sources so that both the policies and the passwords are shared.
Reviewing Password Policies on an App
To view what password policy and password source an application is using, go to Admin > Applications and select the app you want to check. The Configuration tab will show you the policy and source for that app. Refer to Configuring an App for Password Management for more information.
Defining Password Expiration Settings
If users need to reset their Active Directory passwords at regular intervals, you can set expiration settings and reminders from within IdentityNow using a password policy (default or custom) connected to an AD direct connection source.
While a password policy can have multiple exceptions with multiple conditions, expiration periods are inherited from the primary policy and other expiration settings are ignored.
The expiration settings only control the reminder messages. However, if you have configured pass-through authentication for any identity profiles, users in those profiles cannot sign in once their password has expired, because an expired password in AD automatically prevents authentication to IdentityNow.
Setting a Password Expiration for a Policy
If the policy is connected to an Active Directory source, you can choose how long a password is usable before it expires, as well as when users will receive reminders to change their password.
- Go to Admin > Password Mgmt > Policies. Select a policy associated with an Active Directory source.
- Select the Edit icon for the policy you want to edit.
- In the Password Expiration panel, select Enable.
- Set the Expiration Period to the number of days the password will be valid in Active Directory before it expires.
- Set Reminder Starting to the number of days before expiration at which to begin sending an email or SMS to users affected by the policy. A reminder is sent each day within that window until the user resets their password.
Important
To send a notification to users when their password expires, the user must be registered as an active user in IdentityNow. IdentityNow checks the last time the password was changed in Active Directory to determine when to send a reminder.
To find this value for yourself:
- Go to Admin > Identities > Identity List.
- Select the name of the identity to view its details.
- Select Accounts and choose the Active Directory account.
The Password Last Changed timestamp is displayed at the top of the page under Password Details.
You can customize the contents of the email message that users receive using the Password Expiration email template.
Troubleshooting Password Changes
Users receiving expired password notifications after changing passwords
If users are still receiving expired password notifications after they have changed their password outside of IdentityNow, aggregate to your password source.
Best Practice
Schedule daily aggregations to your password source to keep password data current.
Password change for an app is retrying or has failed
If a user changes their password for an app that is configured for Password Management, the change might not succeed on the first attempt. Some resolutions include:
- If there are connectivity problems with the source that return a retryable error, IdentityNow automatically retries the password change up to 3 times, at intervals of 5 seconds, 1 minute, and 3 minutes.
- If the app is connected to a source that requires IQService, verify that the related instance of IQService is running.
- Ensure that the related source is running as expected.