
Managing Password Policies

You can create password policies and associate them with a source to customize the password requirements for that source.

Creating a Password Policy

You can define the requirements for a new policy and apply it to sources configured for Password Management.

  1. Go to Admin > Password Mgmt > Password Policies.

  2. Select + New.

  3. Enter a name for your policy in the Policy Name field.

  4. In Password Requirements, set the password parameters to meet the security requirements of your organization and the related source so users can change their password from IdentityNow.

    If you have a password dictionary, you can enable it here.

  5. If the policy is connected to an Active Directory source, you can choose to enable and set a password expiration date, as well as when users should receive reminders to change their passwords.

  6. (Optional) Select the checkboxes to require all users, off-network users, or users in certain locations to authenticate before changing their password.

    Option box to require authentication for password updates initiated by All Users, Off Network Users, or Users in Untrusted Geographies.

    Caution

    If this is left empty, users can reset their passwords without going through an extra form of authentication.

    Note

    Authentication restrictions apply to:

  7. Select Save to create your password policy.

After creating a password policy, you can associate it with a source.

Associating Password Policies with Sources

All sources configured for Password Management will use the default policy unless you explicitly associate the source with a different policy. You can edit the default policy or create new policies and associate them with sources. Flat file sources are not compatible with Password Management.

Important

The policy you define must not conflict with the password requirements on the source itself for users to be able to change their password in IdentityNow.

After you edit the default policy or create new policies, you can associate them with direct connect sources.

Associating a Password Policy with a Source

  1. Go to Admin > Connections > Sources.

  2. Select the source.

  3. Select Import Data > Password Settings.

    Note

    This option is only available for certain direct connect sources that support Password Management. View the list of supported connectors to determine if your source supports Password Management.

  4. In the Password Policy dropdown list, select the new password policy. If the selected policy has an expiration period or a reminder starting date, those values are displayed here automatically.

    Note

    This field is not editable if the source belongs to a password sync group.

  5. Select Save.

Note

To allow users to reset their password on a source from IdentityNow, you must create an application for the source.

Associating Multiple Password Policies to a Source

You may need to have different password policies for different types of users of a single system. For example, you may want HR and Accounting users to have different password policies on the same source. To associate multiple password policies with a source, you can use exceptions and filtering.

Important

  • You must create and predefine the policies before they can be used as a primary or exception policy.

  • Sources defined in password sync groups do not support multiple password policies.

Adding Exceptions and Filtering to a Source

You can configure exceptions to the primary password policy and use filters to determine the group of users the exceptions apply to.

Important

You cannot use exceptions with password sync groups. Putting a source in a sync group overrides individual password policy configurations, so exception policies specified for those sources are ignored.

To add an exception to a policy:

  1. Go to Admin > Connections > Sources and choose a source.

  2. Select Import Data > Password Settings and select Add Exceptions. Use the arrows to order your policy exceptions.

    IdentityNow looks at each policy exception in the order they are listed in the UI to determine which policy parameters to apply to each user. The first policy the identity matches is applied.

    Best Practice

    List the strictest exception policy first. For example, if you have a policy for the Accounting department and a policy for Director-level job codes, list the stricter one first to impose the strongest password requirements for a Director in Accounting.

  3. Choose the predefined password policy you want to add exceptions to and select the Filter on Identity Attribute dropdown to view a list of all IdentityNow identity attributes.

    Password policy settings with an exception to Filter on the country Identity Attribute to exclude the United States.

  4. Select the identity attribute and enter the condition to filter on in the blank value field.

  5. To add multiple exception conditions to a policy, select + Add Condition. An identity only needs to match one of the conditions to have the exception policy applied.

  6. To add multiple policy exceptions to a source, select + Add Exception.

  7. When you are done, select Save.
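The first-match evaluation described in steps 2 and 5 above, modelled in code as an added example (an illustration, not IdentityNow's implementation): the policy names, attribute names and parameter fields are constructed, `ordering_warnings` implements the best practice of listing the strictest exception first, and `effective_settings` applies the rule from Defining Password Expiration Settings that the expiration period always comes from the primary policy.

```python
from dataclasses import dataclass

# Constructed sample policies, not SailPoint data; the field names are assumptions.
POLICIES = {
    "Default":    {"min_length": 8,  "expiration_days": 90},
    "Accounting": {"min_length": 12, "expiration_days": 60},
    "Directors":  {"min_length": 16, "expiration_days": 30},
}

@dataclass
class PolicyException:
    """A predefined policy plus conditions; the identity matches if ANY one condition matches."""
    policy: str
    conditions: list  # (identity attribute, value) pairs

@dataclass
class Source:
    primary_policy: str
    exceptions: list  # evaluated top to bottom, in the order shown in the UI

def exception_matches(exc, identity):
    return any(identity.get(attr) == val for attr, val in exc.conditions)

def resolve_policy(source, identity):
    """First exception the identity matches wins; otherwise the primary policy applies."""
    for exc in source.exceptions:
        if exception_matches(exc, identity):
            return exc.policy
    return source.primary_policy

def effective_settings(source, identity):
    """Password parameters come from the resolved policy, but the expiration period
    is inherited from the primary policy; expiration settings on exceptions are ignored."""
    name = resolve_policy(source, identity)
    return {"policy": name, "min_length": POLICIES[name]["min_length"],
            "expiration_days": POLICIES[source.primary_policy]["expiration_days"]}

def ordering_warnings(source):
    """Flag an exception stricter (longer minimum length) than one listed above it: it is shadowed."""
    found = []
    for i, later in enumerate(source.exceptions):
        for earlier in source.exceptions[:i]:
            if POLICIES[later.policy]["min_length"] > POLICIES[earlier.policy]["min_length"]:
                found.append(f"{later.policy} is stricter than {earlier.policy} but listed after it")
    return found

# Constructed source: the stricter Directors exception is listed first, per the best practice.
AD_SOURCE = Source("Default", [
    PolicyException("Directors", [("jobCode", "DIR")]),
    PolicyException("Accounting", [("department", "Accounting"), ("department", "Payroll")]),
])
```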

Reviewing Password Policies

You can review, edit, and delete password policies by going to Admin > Password Mgmt > Policies.

Here you can view all the sources associated with each password policy, along with the number of apps that use the source's password policy. Select the Edit icon to edit the policy or the X icon to delete it.

Note

You cannot delete the default policy, nor can you edit its name.

Select a source name to redirect to the Password Settings options where you can change the source's associated policy. You can also synchronize sources so that both the policies and the passwords are shared.

Reviewing Password Policies on an App

To view what password policy and password source an application is using, go to Admin > Applications and select the app you want to check. The Configuration tab will show you the policy and source for that app. Refer to Configuring an App for Password Management for more information.

Defining Password Expiration Settings

If users need to reset their Active Directory passwords at regular intervals, you can set expiration settings and reminders from within IdentityNow using a password policy (default or custom) connected to an AD direct connection source.

While a password policy can have multiple exceptions with multiple conditions, the expiration period is always inherited from the primary policy; expiration settings on exception policies are ignored.

The expiration settings only control the reminder messages. However, if you have configured pass-through authentication for any identity profiles, users in those profiles are prevented from signing in once their passwords have expired, because an expired password in AD automatically blocks authentication to IdentityNow.

Setting a Password Expiration for a Policy

If the policy is connected to an Active Directory source, you can choose how long a password is usable before it expires, as well as when users will receive reminders to change their password.

  1. Go to Admin > Password Mgmt > Policies. Select a policy associated with an Active Directory source.

  2. Select the Edit icon for the policy you want to edit.

  3. In the Password Expiration panel, select Enable.

  4. Set the Expiration Period for the number of days the password will be valid in Active Directory before it expires.

  5. Set Reminder Starting to the number of days before expiration at which IdentityNow begins sending an email/SMS to users impacted by the policy. A reminder is sent each day within that period until the user resets their password.

    Important

    To send a notification to users when their password expires, the user must be registered as an active user in IdentityNow. IdentityNow checks the last time the password was changed in Active Directory to determine when to send a reminder.

To view this timestamp yourself:

  1. Go to Admin > Identity Management > Identities.

  2. Select the name of the identity to view its details.

  3. Select Accounts and choose the Active Directory account.

The Password Last Changed timestamp is displayed at the top of the page under Password Details.


You can customize the contents of the email message that users receive using the Password Expiration email template.

Troubleshooting Password Changes

Users receiving expired password notifications after changing passwords

If users are still receiving expired password notifications after they have changed their password outside of IdentityNow, aggregate to your password source.

Best Practice

Schedule daily aggregations to your password source to keep password data current.

Password change for an app is retrying or has failed

If a user changes their password for an app that is configured for Password Management, the change might not succeed on the first attempt.

Some resolutions include:

  • If there are connectivity problems with the source that return a retryable error, IdentityNow automatically retries the password change up to 3 times, at intervals of 5 seconds, 1 minute, and 3 minutes.

  • If the app is connected to a source that requires IQService, verify that the related instance of IQService is running.

  • Ensure that the related source is running as expected.