Password management configurations
OpenIAM provides the capability to link multiple password policies to various objects such as roles, groups, organizations, managed systems and authentication policies. When a user sets/resets a password, a password policy resolver is called. The password policy with the highest priority is then applied.
- There are several password policies in OpenIAM: the Default Password Policy with a priority of 10; CustomPolicy1 with a priority of 14 (more restrictive than the default password policy); the AD Password Policy with a priority of 15.
- The following objects are in OpenIAM: the role Manager is linked to CustomPolicy1; the group AD Users is linked to the AD Password Policy; the organization Sales Department is linked to the Default Password Policy.
- The user John.Snow has a Manager role and is a member of the
- The user Sansa.Stark belongs to the AD Users group and is a member of the
- The user Arya.Stark has a Manager role and belongs to the
The password policies that will be applied to these users are as follows:
- John.Snow -
- Sansa.Stark - AD Password Policy
- Arya.Stark - AD Password Policy
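The resolution rule above, as an added Python model (not OpenIAM code): a user's roles, groups and organizations are mapped to their linked policies, inactive policies are skipped, and the highest priority wins. The three policies and their links are taken from the example; the user memberships, the inactive "Legacy Policy" and the "Legacy Users" group are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    priority: int       # a higher number wins during resolution
    active: bool = True


# Policies from the example above; "Legacy Policy" is constructed to show
# that an inactive policy is ignored even though it has the highest number.
POLICIES = {p.name: p for p in (
    PasswordPolicy("Default Password Policy", 10),
    PasswordPolicy("CustomPolicy1", 14),
    PasswordPolicy("AD Password Policy", 15),
    PasswordPolicy("Legacy Policy", 99, active=False),
)}

# (object type, object name) -> linked policy name
LINKS = {
    ("role", "Manager"): "CustomPolicy1",
    ("group", "AD Users"): "AD Password Policy",
    ("organization", "Sales Department"): "Default Password Policy",
    ("group", "Legacy Users"): "Legacy Policy",          # constructed
}


@dataclass(frozen=True)
class User:
    login: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    organizations: frozenset = frozenset()


def resolve_policy(user: User):
    """Return the active linked policy with the highest priority, or None."""
    memberships = ([("role", r) for r in user.roles]
                   + [("group", g) for g in user.groups]
                   + [("organization", o) for o in user.organizations])
    candidates = []
    for key in memberships:
        policy_name = LINKS.get(key)
        if policy_name is None:
            continue                      # object has no policy linked to it
        policy = POLICIES[policy_name]
        if policy.active:                 # inactive policies are skipped
            candidates.append(policy)
    if not candidates:
        return None   # assumption: the caller then applies a system default
    # highest priority wins; the name only makes ties deterministic
    return max(candidates, key=lambda p: (p.priority, p.name))
```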
Now, let's explore the policy configuration blocks.
Password policy overview
- Priority -- A numeric value representing the priority of this policy. A higher number means this policy takes precedence over policies with a lower number.
- Active/not active -- If the policy is not active it won't be used during the policy resolving process.
Password policy composition
- Alpha character (Min-Max) amount
- Ideographic characters (chars) are not allowed in the password -- Determines whether CJKV (Chinese, Japanese, Korean and Vietnamese) ideographic characters, as defined by the Unicode Standard, may be used in the password.
- Initial Password type
- Limit the repetition of the same character -- For example, if this value is set to 3, the password kkfd44kddsk is not acceptable because it contains four 'k' letters, but kkfd44Kddsk is accepted because one 'K' is uppercase (the check is case-sensitive).
- Lowercase characters (Min-Max) amount
- Minimum number of words in the phrase
- Non-alpha numeric symbols (Min-Max) amount
- Numeric characters (Min-Max) amount
- Reject Password equals password -- If checked, the policy rejects a password that is the word "password".
- Password history versions
- Password length
- Reject password which equals the LoginId
- Reject password which equals the First or Last name
- Characters not allowed in a password
- Words not allowed in a password -- If the password is in the blacklist (password dictionary) it is rejected.
- Repetition of the same word in the phrase
- Uppercase characters (Min-Max) amount
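The composition rules above, as an added Python validator (not OpenIAM code) so the interaction of the settings can be seen on concrete input. The rule values are constructed for the example; the repetition check deliberately counts exact characters, which is what makes kkfd44Kddsk pass where kkfd44kddsk fails.

```python
import unicodedata
from collections import Counter
from dataclasses import dataclass

# Rule values are constructed for the example, not OpenIAM's defaults.
@dataclass(frozen=True)
class CompositionPolicy:
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_numeric: int = 1
    min_symbols: int = 1            # non-alphanumeric symbols
    max_same_char: int = 3          # "Limit the repetition of the same character"
    forbid_ideographic: bool = True
    forbidden_chars: str = " "      # "Characters not allowed in a password"
    blacklist: frozenset = frozenset({"welcome1", "qwerty123"})

def is_ideographic(ch: str) -> bool:
    # CJKV ideographs have Unicode names beginning "CJK UNIFIED IDEOGRAPH"
    return unicodedata.name(ch, "").startswith("CJK UNIFIED IDEOGRAPH")

def validate(pw: str, policy: CompositionPolicy, login: str = "",
             first: str = "", last: str = "") -> list:
    # Returns the names of the violated rules; an empty list means accepted.
    errors = []
    if len(pw) < policy.min_length:
        errors.append("length")
    if sum(c.isupper() for c in pw) < policy.min_upper:
        errors.append("uppercase")
    if sum(c.islower() for c in pw) < policy.min_lower:
        errors.append("lowercase")
    if sum(c.isdigit() for c in pw) < policy.min_numeric:
        errors.append("numeric")
    if sum(not c.isalnum() for c in pw) < policy.min_symbols:
        errors.append("symbols")
    # Repetition is counted per exact character, so 'k' and 'K' differ
    if max(Counter(pw).values(), default=0) > policy.max_same_char:
        errors.append("repetition")
    if policy.forbid_ideographic and any(is_ideographic(c) for c in pw):
        errors.append("ideographic")
    if any(c in policy.forbidden_chars for c in pw):
        errors.append("forbidden_char")
    lowered = pw.lower()
    if lowered == "password":          # "Reject Password equals password"
        errors.append("equals_password")
    if lowered in policy.blacklist:    # "Words not allowed in a password"
        errors.append("blacklist")
    if lowered in {s.lower() for s in (login, first, last) if s}:
        errors.append("equals_identity")
    return errors
```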
Forgot password parameters
- Number of answers for user defined questions that are required to be correct -- OpenIAM provides 18 out-of-the-box security questions, but also allows the creation of custom questions. To use this function, go to Challenge Response Questions -> Create New Question. If you have custom questions, this policy defines the number of correct answers required.
- Max number of fail attempts to answer Helpdesk questions -- See Helpdesk protection for more information.
- User failed question answers count -- Each time the user answers a question incorrectly, their failure count increases. Once it exceeds the set number, the account is locked.
- Number of days the forgot password token is valid -- If not set, the default value is 3.
- Failed OTP count -- If not set, the default value is 3.
- OTP Lifetime (minutes) -- The default value is 30 minutes.
- Number of answers that are required to be correct -- The minimum number of correct answers needed for out-of-the-box security questions.
- Number of questions to display -- The total number of questions to be asked.
- Question list source
- Max number of Helpdesk questions to be asked to the end user -- See Helpdesk protection for more information.
- Should user choose reset password action?
To disable security questions so that they are not displayed during the first login, disable the following policies:
- Max number of fail attempts to answer Helpdesk questions
- Number of answers that are required to be correct
Password change rule
- Change Password on the 1st login?
- Change Password after reset -- Requires the user to change his/her password after the administrator has reset it.
- Determines how many times you are allowed to change your password
- Password expiration grace period -- The number of days after the password has expired during which the user is still permitted to log in. During the grace period, a message reminding the user to change his/her password is displayed upon login.
- Days to password expiration warning -- The number of days before the password expires at which a warning starts to be displayed.
- Password expiration days
- Reject reset by user -- If set to True, the Change Password button displayed in self-service (upon selecting the username from the top right menu bar) becomes disabled. Access to the button is calculated in the cache, with a default refresh time of two minutes.
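How the three expiration settings (expiration days, warning days, grace period) combine at login time, as an added Python example that is not OpenIAM code. The rule values and dates are constructed; that a login is refused once the grace period is over is an assumption drawn from the grace period description above.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ChangeRule:
    expiration_days: int    # "Password expiration days"
    warning_days: int       # "Days to password expiration warning"
    grace_days: int         # "Password expiration grace period"


def password_state(rule: ChangeRule, last_changed: date, today: date) -> str:
    """Classify a login attempt as 'ok', 'warn', 'grace' or 'expired'."""
    expires_on = last_changed + timedelta(days=rule.expiration_days)
    warn_from = expires_on - timedelta(days=rule.warning_days)
    grace_ends = expires_on + timedelta(days=rule.grace_days)
    if today < warn_from:
        return "ok"          # nothing shown at login
    if today < expires_on:
        return "warn"        # expiration warning displayed at login
    if today < grace_ends:
        return "grace"       # login allowed, reminder to change the password
    return "expired"         # assumption: grace period used up, login refused


def login_allowed(rule: ChangeRule, last_changed: date, today: date) -> bool:
    return password_state(rule, last_changed, today) != "expired"


if __name__ == "__main__":
    # Constructed sample: 90-day lifetime, 14-day warning, 5-day grace.
    rule = ChangeRule(expiration_days=90, warning_days=14, grace_days=5)
    for day in (date(2024, 3, 1), date(2024, 3, 20), date(2024, 4, 2), date(2024, 4, 6)):
        print(day, password_state(rule, date(2024, 1, 1), day))
```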
It is also possible to limit password validation attempts. After the limit is reached, the following error is thrown:
Maximum limit for password validation for an identity reached.
User will again be able to validate this password after 10 minutes.