Set password complexity for users

In Enterprise Application Access (EAA) you can configure your Active Directory (AD) to allow EAA to manage password complexity of the Login Portal from the EAA Management Portal. Every AD has a password complexity requirement. Your business may have other password reset requirements such as:

  • New employees may be required to change their password upon first login.

  • Periodic password change, for example every 90 or 180 days, as per your business' security policy. This can be set at the group or individual user level in the AD domain.

    • Change password when it is still valid.

    • Reset password after it has expired.

  • Proactive or at will password change.

If your AD uses Windows 2008, 2012, or 2016, LDAPS is required for the directory host.
If your AD uses Open LDAP, LDAP or LDAPS may be used for the directory host.

The directory Password Management fields are:

  • Allow users to change password. Select this option to allow users to change their passwords in the EAA Login Portal.

    • For the AD, enable this setting to allow users to change their passwords if their current password is valid and you do not require that users reset the password on their next login.

    • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset, provided the grace authentication limit with expired passwords or must-reset passwords has not been exceeded.

By default, this setting is disabled. If disabled, the user cannot change the password through the EAA Login Portal and needs to do so through the native directory outside of EAA.

  • Allow users to reset password. Select this option to allow users to reset their passwords in the EAA Login Portal.

    • For the AD, enable this setting to allow users to change their passwords if the EAA administrator requires the user to reset the password on their next login.

    • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset after the grace authentication limit with expired passwords or must-reset passwords has been exceeded.

To support this capability, EAA needs write privileges on the service account to modify another user's password. This setting only controls whether EAA attempts to handle these use cases; the permissions the service account needs must be configured on the AD or Open LDAP itself. Typically, accounts with admin privileges also have the permission to change another user's password. Admins may want to restrict this privilege for the service account using mechanisms supported by the directory.

By default, allowing users to reset their own password is disabled. If disabled, the user cannot reset the password through the EAA Login Portal and needs to do so through the native directory outside of EAA.

  • Default password policy. This is a required field. It is automatically completed by the Microsoft AD. If you are using Open LDAP as your directory host, enter the default password policy for the directory.

  • Password expiry warning threshold (in seconds). This setting allows EAA to display a password change reminder message to users when they log in to the EAA portal, to encourage them to change their password before it expires. EAA can determine the age of the user's current password upon login and, if it exceeds the configured warning threshold, display a password change reminder message.

To support password changes from the EAA Login Portal, EAA needs write privileges on the service account to modify another user's password. If write privileges are not granted to EAA, the warning message may help to reduce admin support for expired user passwords. Enter the amount of time, in seconds, before the password expires to display the password change reminder message.

By default this threshold is set to zero (0). When set to zero (0), no warning messages display.

  • Password force change threshold (in seconds). This setting allows EAA to force a password change to users when they log in to the EAA Login Portal before they can access any application. This threshold should be greater than the warning threshold and less than the maximum age of the password in the AD. Enter the amount of time, in seconds, before the password expires to force a password change from the EAA Login Portal.

By default this threshold is set to zero (0). When set to zero (0), EAA does not attempt to force a change of current valid passwords.

  • Password complexity. To set a message for users to read in the EAA Login Portal, enter information about the password requirements in the Password complexity field.

Password character restrictions

Enterprise Application Access is flexible when it comes to passwords, but there are limitations on what you can use in a password.

Create all user and system-level passwords using the following requirements. Passwords must not be predictable or easy to guess. These passwords must meet the following requirements or they are rejected by the authorization system:

  • Minimum length of eight characters.

  • Cannot be the same as the username, accountID, userID, or loginID.

  • Contain at least one character from the following categories:

    • Uppercase characters
    • Lowercase characters
    • Numeric characters
    • Non-alphabetic characters (special characters: ~ ! @ # $ % ^ & * _ - + = ` | ( ) { } [ ] : ; " ' < > , . ? /)

  • Passwords must be changed every 90 days (once changed, the password may not be reused for two years).

  • Passwords must not be shared or given to another user.

  • Group passwords are forbidden.

  • Passwords must not be stored in clear text.

  • Passwords must be changed or the account disabled upon:

    • Password compromise
    • Suspected security breach
    • Password disclosure
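As an added example (not EAA or Akamai code), the following checker applies the testable requirements from the list above to a candidate password before it is submitted to the directory: minimum length, the four character categories, the identifier comparison, and the two-year reuse window. Two readings are assumptions of this example: the category rule is read as requiring at least one character from each category, and characters outside the listed categories (spaces, non-ASCII) are treated as disallowed. The identifiers (username, account ID, user ID, login ID) are supplied by the caller, and the reuse history stores only a salt and a PBKDF2 digest per previous password, so nothing is kept in clear text.

```python
"""Added example (not EAA code): checking a candidate password against the
requirements listed on this page."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Character categories from the requirements; the special-character set is the one listed above.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set("~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/")
ALLOWED = UPPER | LOWER | DIGITS | SPECIAL  # anything else is treated as disallowed (assumption)
MIN_LENGTH = 8
REUSE_WINDOW = timedelta(days=2 * 365)       # "may not be reused for two years"
PBKDF2_ROUNDS = 100_000                      # demonstration parameter, not a directory setting


def password_problems(password: str, *identifiers: str) -> list[str]:
    """Return the requirements the password fails; an empty list means it passes.

    identifiers: the username, account ID, user ID and login ID; the password may
    not equal any of them (compared case-insensitively here, an assumption).
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if any(ident and password.lower() == ident.lower() for ident in identifiers):
        problems.append("must not equal the username, account ID, user ID or login ID")
    chars = set(password)
    for name, category in (("uppercase", UPPER), ("lowercase", LOWER),
                           ("numeric", DIGITS), ("non-alphabetic", SPECIAL)):
        if not chars & category:
            problems.append(f"needs at least one {name} character")
    disallowed = sorted(chars - ALLOWED)
    if disallowed:
        problems.append("contains characters outside the allowed set: " + repr("".join(disallowed)))
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def history_entry(password: str, changed_at: datetime) -> tuple[bytes, bytes, datetime]:
    """Record a password in the reuse history as (salt, digest, change time), never in clear text."""
    salt = os.urandom(16)
    return salt, _digest(password, salt), changed_at


def reused_too_soon(password: str, history, now: datetime) -> bool:
    """True if the password matches a history entry that was set within the reuse window.
    Every entry is checked, and digests are compared in constant time."""
    found = False
    for salt, digest, changed_at in history:
        if hmac.compare_digest(_digest(password, salt), digest) and now - changed_at <= REUSE_WINDOW:
            found = True
    return found


if __name__ == "__main__":
    # Constructed sample data: a user "jdoe" with one password set five months ago.
    now = datetime(2024, 6, 1)
    history = [history_entry("Spring-2024!", datetime(2024, 1, 1))]
    for candidate in ("Correct-Horse9", "password", "jdoe", "Spring-2024!"):
        print(candidate, "->", password_problems(candidate, "jdoe") or "meets requirements",
              "| reused too soon:", reused_too_soon(candidate, history, now))
```

The checker reports every failed requirement rather than stopping at the first, which is the behaviour a user-facing portal message needs; the reuse check is a separate call because it needs the stored history rather than only the candidate string.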

Manage password complexity for the Login Portal from the Active Directory (AD)

In Enterprise Application Access (EAA) you can configure your Active Directory (AD) to allow EAA to manage password complexity of the EAA Login Portal from the EAA Management Portal.

  1. In the EAA navigation menu, select Identity > Directories.
    The Directory cards appear.

  2. On the directory card, click Configure Directory.
    The directory configuration page appears.

  3. In Host, select ldaps.

  4. Click Show Additional Attributes.

  5. In Password Management select Allow users to change password.

  6. Complete the fields that apply to your password policy.

  7. Click Save Directory.