Configuring a Password Policy

You can configure a password policy for:

  • Your own users: your direct child reseller or customer account users
  • Child account users: your reseller or customer account users.

To configure a password policy, complete the following steps:

  1. In Operations PCP, go to Services > Identity Service > Password Policy.
  2. Specify the following password-related settings:

    • General Settings

      • Minimum password length: the minimum length for a password to be valid.
      • Blacklist weak passwords: a password is checked against a fixed, predefined blacklist and is valid only if it does not appear there.
      • Prohibit username-based passwords: a username cannot be used as a password.
    • Required Character Types

      • Digits: digits are required for a password to be valid.
      • Uppercase: uppercase characters are required for a password to be valid.
      • Lowercase: lowercase characters are required for a password to be valid.
      • Special symbols: special symbols are required for a password to be valid. The special symbols are: ()[]#,.;@&*-_+!

        Important: A password must include at least one character from this group.

    • Password Expiration

      • Password expiration: if selected, a password will have an expiration period.
      • Expiration period, days: the number of days after which a password is considered expired.
      • Number of previous passwords to prohibit: the number of previously used passwords that cannot be used as a new password.
    • Two-Factor Authentication

      • Enable: if selected, two-factor authentication is enabled. For more information, refer to the Keycloak documentation.
      • One Time Password Type: Select Time Based or Counter Based.
      • Look-ahead Window:
        • For Time Based: Specify how many intervals ahead the server should try to match the hash.
        • For Counter Based: Specify how many counters ahead the server should try to match the hash.
      • Initial Counter (for Counter Based only): Specify the value of the initial counter.

        Note:
        For the time-based type, the following applications are supported:
        - FreeOTP
        - Google Authenticator
        - Microsoft Authenticator
        For the counter-based type, the following application is supported:
        - FreeOTP

        Resetting Two-factor Authentication

        Note: This functionality requires Identity Service 4.1 or later and UI and Branding 21.16 or later.

        Provider's and operating unit's users can reset two-factor authentication settings for users that belong to their own account, or to their resellers and customers.

        To be able to reset two-factor authentication settings, a provider's or operating unit's user must have one of the following privileges:

        • Admin level of the Own Users operations privilege is required to reset it for users in your account.

          Note: A user cannot request a reset of their own two-factor authentication settings.

        • Admin level of the All Users operations privilege is required to reset it for your direct and indirect customers' users.

        • Admin level of the Reseller Users privilege is required to reset it for your resellers' users.

        To reset the settings for a user, complete these steps:

        1. Log in to the Provider Control Panel, Reseller Control Panel or UX1 for Resellers.

          Note: Currently, from UX1 for Resellers it is possible to reset two-factor authentication settings only for the users in your own account.

        2. Find the user to reset the settings for and open their details.

        3. Click Reset two-factor authentication.

        4. On the next login attempt, that user will be asked to reconfigure their two-factor authentication settings.

        Resetting One-Time Password

        Note: Use this feature only if you are using Identity Service version 4.0 or earlier. Otherwise, reset two-factor authentication settings using the instructions above.

        If a user's smartphone is lost, or in other circumstances, you can reset a one-time password (OTP) setting. To do this, complete the following steps:

        1. Log in to the Keycloak administration panel.
        2. Open the security realm that corresponds to the brand that the user needs to log in to.
        3. Go to Users and click the user account.
        4. Go to Credentials. Under Manage Credentials, find the credential with the OTP type and delete it to reset the OTP for the user.

      Note: IDP password policies will not be applied if Password Quality level for Child Accounts is set to None in System > Settings > Setup > Password Quality in the Classic Control Panel.
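
How the Look-ahead Window and Initial Counter settings above affect one-time password checks, shown as an added example (not code from this product or from Keycloak). It uses the standard RFC 4226 algorithm; the function names, the sample secret and the symmetric time window are assumptions, and the exact window semantics of the Identity Service are not stated on this page.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_counter_based(secret, submitted, server_counter, look_ahead):
    """Try server_counter .. server_counter + look_ahead.

    Returns the new server counter (match + 1) so the used code and every
    skipped one can never be accepted again, or None if nothing matched.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter + 1
    return None

def verify_time_based(secret, submitted, now, look_ahead, period=30):
    """Accept a code from the current 30 s interval or `look_ahead` intervals
    on either side (assumed symmetric here to absorb clock drift)."""
    step = int(now) // period
    for s in range(max(0, step - look_ahead), step + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, s), submitted):
            return True
    return False

# Constructed sample data: the RFC 4226 test secret, Initial Counter = 0.
SECRET = b"12345678901234567890"
INITIAL_COUNTER = 0

if __name__ == "__main__":
    # The user pressed the token button three times without logging in,
    # so the device is at counter 3 while the server still expects 0.
    code = hotp(SECRET, 3)
    print(verify_counter_based(SECRET, code, INITIAL_COUNTER, look_ahead=1))
    print(verify_counter_based(SECRET, code, INITIAL_COUNTER, look_ahead=3))
```

Every extra position in the window is one more code the server accepts at a given moment, so keep the window as small as your users' devices allow.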
