Account and Password Policies

Service Provider account and password policies behave differently than those for Identity Manager:

• There can be only one account policy defined for the entire Service Provider user population. This policy can be set on the main Service Provider configuration page.

• The Service Provider account policy does not support the following options that are available for Identity Manager users

  • Expires in

  • Warning time before expiration

  • Reset Option

  • Reset temporary password expires in

  • Reset Notification Option

  • Passwords may be changed or reset

  • Enforce Answer Policy at Login

  • Allow User Supplied Questions

    These options are not displayed when editing the Service Provider Policy object.

  The Service Provider account policy can refer to an accountId and a password policy. Service Provider does not maintain the password history. Password policies, however, allow setting the Number of Previous Passwords that Cannot be Reused and Maximum Number of Similar Characters from Previous Passwords that Cannot be Reused options. These options are ignored by Service Provider.

• Account lockout in Service Provider occurs when a user has too many consecutive failed login attempts. This applies to both password-based login attempts and login attempts based on authentication questions.

• The sample account policy Service Provider Policy sets separate limits for password-based and question-based account lockouts. Accounts that are locked out can be explicitly unlocked by an administrator or implicitly when the lock expires (such as after one hour).