20 Managing Password Policies
This chapter describes password policy management in the following sections:
20.1 About Password Policies
The Oracle Identity Manager provides a common password policy management framework between Oracle Identity Manager and Oracle Access Manager (OAM). It also introduces the concept of a challenge policy, which allows you to specify whether challenge questions are system-defined or end-user defined (or a combination of both).
Organization administrators can associate a password policy with an organization, selecting from the password policies created by system administrators. A password policy set for an organization applies to that organization and all of its suborganizations. If the administrator of a suborganization sets a different password policy for that suborganization, the parent organization's policy is overridden by the new one, which then applies to all suborganizations under it. If a user is a member of multiple organizations, the user's password policy depends on the home organization and the home organization's hierarchy.
In addition, password policy priority determines which password policy applies to a user who is a member of multiple organizations. If the organizations are in a hierarchy, the password policy of the organization closest to the user applies, even if the password policy associated with the parent organization has a higher priority. During user creation, Oracle Identity Manager validates the password, whether entered manually or autogenerated, against the default password policy attached to the Top organization. When a user logs in for the first time and changes the password, the highest-priority password policy applicable to the user's organization is applied.
20.2 Searching Password Policies
Use the Password Policy page to perform simple and advanced searches for password policies.
To search for password policies, use one of the following procedures:
20.2.1 Performing Basic Search for Password Policies
To perform a basic search for password policies:
- Log in to Identity Self Service.
- Click Manage. Place your mouse pointer on the Policies box, and click Password Policies. The Password Policy page is displayed.
- In the Policy Name field, enter the name of the policy you want to search for.
- Click Search. The password policies that match the Policy Name search condition are displayed.
20.2.2 Performing Advanced Search for Password Policies
To perform an advanced search:
- Log in to Identity Self Service.
- Click Manage. Place your mouse pointer on the Policies box, and click Password Policies. The Password Policy page is displayed.
- Click the Advanced link. The Advanced Password Policies search page is displayed.
- Select a search comparator. The default search comparator is Starts With. Other options are Equals, Ends With, Does Not Equal, and Contains.
  You can use wildcard characters to specify the password policy name.
- To add a field to your search:
  - Click Add Fields, and select Policy Name.
  - Enter a value for the search attribute that you added.
  This option is useful for creating complex conditions such as Policy Name starts with Test and Policy Name ends with User. In this case, two fields have to be included.
  If you want to remove a field that you added to the search, click the cross icon next to the field.
- To reorder the search element list, click Reorder. A Reorder Search Fields tab opens. Select the search element that has to be reordered and rearrange it using the arrow keys. Click OK.
  The order in which search elements are listed is modified accordingly.
- Click Search. The results are displayed in the search results table.
20.3 Creating a Password Policy
Creating a password policy involves setting password restrictions, challenge question restrictions, and the rules that are associated with the password policy.
By creating password policies, you can:
- Set password restrictions, for example, define the minimum and maximum length of passwords
- Set challenge question restrictions
- See rules that are associated with a password policy
Note:
In an environment in which LDAP synchronization is enabled, you must ensure one of the following:
- Password policies set in Oracle Identity Manager are more restrictive than the password policies set on the LDAP server.
- Password policies set in Oracle Identity Manager match the password policies set on the LDAP server.
Otherwise, a password that Oracle Identity Manager accepts can be rejected by the directory when it is synchronized.
To create a password policy:
Note:
A password policy is not applied during the creation of an Oracle Identity Manager user through trusted source reconciliation.
20.4 Understanding Password Policy Rules
Setting password policy rules involves specifying criteria for your password policy in the Policy Rules section of the password policy details page.
This section describes the password policy rules in the following topics:
20.4.1 Password Policy Rules
Setting password policy rules involves specifying criteria for your password policy, for example, the minimum and maximum length of passwords.
You can use either or both of the following methods to set password restrictions:
- Enter information in the appropriate fields, or select the required check boxes. For example, to indicate that a password must have a minimum length of four characters, enter 4 in the Minimum Length field.
- In the Password File field, enter the directory path and name of the password policy file (for example, c:\Xellerate\userlimits.txt). This file contains predefined words that you do not want to be used as passwords. The delimiter specified in the File Delimiter field separates these words. The predefined words in the file cannot be used as passwords. For example, if the file contains the word welcome, then welcome, Welcome, and welcome123 are invalid passwords.
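The following is an added example, not Oracle Identity Manager code, showing how the two rule sources above combine: field values (minimum and maximum length) and a delimiter-separated password file of forbidden words matched case-insensitively as substrings, so that a forbidden word welcome rejects welcome, Welcome and welcome123. The file contents, the delimiter, the length limits and the function names are assumptions constructed for the example.

```python
"""Added example (not Oracle's code): combining field-based rules with a
delimiter-separated forbidden-word file, as described in 20.4.1.  The file
contents, delimiter, length limits and function names are assumptions
constructed for this example."""
import os
import tempfile


def load_forbidden_words(path, delimiter):
    """Read the password file and split it on the configured File Delimiter.

    Words are lower-cased once here so every later comparison is
    case-insensitive; empty fragments (trailing delimiters) are dropped."""
    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    return [w.strip().lower() for w in raw.split(delimiter) if w.strip()]


def violations(password, min_length, max_length, forbidden_words):
    """Return a list of rule violations for a candidate password.

    Dictionary matching is case-insensitive and substring-based, so a
    forbidden word 'welcome' rejects 'welcome', 'Welcome' and 'welcome123'.
    An empty list means the password satisfies every rule checked here."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than minimum length {min_length}")
    if len(password) > max_length:
        problems.append(f"longer than maximum length {max_length}")
    lowered = password.lower()
    for word in forbidden_words:
        if word in lowered:
            problems.append(f"contains forbidden word '{word}'")
    return problems


def write_constructed_password_file(delimiter=","):
    """Create a temporary userlimits-style file (constructed sample data)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(delimiter.join(["welcome", "password", "oracle"]))
    return path


def demo():
    """Evaluate a few constructed candidates against an 8..32 length rule
    plus the forbidden-word file; returns {password: [violations]}."""
    path = write_constructed_password_file(",")
    try:
        words = load_forbidden_words(path, ",")
        return {pw: violations(pw, 8, 32, words)
                for pw in ("welcome", "Welcome", "welcome123", "Tr0ub4dor&3")}
    finally:
        os.remove(path)


if __name__ == "__main__":
    for pw, probs in demo().items():
        print(pw, "->", "OK" if not probs else "; ".join(probs))
```

The substring check is what makes welcome123 fail; a policy that only compared whole words would let it through, so the file's words should be chosen as fragments you never want to appear, not as complete passwords.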
20.4.2 Setting Password Policy Rules
To set the rules for a password policy:
Note:
After creating a password policy, you must associate the policy with an organization. The rules of the policy are applied to the users of that organization and its suborganizations. For more information, see Evaluating Password Policies.
20.5 Evaluating Password Policies
Oracle Identity Manager evaluates the password policy that is applicable to a user when the user registers with Oracle Identity Manager or resets a forgotten password.
In Oracle Identity Manager, password policies are evaluated in the following scenarios:
- When users register themselves with Oracle Identity Manager to perform certain tasks in Identity Self Service or Oracle Identity System Administration.
- When users reset their password using the Forgot Password? link.
- When users change their enterprise password or target system account password from the Change Password section of the My Information page.
- When an administrator sets or changes the password of a user manually.
The following is the order in which a user's effective password policy is evaluated:
- The password policy (if available) set for the user's home organization is applicable to the user.
- If no password policy is set for the user's home organization, the policy of the organization at the next level up in the hierarchy of the user's home organization is picked. This procedure of moving to the next level in the hierarchy continues until an organization associated with a password policy is found. That password policy is applicable to the user.
- If none of the organizations in the hierarchy has a password policy set, the password policy attached to the Top organization is applicable. If no password policy is attached to the Top organization, the default password policy of the XellerateUsers resource is applicable.
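The lookup order above, expressed as a function over a constructed organization tree. This is an added example, not Oracle Identity Manager code: the organization names, the attached policy names and the shape of the tree are assumptions for the example, Top is the root organization named in the text, and DEFAULT_POLICY stands in for the XellerateUsers default.

```python
"""Added example (not Oracle's code): resolving a user's effective password
policy by walking from the home organization toward Top, as in 20.5.
Organization names, policy names and the tree shape are constructed
assumptions; DEFAULT_POLICY stands for the XellerateUsers default."""

DEFAULT_POLICY = "XellerateUsers default"

# Constructed tree: organization -> (parent organization, attached policy or None).
# Only Top and Engineering have a policy attached; the others inherit.
ORGS = {
    "Top": (None, "CorpDefault"),
    "Engineering": ("Top", "Eng-Strict"),
    "Platform": ("Engineering", None),
    "Sales": ("Top", None),
    "EMEA Sales": ("Sales", None),
}


def effective_policy(home_org, orgs=ORGS, default=DEFAULT_POLICY):
    """Return the password policy that applies to a user whose home
    organization is `home_org`.

    Starting at the home organization, the first organization on the path to
    Top that has a policy attached wins, so a suborganization's policy
    overrides its parent's.  If the walk reaches Top and Top has no policy,
    the default applies.  A cycle in the hierarchy is reported rather than
    looping forever."""
    org = home_org
    seen = set()
    while org is not None:
        if org in seen:
            raise ValueError(f"cycle in organization hierarchy at {org!r}")
        seen.add(org)
        if org not in orgs:
            raise KeyError(f"unknown organization {org!r}")
        parent, policy = orgs[org]
        if policy is not None:
            return policy
        org = parent
    return default


def resolution_path(home_org, orgs=ORGS):
    """Return the organizations visited, in order, for audit or debugging."""
    path, org = [], home_org
    while org is not None:
        path.append(org)
        org = orgs[org][0]
    return path


if __name__ == "__main__":
    for org in ORGS:
        print(f"{org:12} -> {effective_policy(org)}  via {' > '.join(resolution_path(org))}")
```

Because Platform inherits Eng-Strict rather than CorpDefault, attaching a weaker policy to an intermediate organization silently relaxes the rules for everything beneath it; the resolution path is worth logging when a password is accepted that you expected to be rejected.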
20.6 Setting Challenge Options
Oracle Identity Manager allows an administrator to configure the set of challenge questions that is shown to the user to validate the user's identity before a forgotten password is reset.
To set the challenge question options for a password policy:
- In the Password Policy page, search for and select the password policy that you want to open.
- From the Actions menu, select Open. Alternatively, click Open on the toolbar. The password policy details page is displayed.
Note:
You can also set the challenge options at the time of creating the password policy.
- In the Challenge Options section, if Enable Challenge Policy support is selected, the fields listed in Table 20-3 can be configured:
Table 20-3 Fields in the Challenge Option Section
Allowed Challenges: Selects which set of challenge questions is shown to the user. The options are User Defined, Admin Defined, or User or Admin Defined.
  - If User Defined is selected, the challenge questions are set by the user.
  - If Admin Defined is selected, the challenge questions are selected from the list provided by the administrator.
  - If User or Admin Defined is selected, the questions are a combination of administrator-defined and user-customized questions.
Total Questions To Be Collected: The total number of challenge questions a user must answer at login.
Minimum Correct Answers When Challenged: The minimum number of correct answers the user must provide when asked the challenge questions.
Allow Duplicate Responses: Whether the user may give the same response to more than one challenge question.
Minimum Answer Length: The minimum length of an answer to a challenge question.
Lock User After Attempts: The number of attempts with wrong answers to the challenge questions before the user is locked.
- When Allowed Challenges is set to Admin Defined or User or Admin Defined, challenge questions have to be added. The number of challenge questions is determined by the Total Questions To Be Collected field.
To add questions:
  - Under the Challenge Questions section, click Add.
  - Enter the challenge question in the Questions table. To include more questions, click Add.
  - To delete a question, select the question and click Delete.
Note:
If you have customized the challenge questions, modify the customResources properties under the IDM_HOME/server/customResources/ directory to add your localized messages.
- Click Apply to save the password policy changes.
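The following is an added example, not Oracle Identity Manager code, showing how the Table 20-3 fields behave as enrollment and verification checks: Total Questions To Be Collected, Minimum Answer Length and Allow Duplicate Responses constrain what a user may register, while Minimum Correct Answers When Challenged and Lock User After Attempts govern the reset-time challenge. The ChallengePolicy and ChallengeState classes, the choice to store a digest of each normalized answer, and the sample questions and answers are assumptions constructed for the example.

```python
"""Added example (not Oracle's code): applying the challenge-option fields
from Table 20-3 at enrollment and at challenge time.  The classes, the
digest-based answer storage and the sample answers are assumptions
constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class ChallengePolicy:
    total_questions: int = 3        # Total Questions To Be Collected
    min_correct: int = 2            # Minimum Correct Answers When Challenged
    allow_duplicates: bool = False  # Allow Duplicate Responses
    min_answer_length: int = 4      # Minimum Answer Length
    lock_after_attempts: int = 3    # Lock User After Attempts


def _normalize(answer: str) -> str:
    """Trim and lower-case so 'Fluffy ' and 'fluffy' compare equal."""
    return answer.strip().lower()


def _digest(answer: str) -> bytes:
    # Example choice: keep a digest of the normalized answer, not the plaintext.
    return hashlib.sha256(_normalize(answer).encode("utf-8")).digest()


def enroll(policy: ChallengePolicy, answers):
    """Validate the answers supplied at enrollment and return stored digests.

    Raises ValueError naming the violated field."""
    if len(answers) != policy.total_questions:
        raise ValueError(
            f"expected {policy.total_questions} answers, got {len(answers)}")
    normalized = [_normalize(a) for a in answers]
    for a in normalized:
        if len(a) < policy.min_answer_length:
            raise ValueError(
                f"answer shorter than Minimum Answer Length {policy.min_answer_length}")
    if not policy.allow_duplicates and len(set(normalized)) != len(normalized):
        raise ValueError("duplicate responses are not allowed")
    return [_digest(a) for a in answers]


@dataclass
class ChallengeState:
    stored: list                # digests returned by enroll()
    failed_attempts: int = 0
    locked: bool = False


def verify(policy: ChallengePolicy, state: ChallengeState, responses) -> bool:
    """Compare responses with the stored digests; True when enough match.

    A locked user always fails.  Each failed challenge counts one attempt,
    and reaching Lock User After Attempts locks the user; a success resets
    the counter.  compare_digest keeps the per-answer comparison constant
    time."""
    if state.locked:
        return False
    correct = sum(
        hmac.compare_digest(_digest(r), s)
        for r, s in zip(responses, state.stored)
    )
    if correct >= policy.min_correct:
        state.failed_attempts = 0
        return True
    state.failed_attempts += 1
    if state.failed_attempts >= policy.lock_after_attempts:
        state.locked = True
    return False


if __name__ == "__main__":
    policy = ChallengePolicy()
    state = ChallengeState(enroll(policy, ["Fluffy", "Springfield", "Blue Honda"]))
    print(verify(policy, state, ["fluffy", "SPRINGFIELD", "wrong"]))   # 2 of 3 correct
    for _ in range(3):
        verify(policy, state, ["a", "b", "c"])
    print(state.locked)
```

Note the interaction between the two numeric fields: with Minimum Correct Answers set below Total Questions, an attacker who knows one answer only needs to guess the remainder, so Lock User After Attempts is what bounds the guessing budget.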
20.7 Deleting a Password Policy
Delete password policies that are not required or are not in use.
To delete a password policy:
- In the Password Policy page, search and select a password policy that you want to delete.
- From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.
- Click Yes to confirm the deletion.
20.8 Associating Password Policies with Organizations
To associate a password policy with an organization and use it to manage the passwords of Oracle Identity Manager users, see Creating an Organization.
To associate the password policy with a resource, see "Configuring Password Policies for Application Instances" in the Administering Oracle Identity Governance.