Password Policies and Authorization on Policy Server

Article ID: 214472

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

Are password policies applied at the authorization phase?

Resolution

In short: because the user's password comes into play only during the Authentication Phase, Password Policies are applied only when the Authentication Scheme is triggered.

  • Note that when logging the user in, the Policy Server actually performs a Bind to the LDAP User Store during the Authentication Phase.
  • At the Authorization Phase, the Policy Server does not attempt that Bind with the LDAP User Store. It only validates the user, i.e. looks the user up in the User Directory in order to apply the User Policy. Neither the password nor the account status is validated at that time, as stated in the documentation (1)(2)(3).
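The following is an added illustration, not SiteMinder code or an API of the product: a small Python model of the two phases described above, with the password and account-status checks placed in the "bind" step only, so that a session obtained at authentication is authorized against policy bindings without those checks being repeated. The user store, the fixed clock, the session lifetime and every name (UserEntry, Session, authenticate, authorize) are assumptions made for this example. It shows the practical consequence a practitioner should plan for: disabling an account or expiring its password after login does not revoke authorization until the session ends or the user authenticates again.

```python
# Added illustration, not SiteMinder code: a toy model of the two phases the
# article describes. All names and values below are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

T0 = datetime(2024, 6, 1, 9, 0)          # constructed "now" used by the demo
SESSION_LIFETIME = timedelta(hours=8)    # assumed session lifetime


@dataclass
class UserEntry:
    """One constructed entry in the LDAP-style user store."""
    dn: str
    password: str            # plaintext only because this is a toy model
    groups: frozenset
    disabled: bool = False
    password_expires: datetime = datetime(2099, 1, 1)


# Constructed user store keyed by uid (not a real directory).
USER_STORE = {
    "alice": UserEntry("uid=alice,ou=people,dc=example,dc=com", "correct horse",
                       frozenset({"Employees"})),
    "bob": UserEntry("uid=bob,ou=people,dc=example,dc=com", "hunter2",
                     frozenset({"Employees"}),
                     password_expires=datetime(2020, 1, 1)),
}


@dataclass
class Session:
    """User context established at authentication, carrying resolved bindings."""
    uid: str
    groups: frozenset
    expires: datetime


def authenticate(uid: str, password: str, now: datetime = T0) -> Optional[Session]:
    """Authentication Phase: the 'bind'. Password and password-policy checks
    (expired password, disabled account) happen here and only here."""
    entry = USER_STORE.get(uid)
    if entry is None or entry.password != password:
        return None                          # bind fails
    if entry.disabled or now >= entry.password_expires:
        return None                          # password policy rejects the login
    return Session(uid, entry.groups, now + SESSION_LIFETIME)


def authorize(session: Session, required_group: str, now: datetime = T0) -> bool:
    """Authorization Phase: no bind. The user is only looked up so the policy
    binding (group membership) can be evaluated; password and account status
    are not re-checked, mirroring the behaviour the article describes."""
    if now >= session.expires:
        return False                         # only the session lifetime bounds access
    entry = USER_STORE.get(session.uid)
    if entry is None:
        return False                         # user no longer exists in the directory
    return required_group in entry.groups


def disabled_account_keeps_session() -> Tuple[bool, bool, bool]:
    """Returns (authorized before disabling the account, authorized 5 minutes
    after disabling it with the same session, authorized once the session expired)."""
    session = authenticate("alice", "correct horse", T0)
    assert session is not None
    before = authorize(session, "Employees", T0)
    USER_STORE["alice"].disabled = True
    try:
        after = authorize(session, "Employees", T0 + timedelta(minutes=5))
        after_expiry = authorize(session, "Employees", T0 + SESSION_LIFETIME)
    finally:
        USER_STORE["alice"].disabled = False   # restore the constructed store
    return before, after, after_expiry


if __name__ == "__main__":
    print("bob (expired password) authenticates:", authenticate("bob", "hunter2"))
    print("alice before disable / after disable / after expiry:",
          disabled_account_keeps_session())
```

In this model the only things that end a disabled user's access are session expiry and re-authentication, which is why session timeouts, not password policy settings, are the control to tune when a fast revocation window matters.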

Additional Information

(1) Policy Overview

    Policy Bindings

      A policy binding is the method used to link a user with a policy. The
      Policy Server only resolves policies for users who are part of a
      policy binding created by the users or groups contained in a policy.

      Before the Policy Server can resolve a user’s attempt to access a
      protected resource, the user must be authenticated. When SiteMinder
      authenticates a user, it establishes a context for the user. The user
      context provides information about who the user is and what privileges
      the user has when accessing resources.

      For example, if a user is part of the group in a user directory called
      Employees, when the user authenticates, the Policy Server creates a
      policy binding for the user’s membership in the group Employees. When
      the user attempts to access a resource protected by a rule in a policy
      that allows access for Employees group members, the user’s policy
      binding allows SiteMinder to authorize the user.

(2) Are password policies applied retroactively

    Are password policies applied retroactively

      The important thing to understand is that the policy evaluation is
      done when a user tries to log in. There is no continual monitoring
      of a user.

(3) Which authentication schemes support Password Policies?

    Which authentication schemes support Password Policies?

      Not all authentication schemes support password policies. If the
      authentication scheme does not support Password Policies, the check
      box description is dimmed and the check box is unavailable.