
Password Policies and Authorization on Policy Server

Article ID: 214472

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

When running a Policy Server, one might like to know whether Password
Policies are applied during the Authorization phase.

Resolution

At first glance, since the user's password comes into play only during
the Authentication phase, Password Policies are applied only when the
Authentication Scheme is triggered.

Note that when logging the user in, the Policy Server actually performs
a Bind to the LDAP User Store during the Authentication phase. During
the Authorization phase, the Policy Server does not attempt that Bind
against the LDAP User Store. It only validates the user and tries to
find the user in the User Directory in order to apply the User Policy.
Neither the password nor the account status is validated at that time,
as stated in the documentation (1)(2)(3).
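To make the two phases concrete, here is a small constructed model of the behaviour described above (added here; it is not SiteMinder code, and the user, group, resource rule and password-age setting are invented). It shows that the account status and the password policy gate the bind at authentication, while authorization only looks the user up and resolves the group-based policy binding, so a status change after login does not affect an already-issued session.

```python
# Constructed model of the two Policy Server phases; not SiteMinder code.
# Directory, policy and session objects are invented for illustration.
from dataclasses import dataclass, field
import time

@dataclass
class User:
    password: str
    groups: set
    disabled: bool = False
    password_set_at: float = field(default_factory=time.time)

# Constructed user directory; a real deployment binds to an LDAP server.
DIRECTORY = {"alice": User("s3cret", {"Employees"})}
MAX_PASSWORD_AGE = 90 * 24 * 3600        # constructed password-policy setting (s)
RESOURCE_POLICY = {"/hr/": "Employees"}  # constructed rule: path prefix -> group

def authenticate(username, password):
    """Authentication phase: the bind; status and password policy are checked only here."""
    user = DIRECTORY.get(username)
    if user is None or user.disabled:
        return None
    if time.time() - user.password_set_at > MAX_PASSWORD_AGE:
        return None                      # password expired: login rejected
    if user.password != password:        # stands in for the LDAP bind
        return None
    return {"username": username}        # the session handed to authorization

def authorize(session, resource):
    """Authorization phase: no bind, no password or status check; resolve the policy binding."""
    user = DIRECTORY.get(session["username"])
    if user is None:
        return False
    for prefix, group in RESOURCE_POLICY.items():
        if resource.startswith(prefix):
            return group in user.groups
    return False

def demo_disable_after_login():
    """Disabling the account after login blocks new logins but not the existing session."""
    session = authenticate("alice", "s3cret")
    before = authorize(session, "/hr/payroll")
    DIRECTORY["alice"].disabled = True
    login_now = authenticate("alice", "s3cret") is not None
    after = authorize(session, "/hr/payroll")
    DIRECTORY["alice"].disabled = False  # restore the constructed directory
    return before, login_now, after      # (True, False, True)
```

The practical consequence for a defender is that a password-policy or account-status change only takes effect at the next login, so session lifetime and re-authentication settings determine how long an existing session outlives such a change.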

Additional Information

(1) Policy Bindings

    A policy binding is the method used to link a user with a policy. The
    Policy Server only resolves policies for users who are part of a
    policy binding created by the users or groups contained in a policy.

    Before the Policy Server can resolve a user’s attempt to access a
    protected resource, the user must be authenticated. When SiteMinder
    authenticates a user, it establishes a context for the user. The user
    context provides information about who the user is and what privileges
    the user has when accessing resources.

    For example, if a user is part of the group in a user directory called
    Employees, when the user authenticates, the Policy Server creates a
    policy binding for the user’s membership in the group Employees. When
    the user attempts to access a resource protected by a rule in a policy
    that allows access for Employees group members, the user’s policy
    binding allows SiteMinder to authorize the user.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/policy-overview.html

(2) Are password policies applied retroactively?

    The important thing to understand is that the policy evaluation is
    done when a user tries to log in. There is no continual monitoring
    of a user.

    https://knowledge.broadcom.com/external/article?articleId=98258

(3) Which authentication schemes support Password Policies?

    Not all authentication schemes support password policies. If the
    authentication scheme does not support Password Policies, the check
    box description is dimmed and the check box is unavailable.

    https://knowledge.broadcom.com/external/article?articleId=51196