When running a Policy Server, one might like to know whether Password
Policies apply during the Authorization Phase.
At first glance, since the user's password comes into play only at the
Authentication Phase, the Password Policies are applied only when
the Authentication Scheme is triggered.
Note that when logging in the user, the Policy Server actually
does a Bind to the LDAP User Store at the Authentication Phase. At the
Authorization Phase, the Policy Server doesn't try to do that Bind with
the LDAP User Store. It only validates the user and tries to find the
user in the User Directory to apply the User Policy. No password nor
account status is validated at that time, as stated in the
documentation (1)(2)(3).
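As an added illustration (not SiteMinder code and not taken from the documentation cited above), the following Python model of the two phases shows the practical consequence of this behaviour: a password policy outcome such as a disabled account is enforced only by the Bind at the next login, while an already established user context keeps passing authorization until then. The directory contents, the policy and the status attribute are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample "User Directory" standing in for the LDAP User Store.
# 'status' models an account-status attribute that a Password Policy would set.
DIRECTORY = {
    "alice": {"password": "s3cret!", "status": "active", "groups": {"Employees"}},
    "bob": {"password": "hunter2", "status": "disabled", "groups": {"Employees"}},
}

# Constructed policy: resource -> groups whose members a rule allows.
POLICIES = {"/intranet/": {"Employees"}}


@dataclass
class UserContext:
    """User context the Policy Server establishes once authentication succeeds."""
    name: str
    groups: set = field(default_factory=set)


def bind(directory, name, password):
    """Authentication Phase: the LDAP Bind. This is the only place the password
    and the account status (i.e. the Password Policy) are checked."""
    entry = directory.get(name)
    if entry is None or entry["password"] != password:
        return None
    if entry["status"] != "active":
        return None
    return UserContext(name, set(entry["groups"]))


def authorize(directory, ctx, resource):
    """Authorization Phase: no Bind. The user is only looked up in the directory
    and the group-based policy binding is applied; status is deliberately not read."""
    entry = directory.get(ctx.name)
    if entry is None:
        return False
    return bool(entry["groups"] & POLICIES.get(resource, set()))


def session_gap_demo():
    """A session authenticated before the account was disabled keeps being
    authorized until the next login, because only bind() enforces the policy."""
    directory = {k: dict(v) for k, v in DIRECTORY.items()}  # private copy
    ctx = bind(directory, "alice", "s3cret!")
    before = authorize(directory, ctx, "/intranet/")
    directory["alice"]["status"] = "disabled"  # administrator disables the account
    after = authorize(directory, ctx, "/intranet/")  # still allowed: no Bind here
    relogin = bind(directory, "alice", "s3cret!")  # policy enforced at next login
    return {"before": before, "after_disable": after, "relogin_ok": relogin is not None}
```

The gap between disabling the account and the next Bind is bounded only by the session lifetime, which is why session timeouts and forced re-authentication, not the Password Policy alone, govern how quickly such a change takes effect.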
(1)
Policy Bindings
A policy binding is the method used to link a user with a policy. The
Policy Server only resolves policies for users who are part of a
policy binding created by the users or groups contained in a policy.
Before the Policy Server can resolve a user’s attempt to access a
protected resource, the user must be authenticated. When SiteMinder
authenticates a user, it establishes a context for the user. The user
context provides information about who the user is and what privileges
the user has when accessing resources.
For example, if a user is part of the group in a user directory called
Employees, when the user authenticates, the Policy Server creates a
policy binding for the user’s membership in the group Employees. When
the user attempts to access a resource protected by a rule in a policy
that allows access for Employees group members, the user’s policy
binding allows SiteMinder to authorize the user.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/policy-overview.html
(2)
are password policies applied retroactively
The important thing to understand is that the policy evaluation is
done when a user tries to log in. There is no continual monitoring
of a user.
https://knowledge.broadcom.com/external/article?articleId=98258
(3)
Which authentication schemes support Password Policies?
Not all authentication schemes support password policies. If the
authentication scheme does not support Password Policies, the check
box description is dimmed and the check box is unavailable.
https://knowledge.broadcom.com/external/article?articleId=51196