This article provides more detailed information on how SiteMinder Basic Password Policies work with the "Priority" setting.
Release: 12.8.xx.xx and 12.9 (applicable to all supported releases)
Component: SMPLC (SiteMinder Policy Server)
- Use cases:
"User1" is a standard user to whom the generic password policy (passpolicy1) applies.
passpolicy1 enforces a minimum password length of 6.
"Manager1" is also a standard user (passpolicy1) but is additionally a member of a group that requires a stricter password policy (passpolicy2).
passpolicy2 enforces a minimum password length of 12 and requires the password to contain special characters.
By default, when password policies are applied, only the one applicable policy with the highest priority is applied, and evaluation ends there even if other password policies would also match the user.
In the above use case, when "User1" logs in with "User must change password" set, only passpolicy1 matches, so passpolicy1 is applied.
When "Manager1" logs in with "User must change password" set, both passpolicy1 and passpolicy2 are applicable, but only one is applied: the policy with the higher priority.
- Higher priority means the password policy's "Evaluation Priority" (in the Password Policy Priority section) is set to a higher numeric value, in the range 0 to 999.
For example, an evaluation priority of 999 is the highest possible.
The priority must be set whenever a user can match more than one password policy; otherwise which policy wins is not under the administrator's control.
For 'Manager1', if passpolicy1 has the higher evaluation priority then passpolicy1 is applied; if passpolicy2 has the higher value then passpolicy2 is applied.
If only one password policy is meant to apply, the administrator only needs to ensure that this policy has the higher evaluation priority.
However, there may be a use case where more than one password policy must actually apply.
In that case the administrator must ensure that the strictest password policy has the highest evaluation priority; in this example that is passpolicy2.
So passpolicy2 is set with an evaluation priority of 100 and passpolicy1 with an evaluation priority of 50.
passpolicy2 and passpolicy1 must also be compatible with each other.
For example, if passpolicy1 requires a password made of numbers only and passpolicy2 requires letters only, no password can satisfy both, and the user will never pass the two password policies because they are evaluated in an "AND" condition.
In the Password Policy Priority section of each policy that should chain to the next one, the administrator must check "Apply Lower Priority Password Policies".
This tells the Policy Server to also process the next-highest-priority password policy that is applicable to the user.
The Policy Server keeps evaluating the next applicable password policy as long as the policy just evaluated has this option checked, and every policy evaluated is combined in an AND condition.
Because the first password policy evaluated is the strictest, all subsequent password policies are passed seamlessly.
If a stricter password policy is evaluated at a later stage instead, the password change will not complete successfully and the user will not be able to log in.
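To make the evaluation order concrete, the following Python script is an added example that models the behaviour described above. It is not SiteMinder code and does not use any SiteMinder API; the policy objects, the "managers" group, the sample users and the candidate passwords are constructed for illustration, and the numbers-only and letters-only rules stand in for the incompatible pair mentioned in the text.

```python
"""Model of SiteMinder password-policy priority evaluation (illustrative, not SiteMinder code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

User = Dict[str, object]


@dataclass
class PasswordPolicy:
    name: str
    evaluation_priority: int                 # 0..999, higher value is evaluated first
    applies_to: Callable[[User], bool]       # does this policy match the user?
    rules: List[Tuple[str, Callable[[str], bool]]]
    apply_lower_priority: bool = False       # the "Apply Lower Priority Password Policies" checkbox


def select_policies(user: User, policies: List[PasswordPolicy]) -> List[PasswordPolicy]:
    """Return the policies enforced for this user, in evaluation order.

    Applicable policies are sorted by evaluation priority, highest first.
    Evaluation stops after the first policy unless that policy has
    "Apply Lower Priority Password Policies" checked, in which case the
    next applicable policy is evaluated as well, and so on down the list.
    """
    applicable = sorted((p for p in policies if p.applies_to(user)),
                        key=lambda p: p.evaluation_priority, reverse=True)
    selected: List[PasswordPolicy] = []
    for policy in applicable:
        selected.append(policy)
        if not policy.apply_lower_priority:
            break
    return selected


def check_password(user: User, policies: List[PasswordPolicy],
                   new_password: str) -> Tuple[bool, List[str], List[str]]:
    """Evaluate a new password against every selected policy (AND condition).

    Returns (accepted, names of policies evaluated, list of failed rules).
    """
    selected = select_policies(user, policies)
    failures = [f"{p.name}: {label}"
                for p in selected
                for label, rule in p.rules
                if not rule(new_password)]
    return (not failures), [p.name for p in selected], failures


def page_policies(apply_lower: bool) -> List[PasswordPolicy]:
    """passpolicy1 / passpolicy2 as described in the article.

    apply_lower sets the checkbox on passpolicy2 (priority 100), the strictest
    policy, so that passpolicy1 (priority 50) is evaluated after it.
    """
    passpolicy1 = PasswordPolicy(
        "passpolicy1", 50, lambda u: True,
        [("minimum length 6", lambda pw: len(pw) >= 6)])
    passpolicy2 = PasswordPolicy(
        "passpolicy2", 100, lambda u: "managers" in u["groups"],   # hypothetical group name
        [("minimum length 12", lambda pw: len(pw) >= 12),
         ("contains a special character", lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None)],
        apply_lower_priority=apply_lower)
    return [passpolicy1, passpolicy2]


def incompatible_policies() -> List[PasswordPolicy]:
    """The numbers-only / letters-only pair from the article: nothing can satisfy both."""
    numbers_only = PasswordPolicy("numbers_only", 100, lambda u: True,
                                  [("numbers only", str.isdigit)], apply_lower_priority=True)
    letters_only = PasswordPolicy("letters_only", 50, lambda u: True,
                                  [("letters only", str.isalpha)])
    return [numbers_only, letters_only]


# Constructed sample users.
USER1: User = {"name": "User1", "groups": []}
MANAGER1: User = {"name": "Manager1", "groups": ["managers"]}

if __name__ == "__main__":
    for label, user, policies, pw in [
        ("User1, checkbox unset", USER1, page_policies(False), "abcdef"),
        ("Manager1, checkbox unset", MANAGER1, page_policies(False), "abcdef"),
        ("Manager1, checkbox set, weak password", MANAGER1, page_policies(True), "abcdef"),
        ("Manager1, checkbox set, strong password", MANAGER1, page_policies(True), "Str0ng!Passw0rd"),
        ("Anyone, incompatible policies", USER1, incompatible_policies(), "123456"),
    ]:
        ok, evaluated, failures = check_password(user, policies, pw)
        print(f"{label}: evaluated={evaluated} accepted={ok} failures={failures}")
```

Running the script shows the four situations the article walks through: with the checkbox unset, User1 gets only passpolicy1 and Manager1 gets only passpolicy2 (the higher priority wins and evaluation ends); with the checkbox set on passpolicy2, Manager1 is checked against passpolicy2 and then passpolicy1, so a 6-character password is rejected by passpolicy2 while a 15-character password with a special character passes both; and with the numbers-only and letters-only pair chained together, no password is ever accepted.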