To meet the requirement of securing the Identity Governance portal, we applied the following configuration:
- We configured sage.security.disable to be false and restarted the application server.
- We configured SSO authentication.
In the eurekify.log we can see *** Eurekify Security is ENABLED ***
Yet we are able to use any password for the users; the password value is not actually verified. Any password allows us to log in to the portal.
Identity Governance 12.6
Identity Governance 14
When sage.security.disable is set to false, the product switches to the Default Deny security method.
Only functionality that is explicitly permitted is visible and enabled for the user.
This affects which functionality is accessible; it does not affect password content verification.
Usually, in Production environments, an external authentication source (such as AD/LDAP/IdentityMinder) will be configured to control the managers' and reviewers' authentication.
When any of the external authentication sources is in place, password verification does take place.
As long as no external authentication source is configured, the assumption is that the software is used in trial / demo mode, and therefore lower security enforcement is in place.
The only way to enforce password validation (for any / all users) is to enable external authentication. With this enabled, the password for AD1\EAdmin (as well as all other users) will be verified.
To trigger password verification (for AD1\EAdmin as well as SSO users) we can set:
sage.security.disable.IMAuthentication=false
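
The check below is an added example, not code from the product or from this article: it audits a key=value property listing for the two settings named above and reports the state described in the problem, where Default Deny is on but password verification has not been triggered. The sample texts are constructed, and having the properties available as a key=value text export is an assumption.

```python
# Added example, not product code. Key names come from the article; the sample
# texts are constructed and the idea of a key=value export is an assumption.
SECURITY = "sage.security.disable"
IM_AUTH = "sage.security.disable.IMAuthentication"

SAMPLE_REPORTED = "# constructed sample\nsage.security.disable=false\n"
SAMPLE_CORRECTED = SAMPLE_REPORTED + "sage.security.disable.IMAuthentication = false\n"


def parse_properties(text):
    """Parse key=value or key:value lines; the last occurrence of a key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not cuts:
            continue  # no separator, nothing to record
        cut = min(cuts)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit(text):
    """Return (key, message) findings for the two settings the article names."""
    props = parse_properties(text)
    findings = []
    if props.get(SECURITY, "").lower() != "false":
        findings.append((SECURITY, "not false: Default Deny is not confirmed"))
    if props.get(IM_AUTH, "").lower() != "false":
        findings.append((IM_AUTH, "not false: password verification is not "
                                  "triggered by this property"))
    return findings


if __name__ == "__main__":
    for name, text in (("reported", SAMPLE_REPORTED), ("corrected", SAMPLE_CORRECTED)):
        print(name, audit(text) or "OK")
```

An empty result only confirms the two properties; it does not replace testing that a wrong password is rejected at the portal.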