Tenant administrators can create and configure a custom password policy for scenarios where Identity Authentication is the authenticating authority.
Identity Authentication provides you with two predefined password policies, in addition to which you can create and configure up to three custom ones.
The custom password policy by default must be stronger than the enterprise policy, which in turn is stronger than the standard policy. It's the responsibility of the tenant administrator to configure the custom password policy stronger than the standard and enterprise ones. Each password policy has a strength assigned to it, which is visualized by stars in the administration console for SAP Cloud Identity Services. The strength specifies the priority of the password policy. It will define which policy will be enforced for password checks.
It is not possible to have password policies with one and the same strength. Once created and saved, the tenant administrator can reorder the custom password policies in the administration console, thus changing the strength assigned to the custom password policies.
To change the configuration of the custom password policies or to create a new password policy when you have already reached the limit of three custom password policy in the tenant, delete an existing custom policy first, then create the new one. For more information, see Delete Custom Password Policy.
Donna Moore is an administrator of company A. She has set a Standard password policy for the Leave Request application.
Dona Moore wants a stronger password policy for the administration console, and she configured a custom password policy with a minimum password length of 15 characters, and maximum password lifetime of three months. The number of allowed logon attempts is 3. Dona has set a strength of three stars for this password policy.
Dona has set the new custom password policy for the administration console. At his first logon after the setting of the new password policy, Michael Adams, who is also an administrator at Company A, is required to update his password according to the new policy. Thus when he accesses the Leave Request application he uses the stronger password. John Miller who is an employee at company A, but not an admin, logs on to the Leave Request with a password that is compliant to the Standard password policy.
To create and configure a new custom password policy, follow the procedure:
-
Sign in to the administration console for SAP Cloud Identity Services.
-
Choose the Password Policies tile.
-
Under Password Policies, choose the + Add Custom Policy button.
You can only add one custom password policy. If you already have a custom password policy in your tenant, the + Add Custom Policy button is grayed out.
-
Fill in the required information in the fields.
Configuration Options
Information
Policy Name
The name of the password policy that appears in the administration console.
Policy Strength
This strength specifies the priority of the password policy. It will define which policy will be enforced for password checks. It's the responsibility of the tenant administrator to configure the custom password policy stronger than the standard and enterprise ones.
Password Length
The length can be between 8 and 255 characters. The default value is 8 characters.
Password Lifetime
The minimum password lifetime can be between 1 hour and 48 hours. The default value is 24 hours. Possible values are 1 hour, 2 hours, …, 48 hours.
The maximum password lifetime can be between 1 month and unlimited. The default value is 6 months. Possible values are: 1 month, 2 months, … 6 months; 1 year, 2 years, 3 years; unlimited.
The Password Lifetime configuration for a user starts after the following is done:
-
Create a custom password policy with Password Lifetime lifetime configured.
-
Assign the password policy to an application.
-
Authenticate to the application so the policy is assigned.
User Inactivity
The maximum duration of user inactivity can be between 1 and 6 months. The default value is 6 months.
If a user didn’t use the password during the set user inactivity period, the system will force either a password reset or change at the first logon. The reset or change depends on the setting for Password Behavior.
Password History
The minimum requirement is the last 5 passwords to be retained. The value can’t be more than 20.
Failed Sign In Attempts
The number of allowed failed sign in attempts can be between 1 and 6. The default value is 5.
Password Locked Period
The period can be between 1 hour and unlimited.
When Unlimited is selected, we recommend you to mark this password policy the strongest.
Required Character Groups
Specifies the number of required character groups for the password. The value can be between 1 and 4. Based on the value, the users are required to include 1, 2, 3 or 4 of the following in their passwords:
- Uppercase letters
- Lowercase letters
- Numbers
- Symbols
Password Behavior
- Reset password - At logon, the user is forced to reset password, if the current password is not compliant with the new password policy. This is the default choice.
- Change password - At logon, the user is redirected to the change password page if the current password is not compliant with the new password policy.
-
-
Save your changes.
Once the password policy has been created and configured, the system displays the message Password policies configuration updated.
The new custom password policy appears in the list of the password policies that you can use for the applications.
To use the custom password policy for your application or applications, you should set it as a password policy for that application or applications. For more information, see Set a Password Policy for an Application.
Related Information