Passwords for the authentication of users are subject to certain rules. These rules are defined in the password policy. Identity Authentication provides you with two predefined password policies, in addition to which you can create and configure up to three custom password policies.
You have the following options for a password policy:
- Standard
  (Predefined) Use this option to set special rules for changing, resetting, and locking a password.
  This is the default setting. It meets the minimum strength requirements.
- Enterprise
  (Predefined) Use this option to set enhanced password management features. It's stronger than the standard policy, but weaker than the custom one.
- Custom
  (Configurable) Use this option to set the strongest password management features for the password policy. It's the responsibility of the tenant administrator to configure the custom password policy to be stronger than the standard and enterprise ones.
  This option is only available if you've configured a custom password policy in the administration console for SAP Cloud Identity Services. For more information, see Configure Custom Password Policy.
Password Policy Requirements
Requirement | Standard | Enterprise | Custom |
---|---|---|---|
Content of password | | | |
Session time limit: Indicates when the current session expires. | Yes, 12 hours | Yes, 12 hours | Yes, 12 hours |
"Remember me" option: Indicates whether the browser can store a cookie with the credentials. | Yes | Yes | Yes |
Forgot password deactivation period: Indicates the period during which users can initiate the number of forgot password emails specified by the forgot password counter. | Yes, 24 hours | Yes, 24 hours | Yes, 24 hours |
Forgot password counter: Indicates how many times a user can initiate forgot password emails during the deactivation period. For example, a user can initiate up to 3 forgot password emails within 24 hours. | Yes, 3 | Yes, 3 | Yes, 3 |
Minimum password age: Shows the minimum lifetime of a password before it can be changed. | Unlimited | Yes, 24 hours | Yes, minimum 1 hour, maximum 48 hours |
Maximum failed logon attempts: Indicates how many logon attempts are allowed before the user password is locked. | Yes, 5 | Yes, 5 | Yes, minimum 1, maximum 6, default choice 5 |
Password locked period: Indicates how long a password is locked for. | Yes, 1 hour | Yes, 1 hour | Yes, minimum 1 hour, maximum unlimited |
Maximum password age: Shows the maximum lifetime of a password before it has to be changed. | Unlimited | Yes, 6 months | Yes, minimum 1 month, maximum unlimited. Possible values: 1 month, 2 months, … 6 months; 1 year, 2 years, 3 years; unlimited |
Password history: Indicates whether a password history is retained, and how many passwords from the history are retained. | Unlimited | Yes, the last 5 passwords are retained. | Yes, minimum the last 5 passwords, and maximum the last 20 passwords are retained. |
Maximum unused period: Indicates how long the system retains unused passwords for. | Unlimited | Yes, 6 months | Yes, minimum 1 month, maximum 6 months |
Password behavior: Indicates whether the user can be forced to reset or change the password if the applied password policy requires a stronger password than the current one. | Not Applicable | Scenario Based | Yes, administrator can choose from: |
The non-alphabetic characters are all characters that are not lower-case Latin characters (a-z), upper-case Latin characters (A-Z), or base 10 digits (0-9).
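A pre-deployment check for a proposed custom policy, using the Custom column for the permitted ranges and the Enterprise column as the floor. This is an added example, not SAP code: the setting names, the use of `None` for "unlimited", and the direction treated as "stronger" for each setting are assumptions.

```python
# Added example. Setting names are hypothetical, not Identity Authentication
# API fields; None stands for "unlimited".
INF = float("inf")

# Values the Custom column allows ("1 month, 2 months, … 6 months" read as 1-6).
ALLOWED = {
    "min_password_age_hours": set(range(1, 49)),
    "max_failed_logons": set(range(1, 7)),
    "max_password_age_months": {1, 2, 3, 4, 5, 6, 12, 24, 36, None},
    "password_history": set(range(5, 21)),
    "max_unused_months": set(range(1, 7)),
}

# Enterprise column: (value, True if a higher value is assumed to be stronger).
ENTERPRISE = {
    "min_password_age_hours": (24, True),
    "max_failed_logons": (5, False),
    "lock_period_hours": (1, True),
    "max_password_age_months": (6, False),
    "password_history": (5, True),
    "max_unused_months": (6, False),
}

def in_range(name, value):
    """Check a value against the Custom column of the table."""
    if name == "lock_period_hours":  # minimum 1 hour, maximum unlimited
        return value is None or (isinstance(value, int) and value >= 1)
    return value in ALLOWED[name]

def lint_policy(policy):
    """Return (errors, warnings): out-of-range values, weaker-than-Enterprise values."""
    errors, warnings = [], []
    for name, (baseline, higher_is_stronger) in ENTERPRISE.items():
        if name not in policy:
            errors.append(f"{name}: not set")
            continue
        value = policy[name]
        number = INF if value is None else value
        if not in_range(name, value):
            errors.append(f"{name}: {value!r} is outside the documented range")
        elif (number < baseline) if higher_is_stronger else (number > baseline):
            warnings.append(f"{name}: {value!r} is weaker than Enterprise ({baseline!r})")
    return errors, warnings

# Constructed sample input: every value is permitted, three fall below Enterprise.
SAMPLE = {"min_password_age_hours": 1, "max_failed_logons": 6,
          "lock_period_hours": None, "max_password_age_months": 12,
          "password_history": 10, "max_unused_months": 3}
```

`lint_policy(SAMPLE)` returns no errors and three warnings, which shows that a custom policy can sit entirely inside the permitted ranges and still be weaker than the Enterprise policy.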
As a tenant administrator, you can do the following: