Can IDN do Password History?

When looking at using IDN for password management, one of the client requirements is to have a password history. They want users not to be able to reuse any of their last 5 passwords, or the same password they used in the last 12 months.

Is this possible in IDN?

If not directly, is there a work around for it?

IdentityNow does not keep current or historical passwords. They are encrypted and sent to the target source, so it would not have a way to directly tell you that you can't use your previous 5 passwords.

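To make the point above concrete, here is an added example (not SailPoint code, and not from anyone in this thread) of the kind of check a target source such as AD's password history or OpenLDAP's ppolicy overlay performs when it enforces the requirement from the question. It can only work where salted verifiers of the previous passwords and the time each was set are kept, which is exactly what IDN does not hold when it relays a new password. The history depth of 5, the 365-day window, the PBKDF2 parameters and the sample password sequence are assumptions chosen for illustration.

```python
"""Password-history check of the kind a target source enforces (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy knobs taken from the requirement in the thread; both rules apply at once.
HISTORY_DEPTH = 5                  # the last N passwords may not be reused
HISTORY_AGE = timedelta(days=365)  # nor any password set within this window
PBKDF2_ROUNDS = 10_000             # kept low so the demo runs quickly; raise in production


@dataclass
class HistoryEntry:
    salt: bytes
    verifier: bytes
    set_at: datetime


def _verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history holds verifiers, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    entries: List[HistoryEntry] = field(default_factory=list)  # oldest first

    def record(self, password: str, set_at: datetime) -> None:
        """Store a fresh salt and verifier for a password that was just set."""
        salt = os.urandom(16)
        self.entries.append(HistoryEntry(salt, _verifier(password, salt), set_at))

    def violation(self, candidate: str, now: datetime) -> Optional[str]:
        """Return the rule a candidate breaks, or None if it may be used."""
        cutoff = now - HISTORY_AGE
        for idx, entry in enumerate(reversed(self.entries)):  # newest first
            in_last_n = idx < HISTORY_DEPTH
            in_window = entry.set_at >= cutoff
            if not (in_last_n or in_window):
                break  # every older entry fails both tests as well
            # Re-derive with this entry's own salt and compare in constant time.
            if hmac.compare_digest(_verifier(candidate, entry.salt), entry.verifier):
                return "one of the last 5 passwords" if in_last_n else "used within the last 12 months"
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: eight changes over about 16 months, then reuse attempts."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    history = PasswordHistory()
    days_ago = [500, 400, 300, 240, 180, 120, 60, 10]  # constructed change dates
    for n, age in enumerate(days_ago, start=1):
        history.record(f"Spring{n}!", now - timedelta(days=age))
    return {
        "Spring1!": history.violation("Spring1!", now),  # 8th back and >12 months: allowed
        "Spring2!": history.violation("Spring2!", now),  # 7th back, 400 days old: allowed
        "Spring3!": history.violation("Spring3!", now),  # 6th back but only 300 days old
        "Spring4!": history.violation("Spring4!", now),  # 5th back: count rule
        "Spring9!": history.violation("Spring9!", now),  # never used
    }


if __name__ == "__main__":
    for candidate, result in demo().items():
        print(f"{candidate:10} -> {result or 'accepted'}")
```

Note that the two rules are independent: Spring3! is past the five-password depth yet still rejected by the 12-month window, while Spring2! clears both. The check has to re-derive the candidate against every relevant entry's salt, which is why a source that only receives the new password, as IDN does, has nothing to compare against.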

Hi,
This is not possible with the IdentityNow default authentication method. If you have a source like Active Directory, then yes, you can use pass-through authentication to achieve your requirement.

Thanks
Rakesh


I set up OpenLDAP with PTA, and both reset password and update password once authenticated don't seem to check the password history in LDAP; it seems to be using the admin account to make the password change. It definitely is enforced in my LDAP:
[screenshot: password policy configured in LDAP]

Hi Paul,
There is a setting in the source which needs to be checked to enforce the password policy.
Did you check the same?

Thanks

Looks like this is only on AD and not OpenLDAP. Can someone provide a screenshot of what it looks like when you set a password that is in password history?

[screenshot: password-change error message]

This is the error message you get when you have Password History configured. I am not sure about OpenLDAP but this works fine for Active Directory.

Can you please open a SailPoint ticket to confirm that OpenLDAP does support password history OOTB?

Thanks
Rakesh Bhati

I added "enforcePasswordPolicy": "true" to the OpenLDAP connector and that doesn't appear to change the behavior, so I am guessing it isn't supported. As long as AD works; I was skeptical it wouldn't. I appreciate the insight.


Can we prevent users from using Password Reset, i.e. there is a security incident on the user's account and they shouldn't be able to self-service without calling the Help Desk? I assume if the AD account is disabled it won't let them? I also don't see any way to disable the unlock option; is that correct?

Hi Paul,
That's correct, the only option is to disable the AD account. Once you disable the AD account, no one can log in using pass-through authentication.
