Hello Experts,
Do we know what actions ISC performs on the password expiration day, specifically for AD? It's not clearly mentioned in the documentation.
Scenario:
We have set up AD as a pass-through authenticator and have a password policy where we have set the password expiration to 90 days.
Queries:
Will SailPoint update some flag on the target AD account to reflect the password is expired on day 90?
As the password policy is in ISC and the password is expired on day 90, the user won’t be able to log in to SP with the expired password, but will the user be able to use the AD credential to log in to some other application besides ISC if it has been configured?
Will ISC force the user to change the password if they try to use an expired password to log in to ISC?
If we are using AD for SSO, will the SSO work if the password is expired after 90 days?
Will SailPoint update some flag on the target AD account to reflect the password is expired on day 90?
It appears from querying the identity data that SailPoint tracks the last changed time. There is also another note that for reminders it is looking to the data from the Active Directory source.
As the password policy is in ISC and the password is expired on day 90, the user won’t be able to log in to SP with the expired password, but will the user be able to use the AD credential to log in to some other application besides ISC if it has been configured?
The ISC password “expiration” is used to send reminders to the user to reset the password. If the dates were to somehow drift (for example, the user changed the password directly in AD and you don’t have the password interceptor to send to ISC), the password could be older than 90 days in ISC but AD would allow authentication if 90 days haven’t passed since the AD change.
Will ISC force the user to change the password if they try to use an expired password to log in to ISC?
Since you mentioned that you have pass-through authentication set up, when the user tries to log in to ISC, it will not allow the user to authenticate.
If we are using AD for SSO, will the SSO work if the password is expired after 90 days?
If you have a 90-day policy in AD, it should block other authentication attempts after 90 days.
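The drift case described in the answer above, as an added example that is not part of the original thread: it compares AD's `pwdLastSet` with the last-changed time ISC tracks and flags accounts where the two sides disagree about expiry. It assumes a 90-day maximum age on both sides; `isc_last_changed` is a hypothetical field name and all records are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: password never expires
MAX_AGE = timedelta(days=90)     # assumption: same 90-day maximum age on both sides

def filetime_to_dt(ticks):
    """AD pwdLastSet is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def classify(acct, now):
    """Compare AD's view of password age with the date ISC tracks."""
    if acct["pwdLastSet"] == 0:
        return "ad-must-change"          # AD forces a change at next logon
    ad_age = now - filetime_to_dt(acct["pwdLastSet"])
    isc_age = now - datetime.fromisoformat(acct["isc_last_changed"])
    never_expires = bool(acct["userAccountControl"] & DONT_EXPIRE_PASSWORD)
    ad_expired = ad_age >= MAX_AGE and not never_expires
    isc_expired = isc_age >= MAX_AGE
    if isc_expired and not ad_expired:
        return "drift-ad-still-accepts"  # ISC counts it as expired; AD still authenticates
    if ad_expired and not isc_expired:
        return "drift-ad-blocks"         # AD rejects before ISC considers it expired
    return "expired" if ad_expired else "ok"

# Constructed sample records; isc_last_changed is a hypothetical field name.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def sample(name, ad_days, isc_days, uac=0x200):
    ad = 0 if ad_days is None else dt_to_filetime(NOW - timedelta(days=ad_days))
    return {"name": name, "pwdLastSet": ad, "userAccountControl": uac,
            "isc_last_changed": (NOW - timedelta(days=isc_days)).isoformat()}

ACCOUNTS = [
    sample("alice", 30, 30),               # changed through ISC, both agree
    sample("bob", 10, 100),                # changed directly in AD, ISC never told
    sample("carol", 95, 95),               # expired on both sides
    sample("dave", None, 20),              # pwdLastSet = 0
    sample("svc-app", 200, 200, 0x10200),  # password never expires in AD
]

def report(accounts=ACCOUNTS, now=NOW):
    return {a["name"]: classify(a, now) for a in accounts}

if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:8} {state}")
```

In a real domain the effective maximum age can come from a fine-grained password policy, so the per-user expiry AD computes is the authoritative value rather than a fixed 90 days.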