Password complexity for end users in the Login Portal

In Enterprise Application Access (EAA), you can configure your Active Directory (AD) so that EAA manages end-user password changes and complexity messaging for the Login Portal from the Management Portal. Every AD enforces a password complexity requirement. Your business may have other password reset requirements, such as:
  • New employees may be required to change their password upon first login.
  • Periodic password change, for example every 90 or 180 days, as per your business’ security policy. This can be set at the group or individual user level in the AD domain.
    • Change the password while it is still valid.
    • Reset the password after it has expired.
  • Proactive or at-will password change.

If your AD is running on Windows Server 2008, 2012, or 2016, LDAPS is required for the directory host: AD does not accept password writes over an unencrypted LDAP connection.

If your directory is Open LDAP, either LDAP or LDAPS may be used for the directory host, although LDAPS is the safer choice because the new password travels in the modify request.

The directory Password Management fields are:

Allow users to change password: Select this option to allow users to change their passwords in the EAA Login Portal.

  • For the AD, enable this setting to allow users to change their passwords if their current password is valid and the EAA administrator has not required the user to reset the password on their next login.
  • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset, provided the grace authentication limit with expired passwords or must-reset passwords has not been exceeded.

By default, this setting is disabled. If disabled, the user cannot change the password through the EAA Login Portal and will need to do so through the native directory outside of EAA.

Allow users to reset password: Select this option to allow users to reset their passwords in the EAA Login Portal.
  • For the AD, enable this setting to allow users to change their passwords when the EAA administrator has required the user to reset the password on their next login.
  • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset after the grace authentication limit with expired passwords or must-reset passwords has been exceeded.

To support this capability, EAA needs write privileges on the service account to modify another user’s password. This setting only controls whether EAA attempts to handle these use cases; the permissions the service account needs must be configured on the AD or Open LDAP directory itself. Typically, accounts with admin privileges also have the permission to change another user’s password. Admins may want to restrict the service account to only this privilege (for example, delegating the reset-password right on the relevant OU rather than granting broad admin rights) using mechanisms supported by the directory.

By default, allowing users to reset their own password is disabled. If disabled, the user cannot reset the password through the EAA Login Portal and will need to do so through the native directory outside of EAA.
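The two settings above map onto two different LDAP write operations against AD, and that difference is why the reset case needs extra privilege on the service account. The following is an added example (not EAA's own code, and not an EAA API) showing, for Active Directory, how a self-service change and an administrative reset differ at the protocol level, how AD expects the unicodePwd value to be encoded, and how the portal settings and the user's "must reset at next logon" state select between them. The change dictionaries follow the shape that the ldap3 library's Connection.modify() accepts (an assumption about the caller's LDAP client); nothing is sent, so no LDAP library is imported, and the sample values are constructed.

```python
"""
Added example (not EAA's own code): self-service change vs. administrative reset of an
AD password at the LDAP level. AD only accepts unicodePwd writes over an encrypted
channel, which is why LDAPS is required for an AD directory host.
"""
from urllib.parse import urlsplit

# Operation names as used by ldap3's Connection.modify() (assumption: the caller uses ldap3).
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def is_ldaps(directory_url: str) -> bool:
    """AD rejects unicodePwd modifications on a cleartext connection, so accept only ldaps://."""
    return urlsplit(directory_url).scheme.lower() == "ldaps"


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes and encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def change_password_mods(current: str, new: str) -> dict:
    """Self-service change: delete the current value and add the new one in a single modify.
    The DC checks that the deleted value matches the current password, so the user's own
    bind is enough (the Change Password right is granted to SELF by default)."""
    return {"unicodePwd": [(MODIFY_DELETE, [encode_unicode_pwd(current)]),
                           (MODIFY_ADD, [encode_unicode_pwd(new)])]}


def reset_password_mods(new: str) -> dict:
    """Administrative reset: replace the value without proving the old one.
    Requires the Reset Password control-access right on the target user, which is the
    write privilege the service account needs for 'Allow users to reset password'."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new)])]}


def portal_password_operation(allow_change: bool, allow_reset: bool,
                              must_reset_at_next_logon: bool, current: str, new: str):
    """Map the two portal settings and the user's state to the operation the portal would attempt.
    Returns (action, mods) where action is 'change', 'reset', or 'native_directory'
    (the portal does nothing and the user must use the directory outside the portal)."""
    if must_reset_at_next_logon:           # in AD this is pwdLastSet == 0
        if allow_reset:
            return "reset", reset_password_mods(new)
        return "native_directory", None
    if allow_change:
        return "change", change_password_mods(current, new)
    return "native_directory", None


if __name__ == "__main__":
    # Constructed sample: a user who must reset at next logon, with both settings enabled.
    url = "ldaps://dc01.corp.example:636"   # hypothetical directory host
    assert is_ldaps(url), "AD password writes need LDAPS"
    action, mods = portal_password_operation(True, True, True, "OldPassw0rd!", "NewPassw0rd!")
    print(action, mods)
```

The delete-then-add form is the one a user can perform with only their own credentials; the replace form is what the service account performs on the user's behalf, which is why restricting the service account to the reset-password right on the users' OU (rather than full admin rights) is the least-privilege configuration.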

Default password policy: This is a required field. It is automatically completed by the Microsoft AD. If you are using Open LDAP as your directory host, enter the default password policy for the directory.

Password expiry warning threshold (in seconds): This setting allows EAA to display a password change reminder to users when they log in to the EAA Login Portal, to encourage them to change their password before it expires. At login, EAA determines the age of the user’s current password from the directory and, if the time remaining before expiry is within the configured warning threshold, displays the reminder message.

To support password changes from the EAA Login Portal, EAA needs write privileges on the service account to modify another user’s password. If write privileges are not granted to EAA, the warning message may help to reduce admin support for expired user passwords. Enter the amount of time, in seconds, before the password expires to display the password change reminder message.

By default this threshold is set to zero (0). When set to zero (0), no warning messages display.

Password force change threshold (in seconds): This setting allows EAA to force a password change when users log in to the EAA Login Portal, before they can access any application. Enter the amount of time, in seconds, before the password expires at which EAA forces the change. Choose the two thresholds so that users see the warning before they are forced to change, and are forced to change before the password actually expires under the maximum password age in the AD.

By default this threshold is set to zero (0). When set to zero (0), EAA will not attempt to force a change of current valid passwords.
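The two thresholds are easiest to reason about against the attributes the directory actually exposes. The following is an added example (not EAA's own code, and not how EAA is implemented internally) that computes the seconds remaining before a password expires for an AD user (pwdLastSet plus the domain's maxPwdAge) and for an Open LDAP ppolicy entry (pwdChangedTime plus pwdMaxAge), then applies the warning and force-change thresholds. It treats both thresholds as "seconds before expiry", as the field descriptions state, and a value of zero disables the corresponding check; the ordering check it includes (force closer to expiry than the warning, both below the maximum age) is this example's interpretation of the guidance above. Timestamps and policy values are constructed.

```python
"""
Added example (not EAA's own code): evaluating the expiry-warning and force-change
thresholds from AD and Open LDAP ppolicy attributes.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100 ns ticks from here
AD_MAX_PWD_AGE_NEVER = -0x8000000000000000              # maxPwdAge value AD uses for "never expire"
UAC_DONT_EXPIRE_PASSWORD = 0x10000                      # userAccountControl flag
AD_MAX_PWD_AGE_90_DAYS = -90 * 86400 * 10**7            # maxPwdAge is a negative 100 ns interval
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the samples


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ad_seconds_to_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int, now: datetime):
    """None = never expires; 0 = must change at next logon; negative = already expired."""
    if user_account_control & UAC_DONT_EXPIRE_PASSWORD or max_pwd_age in (0, AD_MAX_PWD_AGE_NEVER):
        return None
    if pwd_last_set == 0:                 # the admin ticked "must change password at next logon"
        return 0
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    return (expires_at - now).total_seconds()


def openldap_seconds_to_expiry(pwd_changed_time: str, pwd_max_age: int, pwd_reset: bool, now: datetime):
    """ppolicy: pwdReset TRUE forces a reset; pwdMaxAge 0/absent means no expiry."""
    if pwd_reset:
        return 0
    if not pwd_max_age:
        return None
    stamp = pwd_changed_time.rstrip("Z").split(".")[0]   # GeneralizedTime, optional fraction
    changed = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return (changed + timedelta(seconds=pwd_max_age) - now).total_seconds()


def portal_action(seconds_to_expiry, warn_threshold: int, force_threshold: int) -> str:
    """'reset' (expired or flagged; needs 'Allow users to reset password'), 'force_change', 'warn' or 'none'."""
    if seconds_to_expiry is None:
        return "none"
    if seconds_to_expiry <= 0:
        return "reset"
    if force_threshold and seconds_to_expiry <= force_threshold:
        return "force_change"
    if warn_threshold and seconds_to_expiry <= warn_threshold:
        return "warn"
    return "none"


def thresholds_are_consistent(warn_threshold: int, force_threshold: int, max_age_seconds: int) -> bool:
    """Warn first, then force, then expire: 0 < force < warn < max age whenever both are set."""
    if warn_threshold < 0 or force_threshold < 0:
        return False
    if warn_threshold and warn_threshold >= max_age_seconds:
        return False
    if force_threshold and force_threshold >= max_age_seconds:
        return False
    if warn_threshold and force_threshold and force_threshold >= warn_threshold:
        return False
    return True


def run_samples() -> dict:
    """Constructed users: warning 14 days before expiry, forced change 1 day before."""
    warn, force = 14 * 86400, 86400
    ad = lambda age, uac=0x200: ad_seconds_to_expiry(
        datetime_to_filetime(SAMPLE_NOW - age), AD_MAX_PWD_AGE_90_DAYS, uac, SAMPLE_NOW)
    return {
        "ad_warn": portal_action(ad(timedelta(days=80)), warn, force),
        "ad_force": portal_action(ad(timedelta(days=89, hours=12)), warn, force),
        "ad_reset": portal_action(ad_seconds_to_expiry(0, AD_MAX_PWD_AGE_90_DAYS, 0x200, SAMPLE_NOW), warn, force),
        "ad_never": portal_action(ad(timedelta(days=80), uac=0x10200), warn, force),
        "ldap_none": portal_action(openldap_seconds_to_expiry("20240501000000Z", 7776000, False, SAMPLE_NOW), warn, force),
        "ldap_reset": portal_action(openldap_seconds_to_expiry("20240501000000Z", 7776000, True, SAMPLE_NOW), warn, force),
    }


if __name__ == "__main__":
    print(thresholds_are_consistent(14 * 86400, 86400, 90 * 86400))
    print(run_samples())
```

Two directory details matter here: AD stores maxPwdAge as a negative count of 100 ns ticks and signals "must change at next logon" with pwdLastSet = 0, so a naive age calculation on that value would report a password older than 400 years rather than a pending reset.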

Password complexity: Enter a description of the password requirements in the Password complexity field; this text is shown to users in the Login Portal so that they know what a new password must satisfy. It is informational only and does not change the policy the directory enforces.