
Illumio Core 25.1 Administration Guide

Password Policy Configuration

The PCE enforces password policies that only a Global Organization Owner can configure. In the PCE web console, you set the policy the PCE enforces: password length, composition (the required number and types of characters), expiration, reuse, and history.

About Password Policy for the PCE

You need to be a Global Organization Owner to view the Password Policy feature under the Settings > Authentication menu options.

Prior to Illumio Core 18.2.0, a Global Organization Owner set the password policy in the PCE by using the PCE runtime script. The settings in the PCE runtime script are the same as before Illumio Core 18.2.0, except that the password length can now be set to a maximum of 64 characters.

Note

The Password Policy feature is not applicable for organizations using SAML authentication.

Note

Permission to edit this setting is dependent on your role.

Password Requirements

The password requirements you set are displayed to users when they are required to change their passwords. You can set the minimum character length, ranging from a minimum of 8 characters to a maximum of 64 characters. The default length is 8 characters.

A Global Organization Owner should configure passwords based on the following categories:

  • Uppercase English letters

  • Lowercase English letters

  • Numbers 0 through 9 inclusive

  • Any of the following special characters: ! @ # $ % ^ & * < > ? .

Warning

Any other special characters are neither tested nor supported.

You have to select at least three of the above categories. The default password requirement is one number, one uppercase character, and one lowercase character. You can require either one or two characters from each selected category.

Password Expiration and Reuse

You can set the password expiration range from 1 day to 999 days. The default setting for password expiration is “Never.”

You can set the password reuse history from 1 to 24 passwords before a user can reuse the old password. The default setting is five password changes before reuse of the password is allowed.

Note

The number of password changes before password reuse is allowed is the value you enter + 1 (the current password). For example, when you specify 3, the number of passwords before reuse is allowed is 4.

You can also enforce a similarity rule: a user cannot change their password unless the new password differs from the current one in at least the configured number of characters and positions, which you can set from a minimum of 1 to a maximum of 4.

Allowable password reuse and password history can be set to from 1 to 24 passwords before reuse is allowed. The default setting for password reuse is five password changes before reuse is permitted.
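As an added illustration (not Illumio's code), here is a checker that applies the rules described in the Password Requirements and Password Expiration and Reuse sections above: the 8 to 64 character length, the four categories with only the listed special characters, at least three required categories with one or two characters each, a reuse history that blocks the entered number of previous passwords plus the current one, and the similarity rule. The position-by-position reading of "characters and positions", the category names, and the function names are assumptions.

```python
import string
from dataclasses import dataclass
# The only special characters the guide lists as supported; anything else is rejected.
SPECIALS = set("!@#$%^&*<>?.")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS

@dataclass
class PasswordPolicy:
    min_length: int = 8                     # 8 to 64
    min_per_category: int = 1               # 1 or 2 characters from each required category
    required: frozenset = frozenset({"upper", "lower", "digit"})  # at least three of four
    reuse_history: int = 5                  # value as entered; the current password adds one more
    min_difference: int = 1                 # 1 to 4 characters and positions

    def __post_init__(self):
        ok = (8 <= self.min_length <= 64 and self.min_per_category in (1, 2)
              and len(self.required) >= 3 and self.required <= {"upper", "lower", "digit", "special"}
              and 1 <= self.reuse_history <= 24 and 1 <= self.min_difference <= 4)
        if not ok:
            raise ValueError("setting outside the range the console accepts")

def category_counts(pw: str) -> dict:
    return {
        "upper": sum(c in string.ascii_uppercase for c in pw),
        "lower": sum(c in string.ascii_lowercase for c in pw),
        "digit": sum(c in string.digits for c in pw),
        "special": sum(c in SPECIALS for c in pw),
    }

def positional_difference(a: str, b: str) -> int:
    # Assumed reading of "characters and positions": compare position by position; extra length counts.
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def validate(policy: PasswordPolicy, new_pw: str, current_pw: str, previous: list) -> list:
    """Return the policy violations (empty list = accepted). `previous` is oldest first, excluding current."""
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not set(new_pw) <= ALLOWED:
        problems.append("contains an unsupported character")
    counts = category_counts(new_pw)
    missing = sorted(c for c in policy.required if counts[c] < policy.min_per_category)
    if missing:
        problems.append(f"fewer than {policy.min_per_category} of: {', '.join(missing)}")
    # History blocks the current password plus the last N changes (N + 1, as the guide notes).
    if new_pw in [current_pw] + previous[-policy.reuse_history:]:
        problems.append("reused within password history")
    if positional_difference(new_pw, current_pw) < policy.min_difference:
        problems.append(f"differs from the current password in fewer than {policy.min_difference} positions")
    return problems
```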

Important Notes about Password Management

  • When a Global Organization Owner increases the required minimum password length policy or increases the password complexity requirements and enables password expiration (1-999 days), all existing users must reset their passwords based on the new policy.

  • When a Global Organization Owner configures the password to never expire, all users who were migrated from an older release to 18.2.0 must reset their passwords when they next log in.

Note

The PCE session timeout setting applies to all user sessions regardless of how they authenticated (local, SAML, or LDAP). This setting controls how frequently a user's web session times out once successfully authenticated. It is independent of the user's session with the authentication provider itself.

Change Password Policy Settings

  1. From the PCE web console menu, choose Access > Authentication.

  2. In the Authentication Settings screen, choose the Authentication Method used to authenticate users accessing the PCE:

    • LOCAL (IN USE): Users sign in to the PCE only with a local credential governed by the organization's password policy.

    • SAML (IN USE): SAML users can also authenticate to the PCE using local credentials.

    • LDAP: LDAP users can also authenticate to the PCE using local credentials.

  3. Once you have chosen an option, click the Configure button.

  4. Depending on the authentication method, these are the available options:

    Choose option LOCAL, SAML, or LDAP. The settings shown below are example values as displayed in the console:

    LOCAL (in use)

    Password requirements
      Min length: 8 characters
      Character categories: A-Z (required), a-z (required), 0-9 (required)
      Min characters per category: 1

    Password expiration and reuse
      Expiration: Never
      Reuse history: 1 password change
      Similarity: 1 character and position from the current password

    Session timeout

    Choose the session expiration timeout to balance security and usability, so that users can comfortably complete operations in the PCE web console without their session frequently expiring. The appropriate value depends on how critical the application and its data are. For example, you might set the timeout to 3-5 minutes for high-value applications and 15-30 minutes for low-risk applications.

    The changed session timeout value applies to new browser sessions. Existing browser sessions are not affected when the session timeout value is changed.

    The PCE Org owner can go to Access > Authentication > Local to configure Session Timeout. This PCE session timeout applies to every user belonging to the same organization, regardless of whether they are local or external users.

      Timeout: 30 minutes

    SAML (in use)

    Information from identity provider
      SAML Identity provider certificate: (PEM-encoded certificate supplied by the identity provider)


      Remote login URL: https://hohoho.illumio.com
      Logout landing URL: https://hohoho.illumios.com/1logout

    Information for identity provider
      Authentication method: unspecified
      Force re-authentication: no
      Sign SAML request: no
      SAML version: 2.0
      Issuer URL: https://2x2testlab360.ilabs.io:8443/login
      NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      Assertion consumer URL: https://2x2testlab360.mylabs.io:8443/login/acs/6b5243ef-2305-4ffd-bf81-4fa97fb91a5b
      Logout URL: https://2x2testllab360.mylabs.io:8443/login/logout/6b5243ef-2305-4ffd-bf81-4fa97fb91a5b
      Timeout: 30 minutes

  5. If LDAP authentication is not active, click Turn On to apply it to all LDAP servers.

  6. To create an LDAP server, click on Create Server.

    To continue with LDAP server configuration, see the "LDAP Authentication" topic.