Password Policy Configuration
The PCE enforces password policies that only a Global Organization Owner can configure. In the PCE web console, you set password policies that the PCE enforces, such as password length, composition (the required number and types of characters), and expiration, re-use, and history.
About Password Policy for the PCE
You must be a Global Organization Owner to view the Password Policy feature under the Settings > Authentication menu options.
The password length can be set to a maximum of 64 characters.
Note
The Password Policy feature does not apply to organizations using SAML authentication.
Note
Permission to edit this setting is dependent on your role.
Password Requirements
The password requirements you set are displayed to users when they must change their passwords. You can set the minimum character length, ranging from a minimum of 8 characters to a maximum of 64 characters. The default length is eight characters.
A Global Organization Owner should configure passwords based on the following categories:
Uppercase English letters
Lowercase English letters
Numbers 0 through 9 inclusive
Any of the following special characters:
! @ # $ % ^ & * < > ?
.
Warning
Any other special characters are neither tested nor supported.
You must select at least three of the above categories. The default password requirement is one number, one uppercase character, and one lowercase character. You can require one or two characters from each selected category.
Password Expiration and Reuse
You can set the password expiration range from 1 day to 999 days. The default setting is “Never.”
You can set the password reuse history from 1 to 24 passwords before a user can reuse the old password. The default setting is five password changes before reuse is allowed.
Note
The number of password changes before password reuse is allowed is the value you enter + 1 (the current password). For example, when you specify 3, the number of passwords before reuse is allowed is 4.
You can also enforce password similarity: a user's new password is rejected unless it differs from their current password in at least the configured number of characters and positions, which can be set from a minimum of 1 to a maximum of 4.
Allowable password reuse and password history can be set to 1 to 24 passwords before reuse. The default setting for password reuse is five password changes before reuse is permitted.
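The following is an added example, not Illumio code, that models the local-authentication rules described in the Password Requirements and Password Expiration and Reuse sections as a checker a practitioner could test against: length 8 to 64, at least three of the four categories with one or two characters each, reuse blocked for the configured number of previous passwords plus the current one, and a similarity minimum. The class and function names are my own, and the similarity metric (count of positions whose character differs) is an assumption, since the page does not define how it is measured.

```python
from dataclasses import dataclass

# Only the special characters the page lists as tested and supported.
SPECIAL_CHARS = set("!@#$%^&*<>?")

CATEGORY_TESTS = {
    "A-Z": lambda c: "A" <= c <= "Z",
    "a-z": lambda c: "a" <= c <= "z",
    "0-9": lambda c: "0" <= c <= "9",
    "special": lambda c: c in SPECIAL_CHARS,
}

@dataclass
class PasswordPolicy:
    min_length: int = 8                                   # 8..64, default 8
    required_categories: tuple = ("A-Z", "a-z", "0-9")    # default; at least 3 of the 4
    min_per_category: int = 1                             # 1 or 2
    reuse_history: int = 5                                # 1..24, default 5
    min_position_diff: int = 1                            # similarity: 1..4

    def __post_init__(self):
        ok = (8 <= self.min_length <= 64 and len(self.required_categories) >= 3
              and self.min_per_category in (1, 2) and 1 <= self.reuse_history <= 24
              and 1 <= self.min_position_diff <= 4)
        if not ok:
            raise ValueError("policy values outside the ranges the PCE accepts")

def positions_differing(new: str, current: str) -> int:
    """Assumed similarity metric: positions whose character differs, plus any length difference."""
    return sum(a != b for a, b in zip(new, current)) + abs(len(new) - len(current))

def check_password(policy: PasswordPolicy, new: str, current: str, history: list) -> list:
    """Return the policy violations for a proposed new password (empty list means accepted).
    `history` holds previous passwords, most recent first; a real system keeps hashes instead."""
    errors = []
    if not policy.min_length <= len(new) <= 64:
        errors.append("length")
    for name in policy.required_categories:
        if sum(1 for c in new if CATEGORY_TESTS[name](c)) < policy.min_per_category:
            errors.append(f"need {policy.min_per_category} of {name}")
    if any(not any(test(c) for test in CATEGORY_TESTS.values()) for c in new):
        errors.append("unsupported character")
    # Reuse: the configured value + 1, because the current password is blocked as well.
    if new in [current] + list(history[:policy.reuse_history]):
        errors.append("reused")
    if positions_differing(new, current) < policy.min_position_diff:
        errors.append("too similar")
    return errors
```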
Caveats
When a Global Organization Owner increases the minimum password length policy or the password complexity requirements and enables password expiration (1-999 days), all existing users must reset their passwords based on the new policy.
When a Global Organization Owner configures the password never to expire, all users who migrated from an older release to 18.2.0 must reset their passwords when they log in.
Change Password Policy Settings
From the PCE web console menu, choose Access -> Authentication.
In the Authentication Settings screen, choose the Authentication Method to authenticate users for accessing the PCE:
LOCAL (IN USE): The user signs in to the PCE only with a local credential that is subject to the organization's password policy.
SAML (IN USE): SAML users can authenticate to the PCE using local credentials.
LDAP: LDAP users can also authenticate to the PCE using local credentials.
Once you decide which option to take, click on the Configure button.
Depending on the authentication method, these are the available options:
Choose option LOCAL, SAML, or LDAP:
LOCAL (in use)
Password requirements
  Min length: 8 characters
  Character categories: A-Z (required), a-z (required), 0-9 (required)
  Min characters per category: 1
Password expiration and reuse
  Expiration: Never
  Reuse history: 1 password change
  Similarity: 1 character and position from the current password
Session timeout
You can configure the session timeout value using the PCE web console. Choose the session expiration timeout to balance security and usability, so that users can comfortably complete operations in the PCE web console without their sessions frequently expiring. The appropriate value depends on how critical the application and its data are. For example, you might set the timeout to 3-5 minutes for high-value applications and 15-30 minutes for low-risk applications.
The changed session timeout value applies to new browser sessions; it does not affect existing browser sessions.
  Timeout: 30 minutes
SAML (in use)
Information from identity source
  SAML Identity source certificate: (PEM certificate supplied by the identity provider)
  Remote login URL: https://hohoho.illumio.com
  Logout landing URL: https://hohoho.illumios.com/1logout
Information for the identity source
  Authentication method: unspecified
  Force re-authentication: no
  Sign SAML request: no
  SAML version: 2.0
  Issuer URL: https://2x2testlab360.ilabs.io:8443/login
  NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  Assertion destination URL: https://2x2testlab360.mylabs.io:8443/login/acs/6b5243ef-2305-4ffd-bf81-4fa97fb91a5b
  Logout URL: https://2x2testllab360.mylabs.io:8443/login/logout/6b5243ef-2305-4ffd-bf81-4fa97fb91a5b
  Timeout: 30 minutes
LDAP authentication is not active. Click Turn On to apply to all the LDAP servers.
To create an LDAP server, click on Create Server.
To continue with LDAP server configuration, see Enable LDAP Authentication.