It is the responsibility of the Appliance Administrator to initially set up user login controls such as the number of failed sign-in attempts before locking out an account.
To configure the login controls
- Go to Local Login Control:
web client: Navigate to
Safeguard Access > Local Login Control.
- Provide the following information. Some settings are for local users only, such as Lockout Window. Other settings are for all user types, such as the Token Lifetime.
Token Lifetime Set the number of minutes a user can stay logged into SPP.
Range: 10 minutes to 28,800 minutes (20 days)
Default: 1,440 minutes (one day)
Web Client Inactivity Timeout
Set the maximum time to allow from the user's last request to the server before the user is automatically logged out. The default is 15 minutes. The minimum value is five minutes and the maximum value is 2,880 minutes (two days) if the Token Lifetime is increased to match the value. If the Token Lifetime is not increased, the token will expire before the Web Client Inactivity Timeout.
When the timeout period is met, a message displays and the user can continue or log out. If there is no response, the user is automatically logged out. The default is 15 minutes.
Lockout Duration Set the number of minutes a locked out account remains locked.
Range: One to 9,999 minutes; A setting of 9,999 requires an administrator to manually unlock the account.
Default: 15 minutes
Lockout Threshold Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account.
If a user submits an incorrect password for the maximum number of times specified by the account Lockout Threshold settings within the Lockout Window, SPP locks the account until the Lockout Duration period has been met.
Range: 0 to 100 failed sign-in attempts; A value of 0 (zero) indicates the user’s account will never be locked due to failed log ins. The default is five consecutive failures. Set the Lockout Threshold to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.
Lockout Window Set the duration (in minutes) in which SPP increments the number of failed sign-in attempts.
Range: 0 to 15 minutes; A value of 0 (zero) means that there is no time limit to tracking failed log on attempts.
Default: 10 minutes
Deactivate After Set the number of days to wait before automatically disabling an inactive user account.
If a user has not logged onto SPP this number of days, SPP disables the user account.
NOTE: The Authorizer Administrator must also reset the user's password when re-enabling a disabled account.
Range: 14 to 365 days
Default: 365 days
Minimum Password Age Set the number of days a user must wait before changing their password.
Range: 0 to 14 days
Default: Zero
Maximum Password Age Set the number of days users can use their current password before they must change it.
Range: 0 to 180 days; A value of 0 (zero) indicates passwords never expire.
Default: 42 days
Password Age Reminder Set the period of time (in days) before the Maximum Password Age limit is met and SPP begins to remind the user that their password is about to expire.
NOTE: This value will also be applied to any Active Directory Identity and Authentication providers. This only acts as a reminder. A user will not be able to change their directory password from within SPP. If an Active Directory user is part of a Fine-Grained Password Policy, that policy’s maximum password age setting takes precedence.
Range: 0 to 45 days
Default: 14 days
Password History Enter the number of old passwords stored by SPP for user accounts. Stored passwords cannot be reused, and are replaced on a first-in, first-out basis.
NOTE: Administrators are not restricted by the password history setting.
Range: 0 to 24 old passwords; A value of 0 (zero) disables password history restrictions allowing users to always reuse old passwords.
Default: Five stored passwords
Inform User of Locked Account
Select this check box to inform users when SPP has locked their account when they attempt to log in. When cleared, SPP tells the user that their access has been denied.
NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.
A user with a locked account cannot sign into SPP until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a local user's account..
Default: Not set
Inform User of Deactivated Account
Select this check box to inform users when SPP has disabled their account when they attempt to log in. When cleared, SPP tells the user that their access has been denied.
NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.
A user with a disabled account cannot sign into SPP until an administrator has re-enabled their account. For more information, see Activating or deactivating a user account..
Default: Not set
Inform User of Bad Password
Select this check box to inform users when the password is bad.
Default: Not set
Inform User of Expired Password
Select this check box to inform users when the password is expired.
Default: Not set
Inform User of Invalid Token
Select this check box to inform users when the token is invalid.
Default: Not set
Enable Secure Token Service Login Timeout
Select this check box to set a 15 minute expiration time for session based cookies.
Session based cookies are used during login. Typically, a session based cookie does not expire and is deleted by the browser/user-agent when closed. This setting, when enabled, will cause the session-based cookies to have a 15 minute expiration time, enforced by the server. This adds security and can prevent some replay attacks. End users must complete the login process within this time frame, including any multi-factor authentication.