Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP Glossary About us

Login Notification

It is the responsibility of the Appliance Administrator to configure the login notification displayed when a user logs into One Identity Safeguard for Privileged Passwords. This feature is typically used for describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the system. Note that the message text can be viewed anonymously. Therefore, you should not include any sensitive information that you don't want read by an unauthenticated user. See the Message of the Day for messages that are only available to authenticated users.

To configure the login notification

  1. Go to Messaging:
    • web client: Navigate to  Settings | Safeguard Access | Messaging.
    • desktop client: Navigate to Administrative Tools | Settings | Messaging | Login Notification.
  2. desktop client only: Select the Message check box.
  3. Type in the Login Notification.
  4. Click Save (web client) or OK (desktop client).

Message of the Day

It is primarily the responsibility of the Appliance Administrator to configure the message of the day displayed on the Home page, however any user with administrator permissions has the ability to set the message of the day. The message is only visible to authenticated users after they have logged in.

To configure the message of the day

web client: If you choose RSS, the feed should be HTTPS. The RSS server needs CORS policy enabled.

  1. To change the message of the day:
    • web client: Navigate to  Settings | Safeguard Access | Messaging.
    • desktop client: Navigate to Administrative Tools | Settings | Messaging | Message of the Day.
  1. Under Message of the Day, choose either the RSS or Subject Line option.
  2. When the RSS option is selected, enter a web address.
  3. When the Subject line option is selected, enter the following information:
    • Subject Line: Enter a short description.
    • Message: Enter the text of up to 255 characters.
  4. Click Save (web client) or OK (desktop client).

Local Login Control

It is the responsibility of the Appliance Administrator to initially set up user login controls such as the number of failed sign-in attempts before locking out an account. .

To configure the login controls

  1. Go to Local Login Control:
    • web client: Navigate to  Settings | Safeguard Access | Local Login Control.
    • desktop client: Navigate to Administrative Tools | Settings| | Safeguard Access | Login Control.
  1. Provide the following information. Some settings are for local users only, such as Lockout Window. Other settings are for all user types, such as the Token Lifetime. (The desktop client elements are in a different order.)
    Token Lifetime

    Set the number of minutes a user can stay logged into Safeguard for Privileged Passwords.

    Range: 10 minutes to 28,800 minutes (20 days)

    Default: 1,440 minutes (one day)

    Web Client Inactivity Timeout

    Set the maximum time to allow from the user's last request to the server before the user is automatically logged out. The default is 15 minutes. The minimum value is five minutes and the maximum value is 2,880 minutes (two days) if the Token Lifetime is increased to match the value. If the Token Lifetime is not increased, the token will expire before the Web Client Inactivity Timeout.

    When the timeout period is met, a message displays and the user can continue or log out. If there is no response, the user is automatically logged out. The default is 15 minutes.

    Maximum Platform Retries

    web client

    Set the maximum number of platform retries.

    Maximum Notification Recipients

    web client

    Set the maximum number of notification recipients.

    Expiration Warning Duration

    web client

    Enter the number of days for the warning to expire.

    Lockout Duration

    Set the number of minutes a locked out account remains locked.

    Range: One to 9,999 minutes; A setting of 9,999 requires an administrator to manually unlock the account.

    Default: 15 minutes

    Lockout Threshold

    Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account.

    If a user submits an incorrect password for the maximum number of times specified by the account Lockout Threshold settings within the Lockout Window, Safeguard for Privileged Passwords locks the account until the Lockout Duration period has been met.

    Range: 0 to 100 failed sign-in attempts; A value of 0 (zero) indicates the user’s account will never be locked due to failed log ins. The default is five consecutive failures. Set the Lockout Threshold to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.

    Lockout Window

    Set the duration (in minutes) in which Safeguard for Privileged Passwords increments the number of failed sign-in attempts.

    Range: 0 to 15 minutes; A value of 0 (zero) means that there is no time limit to tracking failed log on attempts.

    Default: 10 minutes

    Disable After

    Set the number of days to wait before automatically disabling an inactive user account.

    If a user has not logged onto Safeguard for Privileged Passwords this number of days, Safeguard for Privileged Passwords disables the user account.

    NOTE: The Authorizer Administrator must also reset the user's password when re-enabling a disabled account.

    Range: 14 to 365 days

    Default: 365 days

    Change Password URL

    web client

    Enter the URL used to change the password.

    Minimum Password Age

    Set the number of days a user must wait before changing his or her password.

    Range: 0 to 14 days

    Default: Zero

    Maximum Password Age

    Set the number of days users can use their current password before they must change it.

    Range: 0 to 180 days; A value of 0 (zero) indicates passwords never expire.

    Default: 42 days

    Password Age Reminder

    Set the period of time (in days) before the Maximum Password Age limit is met and Safeguard for Privileged Passwords begins to remind the user that their password is about to expire.

    Range: 0 to 30 days

    Default: 14 days

    Password History

    Enter the number of old passwords stored by Safeguard for Privileged Passwords for user accounts. Stored passwords cannot be reused, and are replaced on a first-in, first-out basis.

    NOTE: Administrators are not restricted by the password history setting.

    Range: 0 to 24 old passwords; A value of 0 (zero) disables password history restrictions allowing users to always reuse old passwords.

    Default: Five stored passwords

    Inform User of Locked Account

    Select this check box to inform users when Safeguard for Privileged Passwords has locked their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.

    A user with a locked account cannot sign into Safeguard for Privileged Passwords until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a user's account.

    Default: Not set

    Inform User of Disabled Account

    Select this check box to inform users when Safeguard for Privileged Passwords has disabled their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.

    A disabled user cannot sign into Safeguard for Privileged Passwords until an administrator has re-enabled his or her account. For more information, see Enabling or disabling a user.

    Default: Not set

    Inform User of Bad Password

    web client

    Select this check box to inform users when the password is bad.

    Default: Not set

    Inform User of Expired Password

    web client

    Select this check box to inform users when the password is expired.

    Default: Not set

    Inform User of Invalid Token

    web client

    Select this check box to inform users when the token is invalid.

    Default: Not set

    Enable Secure Token Service Login Timeout

    desktop client

    Select this check box to set a 15 minute expiration time for session based cookies.

    Session based cookies are used during login. Typically, a session based cookie does not expire and is deleted by the browser/user-agent when closed. This setting, when enabled, will cause the session-based cookies to have a 15 minute expiration time, enforced by the server. This adds security and can prevent some replay attacks. End users must complete the login process within this time frame, including any multi-factor authentication.

Local Password Rule

Password rules define the complexity requirements for user authentication to Safeguard for Privileged Passwords. You can create rules governing the type of password a user can create, such as:

  • Set the allowable password length in a range from 3 to 225 characters.
  • Set first characters type and last character type.
  • Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols along with the minimum amounts of each.
  • Identify excluded uppercase letters, lowercase letters, numbers, and symbols.
  • Identify if consecutive letters, numbers, and/or symbols can be repeated sequentially and, if allowed, set the maximum repetitions allowed.

Note: These rules only apply to local users; they do not affect users accessing Safeguard for Privileged Passwords from an external provider such as Microsoft Active Directory. The password rules are listed in the Set password dialog. For more information, see Setting a local user's password.

Related Topics

Safeguard Access settings

Modifying user password requirements

Account Password Rules

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating