These settings allow the administrator to control what a new password must look like. For example, a policy could require passwords to contain all numbers, at least three letters, or at least two numbers and at least four punctuation characters.
Use caution with these settings, as it is possible to set requirements that no passwords could ever satisfy. For instance, should the Maximum Password Length field be set to 8 characters, the Letters field set to 6 and the Digits field set to 6, all passwords would implicitly be required to contain at least 12 characters (6 letters and 6 digits), but no passwords this length are allowed. Thus, all passwords would be rejected.
Because of setting overrides, APS cannot detect such impossible combinations when the configuration file is read. When a password is validated, however, APS will determine if the combination of settings that apply to that user is possible. If it is not, an error is displayed to the user. While APS can detect many such combinations (at run-time), it may not be able to detect all of them.
All settings can be overridden.
These settings are applied only when a user changes their own password. They do not affect an administrator changing a user's password, except as provided by APSAdmin (see page 210) or when the APS API is called.
Passwords can be tested using the IsMyPasswordValid and IsPasswordValid functions in the APS Application Programming Interface (API).
Range: 4-32 characters
Default: 4
Recommended: 6-8
Complexity Level: Basic
Controls the minimum length allowed for passwords. Any setting below four will be ignored. The minimum may not exceed the maximum. Attempting to set this value outside of the allowed range will cause a parsing error and the setting will be ignored.
Minimum Length=4
Minimum Length={@Employees}6
Range: 4-32 characters
Default: 32
Recommended: 32
Complexity Level: Basic
Controls the maximum length allowed for a password. Any setting above 32 will be ignored and a parsing error will be logged. The Minimum Length must be less than or equal to the Maximum Length.
Maximum Length=20
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Intermediate
This setting requires that the password contain a certain minimum number of alphabetic letters. Alphabetic characters are defined as the letters in the alphabet, regardless of case.
Minimum Letters=2
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting requires that the password contain a certain minimum number of upper case alphabetic letters. Care should be taken in non-standard character set environments, since APS detection of upper case letters only applies to standard ASCII letters.
Minimum Uppercase=2
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting requires that the password contain a certain minimum number of lower case alphabetic letters. Care should be taken in non-standard character set environments, since APS detects lower case only using the standard ASCII character set.
Minimum Lowercase=2
Range: 0-32 characters
Default: 0
Recommended: 2
Complexity Level: Intermediate
This setting requires that the password contain a minimum number of numeric digits ("0" to "9").
Minimum Digits=1
Minimum Digits={@Customers} 2
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Intermediate
This setting requires that the password contain a certain minimum number of alphanumeric characters ("A"-"Z" or "0"-"9"). If this setting is used along with one of the settings above, characters can satisfy both requirements. For example, if Digits is four and this setting is four, the password 1234 satisfies both requirements.
Minimum Alphanumeric=1
Minimum Alphanumeric={@Employees} 3
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Intermediate
This setting requires that the password contain a certain minimum number of punctuation marks. These can be periods, commas, exclamation marks, etc.
Minimum Punctuation=1
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Intermediate
This setting requires that the password contain a certain minimum number of symbol characters. Symbol characters are defined within APS as the characters:
"~" (tilde)
"@" (at)
"#" (number)
"$" (dollar)
"%" (percent)
"^" (circumflex)
"&" (ampersand)
"*" (asterisk)
"(" (open parenthesis)
")" (close parenthesis)
"_" (underscore)
"-" (hyphen)
"+" (plus)
"=" (equals)
"{" (open brace)
"}" (close brace)
"[" (open bracket)
"]" (close bracket)
"<" (less than)
">" (greater than)
"/" (virgule)
"\" (back slash)
"|" (vertical bar)
and all extended ASCII characters, including diacritical marks. Note that some browsers do not support the entry of extended ASCII characters and some LDAP directories do not support them as part of an LDAP attribute.
Minimum Symbols=1
Minimum Symbols={@Partners} 2
Range: 0-32 characters
Default: 0
Recommended: 1-2
Complexity Level: Intermediate
This setting requires that the password contain a specified minimum number of non-alphanumeric characters. This includes punctuation marks and other symbols located on the keyboard.
Similar to the Minimum Alphanumeric field above, a given character can satisfy this requirement in addition to "Punctuation" or "Symbols".
Minimum Other=1
Using the above settings, a site can require certain combinations. However, the use of those settings is fairly inflexible, in that a new password must satisfy all of those settings.
APS can allow a site to specify a series of settings, then require that a new password satisfy a minimum number of them.
The easiest way to think of this is as a "point system". The site specifies the conditions required to get each "point", then the minimum number of "points" that a new password must have.
The Combination Xxxx settings (below) specify the conditions required to earn a "point". The Minimum Combinations setting tells APS how many points are required by new passwords.
For example, if a site wants to require an uppercase letter, a lowercase letter, a digit, and a punctuation mark, they would use the following settings:
Minimum Uppercase=1
Minimum Lowercase=1
Minimum Digits=1
Minimum Punctuation=1
However, if they only wanted to require any three of the four (instead of requiring all four), a site would use:
Combination Uppercase=1
Combination Lowercase=1
Combination Digits=1
Combination Punctuation=1
Minimum Combinations=3
APS will log a warning to the SiteMinder console log if:
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting defines the number of letters (upper- and lower-case) needed to satisfy one of the possible Minimum Combinations of character types required in the password.
Combination Letters=1
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting defines the number of uppercase letters needed to satisfy one of the possible Minimum Combinations of character types required in the password. Care should be taken in non-standard character set environments, since APS detection of upper case letters only applies to standard ASCII letters.
Combination Uppercase=1
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting defines the number of lowercase letters needed to satisfy one of the possible Minimum Combinations of character types required in the password. Care should be taken in non-standard character set environments, since APS detection of lower case letters only applies to standard ASCII letters.
Combination Lowercase=2
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting defines the number of numeric digits ("0" to "9") needed to satisfy one of the possible Minimum Combinations of character types required in the password.
Combination Digits=1
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting defines the number of alphanumeric characters ("A"-"Z" or "0"-"9") needed to satisfy one of the possible Minimum Combinations of character types required in the password. If this setting is used along with one of the settings above, characters can satisfy both requirements. For example, if Digits is four and this setting is four, the password 1234 satisfies both requirements.
Combination Alphanumeric=1
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting requires that the password contain a certain minimum number of punctuation marks in order to satisfy one of the Minimum Combinations of character types required in the password. These can be periods, commas, exclamation marks, etc.
Combination Punctuation=1
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting requires that the password contain a certain minimum number of symbol characters in order to satisfy one of the character types required by the Minimum Combinations setting. Symbol characters are defined within APS as the characters:
"~" (tilde)
"@" (at)
"#" (number)
"$" (dollar)
"%" (percent)
"^" (circumflex)
"&" (ampersand)
"*" (asterisk)
"(" (open parenthesis)
")" (close parenthesis)
"_" (underscore)
"-" (hyphen)
"+" (plus)
"=" (equals)
"{" (open brace)
"}" (close brace)
"[" (open bracket)
"]" (close bracket)
"<" (less than)
">" (greater than)
"/" (virgule)
"\" (back slash)
"|" (vertical bar)
and all extended ASCII characters, including diacritical marks. Note that some browsers do not support the entry of extended ASCII characters and some LDAP directories do not support them as part of an LDAP attribute.
Combination Symbols=1
Range: 0-32 characters
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting requires that the password contain a specified minimum number of non-alphanumeric characters in order to satisfy one of the character types required by the Minimum Combinations setting. This includes punctuation marks and other symbols located on the keyboard.
Similar to the Combination Alphanumeric field above, a given character can satisfy this requirement in addition to "Punctuation" or "Symbols".
Combination Other=1
Range: 0-7 types
Default: 0
Recommended: 0
Complexity Level: Advanced
This setting tells how many different character types must be represented in the new password. In order for a given character type to be counted, one of the Combination Xxx settings (above) must be satisfied.
If any Combination Xxx setting is not zero and this value is not set (or zero), a warning will be issued in the SiteMinder Authentication Log.
If there are not enough Combination Xxx settings defined to possibly satisfy this setting, then this setting will be ignored and a warning will be logged to the SiteMinder Authentication Log.
Minimum Combinations=3
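As an added worked example (not part of the APS manual and not CA's code), the following Python models the rules described in this chapter: per-class counting in which one character may satisfy several Minimum Xxx settings (as with 1234 above), {@Group} override resolution, which is why impossible settings cannot be detected until a particular user's password is validated, a feasibility check that catches the 8-character maximum with six letters and six digits from the top of the chapter, and the Combination Xxx point system, including the rule that Minimum Combinations is ignored when too few Combination Xxx settings are defined to satisfy it. The symbol set follows the manual's list; the punctuation set, the policy-dictionary layout and the override-selector matching are assumptions of this example.

```python
"""Model of the APS password-content rules described in this chapter: per-class
character counting, the Minimum Xxx settings, the Combination Xxx / Minimum
Combinations point system, {@Group} overrides, and a feasibility check for
settings that no password could satisfy. Constructed example, not APS code."""
import string

# Symbol characters as listed in the manual; extended (non-ASCII) characters
# also count as symbols.
SYMBOLS = set('~@#$%^&*()_-+={}[]<>/\\|')
# The manual only says "periods, commas, exclamation marks, etc." for
# punctuation. Assumption: every other ASCII punctuation character counts.
PUNCTUATION = set(string.punctuation) - SYMBOLS   # . , ! ? ; : ' " `
ALNUM = set(string.ascii_letters + string.digits)

CLASSES = ("Letters", "Uppercase", "Lowercase", "Digits", "Alphanumeric",
           "Punctuation", "Symbols", "Other")


def class_counts(pw):
    """Count characters per APS class. Classes overlap: '7' is a digit and an
    alphanumeric, '.' is punctuation and 'other'."""
    return {
        "Letters": sum(c in string.ascii_letters for c in pw),
        "Uppercase": sum(c in string.ascii_uppercase for c in pw),
        "Lowercase": sum(c in string.ascii_lowercase for c in pw),
        "Digits": sum(c in string.digits for c in pw),
        "Alphanumeric": sum(c in ALNUM for c in pw),
        "Punctuation": sum(c in PUNCTUATION for c in pw),
        "Symbols": sum(c in SYMBOLS or ord(c) > 127 for c in pw),
        "Other": sum(c not in ALNUM for c in pw),
    }


def effective(policy, selectors):
    """Resolve the settings that apply to one user. Keys are plain names
    ('Minimum Digits') or names with an override selector
    ('Minimum Digits{@Customers}'); an override whose selector is in
    `selectors` replaces the base value. Simplified model of APS overrides."""
    eff = {}
    for key, value in policy.items():
        name, _, selector = key.partition("{")
        name = name.strip()
        if not selector:
            eff.setdefault(name, value)      # base value, unless overridden
        elif selector.rstrip("}") in selectors:
            eff[name] = value
    return eff


def minimum_feasible_length(eff):
    """Smallest length at which every Minimum Xxx count can be met at once.
    Letters, digits and non-alphanumerics are disjoint; the other classes
    overlap them, so one character may satisfy several at once."""
    g = lambda k: eff.get(k, 0)
    letters = max(g("Minimum Letters"), g("Minimum Uppercase") + g("Minimum Lowercase"))
    alnum = max(g("Minimum Alphanumeric"), letters + g("Minimum Digits"))
    # Assumption: the punctuation and symbol sets above are disjoint.
    other = max(g("Minimum Other"), g("Minimum Punctuation") + g("Minimum Symbols"))
    return max(g("Minimum Length"), alnum + other)


def policy_is_possible(eff):
    return minimum_feasible_length(eff) <= eff.get("Maximum Length", 32)


def validate(pw, eff):
    """Return the names of the rules a new password fails (empty = accepted)."""
    if not policy_is_possible(eff):
        return ["no password can satisfy these settings"]
    failures = []
    if len(pw) < eff.get("Minimum Length", 4):
        failures.append("Minimum Length")
    if len(pw) > eff.get("Maximum Length", 32):
        failures.append("Maximum Length")
    counts = class_counts(pw)
    failures += [f"Minimum {cls}" for cls in CLASSES
                 if counts[cls] < eff.get(f"Minimum {cls}", 0)]
    # Point system: each Combination Xxx threshold that is met earns a point.
    thresholds = {cls: eff.get(f"Combination {cls}", 0) for cls in CLASSES}
    defined = sum(1 for t in thresholds.values() if t)
    need = eff.get("Minimum Combinations", 0)
    if need > defined:          # APS ignores the setting (and logs a warning)
        need = 0
    points = sum(1 for cls, t in thresholds.items() if t and counts[cls] >= t)
    if need and points < need:
        failures.append(f"Minimum Combinations ({points} of {need})")
    return failures


if __name__ == "__main__":
    three_of_four = {"Minimum Length": 8, "Combination Uppercase": 1,
                     "Combination Lowercase": 1, "Combination Digits": 1,
                     "Combination Punctuation": 1, "Minimum Combinations": 3}
    print(validate("Summer2024", three_of_four))   # []
    print(validate("summer2024", three_of_four))   # ['Minimum Combinations (2 of 3)']
    impossible = {"Maximum Length": 8, "Minimum Letters": 6, "Minimum Digits": 6}
    print(minimum_feasible_length(impossible))     # 12
```

Running minimum_feasible_length over the effective settings of every override group at deployment time is the check the manual says APS itself cannot do when the configuration file is read.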
Range: 0-32 characters
Default: 0
Recommended: 3
Complexity Level: Basic
This setting controls the number of identical characters that cannot appear consecutively. For example, if this setting is four, then aaaa could not appear anywhere in the password.
Maximum Repeat=3
Maximum Repeat={@Employees} 2
Range: 0-400
Default: 0
Recommended: 40
Complexity Level: Advanced
APS can numerically evaluate the complexity of a password (See Password Complexity for details on how APS evaluates password complexity). If the complexity of the new password does not exceed this value, the password is not allowed.
To turn off this checking, set to zero or comment it out.
Complexity=40
Range: upper, lower, or none
Default: none
Recommended: none
Complexity Level: Advanced
Controls whether passwords should be forced to upper or lower case. CA does not recommend the use of this keyword, since it reduces the possible combinations of characters that can be used for passwords (which shrinks the search space for a brute-force or dictionary attack).
APS "knows" upper and lower case based on the standard ASCII character set. It does not recognize the difference between upper and lower case letters in the extended character set (such as those with diacritical marks).
If this option is used, the site must also use the Authentication Scheme wedge described on page 264 to convert entered passwords to the correct case.
Note: Sites should be very careful when implementing this setting for the first time. Once turned on, all passwords entered by users will have their case changed. If users have existing passwords that do not satisfy the new case requirements, they will not be able to login.
To turn off this checking, set it to none or comment it out.
Force Case=none
Range: n/a
Default: none
Recommended: none
Complexity Level: Advanced
The Match keyword specifies patterns ("regular expressions") that new passwords must match in order to be valid. Unlike most keywords, the Match keyword may appear as many times as required, with or without overrides (the same override may appear more than once). All applicable patterns will be applied.
Each value must include two parts, an error key and a pattern, separated by one or more spaces.
The error key is an index into the APS.lang file for the error message to display if the new password fails to match the associated pattern. There is no default for this value. If Match is to be used, your site must specify the error key and must update the APS.lang file to provide an error message.
To turn off this checking, comment out all values.
The following example requires that a password start with an alphabetic character. As the examples here show, the asterisk matches any run of characters (as in a filename pattern), so [A-Za-z]* matches any password whose first character is a letter. Note that a key named ERR_MUST_START_ALPHA must be added to the APS.LANG file so that a proper error message can be displayed.
Match=ERR_MUST_START_ALPHA [A-Za-z]*
Range: n/a
Default: none
Recommended: none
Complexity Level: Advanced
The NoMatch keyword specifies patterns ("regular expressions") that new passwords must not match in order to be valid. Unlike most keywords, the NoMatch keyword may appear as many times as required, with or without overrides (the same override may appear more than once). All applicable patterns will be applied.
Each value must include two parts, an error key and a pattern, separated by one or more spaces.
The error key is an index into the APS.lang file for the error message to display if the new password matches the pattern. There is no default for this value. If NoMatch is to be used, your site must specify the error key and must update the APS.lang file to provide an error message.
To turn off this checking, comment out all values.
The following example requires that a password not end in a digit (preventing things like PASSWORD9). Note that a key named ERR_NO_TRAILING_DIGIT must be added to the APS.LANG file so that a proper error message can be displayed.
NoMatch=ERR_NO_TRAILING_DIGIT *[0-9]
Range: Character list
Default: none
Recommended: none
Complexity Level: Advanced
The Allowed Characters keyword specifies a list of characters that are allowed in a password. Only characters listed with this keyword will be allowed in new passwords.
Each instance of this keyword specifies a list of characters, which may or may not be surrounded by double quotes. Since leading and trailing blanks in a setting value are ignored, the quotes are necessary if a blank is to be part of the list. If the value is surrounded by quotes, the quotes themselves are removed from the list of allowed characters (any quotes inside the list are retained).
Multiple instances of this keyword may exist and may apply. APS will use the characters listed with every applicable instance of this setting.
If no Allowed Characters keyword is valid, then all characters will be allowed (subject to the Disallowed Characters setting below).
APS does not detect characters that are both allowed and disallowed (they will be disallowed).
Allowed Characters=abcdefABCDEF01234
Range: Character list
Default: none
Recommended: none
Complexity Level: Advanced
The Disallowed Characters keyword specifies a list of characters that are not allowed in a password. Characters listed with this keyword will not be allowed in new passwords.
Each instance of this keyword specifies a list of characters, which may or may not be surrounded by double quotes. Since leading and trailing blanks in a setting value are ignored, the quotes are necessary if a blank is to be part of the list. If the value is surrounded by quotes, the quotes themselves are removed from the list of disallowed characters (any quotes inside the list are retained).
Multiple instances of this keyword may exist and may apply. APS will use the characters listed with every applicable instance of this setting.
If no Disallowed Characters keyword is valid, then all characters will be allowed (subject to the Allowed Characters setting above).
APS does not detect characters that are both allowed and disallowed (they will be disallowed).
Disallowed Characters=xyzXYZ56789
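The following Python, added here as an illustration and not taken from APS, applies the Allowed Characters and Disallowed Characters rules described above: every applicable Allowed Characters instance contributes to one allowed set, a surrounding pair of double quotes is stripped while inner quotes are kept, no Allowed Characters instance means every character is allowed, and a character present in both lists is disallowed. The function names and the representation of each instance's value as a plain string are this example's own.

```python
"""Model of the APS Allowed Characters / Disallowed Characters rules.
Constructed example, not APS code."""


def parse_char_list(value):
    """Parse one setting value as the manual describes: leading and trailing
    blanks are ignored, and a surrounding pair of double quotes is removed
    while any quotes inside the list are retained. Blanks that should be part
    of the list must therefore be protected by the quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return set(value)


def check_character_lists(pw, allowed_values=(), disallowed_values=()):
    """Return the characters of pw that the lists reject, in order.

    allowed_values / disallowed_values hold the raw value of every applicable
    Allowed Characters / Disallowed Characters instance. If no Allowed
    Characters instance applies, every character is allowed (subject to the
    disallowed list). A character that is both allowed and disallowed is
    disallowed, as the manual states."""
    allowed = set().union(*(parse_char_list(v) for v in allowed_values))
    disallowed = set().union(*(parse_char_list(v) for v in disallowed_values))
    rejected = []
    for c in pw:
        if c in disallowed or (allowed_values and c not in allowed):
            rejected.append(c)
    return rejected


if __name__ == "__main__":
    # Constructed settings mirroring the manual's examples.
    allowed = ["abcdefABCDEF01234", '" 56789"']   # quoted so the blank survives
    disallowed = ["xyzXYZ56789"]
    print(check_character_lists("face 1", allowed, disallowed))   # []
    print(check_character_lists("face5x", allowed, disallowed))   # ['5', 'x']
```

Characters 5 to 9 are in an allowed list and in the disallowed list, so they are rejected; the blank survives only because its list is quoted.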
Copyright © 2014 CA.
All rights reserved.