
credential-less account Password rotation

Manpreet_Kaur
New Contributor II

Dear Team

We need your advice on credential-less account passwords: is the password rotated by Saviynt EIC for credential-less accounts?
We are getting the prompt “your password will expire within so & so days, try changing your password”.
Snapshot as below:

[Screenshot: Manpreet_Kaur_0-1701097414220.png]

If rotation is supported for credential-less accounts, can you guide us on where we need to change the configuration? We have added the below config at the endpoint level as of now:
{"maxSessionWarnPeriodInSec":"100000","maxReqExpWarnPeriodInSec":"100000","maxSessionLimitInSec":"100000","maxConcurrentSession":"50","maxInActiveTimeInSec":"100000","maxInActiveWarnPeriodInSec":"100000","rotateKey":"true"}

If rotation is not supported, do we need to disable the account’s password expiry at the server level (here it's a Windows server)?
Request you to throw some light so that we can guide the client appropriately.

Thanks for your support.

Regards,

Manpreet Kaur

 


sk
All-Star

@Manpreet_Kaur : Based on the configuration you have used, it will rotate the password of the credential-less account after each checkout. The config highlighted below defines that.

 {"maxSessionWarnPeriodInSec":"100000","maxReqExpWarnPeriodInSec":"100000","maxSessionLimitInSec":"100000","maxConcurrentSession":"50","maxInActiveTimeInSec":"100000","maxInActiveWarnPeriodInSec":"100000","rotateKey":"true"}

Let's say you requested a credential-less account for 1 hr; then after 1 hr the password gets rotated, provided you have the respective configuration updated properly, like the change password JSON, Password Policy, regex, etc.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Manpreet_Kaur
New Contributor II

Hi @sk 

Thanks for your revert.

As mentioned by you on the basis "rotatekey:true", the password should be rotated.

Since the passwords are auto-injected & rotated with every new session launch, we are assuming that at the server level the password expiry should be pushed to a further date, but still the message is prompted for "changing the password as it will expire in so & so days".

We have configured the Password rotation job in dev and are looking into its working and behaviour.

Kindly help us by giving some more clarity.

Regards,

Manpreet Kaur


 

@Manpreet_Kaur : Just FYI, the Password Rotation Jar identifies the accounts whose passwords have not been rotated for X days, based on the password policy associated with the respective endpoint. This job is not at all involved in the password change that happens after each credential-less/credential session.

Password rotation happens in two scenarios:

  1. After each credential-less/credential session. This is determined by config (rotateKey:true). This process is not dependent on the password rotation job.
  2. Rotation based on the password policy associated with the respective endpoint. This is determined by config (rotateKey:true). This process is dependent on the password rotation job.

The scenario for Case 2 is: let's say my password policy is 30 days, and I have not done any credential-less/credential sessions on my account for more than 30 days. In that scenario my password will never get rotated based on Case 1, but my password should still rotate based on the password policy, which will be handled by Case 2.

Now, coming to your issue, a couple of things I want to check:

  1. Does the password policy (like the number of days after which the password will expire) match the target?
  2. After the checkout period has ended, do you see the Last Password Change date at the account level in Saviynt updating to the latest value?
  3. If it is updating in Saviynt, do you see the same date reflected on the target?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
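
The target-side half of checks 1 and 3 above, as an added example that is not part of any post in this thread and is not Saviynt code. It assumes the credential-less account is a local account on the Windows server; the account name, the 30-day policy interval and the 5-day warning window are placeholder assumptions to replace with your own values.

```powershell
# Added example: compare the Windows target's password dates with the rotation policy.
param(
    [string]$AccountName = 'svc-credless', # hypothetical local account name
    [int]$PolicyDays     = 30,             # rotation interval in the Saviynt password policy (assumed)
    [int]$WarnDays       = 5               # days before expiry that Windows starts prompting (assumed)
)

$user = Get-LocalUser -Name $AccountName -ErrorAction Stop
$now  = Get-Date

# PasswordExpires is empty when expiry is disabled for the account.
if ($null -eq $user.PasswordExpires -or $null -eq $user.PasswordLastSet) {
    Write-Output "$AccountName has no password expiry or last-set date on the target; nothing to compare."
    return
}

# Effective maximum password age, derived from the two dates Windows reports.
$maxAgeDays = [math]::Round(($user.PasswordExpires - $user.PasswordLastSet).TotalDays, 1)
$ageDays    = [math]::Round(($now - $user.PasswordLastSet).TotalDays, 1)
$daysLeft   = [math]::Round(($user.PasswordExpires - $now).TotalDays, 1)

$findings = @()
# Check 1: does the policy interval fit inside the target's expiry, before the warning starts?
if (($maxAgeDays - $WarnDays) -lt $PolicyDays) {
    $findings += "Target max age ($maxAgeDays d) minus warning window ($WarnDays d) is shorter than the policy interval ($PolicyDays d); the prompt can appear before policy-based rotation runs."
}
# Check 3: is a rotation actually landing on the target?
if ($ageDays -gt $PolicyDays) {
    $findings += "Password on target is $ageDays d old, older than the policy interval; compare PasswordLastSet with Last Password Change on the Saviynt account."
}
if ($daysLeft -le $WarnDays) {
    $findings += "Expiry is $daysLeft d away, inside the warning window; the expiry prompt is expected now."
}

[pscustomobject]@{
    Account         = $user.Name
    PasswordLastSet = $user.PasswordLastSet
    PasswordExpires = $user.PasswordExpires
    MaxAgeDays      = $maxAgeDays
    AgeDays         = $ageDays
    DaysLeft        = $daysLeft
} | Format-List

if ($findings.Count -eq 0) { 'No mismatch found between target dates and the policy interval.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on the target server after a checkout period has ended; a PasswordLastSet that does not move forward after the session points at the change-password configuration rather than at the expiry setting.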

pruthvi_t
Saviynt Employee

@Manpreet_Kaur ,

You can disable the password expiry on the Windows server and use the password rotation from Saviynt. We do periodic password rotation for credential-less accounts.

Thanks,


Regards,
Pruthvi