Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

credential-less account Password rotation

Manpreet_Kaur
New Contributor II
New Contributor II

Dear Team

We need your advice on the credential-less accounts passwords, whether the password is rotated by the Saviynt EIC for credential-less accounts.
As we are getting the prompt  “ your password will expire within so & so Days, try changing your password”
Snapshot as below:

Manpreet_Kaur_0-1701097414220.png

If the rotation is supported for credential less accounts can you guide us wherein, we need to change the configuration. We have added the below config at the endpointlevel as of now:
{"maxSessionWarnPeriodInSec":"100000","maxReqExpWarnPeriodInSec":"100000","maxSessionLimitInSec":"100000","maxConcurrentSession":"50","maxInActiveTimeInSec":"100000","maxInActiveWarnPeriodInSec":"100000","rotateKey":"true"}

If the rotation is not supported then do we need to make the account’s password expiry disabled at the server level (here it's a windows server).
Request you to throw some light so that we can guide appropriately to the client.

Thanks for your support.

Regards,

Manpreet Kaur

 

4 REPLIES 4

Saathvik
All-Star
All-Star

@Manpreet_Kaur : Based on configuration you have used it will rotate the password of credential less account after each check out. Below highlighted config will define that.

 {"maxSessionWarnPeriodInSec":"100000","maxReqExpWarnPeriodInSec":"100000","maxSessionLimitInSec":"100000","maxConcurrentSession":"50","maxInActiveTimeInSec":"100000","maxInActiveWarnPeriodInSec":"100000","rotateKey":"true"}

Let say you requested credential-less account for 1hr then after 1hr password gets rotated. Provided you have respective configuration updated properly like change password JSON, Password Policy, regex etc.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Hi @Saathvik 

Thanks for your revert.

As mentioned by you on the basis "rotatekey:true", the password should be rotated.

Since, the passwords are auto-injected & rotated with every new session launch so we are assuming that at the server level the password expiry should be pushed to further date but still, the message is prompted for "changing the password as it will expire in so & so days".

We have configured the Password rotation job in dev and looking into its working and behaviour.

Kindly help us for giving some more clarity.

Regards,

Manpreet Kaur

Manpreet Kaur

 

@Manpreet_Kaur : Just FYI, Password Rotation Jar will be identifying the accounts whose passwords are not rotated for X days based on password policy associated to respective endpoint. This job is not at all involved in the process of password change that happens after each credential-less/credential sessions.

Password rotation happen in two scenarios

  1. After each credential-less/credential sessions this is determined by config (rotateKey:true). This process is not dependent on password rotation job
  2. Rotation based on password policy associated to respective endpoint this is determined by config (rotateKey:true). This process is dependent on password rotation job

Scenario for Case:2 is let say my password policy 30 days. Now I have not done any credential-less/credential sessions on my account for more than 30 days. In that scenario my password will never get rotated based on Case:1 but still my password should rotate based on password policy which will be handled by Case:2.

Now coming to your issue couple of things I want to check is

  1. Does the password policy (like number of days password will expire) is matching the target?
  2. After checkout period ended do you see Last Password Change date on Account level in Saviynt is updating to latest value?
  3. If it is updating in Saviynt do you see the same date is reflecting on target?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

pruthvi_t
Saviynt Employee
Saviynt Employee

@Manpreet_Kaur ,

You can disable the password expiry in the windows server and use the password rotation from saviynt. We do periodic password rotation for credential less accounts.

Thanks,


Regards,
Pruthvi