Authentication Policy

This section provides orientation on managing the system’s authentication policy, available through the Administration module. This policy can only be configured when authentication is handled by the system. When the system is integrated with an external authentication service (with Active Directory, for example), these configuration options will be unavailable.

The authentication policy discussed here affects all system users and must be compatible with the security policy adopted by the organization. Settings made in the authentication policy take effect from the moment they are configured and are not applied retroactively to existing user accounts. For example, users whose passwords or usernames are shorter than the configured minimum will not be forced to change their passwords or create new usernames. When new passwords or user accounts are created, however, the system will require that they meet the policy requirements.

The system supports the following configurations:

    The minimum number of characters for usernames can be specified. When usernames are created, the system will require that they contain at least the number of characters specified in this field. The system default is 6 characters, and the system minimum is 5. Note, however, that if the system is integrated with Active Directory, the minimum is 1 character.

    The minimum number of characters for passwords can be specified. When passwords are generated or reset, the system will require that they contain at least the number of characters specified in this field. The system default is 8 characters, and the system minimum is 5.

    The number of unsuccessful login attempts before a user account is blocked can be specified. The system default is 4.

    The number of days user passwords will be valid before they expire and must be reset can be specified. The system default and maximum is 180 days.

    You can specify whether passwords must contain letters and numbers.

    You can require passwords to be reset the first time a user signs in to the system.

    You can specify how many minutes user sessions last before expiring, and whether a pop-up is displayed warning that a session is about to expire. The default time limit is 30 minutes plus the value configured for the "SessionUpdateIntervalThresholdInMinutes" key in the web.config file located in the system installation folder. The minimum is bounded by the "clock skew", which is also configured in the web.config file: the number of minutes before a session expires can be less than 30, but cannot be less than the value set for the "clock skew".

    You can allow users to authenticate in the system using digital certificates and specify how certificates will be associated with users. Digital certificates can be used instead of regular access credentials to allow a user to prove that they are who they claim to be. Instead of entering their usernames and passwords, users can click the Login with certificate link so that their certificate can be validated and they can be authenticated in the system. Some additional configurations are necessary to enable this functionality in the system. For details, see Appendix -> Additional Configurations for Authentication Using Digital Certificates.
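The username, password, lockout and expiry settings listed above, as an added example that is not the product's own code: a constructed Go policy type carrying the documented defaults, which applies the username and password rules only when an account or password is created (existing accounts are left untouched, as the page states), flags new accounts for a first-login reset, counts failed logins until the account is blocked, and checks password age against the validity period. Whether the failure counter resets after a successful login is an assumption of this example; the page does not say.

```go
package main

import (
	"errors"
	"fmt"
	"time"
	"unicode"
)

// AuthPolicy holds the settings the page lists. The struct and its defaults are a
// constructed example, not the product's own code.
type AuthPolicy struct {
	MinUsernameLen       int  // default 6; system minimum 5 (1 with Active Directory)
	MinPasswordLen       int  // default 8; system minimum 5
	MaxFailedLogins      int  // default 4
	PasswordValidityDays int  // default and maximum 180
	RequireLettersDigits bool // passwords must contain letters and numbers
	ResetOnFirstLogin    bool // force a password change at the first sign-in
}

var DefaultPolicy = AuthPolicy{6, 8, 4, 180, true, true} // the documented defaults

// Account is a minimal stand-in for a user record.
type Account struct {
	Username      string
	PasswordSetAt time.Time
	FailedLogins  int
	Blocked       bool
	MustReset     bool // set from ResetOnFirstLogin when the account is created
}

// ValidateUsername applies only when an account is created.
func (p AuthPolicy) ValidateUsername(name string) error {
	if len([]rune(name)) < p.MinUsernameLen {
		return fmt.Errorf("username must have at least %d characters", p.MinUsernameLen)
	}
	return nil
}

// ValidatePassword applies when a password is generated or reset.
func (p AuthPolicy) ValidatePassword(pw string) error {
	if len([]rune(pw)) < p.MinPasswordLen {
		return fmt.Errorf("password must have at least %d characters", p.MinPasswordLen)
	}
	if p.RequireLettersDigits {
		var hasLetter, hasDigit bool
		for _, r := range pw {
			hasLetter = hasLetter || unicode.IsLetter(r)
			hasDigit = hasDigit || unicode.IsDigit(r)
		}
		if !hasLetter || !hasDigit {
			return errors.New("password must contain both letters and numbers")
		}
	}
	return nil
}

// NewAccount creates an account under the policy, flagging it for a first-login reset.
func (p AuthPolicy) NewAccount(name, pw string, now time.Time) (Account, error) {
	if err := p.ValidateUsername(name); err != nil {
		return Account{}, err
	}
	if err := p.ValidatePassword(pw); err != nil {
		return Account{}, err
	}
	return Account{Username: name, PasswordSetAt: now, MustReset: p.ResetOnFirstLogin}, nil
}

// PasswordExpired reports whether the password is older than the validity period.
func (p AuthPolicy) PasswordExpired(a Account, now time.Time) bool {
	return now.Sub(a.PasswordSetAt) > time.Duration(p.PasswordValidityDays)*24*time.Hour
}

// RecordLogin updates the lockout state: the account is blocked once MaxFailedLogins
// consecutive failures are reached. Resetting the counter on success is this
// example's assumption, not a rule stated on the page.
func (p AuthPolicy) RecordLogin(a *Account, success bool) {
	if a.Blocked {
		return
	}
	if success {
		a.FailedLogins = 0
		return
	}
	if a.FailedLogins++; a.FailedLogins >= p.MaxFailedLogins {
		a.Blocked = true
	}
}

func main() {
	p := DefaultPolicy
	_, err := p.NewAccount("bob", "abcdefgh", time.Now()) // constructed: username too short
	fmt.Println("bob:", err)
	a, _ := p.NewAccount("robert", "abcd1234", time.Now())
	for i := 0; i < p.MaxFailedLogins; i++ {
		p.RecordLogin(&a, false)
	}
	fmt.Println("robert blocked:", a.Blocked, "must reset:", a.MustReset)
}
```

The validity check uses a strict "older than" comparison, so a password set exactly 180 days ago is still accepted; where a deployment instead treats the expiry day itself as expired, the comparison would be `>=`.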

Certificates can be associated:

    by the criteria selected for each user when their access account is configured. When authentication using digital certificates is enabled, an additional configuration will appear for each user account, where you can decide which criteria will be used for each account individually. For details, see Chapter 17: Administration -> Access Control -> Manage Users.

    by the user’s name. This option looks for users whose name is the same as that specified in the Simple Name field in the Subject of the certificate.

    by the user’s e-mail address. This option looks for users whose e-mail address is the same as that specified in the Subject field of the certificate.

    by the user’s username (UPN). This option looks for users whose username is the same as that specified in the Principal Name field from the Subject Alternative Name extension of the certificate.
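The three association criteria, as an added example that is not the product's code: a constructed Go program that reads the Subject CN (taken here as the "Simple Name"), the Subject emailAddress attribute and the UPN from the Subject Alternative Name otherName, and maps a certificate to exactly one user. The user store, the self-signed test certificate built by `newTestCert` and the fail-closed rule for zero or several matches are this example's assumptions. Go's standard x509 parser does not surface otherName entries, so the UPN is decoded with encoding/asn1.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs: subjectAltName, the Microsoft UPN otherName type, and PKCS#9 emailAddress.
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// User is a constructed stand-in for an account record; Criterion mirrors the page's
// three options: Subject CN ("Simple Name"), Subject emailAddress, SAN otherName UPN.
type User struct{ Name, Email, Username string }
type Criterion int

const (ByName Criterion = iota; ByEmail; ByUPN)

// upnOtherName: otherName ::= [0] { type-id OID, value [0] EXPLICIT UTF8String } (UPN form).
type upnOtherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"explicit,tag:0,utf8"`
}

func subjectEmail(cert *x509.Certificate) string { // Subject emailAddress attribute, or ""
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			return s
		}
	}
	return ""
}

// certUPN decodes the UPN by hand, because Go's x509 parser skips otherName entries.
func certUPN(cert *x509.Certificate) string {
	for _, ext := range cert.Extensions {
		var names []asn1.RawValue // each GeneralName kept raw so its tag can be inspected
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return ""
		}
		for _, gn := range names {
			var on upnOtherName
			if gn.Class == asn1.ClassContextSpecific && gn.Tag == 0 { // [0] otherName
				if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
					return on.Value
				}
			}
		}
	}
	return ""
}

// Which certificate field and which user field each criterion compares.
var certValue = [...]func(*x509.Certificate) string{
	ByName: func(c *x509.Certificate) string { return c.Subject.CommonName }, ByEmail: subjectEmail, ByUPN: certUPN}
var userValue = [...]func(User) string{
	ByName: func(u User) string { return u.Name }, ByEmail: func(u User) string { return u.Email }, ByUPN: func(u User) string { return u.Username }}

// MapCertificate resolves a certificate to exactly one user under criterion c. Failing
// closed on an empty key, no match or an ambiguous match is this example's choice.
func MapCertificate(cert *x509.Certificate, c Criterion, users []User) (User, error) {
	key, hits, match := certValue[c](cert), 0, User{}
	for _, u := range users {
		if key != "" && userValue[c](u) == key {
			match, hits = u, hits+1
		}
	}
	if hits != 1 {
		return User{}, fmt.Errorf("%d users match %q; exactly one is required", hits, key)
	}
	return match, nil
}

// newTestCert builds a constructed self-signed certificate with a CN, a Subject
// emailAddress and a UPN otherName, so the mapping can be exercised offline.
func newTestCert(cn, email, upn string) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if crypto/rand itself fails
	on, _ := asn1.MarshalWithParams(upnOtherName{oidUPN, upn}, "tag:0")
	san, _ := asn1.Marshal([]asn1.RawValue{{FullBytes: on}})
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: cn, ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}}},
		NotBefore:       time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: san}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

`MapCertificate(cert, ByUPN, users)` is the call a login handler would make after the client certificate has been chain-validated; that validation, and the trust decision about which issuing CAs are acceptable, happen before this mapping and are not part of the example. Matching by name is the weakest of the three criteria, since two accounts can legitimately share a display name, which is why the example refuses ambiguous matches instead of taking the first one.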

When configured appropriately, these options provide additional protection against unauthorized access attempts.

Some of the terms used here are explained in Chapter 17: Administration -> Access Control -> Access Control Concepts.