Symantec Access Management

  • 1.  Password expiration policy

    Posted Feb 24, 2016 04:11 PM

Just verifying usage.  I'm in the AdminUI (12.51). If I set the password expiration in a password policy to, let's say, 90 days, do I need any of the tracking checkboxes selected to make the policy verify that the password has indeed expired?

    Or is password expiration always verified by the policy server, and only inactivity and failures require a checkbox to be selected?

     

    Thanks



  • 2.  Re: Password expiration policy

    Posted Feb 26, 2016 03:29 PM

    To verify password expiry after X days, you don't need to check any of the checkboxes for login tracking.


  • 3.  Re: Password expiration policy

    Posted Feb 26, 2016 03:43 PM

Thanks for the reply.  That is interesting.  We're using the SDK to look at the contents of the blob for different use cases, and with only "track login failures" set, we can get very old last password change times to let us in with no problem, as well as empty last pwd change times (although maybe the policy server handles that as a special use case).

     

    I was under the impression that to catch expired passwords, you needed track successful logins.



  • 4.  Re: Password expiration policy
    Best Answer

    Posted Feb 28, 2016 03:29 AM

    @Sam Dikeman

     

    Let me elaborate a bit further on this.

     

These are two different features that CA SSO supports which are related to Password Expiry:

    Feature 1. Password expiry if not changed after X days

    Feature 2. Password expiry from Inactivity (login inactivity) after X days

     

Password expiry logic, Feature 1

    Password expires if:

    • Current Time - Last Password Change Time > X

    Password expiry logic, Feature 2

    Password expires if:

    • Current Time - Last Login Time > X (AND)
    • Current Time - Last Password Change Time > X

    Basically, if the password was changed by an Admin, then that time is also considered a login, though it is not explicitly recorded in the Last Login Time attribute.

     

So, now your question is about Feature 1, for which CA SSO doesn't even look at the "Last Login Time" attribute, which is populated on selecting the check box for "Track Successful Logins".

     

    Cheers,

    Ujwol
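The two expiry checks described in this answer, written out as an added Python example (not CA/Symantec code and not from the thread), so the difference between "password age" and "inactivity" expiry can be checked against sample records. The UserRecord fields, the sample users and the treatment of a missing Last Login Time as "no recorded login" are assumptions; the thread does not say how the policy server handles an empty attribute.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class UserRecord:
    """Constructed stand-in for the two attributes the thread discusses."""
    name: str
    last_password_change: datetime          # "Last Password Change Time"
    last_login: Optional[datetime] = None   # "Last Login Time"; None = never populated


def expired_not_changed(user: UserRecord, now: datetime, max_age: timedelta) -> bool:
    """Feature 1: expired if Current Time - Last Password Change Time > X.
    Only the password-change timestamp is consulted; Last Login Time is ignored,
    so no login-tracking checkbox is needed for this check."""
    return now - user.last_password_change > max_age


def expired_inactive(user: UserRecord, now: datetime, max_inactivity: timedelta) -> bool:
    """Feature 2: expired only if BOTH
         Current Time - Last Login Time > X   AND
         Current Time - Last Password Change Time > X.
    Because both must hold, an admin password change counts as activity even
    though it is never written to Last Login Time.
    Assumption: a missing Last Login Time is treated as 'no recorded login'."""
    stale_login = user.last_login is None or now - user.last_login > max_inactivity
    stale_password = now - user.last_password_change > max_inactivity
    return stale_login and stale_password


def audit(users: List[UserRecord], now: datetime, x: timedelta) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (expired under Feature 1, expired under Feature 2)} for X = x."""
    return {u.name: (expired_not_changed(u, now, x), expired_inactive(u, now, x)) for u in users}


# Constructed sample data: X = 90 days, evaluated at a fixed "now".
NOW = datetime(2016, 2, 26, 15, 0)
X = timedelta(days=90)
SAMPLE_USERS = [
    UserRecord("alice", NOW - timedelta(days=10), NOW - timedelta(days=1)),     # fresh password, active
    UserRecord("bob", NOW - timedelta(days=120), NOW - timedelta(days=2)),      # old password, active
    UserRecord("carol", NOW - timedelta(days=30), NOW - timedelta(days=200)),   # admin reset, no recent login
    UserRecord("dave", NOW - timedelta(days=120), None),                        # old password, no login recorded
]

if __name__ == "__main__":
    for name, (f1, f2) in audit(SAMPLE_USERS, NOW, X).items():
        print(f"{name:6} expired-by-age={f1!s:5} expired-by-inactivity={f2}")
```

Note that "bob" expires under Feature 1 despite logging in two days ago, while "carol" expires under neither because the admin reset counts as activity; the comparison is strict, so a password exactly X days old is not yet expired.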