IDM Password Policy - Regex to revoke passwords

Former Member

Hi experts,

I am using the SAP-Logon Help for Windows in cooperation with the SAP IDM.

The software allows our users to reset their password by answering predefined security questions.

This functions perfectly, even with the use of many domain controllers.

What I want to do now is to exclude specific words/substrings from being part of the password.

The Password Policy Tab of my master idstore will give me the option to use a Regex.

Example:

Incoming Password: BlackForest_123!

Regex: /(?:(Forest))/g

This example should result in revoking the password synchronization.

To cut a long story short: I fear that the Regex I am trying to use is put against the already encrypted password.

If this were the case, I could Regex whatever I want and it would not work, because I won't be able to decrypt the password in that pre-defined SAP process.

Can someone please tell me that this is not the case or suggest a workaround?

Best regards and thanks in advance,

Lukas

Accepted Solutions (0)

Answers (1)

normann
Advisor

Hello Lukas,

It should work if you are using the IdM UI to set the password (not 100% sure right now, but I think I have done it already). If you set the password somewhere else, e.g. via a password hook in the Windows logon screen, I am not sure whether it does.

How many words do you want to exclude, though? Are you aware of the limited length of the Regex field, of about 189 characters?

Regards

Norman

Former Member

Hello Norman,

I tried using the UI task to reset the password, but the regex still does not seem to work.

Maybe I am missing some settings?

Could you confirm for me whether the Regex I posted in my question above is correct?

Thanks for the tip about the length limitation! I want to exclude about 12 words. This could be very close...

Best Regards,

Lukas

bxiv
Active Contributor

If a password was already encrypted and it was not done so by IdM, then it will remain encrypted and could match a regex string. It's also a good thing that it stays encrypted from IdM, as this would lead to a man-in-the-middle type of attack or impersonation scenarios for all IDs known to IdM, which is probably not in the best interest of anyone.

Former Member

Billy,

this is a good point. It could be that the IDM gets that password already encrypted. But why would the SAP give me the options to check if the password could contain "Mixed case characters" etc.?

Speaking about the options, I recognized that there is one option to use a password dictionary. But I wasn't able to use the words in the dictionary to compare them as substrings against my password. Any other ideas concerning the password dictionary or my former regex problem?

Regards,

Lukas

bxiv
Active Contributor

When you say SAP, you are referring to IdM or another system?

Is IdM your central system for IDs?

Former Member

Yes, I mean the IdM when I'm talking about the SAP.

The IdM is going to be our central system for IDs.

normann
Advisor

Hi Billy,

As far as I know the UI applies the Regex at runtime, meaning it checks the values before they get encrypted and stored in the database.

@Lukas: I also always need to experiment with Regex; I cannot remember the syntax. But there are web sites where you can check a string against a given Regex and verify it.

Regards

Norman
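One way to build and check the forbidden-word regex against the plaintext password, as Norman describes the UI doing before encryption, written here as an added JavaScript example (not code from this thread or from SAP IdM). It assumes the policy rejects a password when the Regex matches, that the field accepts this alternation syntax, and it uses the "about 189 characters" figure from above as the field limit; the function names and word list are constructed.

```javascript
// Added example, not from the thread or from SAP IdM: build one
// forbidden-substring regex from a word list, keep it inside the
// ~189-character policy-field limit mentioned in the thread, and apply
// it to the PLAINTEXT password (the UI is said to check before encryption).
// All names here are constructed; they are not IdM API identifiers.

// Constructed word list; the thread's example only uses "Forest".
const FORBIDDEN_WORDS = ["Forest", "Company", "Welcome", "Password", "Summer"];

// Assumed limit of the Regex field, from the "about 189 characters" remark.
const REGEX_FIELD_LIMIT = 189;

// Escape regex metacharacters so a word such as "C++" matches literally.
function escapeRegex(word) {
  return word.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Join the words into one non-capturing alternation, e.g. "(?:Forest|Company)".
// This source string is what would be pasted into the policy's Regex field;
// the thread's "/(?:(Forest))/g" is the one-word form of the same pattern.
function buildForbiddenPattern(words) {
  return "(?:" + words.map(escapeRegex).join("|") + ")";
}

// True when the pattern still fits the policy field.
function fitsPolicyField(patternSource) {
  return patternSource.length <= REGEX_FIELD_LIMIT;
}

// Return the first forbidden word found in the plaintext password, or null.
// The match is case-insensitive, so "blackforest_123!" is caught as well;
// a plain /(?:Forest)/ without the "i" flag would let it through.
function findForbiddenWord(password, words) {
  const re = new RegExp(buildForbiddenPattern(words), "i");
  const m = re.exec(password);
  return m ? m[0] : null;
}

// Policy decision: revoke (reject) the password when any forbidden word occurs.
function isRevokedByPolicy(password, words) {
  return findForbiddenWord(password, words) !== null;
}

// Stand-alone run with the thread's example password.
const pattern = buildForbiddenPattern(FORBIDDEN_WORDS);
console.log("pattern:", pattern, "fits field:", fitsPolicyField(pattern));
for (const pw of ["BlackForest_123!", "blackforest_123!", "Tr0ub4dor&3"]) {
  console.log(pw, "->", isRevokedByPolicy(pw, FORBIDDEN_WORDS) ? "revoked" : "allowed");
}
```

With 12 words the combined pattern should still be well under the limit, which `fitsPolicyField` lets you confirm before pasting it into the policy.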

bxiv
Active Contributor