Introduction
If your Enterprise uses the ZEDEDA-native (local) identity provider rather than an external OIDC provider, you can enforce password requirements for users who sign in directly to ZEDEDA by creating a local authentication profile. The profile is what makes those users meet your organization's password standards.
You can only have one active authentication profile per Enterprise. The following steps show how to create, activate, and manage a local auth profile using ZCLI.
Password expiry conditions cannot be set per user; they are set only in the authentication profile, which applies to the whole Enterprise. If different groups of users need different conditions, each group needs its own Enterprise with its own profile.
Prerequisites
- ZCLI is running.
- You have SysRoot privileges in your Enterprise.
Create a Local Auth Profile
First, create a new profile with your desired password requirements. The age flags take a number of seconds (86400 is one day); note that 946080000 seconds is roughly 30 years, so a maximum age that large effectively never forces rotation.
zcli auth-profile create MY_AUTH_PROFILE --type=local --min-len=10 --max-len=64 --min-num-chars=2 --min-sym-chars=2 --min-upper-chars=2 --min-lower-chars=2 --max-pwd-age=946080000 --min-pwd-age=86400 --num-prev-pwd-check=3 --pwd-expiry-notification=2 --default-role=SysRoot
Activate the Profile
To enforce the new policy, you must mark the profile as active. An enterprise can only have one active auth profile at a time.
zcli auth-profile update MY_AUTH_PROFILE --active
Update the Profile
You can modify the profile at any time. For example, to change the maximum password age to 94608000 seconds (1095 days, about three years):
zcli auth-profile update MY_AUTH_PROFILE --max-pwd-age=94608000
View the Profile
View the detailed configuration of an existing profile:
zcli --format=raw auth-profile show MY_AUTH_PROFILE --detail
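The whole procedure above, as a small POSIX shell script, is an added example and not ZEDEDA's own tooling. It assumes the age flags accept seconds, converts human-readable day counts into them, rejects an inconsistent policy (minimum age not below maximum age, or min-len above max-len) before anything is sent, and then runs the create, activate and show steps. The default values reproduce the page's own create command; setting ZCLI=echo prints the commands instead of running them, which is handy for reviewing a policy before applying it.

```shell
#!/bin/sh
# Added example, not part of ZEDEDA's documentation or ZCLI.
# Usage:  sh local_auth_profile.sh apply        (runs zcli)
#         ZCLI=echo sh local_auth_profile.sh apply   (dry run, prints the commands)
set -eu

ZCLI="${ZCLI:-zcli}"                     # set to "echo" for a dry run
PROFILE="${PROFILE:-MY_AUTH_PROFILE}"    # hypothetical profile name, as on the page
MIN_LEN="${MIN_LEN:-10}"
MAX_LEN="${MAX_LEN:-64}"
MAX_PWD_AGE_DAYS="${MAX_PWD_AGE_DAYS:-10950}"   # 10950 days = 946080000 s, the page's value
MIN_PWD_AGE_DAYS="${MIN_PWD_AGE_DAYS:-1}"       # 1 day = 86400 s

# Assumption: --max-pwd-age and --min-pwd-age are in seconds (86400 = one day).
days_to_seconds() {
  echo $(( $1 * 86400 ))
}

# Reject a policy that can never be satisfied or that lets users rotate a
# password back immediately: min-len <= max-len and min age strictly below max age.
check_policy() {
  min_len=$1; max_len=$2; min_age=$3; max_age=$4
  [ "$min_len" -le "$max_len" ] || { echo "min-len $min_len exceeds max-len $max_len" >&2; return 1; }
  [ "$min_age" -lt "$max_age" ] || { echo "min-pwd-age $min_age is not below max-pwd-age $max_age" >&2; return 1; }
  return 0
}

# Create, activate and read back the profile (the three steps from the page).
apply_policy() {
  max_age=$(days_to_seconds "$MAX_PWD_AGE_DAYS")
  min_age=$(days_to_seconds "$MIN_PWD_AGE_DAYS")
  check_policy "$MIN_LEN" "$MAX_LEN" "$min_age" "$max_age"

  # Step 1: create the local profile.
  "$ZCLI" auth-profile create "$PROFILE" --type=local \
    --min-len="$MIN_LEN" --max-len="$MAX_LEN" \
    --min-num-chars=2 --min-sym-chars=2 --min-upper-chars=2 --min-lower-chars=2 \
    --max-pwd-age="$max_age" --min-pwd-age="$min_age" \
    --num-prev-pwd-check=3 --pwd-expiry-notification=2 --default-role=SysRoot

  # Step 2: mark it active; only one profile per Enterprise can be active.
  "$ZCLI" auth-profile update "$PROFILE" --active

  # Step 3: read the profile back so the settings can be confirmed.
  "$ZCLI" --format=raw auth-profile show "$PROFILE" --detail
}

if [ "${1:-}" = "apply" ]; then
  apply_policy
fi
```

For a policy that actually forces rotation, override the defaults, for example MAX_PWD_AGE_DAYS=90 MIN_PWD_AGE_DAYS=1, and run the dry run first to inspect the exact flags before pointing the script at a real Enterprise.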