Security Configuration and Behavior¶
Authenticator Protection¶
The system implements multiple security measures to protect authenticators:
Data Protection:
- Encryption of sensitive data at rest
- Secure transmission using TLS
- Cryptographic hashing for stored credentials
Access Controls:
- Role-based access control (RBAC)
- Fine-grained permissions for authentication settings
- Detailed audit logging of authenticator activities
Password Policy¶
The IAM allows configuration of various password policies to ensure secure authentication. These policies define requirements and restrictions for user passwords.
Default Password Policy¶
The system comes with the following default password policy settings:
- Minimum length of 12 characters
- At least 1 lowercase character
- At least 1 uppercase character
- At least 1 number
- At least 1 special character
- Does not contain Username
- Does not contain Email
- Not equal to any of the last 3 passwords
NOTICE
Additional password requirements are introduced during the initial user creation process, but they are not necessarily enforced.
Creating Password Policy¶
Prerequisites¶
- User with access to IAM (Keycloak)
Procedure¶
- Log in to the Identity & Access Management tile.
- In the navigation menu, click on Authentication.
- Navigate to the Policies tab.
- From the Add policy drop-down list, add the policy types you want to use. There are several password policy types. Here you can find all the available policy types.
- Create your password policy by adding your required policy types and corresponding policy values.
- Click Save when you are done.
After saving the password policy, Keycloak enforces the policy for new users. For existing users, Keycloak sets an update password required action, so that they have to change their password the next time they log in.
Special characters¶
The number of special characters required to be in the password string can be defined in password policy.
Password Expiration Policy¶
The password expiration policy enforces regular password changes to enhance security. When enabled, users must change their passwords after a specified period.
To configure the password expiration policy:
- In the navigation menu, click on Authentication.
- Navigate to the Policies tab.
- Add policy "Expire Password".
- Set "Days to Expire" to your desired value.
- This defines how many days a password remains valid.
- After this period, users will be required to change their password.
- Default value is 365 days.
When a password expires:
- Users are automatically prompted to change their password at next login
- Access to the system is only granted after successful password change
- The new password must comply with all configured password policies
NOTICE
Setting "Days to Expire" to 0 disables the password expiration policy.
Initial Actions User¶
Required actions are actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions are complete. For example, an admin may schedule users to reset their passwords every month. An update password required action would be set for all these users.
Sign Up Process - How to register yourself as user¶
Register yourself¶
You can allow users to register themselves.
Once logged-in select the Identity & Access Management tile in the launchpad.
Go to Realm Settings and select the tab Login.
There you can enable User registration.
Users now have the ability to register themselves by clicking on the Sign up link located on the login page.
The user has to fill in the form and choose a password.
The user needs one of the roles User or Admin to access IEM.
Password Change Authentication Settings¶
Overview¶
When changing passwords in Industrial Edge Management (IEM), users might notice that they are not always prompted to enter their current password for verification. This behavior is controlled by an authentication age setting in the Identity and Access Management (IAM) required actions configuration.
Default Behavior¶
By default, users can change their password without re-authentication if their current session is less than 300 seconds (5 minutes) old. After this period, users will need to verify their identity by entering their current password before making changes.
Adjusting the Authentication Age Setting¶
To modify this behavior, follow these steps:
- Open the IAM interface
- Navigate to the "Authentication" menu
- Select the "Required Actions" tab
- Click on "Configure" next to "Update Password"
- Locate the "Maximum Age of Authentication" setting
- Enter your desired value in seconds:
  - Set to 0 to always require re-authentication
  - Set to a higher value to extend the time window in which re-authentication is not required
- Submit changes
NOTICE
Adjusting these settings affects all users in your Industrial Edge Management system. Choose a value that balances security requirements with user convenience for your organization.
Authenticator Feedback¶
Protected Data Display¶
The Identity and Access Management (IAM) interface prevents unauthorized viewing of sensitive information by obscuring authentication and confidential data in the user interface.
The following data types are protected by default:
- Passwords
- One-Time Passwords
- Secrets
- Other authentication and confidential data
To prevent unauthorized viewing of sensitive information:
- All protected fields display masked characters (e.g., ••••••) by default
- A reveal icon is provided next to protected fields
- Users can temporarily toggle visibility when needed
- Data automatically returns to masked state upon page reload
This implementation helps prevent:
- Shoulder surfing attacks
- Unauthorized capture of sensitive information
- Accidental exposure of confidential data
Generic Error Messages¶
To enhance security, the IAM provides generic error messages during authentication failures. When login attempts fail, the system returns a general message such as "Invalid username or password" regardless of the actual cause of failure.
This approach prevents potential attackers from determining:
- Whether a specific username exists
- Whether the username was correct but the password was wrong
- Other specific authentication failure reasons
By not disclosing specific error details, the system makes it more difficult for attackers to gather information about valid user accounts through failed login attempts.
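Added example, not code from IEM or Keycloak: two minimal login handlers that show the difference the generic message makes. `login_verbose()` answers differently for an unknown user and for a wrong password, which lets a caller enumerate valid accounts; `login_generic()` returns the same "Invalid username or password" in both cases and records the real reason only in an audit log, as the Access Controls section above requires. The user store, the salts, the PBKDF2 hashing and the message texts are all constructed for the example; the stand-in credential for unknown users is there so that the hash computation always runs and response time does not reveal what the message hides.

```python
import hashlib
import hmac

ITERATIONS = 100_000
GENERIC_MESSAGE = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 for the example's user store (Keycloak uses its own hashing)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: {username: (salt, hash)}. Real deployments use a random salt per user.
_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}

# Stand-in credential for unknown usernames so the expensive hash runs on every attempt;
# without it a missing user returns much faster than a wrong password, and that timing
# difference exposes which usernames exist even though the message is identical.
_DUMMY_SALT = bytes.fromhex("fedcba9876543210fedcba9876543210")
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)

AUDIT_LOG: list[str] = []   # detailed failure reasons belong here, never in the response


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Leaky variant: tells the caller whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False, "User does not exist"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "OK"


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened variant: one generic message for every failure, full detail in the audit log."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if known and matches:
        AUDIT_LOG.append(f"login ok user={username}")
        return True, "OK"
    reason = "bad password" if known else "unknown user"
    AUDIT_LOG.append(f"login failed user={username} reason={reason}")
    return False, GENERIC_MESSAGE


if __name__ == "__main__":
    for user, pw in [("bob", "x"), ("alice", "x"), ("alice", "correct horse battery staple")]:
        print(user, login_verbose(user, pw), login_generic(user, pw))
    print(AUDIT_LOG)
```

The `known and matches` guard matters: because unknown users are checked against a fixed stand-in hash, a guess that happened to equal the stand-in password would otherwise be accepted for a non-existent account. Keycloak's own login form applies the same generic-message rule; the point of the example is what the response must not contain, not how Keycloak implements it.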