Security Configuration and Behavior
Creating Password Policy
To create a password policy, follow the steps mentioned in the procedure section.
Prerequisites
- User with access to IAM (Keycloak)
Procedure
- Log in to the Identity & Access Management tile in the launchpad.
- In the navigation menu, click Authentication.
- Navigate to the Policies tab.
- From the Add policy drop-down list, add the policy types you want to use. There are several password policy types. You can find all the available policy types here.
- Create your password policy by adding your required policy types and corresponding policy values.
- Click Save when you are done.
After saving the password policy, Keycloak enforces the policy for new users. For existing users, Keycloak sets an update password required action so that they must change their password the next time they log in.
Special characters
The number of special characters required in the password string can be defined in the password policy.
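The following is an added example, not code from the IEM documentation or from Keycloak. It evaluates a candidate password against a policy written in the syntax Keycloak stores in a realm's password policy attribute, for instance `length(12) and specialChars(2) and notUsername`. The policy type names used here (length, maxLength, digits, lowerCase, upperCase, specialChars, notUsername, notContainsUsername) are Keycloak's, but the checking logic is a re-implementation for illustration; it also assumes, for the specialChars count, that any character which is neither a letter nor a digit is "special". It goes beyond this section by covering several policy types, not only the special-character count.

```python
"""Evaluate a candidate password against a Keycloak-style password policy string."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# A checker receives (password, username, policy value) and returns an error text or None.
Checker = Callable[[str, str, str], Optional[str]]


def _is_special(ch: str) -> bool:
    # Assumption: a "special" character is anything that is not a letter or a digit.
    return not ch.isalnum()


def _min_count(pred: Callable[[str], bool], what: str) -> Checker:
    """Build a checker requiring at least `value` characters for which pred() holds."""
    def check(pw: str, username: str, value: str) -> Optional[str]:
        need, have = int(value), sum(1 for c in pw if pred(c))
        return None if have >= need else f"needs at least {need} {what} (has {have})"
    return check


# Policy type names as used in Keycloak's policy string; the logic is a re-implementation.
CHECKERS: Dict[str, Checker] = {
    "length": lambda pw, u, v: None if len(pw) >= int(v) else f"shorter than {v} characters",
    "maxLength": lambda pw, u, v: None if len(pw) <= int(v) else f"longer than {v} characters",
    "digits": _min_count(str.isdigit, "digits"),
    "lowerCase": _min_count(str.islower, "lower-case letters"),
    "upperCase": _min_count(str.isupper, "upper-case letters"),
    "specialChars": _min_count(_is_special, "special characters"),
    "notUsername": lambda pw, u, v: None if pw.lower() != u.lower() else "equals the username",
    "notContainsUsername": lambda pw, u, v: None if u.lower() not in pw.lower() else "contains the username",
}

# One entry: a type name, optionally followed by a parenthesised value.
ENTRY_RE = re.compile(r"(\w+)(?:\(([^)]*)\))?")


def parse_policy(policy: str) -> List[Tuple[str, str]]:
    """Split "length(12) and specialChars(2) and notUsername" into (type, value) pairs."""
    entries: List[Tuple[str, str]] = []
    for part in (p.strip() for p in policy.split(" and ")):
        if not part:
            continue
        m = ENTRY_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed policy entry: {part!r}")
        entries.append((m.group(1), m.group(2) or ""))
    return entries


def violations(password: str, username: str, policy: str) -> List[str]:
    """Return one message per failed policy entry; an empty list means the password complies."""
    problems: List[str] = []
    for ptype, value in parse_policy(policy):
        checker = CHECKERS.get(ptype)
        if checker is None:
            raise ValueError(f"unsupported policy type: {ptype}")
        msg = checker(password, username, value)
        if msg is not None:
            problems.append(f"{ptype}: {msg}")
    return problems


def is_compliant(password: str, username: str, policy: str) -> bool:
    return not violations(password, username, policy)


if __name__ == "__main__":
    # Constructed sample policy and candidate passwords.
    policy = "length(12) and digits(1) and upperCase(1) and specialChars(2) and notUsername"
    for candidate in ("operator", "Winter2024!", "Winter2024!!x"):
        print(f"{candidate!r}: {violations(candidate, 'operator', policy) or 'OK'}")
```

Reporting every failed entry at once, rather than stopping at the first, is what lets a user fix a rejected password in one attempt; the order of the messages follows the order of the types in the policy string.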
Initial Actions User
Required actions are actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions are complete. For example, an admin may schedule users to reset their passwords every month. An update password required action would be set for all these users.
Sign Up Process - How to register yourself as user
Register yourself
You can allow users to register themselves.
Once logged in, select the Identity & Access Management tile in the launchpad.
Go to Realm Settings and select the Login tab.
There you can enable User registration.
Users now have the ability to register themselves by clicking the Sign up link located on the login page.
The user has to fill in the form and choose a password.
The user needs either the User or the Admin role to access IEM.
Password Change Authentication Settings
Overview
When changing passwords in Industrial Edge Management (IEM), users might notice that they are not always prompted to enter their current password for verification. This behavior is controlled by an authentication age setting in the Identity and Access Management (IAM) required actions configuration.
Default Behavior
By default, users can change their password without re-authentication if their current session is less than 300 seconds (5 minutes) old. After this period, users will need to verify their identity by entering their current password before making changes.
Adjusting the Authentication Age Setting
To modify this behavior, follow these steps:
- Open the IAM interface
- Navigate to the "Authentication" menu
- Select the "Required Actions" tab
- Click "Configure" next to "Update Password"
- Locate the "Maximum Age of Authentication" setting
- Enter your desired value in seconds:
  - Set to 0 to always require re-authentication
  - Set to a higher value to extend the time window in which re-authentication is not required
- Submit changes
NOTICE
Adjusting these settings affects all users in your Industrial Edge Management system. Choose a value that balances security requirements with user convenience for your organization.
Protected Data Display in Identity and Access Management (IAM)
The IAM interface enhances security by obscuring sensitive information by default. This includes:
- Passwords
- One-Time Passwords
- Secrets
- Other confidential data
This feature helps prevent shoulder surfing and unauthorized access to sensitive information. Each protected field is displayed with masked characters (e.g., ••••••) and includes a reveal icon next to it. Users can temporarily toggle the visibility of the protected data by clicking this icon.
When the reveal icon is clicked:
- The masked characters are replaced with the actual content
- Users can verify or copy the information as needed
- The data automatically returns to its masked state when the page is reloaded
Authenticator Feedback
Protected Data Display
The Identity and Access Management (IAM) interface prevents unauthorized viewing of sensitive information by obscuring authentication and confidential data in the user interface.
The following data types are protected by default:
- Passwords
- One-Time Passwords
- Secrets
- Other authentication and confidential data
To prevent unauthorized viewing of sensitive information:
- All protected fields display masked characters (e.g., ••••••) by default
- A reveal icon is provided next to protected fields
- Users can temporarily toggle visibility when needed
- Data automatically returns to masked state upon page reload
This implementation helps prevent:
- Shoulder surfing attacks
- Unauthorized capture of sensitive information
- Accidental exposure of confidential data
Generic Error Messages
To enhance security, the IAM provides generic error messages during authentication failures. When login attempts fail, the system returns a general message such as "Invalid username or password" regardless of the actual cause of failure.
This approach prevents potential attackers from determining:
- Whether a specific username exists
- Whether the username was correct but the password was wrong
- Other specific authentication failure reasons
By not disclosing specific error details, the system makes it more difficult for attackers to gather information about valid user accounts through failed login attempts.
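The following is an added example, not code from IEM or Keycloak, that shows the difference this section describes in a small login routine. The in-memory user store, the PBKDF2 parameters and the message texts are constructed for illustration. `login_verbose` is the leaky form: a distinct message (and an early return) for an unknown account versus a wrong password. `login_generic` returns the single message the text mentions and, in addition, always performs the password hash comparison, against a dummy credential when the username is unknown, so that the two failure cases cost the same work and cannot be told apart by response time either.

```python
"""Login check that returns the same generic message for every failure cause."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, hash)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed in-memory user store: username -> (salt, hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "operator": hash_password("Winter2024!!x"),
}

# Dummy credential verified on the unknown-user path so that it costs the same
# PBKDF2 work as a wrong password for an existing user.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def login_verbose(username: str, password: str) -> Tuple[bool, str]:
    """Leaky variant: the message and the early return reveal which check failed."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user"            # confirms the account does not exist
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(stored, candidate):
        return False, "Wrong password"          # confirms the account exists
    return True, "ok"


def login_generic(username: str, password: str) -> Tuple[bool, str]:
    """Hardened variant: one message and one code path for every failure."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    _, candidate = hash_password(password, salt)
    matched = hmac.compare_digest(stored, candidate)  # always runs, even for unknown users
    if known and matched:
        return True, "ok"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    for user, pw in (("nobody", "x"), ("operator", "wrong"), ("operator", "Winter2024!!x")):
        print(f"{user}/{pw}: verbose={login_verbose(user, pw)} generic={login_generic(user, pw)}")
```

The detailed cause is still worth recording on the server side (audit log, lockout counters); only the message returned to the client is made uniform.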