The iCM and website user tabs let you set up password complexity rules for your users. The recommended settings are taken from guidelines published by the OWASP (Open Web Application Security Project) Foundation.
The list of common passwords that should be blocked is held in the iCM custom folder, often available using iCM's File Manager. It has been compiled using publicly available lists of common passwords.
We strongly recommend you use the suggested password settings.
iCM Users
You can load the recommended settings using the "Use recommended settings" link. This link only appears if your current settings don't meet the minimum recommendations.
Changes to the complexity rules are applied to iCM users the next time they log in, including immediately after an upgrade, forcing them to reset their password so that it meets the new rules.
The rules you can set are:
- Minimum length
- Old password kept - this prevents the reuse of old passwords
- Minimum number of lower/uppercase letters, numbers, special characters
- Block repeated characters
- Block commonly used passwords
Password expiry can also be set for users in the iCM Users section.
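The rules listed above can be expressed as a small checker. This is an added Python example, not iCM's own code: the `Policy` thresholds, the function names, the sample blocklist and the reading of "repeated characters" as the same character more than twice in a row are all assumptions made for illustration.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                 # hypothetical; all thresholds are constructed sample values
    min_length: int = 10
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_special: int = 1
    max_run: int = 2          # assumption: a run longer than this counts as "repeated"
    history: int = 3          # number of old passwords kept

def hash_password(password: str, salt: bytes) -> bytes:
    # Old passwords are kept only as salted, slow hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def violations(password, policy, common, old_hashes):
    """Return the names of the rules the candidate breaks (empty list = accepted)."""
    found = []
    if len(password) < policy.min_length:
        found.append("min_length")
    counts = {
        "lower": sum(c.islower() for c in password),
        "upper": sum(c.isupper() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),  # includes spaces
    }
    for name, have in counts.items():
        if have < getattr(policy, "min_" + name):
            found.append("min_" + name)
    # Same character repeated more than max_run times in a row.
    if re.search(r"(.)\1{%d,}" % policy.max_run, password):
        found.append("repeated_characters")
    # Blocklist lookup is case-insensitive so "Qwerty123" matches "qwerty123".
    if password.lower() in common:
        found.append("common_password")
    # Re-hash the candidate with each stored salt; compare in constant time.
    for salt, digest in old_hashes[-policy.history:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            found.append("reused_password")
            break
    return found

# Constructed sample data: a tiny blocklist and one remembered old password.
COMMON = {"password", "qwerty123", "letmein"}
_salt = os.urandom(16)
HISTORY = [(_salt, hash_password("Tr4vel!Mug-Blue", _salt))]
```

Returning every broken rule, rather than stopping at the first, lets a form show the user all the guidance at once.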
iCM Login Providers
This feature is still in beta.
iCM login providers allow users to log into iCM using third-party accounts, such as a local network or corporate account. Any of the Authentication worker's Provider Types can be configured as an iCM login, but take care if you enable social media logins, as anyone with that account type could then log into iCM (if you want to enable a provider like Google, IP restrict your iCM logins first).
To enable a new provider, press "Create". You can then pick a provider that has already been set up in the API Server configuration from the drop-down, which will populate the name and type inputs. Pick "Other" to enter these details manually. The name and type must match a provider to have any effect.
The providers you enter here can be used to log into the iCM enterprise URL. They can also be inherited by subsites.
Once enabled you'll see a new button on the iCM login page.
Before site user logins can be used to log into iCM, group and user aliases also need to be set up. See Using External Authentication with iCM for a full description.
Website Users
Website user passwords are also managed from within iCM. These settings are used by:
- The Password (Storing) field type in the forms designer (if you select "Apply site Password Rules")
- The Password Guidance Text field to display the rules to site users
Both of these fields are part of our example registration form.
Recommended settings are listed next to each field. Changing the complexity rules does not force existing users to change their passwords. They will have to meet the new rules if they reset their password.
Failed login attempts and lockout durations are set in the API Server configuration of the iCMSiteUser provider (the defaults are 5 attempts and fifteen minutes).
Profile Form Mappings
Once you have users registered with your site, these mappings should not be changed. Changing mappings will cause problems for existing users. For more information about user profiles and how they can be created and updated, see the Site Groups and Users section.
If you do make changes you must resend the configuration to your API Server so the Authentication worker is aware of them.
Property | Description |
---|---|
User Profile Form | This is the private form that iCM should use to display user profiles when you are editing users in iCM (not the user profile object definition or "master" form). The standard form is called "iCM User Profile Form" |
Email Address Field | The property within the userprofile object that holds a user's email address |
Display Name Template
User accounts in iCM are generally identified by GUIDs (unless created manually in iCM). Rather than display GUIDs in the user trees in iCM, a display name is constructed using a Handlebars template.
The template also sets the value of the
This is the default template, which cannot be modified:
{{#and LASTNAME FIRSTNAME}}{{{LASTNAME}}}, {{{FIRSTNAME}}}, {{else if LASTNAME}}{{{LASTNAME}}}, {{else if FIRSTNAME}}{{{FIRSTNAME}}}, {{/and}}{{#if EMAIL}}{{{EMAIL}}}, {{/if}}{{{user.username}}}
It will display the LASTNAME and FIRSTNAME from the user's profile (if both exist), followed by the EMAIL, followed by the account username/unique ID. For example:
If either the FIRSTNAME or LASTNAME (or both) are missing, the template will display those elements that are present.
Preferred Name
The preferred name template works on the same principles as the display name. It sets the value of the
Rather confusingly the default template uses a single field called