Navigate to Admin > Settings > Security Policies to create and manage Password and Single Sign-on (SSO) security policies for users. You can apply these security policies to user accounts to determine whether they log into Vault with a password or using SSO.
If necessary, you can use the Convert Security Policy action to change a user’s security policy assignment.
The System Managed security policy does not appear on the Security Policies page, and you cannot edit it, delete it, or assign it to a user.
Note: Security policies apply across all Vaults in a multi-Vault domain. You must be a Domain Admin to modify these settings.
Password Security Policies
Password security policies allow user accounts to log into Vault with a password. On these security policies, you can configure password requirements, expiration period, reuse policy, security question policy, and more. Regardless of how you configure password-related fields on Password security policies, users are always able to unlock their accounts by resetting their passwords.
To create and edit a Password security policy:
- On the Admin > Settings > Security Policies page, click Create > Password. If editing an existing Password security policy, click on the security policy from the list and then click Edit.
- Enter a Policy Name and an optional Description.
- Select the Status. By default, new security policies are created in the Active status.
- Select Password as the Authentication Type.
- Optional: Adjust the remaining security policy settings as needed.
- Click Save.
Single Sign-on Security Policies
Single Sign-on (SSO) security policies allow user accounts to log in using SSO. When you create a new SSO security policy, you must assign it to each user account individually. If you edit an existing SSO security policy that is already assigned to users, you can skip that step, but if the SSO profile uses Federated ID rather than Vault User Name as the User ID Type, you may still need to enter a Federated ID on each user account.
See Configuring Single Sign-on for more information.
To create or edit an SSO security policy:
- On the Admin > Settings > Security Policies page, click Create > Single Sign-on. If editing an existing SSO security policy, click on the security policy from the list and then click Edit.
- Enter a Policy Name and an optional Description.
- Select the Status. By default, new security policies are created in the Active status.
- Optional: Select one SAML Single Sign-on Profile.
- Optional: Select one SAML eSignature Profile.
- Optional: Select one OAuth 2.0 / OpenID Connect Profile.
- Optional: Adjust the remaining security policy settings as needed.
- Click Save.
Security Policy Settings
For each security policy, you can configure the settings below.
Security Policy Type | Field | Explanation |
---|---|---|
Password, SSO | Status | Active or Inactive. Only Active security policies are available for selection in the Vault Users UI. |
Password | Password Requirements | Set the checkboxes to indicate which characters users must include in their passwords: number, upper-case letter, non-alphanumeric character (symbol). |
Password | Minimum Password Length | Select the minimum number of characters that users must include in their passwords. You can choose a number between 7 and 40. The default value is 8. |
Password | Password Expiration | Choose how often user passwords should expire. When a user’s password expires, Vault prompts the user to create a new password at the next login. Choose No expiration (default) or Expire in…. You can set the expiration period to a value between 30 and 720 days; when Expire in… is selected, the default is 90 days. |
Password | Password History Reuse | Choose whether Vault should prevent a user from reusing the same password, and how many previous passwords to track and prevent reuse. You can select No password history tracking (default) or Prevent the reuse of the last…. You can set the number of passwords to track any number from 1 to 20. The default value is 5. |
Password | Account lockout duration | Choose how long users will be locked out of their account after 5 consecutive instances of entering the incorrect password. You can set this to Permanent (default), 5 minutes, 10 minutes, 30 minutes, or 60 minutes. |
Password | Password Reset Daily Limit | Choose whether Vault should enforce a daily password reset limit and, if so, how many resets per day to allow. You can select Unlimited (default) or Limited to…. You can set the reset limit to any number from 1 to 10; when Limited to… is selected, the default is 10. This limit applies only to password resets requested from the login page by unauthenticated users. Password resets performed by an administrator or from the user’s profile page do not count against the daily reset limit. |
Password | Require security question on password reset | Set the checkbox to require that users create a security question and answer the question when resetting their passwords. After enabling this setting, Vault will prompt all users to create the security question the next time they log in. Answers are not case-sensitive. |
Password | Allow browsers to save and autofill password field on the login form | When this setting is on, users can choose to save passwords to a password manager or to their browser. When the setting is off, Vault prevents this. |
Password, SSO | Logout user after inactivity | This setting controls the maximum amount of time users can be idle before Vault automatically logs them out. You can set this to 10 minutes, 15 minutes, 20 minutes, 30 minutes, 45 minutes, 1 hour, 2 hours, 4 hours, or 8 hours. When configured, this setting overrides the domain-level Session Duration configured in Admin > Settings > Domain Settings. By default, this is set to Domain Default Duration and uses the domain-level Session Duration. |
Password, SSO | Allow device-enforced access | This setting applies to Vault Mobile only. Enable it to allow users to refresh their Vault authentication in the mobile app with their device authentication (biometrics or passcode) for up to the configured duration (four weeks by default). After that duration has passed, users must manually re-enter their credentials to re-authenticate. This setting is only available for Password security policies, or for SSO security policies that do not have an associated OAuth profile with vaultmobile in the Client Application mapping table, because OAuth configurations can leverage the IdP’s refresh token instead. Because a device-enforced refresh does not contact the IdP, inactivating a user at the IdP alone does not end an existing mobile session: when inactivating a user’s IdP access, also immediately inactivate their Vault access to prevent extended access from their browser or mobile app sessions. |
Password, SSO | Allow login via Salesforce.com | Select the checkbox to allow users who are logged into Salesforce.com or Veeva CRM to access Vault without logging in again. When this checkbox is selected, you must specify your company’s Salesforce.com Organization ID. |
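The following is an added example that models the Password security policy checks from the table above (required character classes, Minimum Password Length, Password History Reuse and Password Expiration) so the rules can be exercised against sample passwords. It is illustrative code written for this page, not Vault's own enforcement logic or API; the `PasswordPolicy` and `check_new_password` names, the bounds checking in `__post_init__`, and the sample passwords are this example's own.

```python
"""Illustrative model of Vault Password security policy rules (added example, not Vault code).

Vault enforces these rules server-side and exposes no such function; the field
bounds below mirror the settings table (minimum length 7-40, history 1-20,
expiration 30-720 days). Class and function names are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Sequence


@dataclass
class PasswordPolicy:
    require_number: bool = True
    require_upper: bool = True
    require_symbol: bool = True
    min_length: int = 8                        # Vault allows 7..40, default 8
    history_depth: int = 0                     # 0 = no history tracking; Vault allows 1..20 (default 5) when enabled
    expires_after_days: Optional[int] = None   # None = no expiration; Vault allows 30..720 (default 90) when enabled

    def __post_init__(self):
        # Reject values the Security Policies UI would not accept.
        if not 7 <= self.min_length <= 40:
            raise ValueError("minimum length must be between 7 and 40")
        if not 0 <= self.history_depth <= 20:
            raise ValueError("history depth must be between 0 and 20")
        if self.expires_after_days is not None and not 30 <= self.expires_after_days <= 720:
            raise ValueError("expiration must be between 30 and 720 days")


def check_new_password(policy: PasswordPolicy, candidate: str,
                       previous_passwords: Sequence[str] = ()) -> list:
    """Return the list of rules the candidate violates; an empty list means it is acceptable.

    previous_passwords is ordered newest-first; only the most recent
    policy.history_depth entries are compared, matching "Prevent the reuse of the last N".
    A real system compares against stored password hashes; plaintext is used here only
    to keep the example self-contained.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_number and not any(c.isdigit() for c in candidate):
        problems.append("missing a number")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        problems.append("missing an upper-case letter")
    if policy.require_symbol and not any(not c.isalnum() for c in candidate):
        problems.append("missing a non-alphanumeric character")
    if policy.history_depth and candidate in list(previous_passwords)[:policy.history_depth]:
        problems.append(f"reused one of the last {policy.history_depth} passwords")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True when the password is at least policy.expires_after_days old."""
    if policy.expires_after_days is None:
        return False
    return today - last_changed >= timedelta(days=policy.expires_after_days)


if __name__ == "__main__":
    # Constructed sample input: a policy with history tracking and 90-day expiration.
    policy = PasswordPolicy(history_depth=5, expires_after_days=90)
    print(check_new_password(policy, "Summer2024!", ["Winter2023!", "Summer2024!"]))
    print(password_expired(policy, date(2024, 1, 1), date(2024, 3, 31)))
```

Note that the history check is only as good as the depth configured: with `history_depth=1` a user can alternate between two passwords indefinitely, which is why the page's default of 5 (or more) is the sensible setting once tracking is enabled.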
How to Delete or Inactivate a Security Policy
To delete a security policy:
- From the Security Policies page, select the policy you want to delete.
- Select Delete from the All Actions menu.
- Click Continue to confirm that you want to delete the security policy.
You can only delete a security policy that is not assigned to any user, including inactive users. Reassign or convert those users to another security policy first.
To inactivate a security policy:
- From the Security Policies page, select the policy you want to inactivate.
- Click Edit.
- In the Status field, select Inactive.
- Click Save.
Once a security policy is inactive, it does not appear as an available option when creating or editing users.
How to Reset All Passwords
Resetting all passwords can help you enforce a new password security policy. For example, if you change the minimum length, resetting all passwords forces users to create passwords that comply with the new minimum length requirement. From the Security Policies page, select Reset All Passwords from the All Actions menu.
Note: This action does not affect users with Single Sign-on (SSO) security policies. You can only reset passwords for these users through your organization’s Identity Provider (IdP).
User Account Lockout
Vault locks a user account after five consecutive unsuccessful login attempts, regardless of how much time elapses between them; the failure count is not reset by the passage of time, only by a successful login or a password reset. Vault does not tell the user on the login screen that the account is locked, but Admins can view a record of lockouts in the Login Audit History. By default, the account remains locked until either the user or an Admin requests a password reset.
Note: The five-attempt threshold applies to all accounts and is not configurable. How long the lockout lasts is governed by the Account lockout duration field on the user’s Password security policy (Permanent by default, or 5, 10, 30 or 60 minutes).
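The following is an added example that models the lockout behaviour described in this section together with the Account lockout duration field from the settings table: five consecutive failures lock the account regardless of how far apart they are, a correct password is rejected while locked, a Permanent lockout ends only with a password reset, and a timed lockout expires after its duration. This is illustrative code written for this page, not Vault's implementation; the clock is passed in explicitly so the model is deterministic, and the behaviour of clearing the failure counter once a timed lockout has expired is an assumption of this example, not something the page states.

```python
"""Illustrative model of Vault's login lockout behaviour (added example, not Vault code).

Vault records lockouts in the Login Audit History rather than exposing any object
like this; the class, method names and the passed-in clock are this example's own.
"""
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_THRESHOLD = 5   # fixed by Vault and not configurable
PERMANENT = None        # the 'Permanent' Account lockout duration (default)


class AccountLockoutState:
    def __init__(self, lockout_minutes: Optional[int] = PERMANENT):
        # The settings table allows Permanent, 5, 10, 30 or 60 minutes.
        if lockout_minutes not in (PERMANENT, 5, 10, 30, 60):
            raise ValueError("lockout duration must be Permanent, 5, 10, 30 or 60 minutes")
        self.lockout_minutes = lockout_minutes
        self.consecutive_failures = 0
        self.locked_at: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_at is None:
            return False
        if self.lockout_minutes is PERMANENT:
            return True
        return now < self.locked_at + timedelta(minutes=self.lockout_minutes)

    def record_attempt(self, password_correct: bool, now: datetime) -> bool:
        """Process one login attempt and return True only if the login succeeds.

        While locked, the attempt is rejected even with the correct password, and
        the login screen gives the user no indication that the account is locked.
        """
        if self.is_locked(now):
            return False
        if self.locked_at is not None:
            # Assumption of this example: an expired timed lockout clears the counter.
            self.locked_at = None
            self.consecutive_failures = 0
        if password_correct:
            self.consecutive_failures = 0
            return True
        # Failures accumulate across any period of time; only a success or reset clears them.
        self.consecutive_failures += 1
        if self.consecutive_failures >= LOCKOUT_THRESHOLD:
            self.locked_at = now
        return False

    def password_reset(self) -> None:
        """A password reset (requested by the user or an Admin) unlocks the account."""
        self.consecutive_failures = 0
        self.locked_at = None


if __name__ == "__main__":
    # Constructed sample: five wrong passwords spread over a month still lock the account.
    t0 = datetime(2024, 6, 1, 9, 0)
    acct = AccountLockoutState()
    for day in (0, 3, 10, 20, 30):
        acct.record_attempt(False, t0 + timedelta(days=day))
    print("locked:", acct.is_locked(t0 + timedelta(days=60)))
    print("correct password while locked accepted:", acct.record_attempt(True, t0 + timedelta(days=60)))
```

Because failures never age out, a slow credential-stuffing run against a known username will still lock the account at the fifth miss, and with the Permanent default that lockout is also a cheap denial-of-service against that user until someone performs a reset. A timed duration bounds that while keeping the brute-force rate low, which is the trade-off the Account lockout duration field lets you make.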