Overview
This article provides information about the password policy for Druva Cloud Administrators using the failsafe option when SSO for administrators is enabled.
Druva Cloud Administrator
A Druva Cloud Administrator is equivalent to a super user and has access to all inSync users, workloads and inSync settings.
Single Sign-on for Administrators
After SSO is enabled, Druva disables passwords for all product administrators, except the Druva Cloud Administrators and the administrators having the Legal Admin role. Once SSO is enabled, failsafe login is enabled for Druva Cloud Administrators and the administrators having the Legal Admin role.
Refer to the SSO configuration process - https://help.druva.com/en/articles/8580828-set-up-single-sign-on-sso
Failsafe option when SSO is enabled for Administrators
The last step in the SSO configuration process is to configure failsafe. Failsafe is a mechanism that allows Druva Administrators to use password-based sign-on when the IdP has issues authenticating the Druva Admin or when there is an outage on the IdP side.
This means that, with Druva's new security posture, all Druva Cloud Administrators are required to set the failsafe password in accordance with the new password policy.
After SSO is configured, the following points apply:
Failsafe admins (Druva Cloud Administrators) will receive an email containing the password reset link when Single Sign-On is enabled.
The password is reset for all administrators when Single Sign-On is disabled.
Password policy is enabled for Druva Cloud Administrators when Single Sign-On is enabled. After a Druva Cloud Administrator logs in using Single Sign-On, the Druva Cloud Platform Console prompts the administrator to reset the password.
Administrators are not notified if the Failsafe for Administrators setting is disabled.
Product administrators will not be able to log in using failsafe. Only Druva Cloud Administrators will be able to log in using the failsafe option.
Important note
Regular SSO authentication continues to work, and you don't need to enter the password while signing in via the IdP. The failsafe admin password is required when your IdP authentication doesn't work.
The failsafe password must be set and then changed every 60 days (default). The maximum value for Password Expiry days is 99 days.
It is not possible to change the complexity requirements of the password.
Reference -
Password Policy for administrators -