We here at Ping Identity are doing our best to get rid of passwords, as fast as we can. Sadly, however, you and I still deal with passwords. Every day. So we're used to notifications.
Maybe you get an email. A status bar pop-up. Or some other fancy notification method. What about your PingFederate server?
Application passwords need expiration love too!
An issue that we often see in Support is an outage caused by the passwords that PingFederate uses to connect to various data stores expiring. These commonly occur at weird times -- who knows when the expiration time is going to occur! There are a lot of ways you could track this, from something as simple as running a report in AD using various tools (there are scripts for PowerShell, reports in the ADUC snap-in, etc.), a SQL query, etc. There are lots of cookbooks out on the Internet for you to use, and I'm not going to go into them here -- there are just too many data stores to consider for that. Heck, you could even set a calendar reminder for 5 days prior to expiration (*if* you know when that expiration date is -- like, when you set the password).
What I can say, however, is that it is important for you (or your PingFederate administrators) to know:
If the password(s) that PingFederate is using expire, and;
If so, when those passwords are scheduled to expire, so you can manage the expirations, minimize downtime (and calls to support).
Can PingFederate monitor its password expirations?
I knew you were going to ask this question.
The short answer is "no".
The long answer? We're looking at how to do this -- after all, we *are* connected to the data stores, right? Well, yes, we are, but that doesn't necessarily give us access to the expirations. The problem is that when it comes to directories and databases, the expiration time attributes may or may not be exposed to our user, and the attribute names vary.
We try to write code that's pretty agnostic to the various vendors -- with databases, we count on the driver to abstract the crazy from the code, and we do most of our LDAP stuff with plain old LDAPv3. We're looking at it -- but no promises. For now, it's better for you to figure out how and plan to monitor the data store passwords that you set for PingFederate.
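To make the "attribute names vary" problem concrete, here is an added example (not Ping Identity code and not part of the original post) that normalizes two common expiration schemes into one check and reports "unknown" when nothing is readable. It assumes the attributes were already read into a dict by whatever LDAP client you use; the account names and values are constructed, and the attribute names are Active Directory's `msDS-UserPasswordExpiryTimeComputed` and the LDAP password-policy draft's `pwdChangedTime`/`pwdMaxAge`.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AD_NEVER = 0x7FFFFFFFFFFFFFFF  # AD's "password never expires" sentinel

def expiry_from_attrs(attrs):
    """Map vendor-specific attributes to ('expires'|'never'|'unknown', datetime|None)."""
    # Active Directory: constructed attribute, 100-ns ticks since 1601-01-01 UTC.
    if "msDS-UserPasswordExpiryTimeComputed" in attrs:
        ticks = int(attrs["msDS-UserPasswordExpiryTimeComputed"])
        if ticks == AD_NEVER:
            return "never", None
        return "expires", FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    # LDAP password-policy draft (e.g. OpenLDAP ppolicy): change time plus max age
    # in seconds. Assumption: the caller merged pwdMaxAge from the policy entry.
    if "pwdChangedTime" in attrs and "pwdMaxAge" in attrs:
        max_age = int(attrs["pwdMaxAge"])
        if max_age == 0:  # 0 means no expiration under the draft
            return "never", None
        changed = datetime.strptime(attrs["pwdChangedTime"], "%Y%m%d%H%M%SZ")
        return "expires", changed.replace(tzinfo=timezone.utc) + timedelta(seconds=max_age)
    # Nothing readable: the bind account may simply lack rights to see it.
    return "unknown", None

def check(account, attrs, now, warn_days=5):
    """Return one status line per account; warn_days=5 is an illustrative threshold."""
    status, expiry = expiry_from_attrs(attrs)
    if status == "unknown":
        return f"UNKNOWN {account}: no expiry attribute readable, track the date manually"
    if status == "never":
        return f"OK {account}: password does not expire"
    remaining = expiry - now
    if remaining <= timedelta(0):
        return f"EXPIRED {account}: expired {expiry:%Y-%m-%d %H:%M} UTC"
    level = "WARN" if remaining <= timedelta(days=warn_days) else "OK"
    return f"{level} {account}: expires {expiry:%Y-%m-%d %H:%M} UTC"

# Constructed sample entries (hypothetical account names, made-up values).
SAMPLE = {
    "svc-pf-ad": {"msDS-UserPasswordExpiryTimeComputed": "133619328000000000"},
    "svc-pf-ad-noexp": {"msDS-UserPasswordExpiryTimeComputed": str(AD_NEVER)},
    "svc-pf-ldap": {"pwdChangedTime": "20240301000000Z", "pwdMaxAge": "7776000"},
    "svc-pf-other": {"cn": "svc-pf-other"},
}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for name, entry in SAMPLE.items():
        print(check(name, entry, now))
```

An "UNKNOWN" result is the case described above where the expiration is not exposed to the connecting user, so that account still needs a manually tracked date.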
Can't we figure out some standards?
Wouldn't it be nice if vendors would get together and make all of our lives easier? Couldn't the various vendors for directories and databases sing a single song of expiration information? At least in their own arena?
Sure would make life easier for those of us that care about multiple application accounts, wouldn't it?