I am still trying to figure out SSPR and integration with Identity
Manager as it seems some of the functionality doesn't work or just is
lacking versus NMAS. Below are a few things that we have found; please
give feedback if I am missing something.

Individual Password History (e.g. can't re-use the last 7 passwords):
Not available in SSPR, and seems to be replaced by Shared History. For
an organization that has 25K+ accounts, it seems that this could get
frustrating for a user to try and determine why they couldn't use a
password because someone else had used it in the past 28 days.

Disallow Current Password (as somewhat of a replacement for the above):
There is the password policy of 'Disallow Current Password' with a
description of 'Prohibit current password from being used as new
password. Note that this can only be enforced if the login method
permits the user's password to be known.' After testing with the SSPR
application change password page, it doesn't seem to work. After
digging into the code of ChangePasswordServlet.java in
https://github.com/pwm-project/pwm, it seems that the app is hard coded
to not check the previous password even if you require previous password
to change password. Specifically in handleChangeRequest around line 227
is this line
'pwmPasswordRuleValidator.testPassword(password1,null,uiBean,theUser);'
The second param is supposed to be the current password, instead it is

Minimum Lifetime (again to help replace password history):
The maximum value that is allowed in the UI is 100. This value
represents seconds. This seems like a serious oversight, since less than 2
minutes needs to pass.

schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54948
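
The two rules discussed in the post above, as an added example that is not part of the original post and is not pwm or SSPR code: a validator that reports an unknown current password instead of skipping the 'Disallow Current Password' rule, and that takes the minimum lifetime as a duration rather than a capped number of seconds. The class name, method, messages and sample passwords are hypothetical.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

// Hypothetical validator for illustration; not the pwm/SSPR API.
class ChangePasswordRules {
    final boolean disallowCurrent;
    final Duration minimumLifetime;

    ChangePasswordRules(boolean disallowCurrent, Duration minimumLifetime) {
        this.disallowCurrent = disallowCurrent;
        this.minimumLifetime = minimumLifetime;
    }

    // currentPw may be null when the caller never supplied the current password.
    List<String> check(String newPw, String currentPw, Instant lastChanged, Instant now) {
        List<String> errors = new ArrayList<>();
        if (disallowCurrent) {
            if (currentPw == null) {
                // Fail closed: say the rule could not be evaluated
                // rather than treating "unknown" as "different".
                errors.add("current password unknown; cannot enforce Disallow Current Password");
            } else if (currentPw.equals(newPw)) {
                errors.add("new password matches current password");
            }
        }
        Duration age = Duration.between(lastChanged, now);
        if (age.compareTo(minimumLifetime) < 0) {
            errors.add("password changed " + age.getSeconds() + " s ago; minimum lifetime is "
                    + minimumLifetime.getSeconds() + " s");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed policy, timestamps and passwords.
        ChangePasswordRules rules = new ChangePasswordRules(true, Duration.ofDays(1));
        Instant now = Instant.parse("2016-01-02T12:00:00Z");
        Instant changedLongAgo = now.minus(Duration.ofDays(30));
        // Caller passes null as the second argument, as in the line quoted in the post.
        System.out.println(rules.check("Summer2016!", null, changedLongAgo, now));
        // Caller passes the current password the user typed on the change form.
        System.out.println(rules.check("Summer2016!", "Summer2016!", changedLongAgo, now));
        // Different password, but the last change was 90 seconds ago.
        System.out.println(rules.check("Autumn2016!", "Summer2016!", now.minusSeconds(90), now));
    }
}
```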