18.1 Using Self Service Password Reset for Forgotten Password Management

In most cases, you can enable the forgotten password management feature when you install SSPR and the identity applications. However, you might not have specified the URL of the landing page for the identity applications to which SSPR forwards users after a password change. You might also need to enable forgotten password management. This section provides the following information:

18.1.1 Configuring Identity Manager to Use Self Service Password Reset

This section provides information about configuring Identity Manager to use SSPR.

  1. Log in to the server where you installed the identity applications.

  2. Run the RBPM configuration utility. For more information, see Section 12.4.1, Running the Identity Applications Configuration Utility.

  3. In the utility, navigate to Authentication > Password Management.

  4. For Password Management Provider, specify SSPR.

  5. Select Forgotten Password.

  6. Navigate to SSO Clients > Self Service Password Reset.

  7. For OSP client ID, specify the name that you want to use to identify the single sign-on client for SSPR to the authentication server. The default value is sspr.

  8. For OSP client secret, specify the password for the single sign-on client for SSPR.

  9. For OSP redirect URL, specify the absolute URL to which the authentication server redirects a browser client when authentication is complete.

    Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/sspr/public/oauth.

  10. Save your changes and close the utility.
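As an added illustration (not part of the NetIQ guide or its tooling), the following Python checks the three SSO client values from this procedure against the format stated above. The expected OAuth path and the flag on plain http are assumptions of this example, derived from the guide's sample URL.

```python
"""Sanity checks for the OSP -> SSPR SSO client values (constructed example)."""
from urllib.parse import urlparse

# Assumed from the guide's sample URL: http://10.10.10.48:8180/sspr/public/oauth
EXPECTED_PATH = "/sspr/public/oauth"


def check_redirect_url(url: str) -> list:
    """Return findings for an OSP redirect URL; an empty list means it passes.

    The guide requires an absolute URL in the form protocol://server:port/path.
    """
    findings = []
    parsed = urlparse(url)
    if not parsed.scheme or not parsed.hostname:
        return ["redirect URL must be absolute: protocol://server:port/path"]
    if parsed.scheme not in ("http", "https"):
        findings.append("scheme %r is not http or https" % parsed.scheme)
    try:
        if parsed.port is None:
            findings.append("explicit port is missing (format is protocol://server:port/path)")
    except ValueError:  # e.g. http://host:abc/sspr/public/oauth
        findings.append("port is not numeric")
    if parsed.path != EXPECTED_PATH:
        findings.append("path %r is not the SSPR OAuth endpoint %s" % (parsed.path, EXPECTED_PATH))
    if parsed.scheme == "http":
        # Assumed caveat: the OAuth redirect travels in clear text over http.
        findings.append("plain http: OAuth redirect is sent in clear text; prefer https")
    return findings


def check_sso_client(client_id: str, client_secret: str, redirect_url: str) -> dict:
    """Check client ID, client secret and redirect URL together.

    Returns {field: [findings]} containing only the fields that have findings.
    """
    results = {}
    if not client_id.strip():
        results["client_id"] = ["OSP client ID must not be empty (default is sspr)"]
    if not client_secret:
        results["client_secret"] = ["OSP client secret must not be empty"]
    elif client_secret.lower() == client_id.lower():
        results["client_secret"] = ["OSP client secret must not equal the client ID"]
    url_findings = check_redirect_url(redirect_url)
    if url_findings:
        results["redirect_url"] = url_findings
    return results


if __name__ == "__main__":
    # Constructed values mirroring the guide's example, with an empty secret
    print(check_sso_client("sspr", "", "http://10.10.10.48:8180/sspr/public/oauth"))
```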

18.1.2 Configuring Self Service Password Reset for Identity Manager

This section provides information about configuring SSPR to work with Identity Manager. For example, you might want to modify the password policies and challenge response questions.

When you installed SSPR with Identity Manager, you specified a password that an administrator can use to configure the application. NetIQ recommends that you modify the SSPR settings, then specify an administrator account or group that can configure SSPR.

NOTE: If you install SSPR on a different server than the User Application server, ensure that the SSPR application certificate is added to the User Application cacerts.

  1. Log in to SSPR by using the configuration password that you specified during installation.

  2. In the Settings page, modify the settings for the password policy and challenge response questions. For more information about configuring the default values for SSPR settings, see Configuring Self Service Password Reset in the NetIQ Self Service Password Reset Administration Guide.

  3. Lock the SSPR configuration file (SSPRConfiguration.xml). For more information about locking the configuration file, see Locking the SSPR Configuration.

  4. (Optional) To modify SSPR settings after you lock the configuration, you must set the configIsEditable setting to true in the SSPRConfiguration.xml file.

  5. Log out of SSPR.

  6. For the changes to take effect, restart Tomcat.

18.1.3 Locking the SSPR Configuration

  1. Go to http://<IP/DNS name>:<port>/sspr. This link takes you to the SSPR portal.

  2. Log in to the Identity Manager with an administrator account or log in with your existing login credentials.

  3. Click Configuration Manager at the top of the page and specify the configuration password that you specified during installation.

  4. Click Configuration Editor and navigate to Settings > LDAP Settings.

  5. Lock the SSPR configuration file (SSPRConfiguration.xml).

    1. Under the Administrator Permission section, define a filter in LDAP format for a user or a group that has administrator rights to SSPR in the Identity Vault. By default, the filter is set to groupMembership=cn=Admins,ou=Groups,o=example.

      For example, set it to uaadmin (cn=uaadmin) for the User Application administrator.

      This prevents all users except the SSPR admin user, who has full rights to modify the settings, from modifying the configuration in SSPR.

    2. To ensure that the LDAP query returns results, click View Matches.

      If there is any error in the setting, you cannot proceed to the next configuration option. SSPR displays the error details to help you troubleshoot the issue.

    3. Click Save.

    4. In the confirmation window that pops up, click OK.

      When SSPR is locked, the admin user can see additional options in the Administration user interface, such as Dashboard, User Activity, Data Analysis, and so on, that were not available before the SSPR lock down.

  6. (Optional) To modify SSPR settings after you lock the configuration, you must set the configIsEditable setting to true in the SSPRConfiguration.xml file.

  7. Log out of SSPR.

  8. Log in to SSPR again as an admin user defined in Step 3.

  9. Click Close Configuration, then click OK to confirm the changes.

  10. For the changes to take effect, restart Tomcat.