5.6 Configuring Forgotten Password Management

The Identity Manager installation includes Self Service Password Reset (SSPR) to help you manage the process for resetting forgotten passwords. Alternatively, you can use an external password management system.

5.6.1 Using Self Service Password Reset for Forgotten Password Management

In most cases, you enable forgotten password management when you install SSPR and the identity applications. However, you might not have specified the URL of the identity applications landing page to which SSPR forwards users after a password change, and you might still need to enable forgotten password management. This section covers configuring Identity Manager to use SSPR, configuring SSPR for Identity Manager, and locking the SSPR configuration.

Configuring Identity Manager to Use Self Service Password Reset

This section provides information about configuring Identity Manager to use SSPR.

  1. Log in to the server where you installed the identity applications.

  2. Run the RBPM configuration utility. For more information, see Running the Identity Applications Configuration Utility.

  3. In the utility, navigate to Authentication > Password Management.

  4. For Password Management Provider, specify SSPR.

  5. Select Forgotten Password.

  6. Navigate to SSO Clients > Self Service Password Reset.

  7. For OSP client ID, specify the name that identifies the SSPR single sign-on client to the authentication server (OSP). The default value is sspr.

  8. For OSP client secret, specify the password with which the SSPR client authenticates to OSP. Use a long, randomly generated value that is unique to this client; the same value must be entered in the SSPR OAuth settings.

  9. For OSP redirect URL, specify the absolute URL to which the authentication server redirects the browser when authentication is complete. It must match the URL at which the SSPR OAuth endpoint is actually reachable, including protocol, host, port and path.

    Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/sspr/public/oauth. In production, use https so that the authorization code carried in the redirect is not exposed on the network.

  10. Save your changes and close the utility.

Configuring Self Service Password Reset for Identity Manager

This section provides information about configuring SSPR to work with Identity Manager. For example, you might want to modify the password policies and challenge response questions.

When you installed SSPR with Identity Manager, you specified a configuration password that an administrator can use to configure the application. NetIQ recommends that you modify the SSPR settings, specify an administrator account or group that can configure SSPR, and then lock the configuration.

NOTE: If you install SSPR on a different server than the User Application server, ensure that the SSPR server's TLS certificate (or the CA certificate that issued it) is added to the cacerts trust store of the JVM that runs the User Application; otherwise the User Application cannot establish a trusted TLS connection to SSPR.
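The following script performs that trust-store step end to end and then verifies it. It is an added example, not NetIQ code: it assumes keytool is on PATH, that you pass the SSPR host and port and the cacerts path of the User Application JVM (typically $JAVA_HOME/lib/security/cacerts), and that the store password is the JDK default "changeit" unless you override it. Compare the printed SHA-256 fingerprint with the certificate on the SSPR server before you accept the import, because the fetch itself cannot verify a certificate the JVM does not yet trust.

```python
"""Import the SSPR server's TLS certificate into the User Application JVM's
cacerts trust store and confirm that the alias is present afterwards.

Added example; it is not NetIQ code. Assumptions: keytool is on PATH, the
caller supplies the SSPR host/port and the cacerts path, and the store
password is the JDK default "changeit" unless overridden.
"""
import hashlib
import os
import ssl
import subprocess
import tempfile


def fetch_server_cert(host: str, port: int) -> str:
    """Return the PEM certificate presented by host:port.

    This deliberately does not verify the peer: the local JVM does not trust
    the certificate yet, which is why we are importing it. Compare the
    fingerprint printed by trust_sspr_cert with the SSPR server's before use.
    """
    return ssl.get_server_certificate((host, port))


def fingerprint_sha256(pem: str) -> str:
    der = ssl.PEM_cert_to_DER_cert(pem)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def keytool_import_cmd(cacerts: str, alias: str, pem_path: str, storepass: str) -> list:
    """Argument vector for a non-interactive keytool -importcert."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-keystore", cacerts, "-storepass", storepass,
            "-alias", alias, "-file", pem_path]


def keytool_list_cmd(cacerts: str, alias: str, storepass: str) -> list:
    return ["keytool", "-list", "-keystore", cacerts,
            "-storepass", storepass, "-alias", alias]


def alias_present(keytool_list_output: str, alias: str) -> bool:
    """`keytool -list -alias X` prints 'X, <date>, trustedCertEntry,' when the
    alias exists and 'Alias <X> does not exist' when it does not."""
    for line in keytool_list_output.splitlines():
        if line.strip().lower().startswith(alias.lower() + ","):
            return True
    return False


def trust_sspr_cert(host: str, port: int, cacerts: str,
                    alias: str = "sspr", storepass: str = "changeit") -> bool:
    pem = fetch_server_cert(host, port)
    print(f"SHA-256 fingerprint of {host}:{port}: {fingerprint_sha256(pem)}")
    fd, pem_path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        subprocess.run(keytool_import_cmd(cacerts, alias, pem_path, storepass), check=True)
    finally:
        os.unlink(pem_path)
    listing = subprocess.run(keytool_list_cmd(cacerts, alias, storepass),
                             capture_output=True, text=True)
    return alias_present(listing.stdout, alias)


if __name__ == "__main__":
    import sys
    sspr_host, sspr_port, cacerts_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok = trust_sspr_cert(sspr_host, sspr_port, cacerts_path)
    print("trusted" if ok else "import failed; check keytool output")
    # Restart Tomcat afterwards: the JVM reads cacerts only at startup.
```

Run it as `python trust_sspr.py sspr.example.com 8443 /opt/jdk/lib/security/cacerts` (host name and path are placeholders). Importing the issuing CA rather than the leaf certificate survives certificate renewal; the script imports whatever the server presents, so pass a CA-signed chain's issuer through the same keytool command if that is your policy.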

  1. Log in to SSPR by using the configuration password that you specified during installation.

  2. In the Settings page, modify the settings for the password policy and challenge response questions. For more information about configuring the default values for SSPR settings, see Configuring Self Service Password Reset in the NetIQ Self Service Password Reset Administration Guide.

  3. Lock the SSPR configuration file (SSPRConfiguration.xml). For more information about locking the configuration file, see Locking the SSPR Configuration.

  4. (Optional) To modify SSPR settings after you lock the configuration, you must set the configIsEditable setting to true in the SSPRConfiguration.xml file.

  5. Log out of SSPR.

  6. For the changes to take effect, restart Tomcat.
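Steps 3 and 4 above turn on a file-level switch, configIsEditable, that you will need to flip again whenever the locked configuration has to be reopened for maintenance. The script below is an added example, not NetIQ code, that reopens or re-locks SSPRConfiguration.xml and audits the lockdown state. It assumes the file layout that SSPR writes (a properties element of type config holding a property with key configIsEditable, and a settings element whose setting with key ldap.admin.queryMatch holds the Administrator Permission filter); verify both element names and the setting key against your own SSPRConfiguration.xml before relying on it. The embedded SAMPLE_XML is constructed for the stand-alone demo.

```python
"""Reopen or re-lock SSPRConfiguration.xml and audit its lockdown state.

Added example; this is not NetIQ code. Assumed file layout (check it against
your own SSPRConfiguration.xml before use):
  <properties type="config"><property key="configIsEditable">false</property>...
  <settings><setting key="ldap.admin.queryMatch"><value>(cn=uaadmin)</value></setting>...
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

CONFIG_EDITABLE_KEY = "configIsEditable"
ADMIN_FILTER_KEY = "ldap.admin.queryMatch"   # assumption: key behind "Administrator Permission"
OVERLY_BROAD = {"(objectclass=*)", "objectclass=*", "(cn=*)", "cn=*", "(uid=*)", "uid=*"}

# Constructed sample in the assumed layout, used by the stand-alone demo.
SAMPLE_XML = """<PwmConfiguration>
  <properties type="config">
    <property key="configIsEditable">false</property>
    <property key="configEpoch">1</property>
  </properties>
  <settings>
    <setting key="ldap.admin.queryMatch" syntax="STRING">
      <value>(cn=uaadmin)</value>
    </setting>
  </settings>
</PwmConfiguration>
"""


def load_config(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def _config_property(root: ET.Element, key: str):
    return root.find(f"./properties[@type='config']/property[@key='{key}']")


def get_config_editable(root: ET.Element) -> bool:
    node = _config_property(root, CONFIG_EDITABLE_KEY)
    return node is not None and (node.text or "").strip().lower() == "true"


def set_config_editable(root: ET.Element, editable: bool) -> None:
    node = _config_property(root, CONFIG_EDITABLE_KEY)
    if node is None:
        props = root.find("./properties[@type='config']")
        if props is None:
            props = ET.SubElement(root, "properties", type="config")
        node = ET.SubElement(props, "property", key=CONFIG_EDITABLE_KEY)
    node.text = "true" if editable else "false"


def get_admin_filter(root: ET.Element):
    node = root.find(f"./settings/setting[@key='{ADMIN_FILTER_KEY}']/value")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def audit(root: ET.Element) -> list:
    """Findings a practitioner should resolve before leaving the server."""
    findings = []
    if get_config_editable(root):
        findings.append("configIsEditable is true: the Configuration Editor is open to anyone "
                        "holding the configuration password; set it back to false after maintenance")
    flt = get_admin_filter(root)
    if flt is None:
        findings.append("no Administrator Permission filter: after lockdown nobody could administer SSPR")
    elif flt.lower().replace(" ", "") in OVERLY_BROAD:
        findings.append(f"Administrator Permission filter {flt} matches every user")
    return findings


def set_editable_in_file(path: str, editable: bool) -> list:
    """Back the file up, rewrite configIsEditable, return audit findings.
    ElementTree drops XML comments when it writes, hence the backup."""
    src = Path(path)
    shutil.copy2(src, src.with_suffix(src.suffix + ".bak"))
    tree = ET.parse(src)
    root = tree.getroot()
    set_config_editable(root, editable)
    tree.write(src, encoding="utf-8", xml_declaration=True)
    return audit(root)


if __name__ == "__main__":
    demo = load_config(SAMPLE_XML)
    print("locked sample:", audit(demo) or "no findings")
    set_config_editable(demo, True)
    print("after reopening:", audit(demo))
```

After editing SSPRConfiguration.xml, restart Tomcat; SSPR reads the file at startup. Run the audit once more when you are done so that configIsEditable is false again before you walk away from the server.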

Locking the SSPR Configuration

  1. Go to http://<IP/DNS name>:<port>/sspr. This link takes you to the SSPR portal.

  2. Log in with an Identity Manager administrator account, or with your existing login credentials.

  3. Click Configuration Manager at the top of the page and specify the configuration password that you specified during installation.

  4. Click Configuration Editor and navigate to Settings > LDAP Settings.

  5. Lock the SSPR configuration file (SSPRConfiguration.xml).

    1. Under the Administrator Permission section, define a filter in LDAP format that matches the user or group that has administrator rights to SSPR in the Identity Vault. By default, the filter is set to groupMembership=cn=Admins,ou=Groups,o=example.

      For example, set it to (cn=uaadmin) to grant the rights to the User Application administrator uaadmin.

      After lockdown, only users matched by this filter can modify the SSPR configuration. Keep the filter as narrow as possible: a filter that matches every user grants every user SSPR administrator rights, and a filter that matches no one leaves no account that can administer SSPR after the lock.

    2. Click View Matches to confirm that the LDAP query returns exactly the users you intend, and no others.

      If there is any error in the setting, you cannot proceed to the next configuration option. SSPR displays the error details to help you troubleshoot the issue.

    3. Click Save.

    4. In the confirmation window that pops up, click OK.

      When SSPR is locked, users matched by the Administrator Permission filter see additional options in the Administration user interface, such as Dashboard, User Activity, and Data Analysis, that were not available before the lockdown.

  6. (Optional) To modify SSPR settings after you lock the configuration, you must set the configIsEditable setting to true in the SSPRConfiguration.xml file.

  7. Log out of SSPR.

  8. Log in to SSPR again as a user matched by the Administrator Permission filter that you defined in Step 5.

  9. Click Close Configuration, then click OK to confirm the changes.

  10. For the changes to take effect, restart Tomcat.
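View Matches is the one safeguard between a working lockdown and either a lockout (filter matches nobody) or a silent privilege grant (filter matches everybody). The following added example, which is not part of the NetIQ documentation, evaluates an Administrator Permission filter offline against a constructed set of Identity Vault entries (the DNs and attribute values in VAULT are made up) so you can see who the filter would match before saving it. It handles the subset of RFC 4515 filters such a setting normally uses: equality, presence, and the &, | and ! operators, nested; the bare attr=value form shown as the default on this page is accepted too. The real check still belongs in the Identity Vault (View Matches or ldapsearch); this shows the semantics.

```python
"""Evaluate an SSPR Administrator Permission filter against Identity Vault
entries before saving it, to see exactly who would become an SSPR administrator.

Added example, not NetIQ code. VAULT is constructed. Supported filter subset:
(attr=value), (attr=*), &, |, ! and nesting. Values compare case-insensitively
with whitespace around DN commas ignored, which approximates eDirectory's
caseIgnore and distinguishedName matching for the attributes used here.
"""
import re

_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")

# Constructed vault: the User Application administrator, an ordinary member of
# the Admins group, and a plain user.
VAULT = {
    "cn=uaadmin,ou=sa,o=data": {
        "objectClass": ["inetOrgPerson"], "cn": ["uaadmin"],
        "groupMembership": ["cn=Admins,ou=Groups,o=example"]},
    "cn=alice,ou=users,o=data": {
        "objectClass": ["inetOrgPerson"], "cn": ["alice"],
        "groupMembership": ["cn=Admins, ou=Groups, o=example"]},
    "cn=bob,ou=users,o=data": {
        "objectClass": ["inetOrgPerson"], "cn": ["bob"], "groupMembership": []},
}


def parse_filter(text: str):
    text = text.strip()
    if not text.startswith("("):          # accept the bare attr=value default form
        text = f"({text})"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected trailing text at offset {pos}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    c = s[i]
    if c in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("empty and/or filter")
        return ("and" if c == "&" else "or", children), _expect_close(s, i)
    if c == "!":
        child, i = _parse(s, i + 1)
        return ("not", child), _expect_close(s, i)
    end = s.find(")", i)
    if end < 0:
        raise ValueError("missing ')'")
    attr, sep, value = s[i:end].partition("=")
    attr, value = attr.strip(), value.strip()
    if not sep or not _ATTR_RE.fullmatch(attr):   # rejects >=, <=, ~= and substrings
        raise ValueError(f"unsupported comparison {s[i:end]!r}; only attr=value is handled")
    node = ("present", attr.lower()) if value == "*" else ("eq", attr.lower(), value)
    return node, end + 1


def _expect_close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _norm(value: str) -> str:
    return ",".join(part.strip() for part in value.split(",")).lower()


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "and":
        return all(matches(child, entry) for child in node[1])
    if kind == "or":
        return any(matches(child, entry) for child in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = {k.lower(): v for k, v in entry.items()}.get(node[1], [])
    if kind == "present":
        return bool(values)
    return any(_norm(v) == _norm(node[2]) for v in values)


def find_admins(filter_text: str, entries: dict) -> list:
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(node, attrs)]


def assess(filter_text: str, entries: dict) -> str:
    hits = find_admins(filter_text, entries)
    if not hits:
        return "LOCKOUT: filter matches no entry; after Close Configuration nobody could administer SSPR"
    if len(hits) == len(entries):
        return "TOO BROAD: filter matches every entry; every user would get SSPR administrator rights"
    return f"OK: {len(hits)} administrator(s): " + ", ".join(hits)


if __name__ == "__main__":
    for flt in ["(cn=uaadmin)", "groupMembership=cn=Admins,ou=Groups,o=example",
                "(objectClass=*)", "(cn=nobody)"]:
        print(f"{flt:50} -> {assess(flt, VAULT)}")
```

The group-based default is convenient but means that anyone who can add members to cn=Admins can grant themselves SSPR administration; an explicit user filter such as (cn=uaadmin) ties the right to one account that you can monitor.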

5.6.2 Using an External System for Forgotten Password Management

To use an external system, you must specify the location of a WAR file containing Forgot Password functionality. This process includes specifying the external WAR file, testing the configuration, and configuring SSL communication between the application servers.

Specifying an External Forgotten Password Management WAR File

If you did not specify these values during installation and want to modify the settings, you can use either the RBPM Configuration utility or make the changes in the User Application as an administrator.

  1. (Conditional) To modify the settings in the RBPM Configuration utility, complete the following steps:

    1. Log in to the server where you installed the identity applications.

    2. Run the RBPM configuration utility. For more information, see Running the Identity Applications Configuration Utility.

    3. In the utility, navigate to Authentication > Password Management.

    4. For Password Management Provider, specify User Application (Legacy).

  2. (Conditional) To modify the settings in the User Application, complete the following steps:

    1. Log in as the User Application Administrator.

    2. Navigate to Administration > Application Configuration > Password Module Setup > Login.

  3. For Forgotten Password, specify External.

  4. For Forgot Password Link, specify the link shown when the user clicks Forgot password on the login page. When the user clicks this link, the application directs the user to the external password management system. Use a host name that users' browsers can reach; localhost in the example below only works for a browser on the server itself. For example:

    http://localhost:8180/ExternalPwd/jsps/pwdmgt/ForgotPassword.jsp

  5. For Forgot Password Return Link, specify the link shown after the user finishes the forgot password procedure. When the user clicks this link, the browser is redirected to the specified URL. For example:

    http://localhost/IDMProv

  6. For Forgot Password Web Service URL, specify the URL of the web service that the external forgot password WAR uses to call back to the identity applications. Use the following format:

    https://idmhost:sslport/idm/pwdmgt/service

    This URL must use SSL (https), because the external WAR exchanges the forgot-password data with the identity applications over it. For more information, see Configuring SSL Communication between Application Servers.

  7. Manually copy ExternalPwd.war to the deploy directory (webapps, for Tomcat) of the remote application server that runs the external password WAR.

Testing the External Forgot Password Configuration

If you have an external password WAR file and want to test the Forgot Password functionality by accessing it, you can access it in the following locations:

  • Directly, in a browser. Go to the Forgot Password page in the external password WAR file. For example, http://localhost:8180/ExternalPwd/jsps/pwdmgt/ForgotPassword.jsp.

  • On the User Application login page, click the link for Forgot password.

Configuring SSL Communication between Application Servers

If you use an external password management system, you must configure SSL communication between the Tomcat instances on which you deploy the identity applications and the External Forgotten Password Management WAR file: enable an HTTPS connector on the identity applications' Tomcat instance, and make sure the JVM that runs the external WAR trusts the certificate that connector presents; otherwise the web service callback fails certificate validation. For more information, refer to the Tomcat documentation.
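The three URLs from the previous procedure, and the OSP redirect URL from the SSPR SSO client configuration earlier in this section, are easy to save with a value that only works on the server console. The script below is an added example, not NetIQ code: check_urls flags the page's own example values (localhost, plain http, a web service URL without https), and verify_tls completes a TLS handshake with the identity applications host against a CA bundle of your choice, which is the same validation the external WAR's JVM performs for the callback. Setting names mirror the labels in the configuration utility; idm.example.com and pwd.example.com in CORRECTED_SETTINGS are placeholders.

```python
"""Sanity-check the URLs entered for external forgotten-password management
(and the OSP redirect URL of the SSPR SSO client), then optionally confirm
that the identity applications' HTTPS endpoint presents a certificate that a
given CA bundle trusts, which is what the external WAR's JVM needs for the
web service callback.

Added example, not NetIQ code. EXAMPLE_SETTINGS holds the example values from
the documentation; CORRECTED_SETTINGS is a hypothetical production set.
"""
import socket
import ssl
from typing import Optional
from urllib.parse import urlparse

WEB_SERVICE = "Forgot Password Web Service URL"
BROWSER_FACING = {"Forgot Password Link", "Forgot Password Return Link", "OSP redirect URL"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

EXAMPLE_SETTINGS = {
    "Forgot Password Link": "http://localhost:8180/ExternalPwd/jsps/pwdmgt/ForgotPassword.jsp",
    "Forgot Password Return Link": "http://localhost/IDMProv",
    WEB_SERVICE: "https://idmhost:8443/idm/pwdmgt/service",
}
CORRECTED_SETTINGS = {   # placeholder host names
    "Forgot Password Link": "https://pwd.example.com:8443/ExternalPwd/jsps/pwdmgt/ForgotPassword.jsp",
    "Forgot Password Return Link": "https://idm.example.com:8443/IDMProv",
    WEB_SERVICE: "https://idm.example.com:8443/idm/pwdmgt/service",
}


def check_urls(settings: dict) -> list:
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    for name, url in settings.items():
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"{name}: not an absolute http(s) URL: {url!r}")
            continue
        if name == WEB_SERVICE:
            # Server-to-server callback: loopback may be legitimate when co-located,
            # but the documentation requires SSL on this path.
            if parts.scheme != "https":
                findings.append(f"{name}: must use https, got {parts.scheme}")
            continue
        if name in BROWSER_FACING:
            if parts.hostname in LOOPBACK:
                findings.append(f"{name}: points at {parts.hostname}, which a user's browser "
                                "resolves to the user's own machine")
            if parts.scheme != "https":
                findings.append(f"{name}: plain http; the user's session on this path is unencrypted")
    return findings


def verify_tls(url: str, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Handshake with the URL's host, verifying chain and host name against
    cafile (or the system store when None). Raises ssl.SSLCertVerificationError
    when a JVM trusting the same CA would also reject the endpoint."""
    parts = urlparse(url)
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            cert = tls.getpeercert()
            protocol = tls.version()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {"subject": subject, "notAfter": cert["notAfter"], "protocol": protocol}


if __name__ == "__main__":
    import sys
    print("documentation examples:", check_urls(EXAMPLE_SETTINGS))
    print("corrected settings:", check_urls(CORRECTED_SETTINGS) or "no findings")
    if len(sys.argv) >= 2:   # python check_pwd_urls.py https://idm.example.com:8443/idm/pwdmgt/service [ca.pem]
        print(verify_tls(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run verify_tls from the host that will run ExternalPwd.war, with cafile pointing at the CA you imported into that JVM's trust store; if it raises, the callback will fail in the same way, and the fix is on the trust-store or certificate side rather than in the URL.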

5.6.3 Updating SSPR Links in the Dashboard for a Distributed or Clustered Environment

The installation process assumes that you deploy SSPR on the same application server as the identity applications and Identity Reporting. By default, the built-in links on the Applications page in the Dashboard use a relative URL format that points to SSPR on the local system. For example, /sspr/private/changepassword. If you install the applications in a distributed or clustered environment, you must update the URLs for the SSPR links to absolute URLs on the server that hosts SSPR.

For more information, see the Help for the Identity Applications.

  1. Log in as an administrator to the Dashboard. For example, log in as uaadmin.

  2. Click Edit.

  3. In the Edit Home Items page, hover on the item that you want to update, and then click the edit icon. For example, select Change My Password.

  4. For Link, specify the absolute URL. For example, http://10.10.10.48:8180/sspr/private/changepassword.

  5. Click Save.

  6. Repeat for each SSPR link that you want to update.

  7. Upon completion, click I’m done.

  8. Log out, and then log in as a regular user to test the changes.