Identity Manager includes NetIQ Self Service Password Reset (SSPR) to help users who have access to the identity applications to reset their passwords without administrative intervention. The installation process enables SSPR by default when you install or upgrade to the latest version of Identity Manager. In a new installation, SSPR uses a proprietary protocol for managing authentication methods. However, after an upgrade, you can instruct SSPR to use the NetIQ Modular Authentication Services (NMAS) that Identity Manager traditionally has used for its legacy password management program.
Depending on whether you want to use complex password management, you can configure one of the following providers:
- NetIQ Self Service Password Reset is the default option when you install or upgrade Identity Manager. For more information, see Understanding the Default Self-Service Process.
- Uses the password management process from Identity Manager 4.0.2, which supports the use of multiple password policies. For more information, see Understanding the Legacy Password Management Provider.
- You can use a third-party program for managing forgotten passwords. You need to modify some configuration settings for Identity Manager. For more information, see Using an External System for Forgotten Password Management.
SSPR automatically integrates with the single sign-on process for the identity applications and Identity Reporting. It is the default password management program for Identity Manager, even when you do not install SSPR. When a user requests a password reset, SSPR requires the user to answer the challenge-response question. If the answers are correct, SSPR responds in one of the following ways:
- Allow users to create a new password
- Create a new password and send it to the user
- Create a new password, send it to the user, and mark the old password as expired
You configure this response in the SSPR Configuration Editor. After upgrading to a new version of Identity Manager, you can configure SSPR to use the NMAS method that Identity Manager traditionally has used for password management. However, SSPR does not recognize your existing password policies for managing forgotten passwords. To continue using your policies, see Understanding the Legacy Password Management Provider.
You can also configure SSPR to use its proprietary protocol instead of NMAS. If you make this change, you cannot return to using NMAS without resetting your password policies.
| For more information about... | See... |
|---|---|
| Installing SSPR | |
| Configuring password management for the identity applications | Using Self Service Password Reset for Forgotten Password Management |
| Managing and configuring SSPR | |
NOTE: The Legacy Password Self-Service feature of the User Application is deprecated with this release. NetIQ strongly recommends that you start using SSPR for all password-specific tasks. The installation process enables SSPR by default.
When you upgrade from an older version of Identity Manager, the identity applications default to SSPR as the password management program. SSPR can use the NMAS method that Identity Manager traditionally has used for password management. However, SSPR does not recognize your existing password policies for managing forgotten passwords. You can bypass SSPR and use the legacy password management provider.
When a user requests a password reset, the legacy provider compares the user’s credentials to the password policies that you set. For example, it might require the user to answer a challenge-response question. Based on the policy applied to that user, the program responds in one of the following ways:
- Resets the password
- Shows the password hint
- Emails the password hint to the user
- Emails a new password to the user
Use the legacy provider if your enterprise uses multiple or complex password policies. For example, your password policies might be based on user roles. An intern might simply need an auto-generated password without a challenge response. For a manager who can access secure data, you might have more stringent requirements. This user might need to regularly reset the password. In both cases, you want the users to have self-service for password requests.
To use the legacy provider, modify the configuration settings for the identity applications after you install or upgrade Identity Manager. You do not need to reconfigure your password policies after the upgrade.
| For more information about... | See... |
|---|---|
| Configuring Identity Manager to use the legacy provider | |
| Using the legacy provider for password management | |