34.7 Configuring Forgotten Password Management

34.7.1 Using Self Service Password Reset for Forgotten Password Management

In most cases, you can enable the forgotten password management feature when you install SSPR and the identity applications. However, you might not have specified the URL of the landing page for the identity applications to which SSPR forwards users after a password change. You might also need to enable forgotten password management. This section provides the following information:

Configuring Identity Manager to Use Self Service Password Reset

This section provides information about configuring Identity Manager to use SSPR.

  1. Log in to the server where you installed the identity applications.

  2. Run the RBPM configuration utility. For more information, see Section 35.1, Running the Identity Applications Configuration Utility.

  3. In the utility, navigate to Authentication > Password Management.

  4. For Password Management Provider, specify SSPR.

  5. Select Forgotten Password.

  6. Navigate to SSO Clients > Self Service Password Reset.

  7. For OSP client ID, specify the name that you want to use to identify the single sign-on client for SSPR to the authentication server. The default value is sspr.

  8. For OSP client secret, specify the password for the single sign-on client for SSPR.

  9. For OSP redirect URL, specify the absolute URL to which the authentication server redirects a browser client when authentication is complete.

    Use the following format: protocol://server:port/path. For example, http://10.10.10.48:8180/sspr/public/oauth.

  10. Save your changes and close the utility.

Configuring Self Service Password Reset for Identity Manager

This section provides information about configuring SSPR to work with Identity Manager. For example, you might want to modify the password policies and challenge response questions.

When you installed SSPR with Identity Manager, you specified a password that an administrator can use to configure the application. NetIQ recommends that you modify the SSPR settings, then specify an administrator account or group that can configure SSPR. For more information about the configuration password, see Section 27.0, Installing Single Sign-on and Password Management for Identity Manager.

  1. Log in to SSPR by using the configuration password that you specified during installation.

  2. In the Settings page, modify the settings for the password policy and challenge response questions. For more information about configuring the default values for SSPR settings, see Configuring Self Service Password Reset in the NetIQ Self Service Password Reset Administration Guide.

  3. Lock the SSPR configuration file (SSPRConfiguration.xml). For more information about locking the configuration file, see Locking the SSPR Configuration.

  4. (Optional) To modify SSPR settings after you lock the configuration, you must set the configIsEditable setting to true in the SSPRConfiguration.xml file.

  5. Log out of SSPR.

  6. For the changes to take effect, restart Tomcat.

Locking the SSPR Configuration

  1. Go to http://<IP/DNS name>:<port>/sspr. This link takes you to the SSPR portal.

  2. Log in to Identity Manager with an administrator account, or log in with your existing login credentials.

  3. Click Configuration Manager at the top of the page and specify the configuration password that you specified during installation.

  4. Click Configuration Editor and navigate to Modules > Administration.

  5. Lock the SSPR configuration file (SSPRConfiguration.xml).

    1. Under the Administrator Permission section, define a filter in LDAP format for a user or a group that has administrator rights to SSPR in the Identity Vault. By default, the filter is set to groupMembership=cn=Admins,ou=Groups,o=example.

      For example, set it to uaadmin (cn=uaadmin) for the User Application administrator.

      This prevents all users except the SSPR admin user, who has full rights to modify the settings, from modifying the configuration in SSPR.

    2. To ensure that the LDAP query returns results, click View Matches.

      If there is any error in the setting, you cannot proceed to the next configuration option. SSPR displays the error details to help you troubleshoot the issue.

    3. Click Save.

    4. In the confirmation window that pops up, click OK.

      When SSPR is locked, the admin user can see additional options in the Administration user interface, such as Dashboard, User Activity, Data Analysis, and so on, that were not available before the SSPR lockdown.

  6. (Optional) To modify SSPR settings after you lock the configuration, you must set the configIsEditable setting to true in the SSPRConfiguration.xml file.

  7. Log out of SSPR.

  8. Log in to SSPR again as an admin user defined in Step 3.

  9. Click Close Configuration, then click OK to confirm the changes.

  10. For the changes to take effect, restart Tomcat.

34.7.2 Using the Legacy Provider for Forgotten Password Management

Instead of SSPR, you can use the legacy provider in Identity Manager for the Forgotten Password Management feature. If you choose the legacy provider, you do not need to install SSPR. However, you will need to reassign permissions for users to access the shared pages for password management. This section provides the steps to perform these activities:

For more information about the legacy provider, see Section 4.4.2, Understanding the Legacy Password Management Provider. For more information about shared pages and permissions, see Page Administration in the NetIQ Identity Manager User Application: Administration Guide.

Configuring the Legacy Provider for Forgotten Password Management

  1. Log in to the server where you installed the identity applications.

  2. Run the RBPM configuration utility. For more information, see Section 35.1, Running the Identity Applications Configuration Utility.

  3. In the utility, navigate to Authentication > Password Management.

  4. For Password Management Provider, specify User Application (Legacy).

  5. For Forgotten Password, specify Internal.

  6. Navigate to SSO Clients > Self Service Password Reset.

  7. For OSP redirect URL, leave the setting empty.

  8. Save your changes and close the utility.

Reassigning Permissions for the Password Management Pages

The settings for the identity applications default to SSPR during installation. You must assign or reassign the permissions for the users, groups, or containers that you want to access the shared pages for managing passwords. When you assign users View permission for a container page or shared page, the users can access the page and see it in a list of available pages.

  1. Ensure that Identity Manager is using the legacy provider. For more information, see Configuring the Legacy Provider for Forgotten Password Management.

  2. Log in to the User Application as the application administrator. For example, log in as uaadmin.

  3. Navigate to Administration > Page Admin.

  4. In the Shared Pages panel, navigate to Password Management.

  5. Select the page for which you want to specify permissions. For example, Change Password or Password Challenge Response.

  6. In the right panel, click Assign Permission.

  7. In View, select the users, groups, or containers that you want to assign to the page.

  8. (Optional) To ensure that only an application administrator can access the specified page, select View Permission Set to Admin Only.

  9. Click Save.

  10. Perform Step 5 through Step 9 for each page that you want to configure.

  11. Return to Identity Manager Home.

  12. Click Edit.

  13. On the Edit Home Items page, replace the link to the SSPR page with the link for UserApp PwdMgt.

    For more information, see Section 34.7.4, Updating SSPR Links on the Home Page for a Distributed or Clustered Environment.

  14. Log out, and then restart the application server.

34.7.3 Using an External System for Forgotten Password Management

To use an external system, you must specify the location of a WAR file containing Forgot Password functionality. This process includes the following activities:

Specifying an External Forgotten Password Management WAR File

If you did not specify these values during installation and want to modify the settings, you can use either the RBPM Configuration utility or make the changes in the User Application as an administrator.

  1. (Conditional) To modify the settings in the RBPM Configuration utility, complete the following steps:

    1. Log in to the server where you installed the identity applications.

    2. Run the RBPM configuration utility. For more information, see Section 35.1, Running the Identity Applications Configuration Utility.

    3. In the utility, navigate to Authentication > Password Management.

    4. For Password Management Provider, specify User Application (Legacy).

  2. (Conditional) To modify the settings in the User Application, complete the following steps:

    1. Log in as the User Application Administrator.

    2. Navigate to Administration > Application Configuration > Password Module Setup > Login.

  3. For Forgotten Password, specify External.

  4. For Forgot Password Link, specify the link shown when the user clicks Forgot password on the login page. When the user clicks this link, the application directs the user to the external password management system. For example:

    http://localhost:8180/ExternalPwd/jsps/pwdmgt/ForgotPassword.jsp

  5. For Forgot Password Return Link, specify the link shown after the user finishes performing the forgot password procedure. When the user clicks this link, the user is redirected to the link specified. For example:

    http://localhost/IDMProv

  6. For Forgot Password Web Service URL, specify the URL for the web service that the external forgot password WAR uses to call back to the identity applications. Use the following format:

    https://idmhost:sslport/idm/pwdmgt/service

    The return link must use SSL to ensure secure web service communication to the identity applications. For more information, see Configuring SSL Communication between Application Servers.

  7. Manually copy ExternalPwd.war to the remote application server deploy directory that runs the external password WAR functionality.
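The URL rules in this section and in the SSPR and legacy provider procedures above (absolute protocol://server:port/path for the OSP redirect URL, an empty OSP redirect URL for the legacy provider, and SSL for the web service URL) can be checked before you save the utility. The following is an added pre-flight check, not part of the NetIQ product or this guide; the dictionary keys, the sample settings and the https warning for the redirect URL are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Expected path suffixes taken from the examples in this section.
SSPR_REDIRECT_PATH = "/sspr/public/oauth"
WEB_SERVICE_PATH = "/idm/pwdmgt/service"


def is_absolute_url(value, require_tls=False):
    """True if value has the protocol://server:port/path shape the utility expects."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname or not parts.path:
        return False
    try:
        parts.port  # raises ValueError on a malformed port such as :abc
    except ValueError:
        return False
    return parts.scheme == "https" if require_tls else True


def check_password_management(settings):
    """Return (errors, warnings) for one set of Password Management settings.

    settings keys (constructed for this example, mirroring the utility's fields):
      provider, forgotten_password, osp_redirect_url, forgot_password_link,
      forgot_password_return_link, web_service_url
    """
    errors, warnings = [], []
    provider = settings.get("provider", "")
    redirect = settings.get("osp_redirect_url", "")
    if provider == "SSPR":
        if not is_absolute_url(redirect):
            errors.append("OSP redirect URL must be absolute: protocol://server:port/path")
        elif not urlsplit(redirect).path.endswith(SSPR_REDIRECT_PATH):
            errors.append("OSP redirect URL should end with " + SSPR_REDIRECT_PATH)
        elif urlsplit(redirect).scheme != "https":
            # Not required by the guide; flagged because the redirect carries the OAuth flow.
            warnings.append("OSP redirect URL uses plain http")
    elif provider == "User Application (Legacy)" and redirect:
        errors.append("OSP redirect URL must be empty when the legacy provider is used")
    if settings.get("forgotten_password") == "External":
        for key in ("forgot_password_link", "forgot_password_return_link"):
            if not is_absolute_url(settings.get(key, "")):
                errors.append(key + " must be an absolute URL")
        ws = settings.get("web_service_url", "")
        if not is_absolute_url(ws, require_tls=True) or urlsplit(ws).path != WEB_SERVICE_PATH:
            errors.append("Forgot Password Web Service URL must be https://idmhost:sslport"
                          + WEB_SERVICE_PATH)
    return errors, warnings
```

Run it against the values you intend to enter in the utility; an empty error list means the settings satisfy the formats described above.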

Testing the External Forgot Password Configuration

If you have deployed an external password WAR file, you can test the Forgot Password functionality from either of the following locations:

  • Directly, in a browser. Go to the Forgot Password page in the external password WAR file. For example, http://localhost:8180/ExternalPwd/jsps/pwdmgt/ForgotPassword.jsp.

  • On the User Application login page, click the link for Forgot password.

Configuring SSL Communication between Application Servers

If you use an external password management system, you must configure SSL communication between the application servers on which you deploy the identity applications and the External Forgotten Password Management WAR file. Refer to the documentation for the application server.

34.7.4 Updating SSPR Links on the Home Page for a Distributed or Clustered Environment

The installation process assumes that you deploy SSPR on the same application server as the identity applications and Identity Reporting. By default, the built-in links on the Identity Manager Home page use a relative URL format that points to SSPR on the local system. For example, /sspr/private/changepassword. If you install the applications in a distributed or clustered environment, you must update the URLs for the SSPR links.

  1. Log in as an administrator to Identity Manager Home. For example, log in as uaadmin.

  2. Click Edit.

  3. In the Edit Home Items page, hover on the item that you want to update, and then click the edit icon. For example, select Change My Password.

  4. For Link, specify the absolute URL. For example, http://10.10.10.48:8180/sspr/changepassword.

  5. Click Save.

  6. Repeat for each SSPR link that you want to update.

  7. Upon completion, click I’m done.

  8. Log out, and then log in as a regular user to test the changes.