4.1 Configuring Change Password

Users can change their passwords whenever they want by using SSPR. As an administrator, you can configure various settings for the Change Password feature, such as requiring users to provide their current password while changing it, actions to take when a user changes a password, and so on.

When a user clicks Change Password, the list of prerequisites for the password is displayed. If you need to change the text of the listed items, refer to the Password Rule Text setting in Configuring Password Policy for a Profile.

To configure Change Password settings, perform the following steps:

  1. In Configuration Editor, click Modules > Change Password.

  2. Configure the following settings:

    Setting

    Description

    Change Password Permission

    Specify the query for the users who are allowed to change their password. You can build the query by using Add Filter, which includes the object class, and Add Group, which includes the LDAP group.

    Logout After Password Change

    Select this check box to enable the system to log out the user after changing a password.

    Enabling this feature is recommended for all users, especially if a user is using a single sign-on service.

    Change Password Required Values Form

    Specify the values required to be entered before changing the password.

    Require Current Password During Change

    Select this check box if you want users to provide their current passwords on the Change Password page while changing their passwords. This is required when a user is using single sign-on.

    In most cases, this is not required because the user gets authenticated prior to accessing the Change Password page.

    Password Change Agreement Message

    Specify the message to display to users before they are allowed to change the password. The message can include HTML tags.

    If you leave this field blank, the Change Password Agreement page is not visible to users.

    You can use Macros in this setting. For more information about macros, see Configuring Macros for Messages and Actions or select View > Macro Help in Configuration Editor.

    Password Change Completion Message

    Specify the message that must be displayed to users when the password change process is completed. If you leave this setting blank, the change password completion page will not be displayed to the user.

    This message may include HTML tags. You can also use macros. For more information about macros, refer to Configuring Macros for Messages and Actions.

    You can also configure this setting in a different language. Select the required language from the drop-down list, then click Add Locale.

    Password Guide Text

    Specify the text (in HTML format) that needs to be displayed for the Password Guide page.

    Password Change Minimum Wait Time

    Specify the time in seconds required for a password change to take effect. The system uses this time for background synchronization processes.

    Password Change Maximum Wait Time

    Specify the maximum time in seconds the system waits for the password to be synchronized to all configured LDAP servers during a password change action. This setting prevents the page from timing out when the synchronization takes longer.

    Password Pre-Expire Time

    Specify the time in seconds.

    Users are required to change their password earlier than the actual password expiry date, by the time specified here. If the user's password expires within this time frame, the system behaves as if the user's password has already expired.

    Setting this value prevents users' passwords from expiring while the users are logged in.

    The recommended value for this setting is 86400 seconds (one day).

    Password Expire Warn Time

    Specify the time in seconds. SSPR sends the password expiry notification before a user's password expires. If the user's password expires within this time frame, the system will warn the user during a CommandServlet, checkExpire, or checkAll operation.

    If this time is zero or less than expirePreTime, this feature is disabled. The recommended value for this setting is 432000 seconds (5 days).

    Check Expire During Authentication

    Select this check box to allow the system to verify whether a user’s password is expired or about to expire while authenticating the user. If the password is expired, the system forwards the user to the Expired Password page.

    Seedlist File

    Specify the Seedlist file.

    SSPR uses words from the Seedlist file to generate random passwords. You must modify the Seedlist to ensure randomness and to meet the configured policy for the user. SSPR generates user-friendly random password suggestions for users.

    Post Password Change Actions

    Specify actions to be taken when a user changes a password. The system invokes the configured actions immediately after the password is changed. You can use Macros within the action.

    When you add an action, the following services are available for setting the action:

    • webservice: You can select the HTTP method, add headers and specify the web service URL.

    • LDAP: You can specify the LDAP attribute name, attribute value, and the type of the operation that needs to be performed.

      • Replace: Remove the existing values and include the new ones in the output.

      • Add: Add the new values along with the existing values in the output.

      • Remove: Remove the specified value in the output.

  3. Click the Save icon.
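
The interaction between Password Pre-Expire Time and Password Expire Warn Time in step 2 can be checked before saving. The following is an added example, not SSPR code: it models the rules as stated on this page, and the function names, state labels, inclusive window boundaries, and sample clock are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Recommended values stated on this page, in seconds.
RECOMMENDED_PRE_EXPIRE = 86400   # one day
RECOMMENDED_WARN = 432000        # five days


def warn_enabled(pre_expire_s, warn_s):
    """Page rule: the warning is disabled if the warn time is zero
    or less than the pre-expire time."""
    return warn_s != 0 and warn_s >= pre_expire_s


def password_state(expires_at, now, pre_expire_s, warn_s):
    """Classify a password by the time left until it expires.
    Window boundaries are treated as inclusive (an assumption)."""
    remaining = (expires_at - now).total_seconds()
    if remaining <= 0:
        return "expired"
    if remaining <= pre_expire_s:
        return "pre-expired"  # handled as if the password has already expired
    if warn_enabled(pre_expire_s, warn_s) and remaining <= warn_s:
        return "warn"
    return "ok"


def audit(pre_expire_s, warn_s):
    """Return findings for a configured pair of values (hypothetical helper)."""
    findings = []
    if not warn_enabled(pre_expire_s, warn_s):
        findings.append("expiry warning disabled: warn time is zero "
                        "or less than pre-expire time")
    if pre_expire_s < RECOMMENDED_PRE_EXPIRE:
        findings.append("pre-expire time is below the recommended 86400 seconds")
    return findings


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock
    for hours in (-1, 12, 72, 144):  # constructed expiry offsets
        expires = now + timedelta(hours=hours)
        print(hours, password_state(expires, now,
                                    RECOMMENDED_PRE_EXPIRE, RECOMMENDED_WARN))
    # Warn time shorter than pre-expire time: users are never warned.
    print(audit(86400, 43200))
```

With a warn time shorter than the pre-expire time, a password moves directly from "ok" to "pre-expired" without any warning being shown, which is the misconfiguration the audit helper flags.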