4.3 Configuring Forgotten Password

The Forgotten Password feature allows users to recover a forgotten password without contacting the helpdesk. After you enable this feature, users see the Forgotten Password button on the login page.

You can also set up policies for Forgotten Password. This feature uses challenge-response authentication to let users recover their passwords. It can prompt the user for a challenge set or for a one-time password (OTP) before allowing a password change. Requiring a user to answer challenge questions or enter an OTP before recovering a forgotten password provides an additional level of security.

To use this feature, users must enroll their challenge responses or enroll a device with an OTP secret. You can configure the forgotten password settings by performing the procedure in Configuring Other Settings.

To make the Forgotten Password button work, ensure the following:

  • You have enabled the Forgotten Password feature in SSPR.

  • The user must complete challenge-response setup before using the Forgotten Password feature.

    For more information about how to configure challenge-response, see Configuring Challenge-Response Authentication.

You can also set up actions that Forgotten Password performs during the password recovery process.

NOTE: (Only when the back-end directory is Active Directory) When users change their passwords, SSPR considers the password history only when the Minimum Password Age is set to 0 in Active Directory and the proxy is disabled. If Minimum Password Age is non-zero, it is recommended that users change the password through the email token so that the password history is applied.

This section includes the following topics:

4.3.1 Selecting a Forgotten Password Action

You can configure the action SSPR takes when a user completes the forgotten password process.

SSPR provides the following options:

  • Allow user to reset password: After answering challenge questions to prove their identity, users can set a new password. Because the user has authenticated by answering the challenge questions, the user can change the password without being required to provide the current password. To use this option, you must require a challenge set, and the user must have set up challenge-response by answering the challenge questions.

  • Email new password to user: After answering challenge questions, the user receives the new password in an email. To enable this option, configure an SMTP email server.

    For more information about how to configure email settings, see Configuring Email Notification Settings.

  • SMS new password to user: After answering challenge questions, the user receives the new password through an SMS.

    For more information about how to configure SMS settings, see Configuring SMS Notification Settings.

  • Email and SMS new password to user: After answering challenge questions, the user receives both an email and an SMS containing the new password.

Perform the following steps:

  1. In Configuration Editor, click Modules > Forgotten Password > Forgotten Password Profiles.

  2. Select an action from the Forgotten Password Recovery Mode list.

  3. Click the Save icon.

4.3.2 Configuring Other Settings

Apart from enabling the Forgotten Password feature, configuring token settings, and configuring actions, you can configure various other settings for this feature. If you want to create different policies for different user groups, use the Edit List option to create different profiles. For more information about creating and configuring profiles, see Configuring Forgotten Password Policy for a Profile.

  1. In Configuration Editor, click Modules > Forgotten Password Settings.

  2. Configure the following settings:

    Setting

    Description

    Enable Forgotten Password

    Select the Enabled checkbox to allow users to recover a forgotten password.

    Forgotten Password User Search Form

    Specify the form attributes that a user must supply to be authenticated, such as name, email ID, and so forth. These details are confidential.

    The system uses these values internally to search for the user who requests the forgotten password recovery action.

    Forgotten Password User Search Filter

    Specify a filter to find the username. Each attribute configured in the Forgotten Password User Search Form should be included in the search filter. Strings enclosed in percent signs (%) are replaced with the values supplied by the user.

    For example, if the Forgotten Password User Search Form includes the email and sn attributes, the filter would be (&(objectClass=person)(email=%email%)(sn=%sn%)).

    Response Read Location

    Specify the location where challenge-responses are stored.

    If you select an option with multiple locations, the system reads each location until it finds a stored response.

    Response Write Location

    Specify the location to write the responses to.

    If you select an option with multiple locations, the system stores responses in each location when users configure their response answers.

    Response Storage Attribute

    Specify an attribute to use for storing responses when you want to store responses in the LDAP directory. The system stores responses in the LDAP directory in addition to any other configured storage repositories.

    Responses Storage Hashing Method

    Select the hashing method used to store responses from the list. By default, SSPR uses PBKDF2WithHmacSHA1. The available options are:

    • None (Plaintext)

    • MD5

    • SHA1

    • SHA-1 with Salt

    • SHA-256 with Salt

    • SHA-512 with Salt

    • PBKDF2WithHmacSHA1

    • PBKDF2WithHmacSHA256

    • PBKDF2WithHmacSHA512

    • BCrypt

    • SCrypt

    Storing the responses as plaintext facilitates synchronization or migration to other systems.

    NOTE: If an administrator changes this setting and uses the same browser session to store responses, the change does not take effect. The administrator must start a new browser session for the change to take effect.

    Forgotten Password Post Actions

    Specify the names of the actions and define them using the following services. These actions are executed after a user successfully completes the forgotten password process and the user's password has been modified. Macros can be used.

    • webservice

    • ldap

  3. Click Forgotten Password Profiles > default.

  4. Configure the settings for the default profile. For more information on configuring the settings for a profile, see Configuring Forgotten Password Policy for a Profile.

  5. Click the Save icon.
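The macro substitution described for the Forgotten Password User Search Filter setting above, as an added Python illustration that is not SSPR's own code: the values entered on the search form replace the %attribute% macros and are escaped per RFC 4515 so that filter metacharacters in user input are matched literally, and a check flags form attributes the filter omits. The attribute names, filter and sample values are constructed; how SSPR itself escapes the substituted values is not stated in this section.

```python
import re

# Constructed settings mirroring the example in the section: the attributes
# the user fills in on the search form, and a filter that references them
# as %attribute% macros.
SEARCH_FORM_ATTRIBUTES = ["email", "sn"]
SEARCH_FILTER = "(&(objectClass=person)(email=%email%)(sn=%sn%))"

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# A macro is an attribute name enclosed in percent signs, e.g. %email%.
_MACRO = re.compile(r"%(\w+)%")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the directory matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_form_covered(form_attributes, filter_template: str) -> list:
    """Return form attributes that the filter never references (should be empty)."""
    referenced = set(_MACRO.findall(filter_template))
    return sorted(set(form_attributes) - referenced)


def build_search_filter(filter_template: str, form_values: dict) -> str:
    """Replace each %attribute% macro with the escaped value the user entered.

    Raises ValueError if the filter references an attribute the form did not
    supply, so a macro is never left unexpanded in the query sent to LDAP.
    """
    def substitute(match):
        name = match.group(1)
        if name not in form_values:
            raise ValueError(f"filter references %{name}% but the form did not supply it")
        return escape_filter_value(form_values[name])

    return _MACRO.sub(substitute, filter_template)
```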