5.3 Configuring Forgotten Password Policy for a Profile

You can configure a forgotten password policy for a particular profile, and the users in that profile reset their password by using the verification methods defined in the settings for that profile. Depending on the verification methods defined in the profile, users can verify with challenge/response answers and also with a one time password (OTP) during the forgotten password process. For more information about one time password, refer to Configuring One Time Password.

Any verification method that you want the users to use must be set to Required (vertical bar at the extreme right). You can also require a given number of the optional methods by specifying that number in Minimum Optional Required. For example, if you set the verification method Challenge/Response Answers to Required and OTP (Mobile Device) Verification to Optional, with no value specified in Minimum Optional Required, then during the forgotten password process the user must answer the challenge/response questions and can skip verifying with a one time password.

The following verification methods can be used during a forgotten password process:

  • Previous Authentication: This verification method checks whether the user has previously authenticated from the same browser. The user must use the same browser for the forgotten password process.

  • LDAP Attributes: This verification method requires the user to specify the values of all the LDAP attributes listed in the Required LDAP Attributes setting.

    If you have upgraded SSPR from an earlier version in which LDAP attributes were required for the forgotten password process, ensure that you specify the LDAP attributes under the Required LDAP Attributes setting and mark this verification method as Required.

  • Challenge/Response Answers: This verification method requires the users to answer their challenge/response questions.

  • SMS/Email Token Verification: This verification method allows the user to verify with a token sent through SMS or email.

    If you have upgraded SSPR from an earlier version where the password send method was set to token, ensure that you mark this verification method as Required.

  • OTP (Mobile Device) Verification: This verification method requires the user to use a one time password (OTP) during the forgotten password process. For more information about OTP, refer to Configuring One Time Password.

  • External Responses: This verification method allows the user to use the responses stored on an external web services server. This applies only if you have specified the external web service server URL in Settings > Web Services > REST Clients > External Remote Responses REST Server URL.

  • NetIQ Advanced Authentication Framework: This verification method requires the user to use the authentication method configured in the NetIQ Advanced Authentication Framework (NAAF) settings. For more information about NAAF settings, refer to Section 7.0, Integrating SSPR with NetIQ Advanced Authentication Framework.

In a scenario where the verification method is challenge/response and OTP is optional, users can choose to skip enrolling for OTP. However, if OTP is enabled with the Force Setup but allow user to skip setting, users are prompted to enroll for OTP during the forgotten password process, with an option to skip it. Active Directory users are prompted to enroll for OTP before the password is reset, and eDirectory users are prompted to enroll after the password is reset.
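As an added illustration (not part of the SSPR documentation or product code), the following Python model shows how a profile's Required, Optional and Not Used settings combine with Minimum Optional Required: it covers the challenge/response-plus-optional-OTP case above and the 2-of-4 case used later on this page for the Minimum Optional Required field. The method and setting names are the page's; the function and data structures are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# The verification methods a profile can offer (names as listed on this page).
METHODS = (
    "Previous Authentication", "LDAP Attributes", "Challenge/Response Answers",
    "SMS/Email Token Verification", "OTP (Mobile Device) Verification",
    "External Responses", "NetIQ Advanced Authentication Framework",
)

class Usage(Enum):
    NOT_USED = "left"    # vertical bar at the left
    OPTIONAL = "middle"  # vertical bar in the middle
    REQUIRED = "right"   # vertical bar at the extreme right

@dataclass(frozen=True)
class Outcome:
    satisfied: bool                 # may the user proceed to recovery?
    missing_required: frozenset     # Required methods not yet completed
    optional_still_needed: int      # how many more Optional methods are needed

def evaluate(methods, minimum_optional_required, completed):
    """Hypothetical policy check: methods maps each method name to a Usage,
    completed is the set of methods the user has verified with so far."""
    unknown = set(methods) - set(METHODS)
    if unknown:
        raise ValueError(f"unknown verification method(s): {sorted(unknown)}")
    required = {m for m, u in methods.items() if u is Usage.REQUIRED}
    optional = {m for m, u in methods.items() if u is Usage.OPTIONAL}
    if minimum_optional_required > len(optional):
        # A profile nobody can satisfy; reject it when the profile is saved.
        raise ValueError("Minimum Optional Required exceeds the optional methods")
    # A method marked Not Used never counts, whatever the client claims to have done.
    done = set(completed) & (required | optional)
    missing = frozenset(required - done)
    still_needed = max(0, minimum_optional_required - len(done & optional))
    return Outcome(not missing and still_needed == 0, missing, still_needed)

if __name__ == "__main__":
    # Challenge/Response Required, OTP Optional, Minimum Optional Required blank (0):
    # answering the questions is enough, and OTP alone is not.
    profile = {"Challenge/Response Answers": Usage.REQUIRED,
               "OTP (Mobile Device) Verification": Usage.OPTIONAL}
    print(evaluate(profile, 0, {"Challenge/Response Answers"}).satisfied)        # True
    print(evaluate(profile, 0, {"OTP (Mobile Device) Verification"}).satisfied)  # False
    # Four Optional methods with Minimum Optional Required = 2: any two will do.
    four = {m: Usage.OPTIONAL for m in METHODS[:4]}
    print(evaluate(four, 2, {METHODS[0]}).optional_still_needed)                 # 1
    print(evaluate(four, 2, {METHODS[0], METHODS[3]}).satisfied)                 # True
```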

To configure a forgotten password policy for a profile, perform the following steps:

  1. On the Configuration Editor page, click Modules > Forgotten Password > Forgotten Password Profiles > default.

  2. (Conditional) If you want to create different profiles for different sets of users, click Edit List, then in the right pane add the profile names to the list by using Add Profile.

    SSPR does not allow changing the name of the profile.

  3. In the Add Value field, enter the profile name.

    The profile name must meet the following requirements:

    • Start with a letter (a-z or A-Z)

    • Contain only letters, numbers, and hyphens

    • Be between 2 and 15 characters long

    You can include multiple profiles. During authentication, SSPR checks the default profile first, and then the other profiles in the order listed.

  4. On the left pane, click the specified forgotten password profile.

  5. On the right pane, configure the following settings. Each field name is followed by its description:

Forgotten Password Profile Match

Specify the set of users to whom the profile applies. You can match the users by using the following:

  • LDAP Profile: Select the LDAP profile from the drop-down list. All the LDAP profiles that you have created are displayed.

  • LDAP Search Filter: Specify the LDAP search filter.

    You can add multiple filters by using Add Filter.

You can also match LDAP users by group DN. You can add one or more groups by using Add Group.

Verification Methods

Specify the verification methods to be used during the forgotten password process. You can mark each method Not Used, Optional or Required.

To make a method optional, move the vertical bar to the middle; to make it required, move the vertical bar to the right. If you do not want to use a verification method at all, move the vertical bar to the left.

The user must verify by using all the methods that are marked as Required.

If you also want users to verify by using some of the optional methods in addition to the required methods, specify the number of optional methods that a user must complete in the Minimum Optional Required field.

For example, if you specify 2 in the Minimum Optional Required field and there are 4 optional verification methods, the user must complete any 2 of the 4 optional methods.

Token Send Method

Select one of the following methods for sending the token code or new password to the user:

Email Only: The message with the token is sent only to the user's email address.

SMS Only: The message with the token is sent only to the user's mobile number.

Both: The message with the token is sent to both the user's email address and mobile number.

Email First: The message with the token is sent to the user's email address. If the email address is unavailable, the token is sent to the user's mobile number.

SMS First: The message with the token is sent to the user's mobile number. If the mobile number is unavailable, the token is sent to the user's email address.

User Choice: The message with the token is sent to the user's mobile number or email address, whichever the user chooses.

Allow Unlock

Enable this setting to let users unlock their account instead of resetting their password.

This setting applies when the user's account is locked because of multiple invalid login attempts and the user's password has not expired.

Forgotten Password Recovery Mode

Specify the action to be taken when the user completes the forgotten password process:

Allow user to set new password: The user is allowed to reset the password by using the Forgotten Password option.

Send new password: The password is sent to the user by using the method specified in the New Password Send Method setting. This password cannot be changed.

Send new password and mark as expired: The password is sent to the user by using the method specified in the New Password Send Method setting. When the user logs in with that password, a password expiry message prompts the user to set a new password.

New Password Send Method

Select the method used to send the new password to the user after the user completes the forgotten password process:

  • Email Only: Select this option to send the password through email.

  • SMS Only: Select this option to send the password through SMS.

  • Both: Select this option to send the password through both email and SMS.

  • Email First: Select this option if your first preference is to send the password through email. Only if the email address is unavailable is the password sent through SMS.

  • SMS First: Select this option if your first preference is to send the password through SMS. Only if the mobile number is unavailable is the password sent to the email address.

Required LDAP Attributes

Specify the LDAP attributes that are required for challenge-response.

Users provide the values of these attributes as part of the forgotten password recovery process. The LDAP proxy user must have LDAP compare rights on these attributes.

Allow Forgotten Password when Locked

Enable this setting to allow the user to use the forgotten password process when the user's account is intruder-locked in LDAP.
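As an added example (not part of the SSPR documentation or product code), this Python resolver models the delivery-channel rules shared by the Token Send Method and New Password Send Method settings above, including the Email First / SMS First fallbacks and a fail-closed result when the user has no reachable destination. The option names are the page's; the function, its handling of Both when only one channel exists, and the sample user are assumptions.

```python
from enum import Enum

class SendMethod(Enum):
    EMAIL_ONLY = "Email Only"
    SMS_ONLY = "SMS Only"
    BOTH = "Both"
    EMAIL_FIRST = "Email First"
    SMS_FIRST = "SMS First"
    USER_CHOICE = "User Choice"   # offered by Token Send Method only

def select_channels(method, email, mobile, user_choice=None):
    """Hypothetical resolver: returns the channels ('email', 'sms') a token or
    new password goes to. email/mobile are the user's stored values, '' or None
    when the attribute is absent; user_choice is only read for USER_CHOICE."""
    has_email, has_sms = bool(email), bool(mobile)
    if method is SendMethod.EMAIL_ONLY:
        chosen = ["email"] if has_email else []
    elif method is SendMethod.SMS_ONLY:
        chosen = ["sms"] if has_sms else []
    elif method is SendMethod.BOTH:
        # Assumption: with Both, deliver to every channel the user actually has.
        chosen = [c for c, ok in (("email", has_email), ("sms", has_sms)) if ok]
    elif method is SendMethod.EMAIL_FIRST:
        chosen = ["email"] if has_email else (["sms"] if has_sms else [])
    elif method is SendMethod.SMS_FIRST:
        chosen = ["sms"] if has_sms else (["email"] if has_email else [])
    elif method is SendMethod.USER_CHOICE:
        if user_choice not in ("email", "sms"):
            raise ValueError("User Choice needs the user's pick: 'email' or 'sms'")
        available = {"email": has_email, "sms": has_sms}
        chosen = [user_choice] if available[user_choice] else []
    else:
        raise ValueError(f"unsupported send method: {method!r}")
    if not chosen:
        # Fail closed: a token with no reachable destination must not count as sent.
        raise LookupError(f"{method.value}: user has no reachable destination")
    return chosen

if __name__ == "__main__":
    # Constructed sample user: email address on file, no mobile number.
    print(select_channels(SendMethod.EMAIL_FIRST, "user@example.com", None))  # ['email']
    print(select_channels(SendMethod.SMS_FIRST, "user@example.com", None))    # ['email']
    print(select_channels(SendMethod.BOTH, "user@example.com", None))         # ['email']
```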