9.3 Configuring a Profile for Forgotten Password Policy

You can configure a forgotten password policy for a particular profile, and the users that the profile matches can reset their passwords by using the verification methods that you define in that profile. Depending on the verification methods you select, users prove their identity during the forgotten password process with challenge-response answers, a one-time password (OTP), or one of the other methods listed below. For more information about one-time passwords, see Configuring One-Time Password.

Any verification method that users must complete must be set to Required (slide the vertical bar to the far right). You can also make a number of the Optional methods mandatory by specifying that number in Minimum Optional Required; users then choose which Optional methods to complete, but must complete at least that many. For example, if you set Challenge/Response Answers to Required and OTP (Mobile Device) Verification to Optional, with no value specified in Minimum Optional Required, then during the forgotten password process users must answer their challenge questions and are then offered OTP verification, which they can skip. An Optional method never substitutes for a Required one.

The following are the verification methods that can be used during a forgotten password process:

  • Previous Authentication: This verification method checks whether the user has previously authenticated from the same browser. Self Service Password Reset requires the user to use that same browser for the forgotten password process.

  • LDAP Attributes: This verification method requires the user to supply the values of all the LDAP attributes listed in the Required LDAP Attributes setting.

    If you have upgraded Self Service Password Reset from an earlier version in which LDAP attributes were required for the forgotten password process, ensure that you list those attributes under Required LDAP Attributes and set this verification method to Required.

  • Challenge/Response Answers: This verification method requires the user to answer their challenge questions.

  • SMS/Email Token Verification: This verification method verifies the user with a token code sent through SMS or email.

    If you have upgraded Self Service Password Reset from an earlier version in which the password send method was set to token, ensure that you set this verification method to Required.

  • OTP (Mobile Device) Verification: This verification method requires the user to use the one-time password (OTP) during forgotten password process. For more information about OTP, see Configuring One-Time Password.

  • External Responses: This verification method verifies the user against responses stored on an external web services server. This applies only if you have specified that server's URL in Settings > Web Services > REST Clients > External Remote Responses REST Server URL.

  • Advanced Authentication: This verification method requires the users to use the authentication method that you configure in the Advanced Authentication setting. For more information about Advanced Authentication settings, see Section 11.0, Integrating Self Service Password Reset with NetIQ Advanced Authentication.

In a scenario where Challenge/Response Answers is Required and OTP is Optional, users can choose to skip enrolling for OTP. However, if you have enabled OTP with the Force Setup - but allow user to skip setting, users are prompted to enroll for OTP during the forgotten password process, with an option to skip it. Active Directory users are prompted to enroll before the password is reset; eDirectory users are prompted after the password is reset.
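The following is an added example, not code from Self Service Password Reset or its documentation: a small model of how the Required, Optional and Minimum Optional Required settings described above are evaluated, so that you can check a planned profile before configuring it. The method names are the ones listed above; the class, function and constant names are assumptions. It also includes the configuration sanity check a practitioner wants: a Minimum Optional Required larger than the number of Optional methods can never be satisfied.

```python
# Added example, not part of Self Service Password Reset or its documentation:
# a model of how Required / Optional / Minimum Optional Required verification
# methods are evaluated during the forgotten password process. Method names
# are the ones listed above; class, function and constant names are assumptions.
from dataclasses import dataclass

REQUIRED = "Required"
OPTIONAL = "Optional"


@dataclass
class ForgottenPasswordProfile:
    """methods maps a verification method name to REQUIRED or OPTIONAL;
    methods that are not enabled in the profile are simply absent."""
    methods: dict
    minimum_optional_required: int = 0

    def required(self):
        return [m for m, level in self.methods.items() if level == REQUIRED]

    def optional(self):
        return [m for m, level in self.methods.items() if level == OPTIONAL]

    def config_problems(self):
        """Checks an administrator should run before saving the profile."""
        problems = []
        if self.minimum_optional_required < 0:
            problems.append("Minimum Optional Required cannot be negative")
        if self.minimum_optional_required > len(self.optional()):
            problems.append(
                f"Minimum Optional Required is {self.minimum_optional_required} "
                f"but only {len(self.optional())} Optional method(s) are enabled; "
                "no user could complete the process")
        if not self.methods:
            problems.append("no verification method is enabled")
        return problems

    def evaluate(self, completed):
        """completed: set of method names the user has passed in this session.
        Returns (satisfied, reason). Every Required method must be present,
        then at least minimum_optional_required of the Optional ones.
        Methods that are not enabled in the profile carry no weight."""
        completed = set(completed)
        missing = [m for m in self.required() if m not in completed]
        if missing:
            return False, "Required method(s) not satisfied: " + ", ".join(missing)
        done_optional = [m for m in self.optional() if m in completed]
        if len(done_optional) < self.minimum_optional_required:
            return False, (f"{len(done_optional)} Optional method(s) completed, "
                           f"{self.minimum_optional_required} needed")
        return True, "verification complete"


# The configuration discussed above: challenge-response Required, OTP Optional,
# no Minimum Optional Required (OTP is offered but may be skipped).
CR_REQUIRED_OTP_OPTIONAL = ForgottenPasswordProfile(
    methods={"Challenge/Response Answers": REQUIRED,
             "OTP (Mobile Device) Verification": OPTIONAL})

# A "pick one of two" profile: nothing Required, two Optional methods,
# Minimum Optional Required = 1, so the user chooses either one.
ANY_ONE_OF_TWO = ForgottenPasswordProfile(
    methods={"SMS/Email Token Verification": OPTIONAL,
             "OTP (Mobile Device) Verification": OPTIONAL},
    minimum_optional_required=1)

# A misconfiguration: only one Optional method enabled but two demanded.
BROKEN = ForgottenPasswordProfile(
    methods={"Challenge/Response Answers": REQUIRED,
             "OTP (Mobile Device) Verification": OPTIONAL},
    minimum_optional_required=2)


if __name__ == "__main__":
    print(CR_REQUIRED_OTP_OPTIONAL.evaluate({"Challenge/Response Answers"}))
    print(CR_REQUIRED_OTP_OPTIONAL.evaluate({"OTP (Mobile Device) Verification"}))
    print(ANY_ONE_OF_TWO.evaluate({"OTP (Mobile Device) Verification"}))
    print(BROKEN.config_problems())
```

Run it as a script to see the three decisions and the configuration warning. The second call shows the point that matters for security: completing only the Optional OTP step does not satisfy a profile whose challenge-response step is Required.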

To configure the Forgotten Password policy for a profile:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor > Modules > Forgotten Password > Forgotten Password Profile > default.

  4. (Conditional) If you want to create different profiles for different sets of users:

    1. Click Edit List, then add the profile names to the list by using Add Profile.

    2. In the Add Value field, enter the profile name.

      The profile name must have the following format:

      • Start with a letter (a-z or A-Z)

      • Contain only letters, numbers, and hyphens

      • Length between 2 and 15 characters

      You can include multiple profiles. During authentication, Self Service Password Reset searches for the default profile first, and then the other profiles in the order listed.

    3. Select the appropriate profile name.

    Self Service Password Reset does not allow changing the name of the profile.

  5. Define the following settings for your environment:

    Forgotten Password Profile Match

    Specify the query for the users who are allowed to use Forgotten Password. You can query by using Add Filter that includes the object class, and by using Add Group that includes the LDAP group.

    Verification Methods

    Select one or more verification methods to use during the forgotten password process. Users must satisfy every method set to Required, and then complete any of the remaining Optional methods until they have completed the number specified in Minimum Optional Required.

    Token Send Method

    Select the method used for sending the token code or new password to the user: email only, SMS messages only, both, email first, SMS messages first, or let the user choose.

    You must perform additional configuration to send emails and SMS messages. For more information, see:

    Allow Unlock

    Allows users to unlock their accounts during the forgotten password process. If Enabled, and a user's account is locked because of too many invalid login attempts while the password has not expired, the user is offered the option to unlock the account instead of resetting the password. This works only if the user has populated the Self Service Password Reset challenge set.

    If you are using the NMAS challenge set, you must enable the Enable NMAS Responses for Forgotten Password option to have the same functionality for the NMAS challenge set. For more information, see Configuring the LDAP eDirectory Settings.

    Forgotten Password Recovery Mode

    Select an action to take when the users complete the forgotten password process.

    Allow user to set new password

    Allows users to set a new password after answering their challenge questions to prove their identity. Because the challenge-response step has already authenticated the user, the current password is not required. To use this option, you must require a challenge set, and the user must have enrolled by answering the challenge questions.

    Send new password

    Select this option to send the password through the chosen Token Send Method.

    Send new password and mark as expired

    Select this option to send the password through the chosen Token Send Method and to mark that new password as expired, so that the user must change it at the next login.

    New Password Send Method

    Select the method to send new passwords to users when Forgotten Password Recovery Mode is set to Send new password or Send new password and mark as expired. You can send the password through email only, SMS messages only, both, email first, or SMS messages first.

    Required LDAP Attributes

    Specify the LDAP attributes required for forgotten password authentication. Users must supply the values of these attributes as part of the forgotten password process. The LDAP Proxy User requires LDAP compare permission on these attributes; compare rights are enough because the value the user supplies is checked with an LDAP compare operation rather than by reading the stored value.

    Allow Forgotten Password when Locked

    Allows users to use the forgotten password feature while the account is intruder locked in LDAP. This feature is not available when the user's responses are stored in NMAS.

  6. Click Save changes.
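As an added example that is not part of the product or its documentation, the following checker applies the profile name rules from step 4 (a letter first; only letters, numbers and hyphens; 2 to 15 characters) so that you can validate a list of planned profile names before typing them into the Configuration Editor. The function names and the candidate names are assumptions.

```python
# Added example, not from Self Service Password Reset: a checker for the
# profile name rules given in step 4 (letter first; only letters, digits and
# hyphens; 2 to 15 characters). Function names and candidates are assumptions.
import re

# An ASCII letter, then 1 to 14 more letters, digits or hyphens: 2 to 15 total.
PROFILE_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{1,14}")


def is_valid_profile_name(name):
    """True if the name satisfies all three rules at once."""
    return PROFILE_NAME_RE.fullmatch(name) is not None


def profile_name_problem(name):
    """Return None if the name is valid, otherwise the first rule it breaks,
    checked in the order the documentation lists them."""
    if not name or not (name[0].isascii() and name[0].isalpha()):
        return "must start with a letter (a-z or A-Z)"
    bad = sorted({c for c in name
                  if not (c.isascii() and (c.isalnum() or c == "-"))})
    if bad:
        return "may contain only letters, numbers and hyphens; found: " + "".join(bad)
    if not 2 <= len(name) <= 15:
        return f"length {len(name)} is outside 2 to 15 characters"
    return None


# Constructed candidate names, not taken from the documentation.
CANDIDATES = ["default", "contractors-2", "HR-EU", "1staff", "a",
              "external_users", "helpdesk-region-north", "vpn users"]


def check_all(names=CANDIDATES):
    """Map each candidate to None (valid) or the rule it violates."""
    return {n: profile_name_problem(n) for n in names}


if __name__ == "__main__":
    for name, problem in check_all().items():
        print(f"{name!r}: {'ok' if problem is None else problem}")
```

Because the name cannot be changed once the profile is saved, running such a check first avoids ending up with a misnamed profile that you can only delete and recreate.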