5.3 Configuring the Change Password Module

Users can change their passwords whenever they want by using Self Service Password Reset. Self Service Password Reset allows administrators to customize the password change experience for the users from the beginning to the end. The Change Password module allows you to configure actions the users must perform before changing their password. It also allows you to configure tasks the users must perform after they change their passwords. For example, users must provide their current passwords before they can change their passwords.

When the users click Change Password, the web page lists the prerequisites for users to change their password. Self Service Password Reset allows you to change the text of the listed items. For more information, see the Password Rule Text setting in Configuring a Profile for a Password Policy.

To configure the Change Password settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Authenticated > Change Password.

  5. Configure the following settings:

    Change Password Permission

    Specify the query for the users that Self Service Password Reset allows to change their passwords. You can query by using Add Filter to define the LDAP filter that includes the object class, and by using Add Group that includes the LDAP group.

    Logout After Password Change

    Enable this option to force users to log out (and send them to the logout URL) after a password change. For security reasons, enable this feature for all users, especially if a user is using a single sign-on service. By default, Self Service Password Reset enables this option.

    Change Password Required Values Form

    Specify the values Self Service Password Reset requires the users to enter before changing their passwords.

    Require Current Password During Change

    Select whether you want Self Service Password Reset to require the users to provide their current passwords on the Change Password page. You must enable this option if users are using a single sign-on service. In most cases, this is not required because the single sign-on service authenticates the users prior to accessing the Change Password page.

    Password Change Agreement Message

    Specify the message to display to users before Self Service Password Reset allows them to change their passwords. The message can include HTML tags. If you leave this field blank, the Change Password Agreement page is not visible to users. You can use macros in this setting. For more information, see Configuring Macros for Messages and Actions.

    You can also configure this setting in a different language. Click Add Locale, then select the required language from the list.

    Password Change Completion Message

    Specify the message that Self Service Password Reset displays to users when users complete the password change process. If you leave this setting blank, the user does not see the change password completion page. This message might include HTML tags. You can also use macros. For more information, see Configuring Macros for Messages and Actions.

    You can also configure this setting in a different language. Click Add Locale, then select the required language from the list.

    Password Guide Text

    Specify the text (in HTML) Self Service Password Reset displays for the Password Guide page. This shows up as a password guide link in a pop-up dialog. Leave blank to not show the password guide link. You can use macros for this setting. For more information, see Configuring Macros for Messages and Actions.

    You can also configure this setting in a different language. Click Add Locale, then select the required language from the list.

    Password Sync Enable Replication Checking

    Enable this option to have Self Service Password Reset perform a replica sync that polls all of the configured replicas on the users’ LDAP Profile to determine if the LDAP directory updated the password change time. The particular method to determine the last password change time varies per LDAP vendor type.

    You can choose to display the progress of the replica check to the users or not depending on the option you select.

    Password Change Minimum Wait Time

    Specify the minimum time (in seconds) that Self Service Password Reset waits during a password change for the change to take effect. The system uses this time for background synchronization processes.

    Password Change Maximum Wait Time

    Specify the maximum time, in seconds, the system waits for the password to be synchronized to all configured LDAP servers during a password change action. This setting prevents the page from timing out when the synchronization takes a longer time.

    Password Pre-Expire Time

    Specify the number of seconds before the users’ passwords expire, which forces the users to change their passwords. If the users’ passwords expire within this time frame, the system behaves as if the users’ passwords had already expired.

    Setting this value to a day prevents most cases in which the users’ passwords expire while they are logged in. The recommended setting for this value is 86400 (1 day).

    Password Expire Warn Time

    Specify how long, in seconds, before the users’ passwords expire Self Service Password Reset sends the password expiry notification. If the users’ passwords expire within this time frame, the system warns the users during a CommandServlet, checkExpire, or checkAll operation.

    To disable this feature, set the time to 0 or to a value less than expirePreTime. The recommended value for this setting is 432000 seconds (5 days).

    Check Expire During Authentication

    Enable this option to have the system verify whether the users’ passwords are expired or about to expire while the users authenticate. If the password is expired, the system forwards the user to the Expired Password page.

    Post Password Change Actions

    Specify the actions to be taken when a user changes a password. The system invokes the configured actions immediately after the user changes the password. You can use macros within the action. For more information, see Configuring Macros for Messages and Actions.

    When you add an action, the following services are available:

    webservice

    You can select the HTTP method, add headers and specify the web service URL.

    LDAP

    You can specify the LDAP attribute name, attribute value, and the type of the operation that is performed. The operation types are:

    Replace

    Replaces the existing values and includes the new ones in the output.

    Add

    Adds the new values along with the existing values in the output.

    Remove

    Removes the specified value in the output.

    Show Auto Generate Random

    Enable this option to have the user web page display a link to users during the change password process that displays a list of auto-generated sample passwords that the configured password policies allow. The users have the option to select and use one of the values in the list. If you enable this option, Self Service Password Reset does not force the users to choose a password from the list.

    Show Strength Meter

    Enable this option to display the password strength meter on the Change Password page. By default, Self Service Password Reset enables this option.

  6. In the toolbar, click Save changes.
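
The following added example (not Self Service Password Reset code) models how Password Sync Enable Replication Checking interacts with the minimum and maximum wait times: every replica is polled until all report the new password change time, never finishing before the minimum and never running past the maximum. The replica callables, the fake clock, the one-second poll interval, and the server names are assumptions made for illustration; the vendor-specific read of the change time is abstracted away.

```python
class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def replica(clock, delay, changed_at):
    """Constructed replica: reports the new change time once `delay` seconds pass."""
    return lambda: changed_at if clock.now() >= delay else None


def wait_for_replicas(replicas, changed_at, min_wait, max_wait, clock, poll=1.0):
    """Poll every replica until all report a change time >= changed_at.

    Never returns before min_wait and never runs past max_wait (seconds).
    """
    start = clock.now()
    while True:
        pending = sorted(name for name, read in replicas.items()
                         if (read() or 0) < changed_at)
        elapsed = clock.now() - start
        if not pending and elapsed >= min_wait:
            return {"synced": True, "elapsed": elapsed, "pending": []}
        if elapsed >= max_wait:
            return {"synced": not pending, "elapsed": elapsed, "pending": pending}
        clock.sleep(min(poll, max_wait - elapsed))


def demo(delays, min_wait, max_wait):
    """Run one constructed scenario; delays maps replica name -> seconds of lag."""
    clock, changed_at = FakeClock(), 1_700_000_000
    replicas = {n: replica(clock, d, changed_at) for n, d in delays.items()}
    return wait_for_replicas(replicas, changed_at, min_wait, max_wait, clock)


if __name__ == "__main__":
    print(demo({"ldap1": 0, "ldap2": 3}, min_wait=2, max_wait=10))  # lagging replica catches up
    print(demo({"ldap1": 0, "ldap2": 30}, min_wait=2, max_wait=5))  # gives up at the maximum
    print(demo({"ldap1": 0, "ldap2": 0}, min_wait=2, max_wait=10))  # held for the minimum
```

The second scenario is the one to watch for when tuning: a maximum shorter than real replication lag ends the wait while a replica still holds the old password.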
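
The following added example (not Self Service Password Reset code) shows how the Password Pre-Expire Time and Password Expire Warn Time settings described above combine, including the case where a warn time of 0 or one shorter than the pre-expire time disables warnings. The state labels, function names, and sample accounts are constructed for illustration; the two default values are the ones this page recommends.

```python
from datetime import datetime, timedelta, timezone

PRE_EXPIRE = 86400    # Password Pre-Expire Time: value recommended on this page
EXPIRE_WARN = 432000  # Password Expire Warn Time: value recommended on this page


def classify(expires_at, now, pre_expire=PRE_EXPIRE, warn=EXPIRE_WARN):
    """Return 'expired', 'pre-expired', 'warn' or 'ok' (labels are illustrative)."""
    remaining = (expires_at - now).total_seconds()
    if remaining <= 0:
        return "expired"
    # Inside the pre-expire window the password is treated as already expired.
    if pre_expire > 0 and remaining <= pre_expire:
        return "pre-expired"
    # A warn time of 0, or one shorter than the pre-expire time, disables warnings.
    if warn > 0 and warn >= pre_expire and remaining <= warn:
        return "warn"
    return "ok"


def triage(accounts, now, **settings):
    """Group constructed (user, expiry) pairs by the state classify() assigns."""
    groups = {"expired": [], "pre-expired": [], "warn": [], "ok": []}
    for user, expires_at in accounts:
        groups[classify(expires_at, now, **settings)].append(user)
    return groups


# Constructed sample data: a fixed "now" and four hypothetical accounts.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
ACCOUNTS = [
    ("alice", NOW + timedelta(days=10)),
    ("bob", NOW + timedelta(days=3)),
    ("carol", NOW + timedelta(hours=12)),
    ("dave", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for state, users in triage(ACCOUNTS, NOW).items():
        print(f"{state:12} {users}")
    # With the warn time below the pre-expire time, nobody is only warned.
    print(triage(ACCOUNTS, NOW, warn=3600))
```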