6.1 Configuring the Forgotten Password Module

Self Service Password Reset allows users to recover a forgotten password without contacting the help desk. The Forgotten Password module is a configurable feature. After enabling this feature, users see the Forgotten Password option on the user login web page.

The Forgotten Password module uses challenge-response authentication to let users recover their passwords. This feature can prompt for a challenge set or for a one-time password (OTP) before allowing a password change. Requiring a user to answer challenge questions or to enter an OTP before receiving the forgotten password provides an additional level of security.

To correctly configure the Forgotten Password module, you must define a Forgotten Password profile and configure the Forgotten Password settings.

6.1.1 Configuring the Forgotten Password Profile

You can configure a Forgotten Password profile, and the users of that group can reset their passwords by using the method that you define in the settings for that profile. This section helps you define the default Forgotten Password profile. If you want to create different profiles for different user groups, you can use the Edit List option and create different profiles. For more information about creating and configuring the profiles, see Configuring Profiles.

Depending on the verification method that you define in the profile, users can use challenge-response, a one-time password (OTP), or both during the forgotten password process. For more information about one-time passwords, see Configuring One-Time Password.

To configure the Forgotten Password profile:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Public > Forgotten Password > Profiles > default > Definition.

  5. Configure the following settings for the Forgotten Password profile:

    Forgotten Password Profile Match

    Specify the set of users for a profile, so that the configuration setting that you specify for the profile is applicable for that set of users.

    You can use LDAP Group or LDAP filters to query the LDAP directory for users.

    Add Filter

    Select the appropriate profile from the list, then select the LDAP search filter. For example:

    (&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))

    Add Group

    Select the appropriate profile from the list, then specify the LDAP Group DN. For example:

    cn=admins,o=company or cn=administrators,cn=builtin,dc=example,dc=com

    Verification Methods

    Select one or more verification methods to use during the forgotten password process. The users must satisfy every method set to Required, and then complete any of the remaining Optional methods until they have completed the minimum number of Optional methods. For more information, see Understanding the Verification Methods.

    Token Send Method

    Select the methods used for sending the token code or new password to the user. You can send the password through only email, only SMS messages, both, emails first, SMS messages first, or the users can choose the method.

    You must perform additional configuration to send emails and SMS messages. For more information, see:

    Allow Unlock

    Enable this option to allow users to unlock locked accounts during the Forgotten Password process. If Enabled, and if the users’ accounts are locked due to too many invalid login attempts and the users’ passwords are not expired, then the Forgotten Password process allows the users to unlock their accounts instead of resetting their passwords. This only works if the users have populated the Self Service Password Reset challenge set.

    If you are using the NMAS challenge set, you must enable the Enable NMAS Responses for Forgotten Password option to have the same functionality for the NMAS challenge set. For more information, see Configuring the LDAP eDirectory Settings.

    Forgotten Password Recovery Mode

    Select an action to take when the users complete the Forgotten Password process.

    Allow user to set new password

    Allows users to set a new password, after answering the challenge questions to prove their identity. The users can change their passwords without the Forgotten Password process requiring them to provide their current passwords because the users authenticated through answering the challenge questions. To use this option, you must require a challenge set and the user must have set up challenge-response by answering the challenge questions. For more information, see Configuring the Setup Security Questions Module.

    Send new password

    Select this option to send the password through the chosen Token Send Method.

    Send new password and mark as expired

    Select this option to send the password through the chosen Token Send Method and to expire the old password.

    New Password Send Method

    Select the method to send new passwords to users when the Forgotten Password Success Action is set to Send new password. You can send the password through email only, SMS messages only, both, emails first, or SMS messages first.

    Required LDAP Attributes

    Specify the required LDAP attributes for Forgotten Password authentication. The users must specify these attributes as part of the Forgotten Password authentication process. The LDAP Proxy User requires LDAP compare permission to these attributes.

    Allow Forgotten Password when Locked

    Allows the users to use the forgotten password feature when the account is intruder locked in LDAP. This feature is not available when a user is using NMAS to store responses.

  6. (Conditional) Configure the OAuth2 connection to an external application if you selected OAuth2 as a verification method. For more information, see Configuring the OAuth2 Verification Method for the Forgotten Password Module.

  7. In the toolbar, click Save changes.

6.1.2 Configuring the Forgotten Password Settings

To complete the configuration of the Forgotten Password module, you must also configure the Forgotten Password settings. The settings allow you to set up the actions that the Forgotten Password process performs during password recovery.

NOTE: If you are using Active Directory when users change their passwords, Self Service Password Reset considers the password history only when the Minimum Password Age is set to 0 and the proxy is disabled. If Minimum Password Age is not 0, it is important that users change the password through the email token so that the password history applies.

To configure the Forgotten Password settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Public > Forgotten Password > Settings.

  5. Configure the following settings:

    Enable Forgotten Password

    Enable this option to allow the users to recover forgotten passwords.

    Forgotten Password User Search Form

    Specify the attributes that users specify to authenticate, such as name or email. Ideally, the information the users specify is not publicly known.

    The system uses these values internally to search for the users who request the Forgotten Password recovery action.

    Forgotten Password User Search Filter

    Specify a filter to find users. Include each attribute configured in the Forgotten Password User Search Form in the search filter. Strings enclosed in percent signs (%) are replaced with the values supplied by the user.

    For example, if the Forgotten Password User Search Form includes email and sn attributes, then the filter would be:

    (&(objectClass=person)(email=%email%)(sn=%sn%))
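
    Because the values substituted into this filter (and into the %USERNAME% profile-match filter above) come straight from the user, the substitution has to escape LDAP filter metacharacters as RFC 4515 requires. The following Python is an added example, not SSPR's own code: it renders a filter template from form values with escaping, and checks that every form attribute is referenced by the filter. The function names and the sample values are constructed for this illustration.

```python
import re

# Placeholder syntax used by the page's filters: %attr% stands for the value
# the user typed into the Forgotten Password User Search Form for that attribute.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = "\\*()\x00"


def escape_filter_value(value: str) -> str:
    """Escape one user-supplied value for use inside an LDAP search filter.

    Each special character becomes a backslash followed by two hex digits, so
    the value can only match as data and never changes the filter's structure.
    """
    return "".join("\\%02x" % ord(ch) if ch in _SPECIAL else ch for ch in value)


def render_search_filter(template: str, form_values: dict) -> str:
    """Replace every %attr% in the template with the escaped form value.

    Wildcards written in the template itself (as in *%USERNAME%*) are kept;
    only the substituted value is escaped. A form that did not supply an
    attribute the filter needs raises KeyError instead of producing an empty
    assertion that could match the wrong user.
    """
    def substitute(match):
        return escape_filter_value(form_values[match.group(1)])
    return PLACEHOLDER.sub(substitute, template)


def missing_form_attributes(template: str, form_attrs) -> set:
    """Configuration check: form attributes that the filter never references.

    The page requires every attribute in the User Search Form to appear in the
    User Search Filter; anything returned here is a misconfiguration.
    """
    return set(form_attrs) - set(PLACEHOLDER.findall(template))


if __name__ == "__main__":
    # Constructed sample input: the page's example filter and a user's form values.
    template = "(&(objectClass=person)(email=%email%)(sn=%sn%))"
    print(render_search_filter(template, {"email": "jane@example.com", "sn": "Doe"}))
    # A surname containing filter metacharacters is escaped, not interpreted.
    print(render_search_filter(template, {"email": "jane@example.com", "sn": "Doe (Jr)*"}))
    print(missing_form_attributes("(&(objectClass=person)(email=%email%))", ["email", "sn"]))
```
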

    Response Read Location

    Specify the location where the system stores the challenge-responses. If you select an option with multiple locations, the system reads each location until it finds a stored response.

    Response Write Location

    Specify the location where the system writes the responses. If you select an option with multiple locations, the system stores responses in each location when users configure their response answers.

    Response Storage Attribute

    Specify an attribute the system uses for storing responses when you want to store responses in the LDAP directory. The system stores responses in the LDAP directory in addition to any other configured storage repositories.

    Response Storage Hashing Method

    Select from the list the hashing method that the system uses to store responses. By default, Self Service Password Reset uses PBKDF2WithHmacSHA1. The available options are:

    • None (Plaintext)

    • MD5

    • SHA1

    • SHA-1 with Salt

    • SHA-256 with Salt

    • SHA-512 with Salt

    • PBKDF2WithHmacSHA1

    • PBKDF2WithHmacSHA256

    • PBKDF2WithHmacSHA512

    • BCrypt

    • SCrypt

    Storing the responses as plain text facilitates synchronization or migration to other systems.

    NOTE: If an administrator changes this setting and uses the same browser to store the responses, then the changes are not effective. The administrator needs to start a new browser session for the changes to be made effective.

    Forgotten Password Post Actions

    Specify a name for each action, then define the actions that the Forgotten Password module must execute after a user successfully completes the Forgotten Password process and the user's password is modified.

    You can also use macros. For more information, see Configuring Macros for Messages and Actions. Specify a descriptive name for the action, then click OK to display the available options.

  6. In the toolbar, click Save changes.

6.1.3 Understanding the Verification Methods

The verification method that you require the users to use must be set to Required (place the vertical bar at the extreme right). You can also require a number of the Optional methods by specifying that number in Minimum Optional Required. For example, if you set the verification method Challenge/Response Answers to Required and set OTP (Mobile Device) Verification to Optional with no value specified in Minimum Optional Required, then during the forgotten password process the system requires the users to answer the challenge-response questions, or to skip them by using the one-time password for verification.
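To make the Required/Optional rule concrete, the following Python is an added example (not SSPR's own code) that evaluates a profile's verification methods against what a user has completed and lints the profile for settings that gate nothing or can never be satisfied. Level, verification_satisfied, remaining_steps and policy_problems are names chosen for this illustration, and the sample profile is constructed.

```python
from enum import Enum


class Level(Enum):
    """The three states a verification method can have in a profile."""
    NOT_USED = "not used"
    OPTIONAL = "optional"
    REQUIRED = "required"


def _split(policy):
    required = {m for m, lvl in policy.items() if lvl is Level.REQUIRED}
    optional = {m for m, lvl in policy.items() if lvl is Level.OPTIONAL}
    return required, optional


def verification_satisfied(policy, min_optional_required, completed):
    """Apply the profile rule: every Required method must pass, and then at
    least min_optional_required of the Optional methods must pass."""
    required, optional = _split(policy)
    completed = set(completed)
    if not required <= completed:
        return False
    return len(optional & completed) >= min_optional_required


def remaining_steps(policy, min_optional_required, completed):
    """What the user still has to do: the Required methods not yet passed and
    how many more Optional methods are needed (0 once the count is met)."""
    required, optional = _split(policy)
    completed = set(completed)
    still_required = sorted(required - completed)
    optional_needed = max(0, min_optional_required - len(optional & completed))
    return still_required, optional_needed


def policy_problems(policy, min_optional_required):
    """Hypothetical configuration lint (not an SSPR feature): under the rule
    above, a profile with no Required method and Minimum Optional Required of
    0 is satisfied by doing nothing, and a minimum larger than the number of
    Optional methods can never be met."""
    required, optional = _split(policy)
    problems = []
    if not required and min_optional_required == 0:
        problems.append("no Required method and Minimum Optional Required is 0: "
                        "the profile verifies nothing")
    if min_optional_required > len(optional):
        problems.append("Minimum Optional Required exceeds the number of Optional methods")
    return problems


# Constructed sample profile: the page's example with one extra Optional method.
SAMPLE_POLICY = {
    "Challenge/Response Answers": Level.REQUIRED,
    "OTP (Mobile Device) Verification": Level.OPTIONAL,
    "SMS/Email Token Verification": Level.OPTIONAL,
    "Previous Authentication": Level.NOT_USED,
}
```
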

The following are the verification methods that can be used during a forgotten password process:

  • Previous Authentication: This verification method checks whether a user has used the same browser previously for authentication. Self Service Password Reset requires the users to use the same browser for this method of the Forgotten Password module to work.

  • LDAP Attributes: This verification method requires the user to specify the values for all the LDAP attributes that you specified in the Required LDAP Attributes setting.

    If you have upgraded Self Service Password Reset from an earlier version where LDAP attributes were required for the Forgotten Password process, then ensure that you specify the LDAP attributes under the Required LDAP Attributes option and mark this verification method as Required.

  • Challenge/Response Answers: This verification method requires the users to answer the challenge-responses. For more information, see Configuring the Setup Security Questions Module.

  • SMS/Email Token Verification: This verification method allows the user to use the token verification through SMS or email.

    If you have upgraded Self Service Password Reset from an earlier version where the password send method was set as a token, then ensure that you mark this verification method as Required.

  • OTP (Mobile Device) Verification: This verification method requires the user to use the one-time password (OTP) during forgotten password process. For more information about OTP, see Configuring One-Time Password.

  • External Responses: This verification method allows the user to use the responses that are stored in the external web services server. This is applicable if you have specified the external web service server URL in Settings > Web Services > REST Clients > External Remote Responses REST Server URL.

  • OAuth2: This verification method allows you to create an OAuth2 connection between Self Service Password Reset and any application that supports OAuth2. For more information, see Configuring the OAuth2 Verification Method for the Forgotten Password Module.

  • Advanced Authentication: Self Service Password Reset deprecated this method of connecting to Advanced Authentication. If you have used this method in the past, it still works. However, if you want to configure a new deployment of Advanced Authentication with Self Service Password Reset, you must use the OAuth2 verification method. For more information, see Section 10.0, Integrating Self Service Password Reset with Advanced Authentication.

In a scenario where the verification method is challenge-response and OTP is optional, users can choose to skip enrolling for OTP. But during the forgotten password process, if you enabled OTP with the Force Setup - but allow user to skip setting, the login page prompts the users to enroll for OTP with an option to skip it. Self Service Password Reset prompts Active Directory users to enroll for OTP before a password is reset and prompts eDirectory users to enroll after a password is reset.

You can customize the text and descriptions for these verification methods that the users see through the Display Text options in the Configuration Editor. Under Display, search for Field_VerificationMethodMethod and Description_VerificationMethodMethod where Method is the name of the verification method. For more information, see Section 3.0, Configuring Self Service Password Reset.

6.1.4 Configuring the OAuth2 Verification Method for the Forgotten Password Module

If you selected to use OAuth2 as a verification method for the Forgotten Password module, you must configure additional settings to create the OAuth2 connection. OAuth2 is an authorization framework that enables other applications to gain access to Self Service Password Reset through this secure protocol.

To properly configure the OAuth2 verification method, you must obtain information from the application you are connecting to through this method. For example, if you are using Advanced Authentication as the application for the OAuth2 verification method, you must obtain information from Advanced Authentication to complete the configuration. You must also perform configuration steps in the connected application to complete the OAuth2 configuration.

To configure the OAuth2 verification method for the Forgotten Password module:

  1. Ensure that you have set the OAuth2 verification method to Required or Optional in the Forgotten Password profile.

  2. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  3. In the toolbar, click your name.

  4. Click Configuration Editor.

  5. Click Modules > Public > Forgotten Password > Profiles > OAuth.

  6. Use the following information to configure the OAuth settings:

    OAuth Login URL

    Specify the OAuth server login URL for the connected application. Self Service Password Reset redirects the user to this URL for authentication. For example:

    https://advanced-authentication.example.com/osp/a/TOP/auth/oauth2/grant

    OAuth Code Resolve Service URL

    Specify the OAuth Code Resolve Service URL for the connected application. Self Service Password Reset uses this web service URL to resolve the artifact returned by the OAuth identity server. For example:

    https://advanced-authentication.example.com/osp/a/TOP/auth/oauth2/authcoderesolve

    OAuth Profile Service URL

    Specify the web service URL provided by the identity server to return attribute data about the user. This is the identity server from the connected application. For example:

    https://advanced-authentication.example.com/osp/a/TOP/auth/oauth2/getattributes

    OAuth Web Service Server Certificates

    Import the certificate for the OAuth web service server. This is the connected application’s OAuth web service server.

    OAuth Client ID

    Specify the OAuth client ID from the connected application. The OAuth identity service provider gives you this value.

    OAuth Shared Secret

    Specify the OAuth shared secret from the connected application. The OAuth identity service provider gives you this value.

    OAuth User Name/DN Login Attribute

    Specify the attribute to request from the OAuth server that Self Service Password Reset uses as the user name for local authentication. Self Service Password Reset then resolves this value in the same way as if the user had typed it at the local authentication page.

    OAuth Inject User Name Value

    (Conditional) Specify the user name value to send as part of the grant or redirect request. The remote OAuth server must support the sign endpoint for this to work.

  7. In the toolbar, click Save changes.

  8. Configure the connected application to accept the OAuth2 connection by providing the OAuth URL endpoint from Self Service Password Reset. The URL base must be the value found in Settings > Application > Application > Site URL with /public/oauth appended at the end of the URL. For example:

    https://sspr.example.com/sspr/public/oauth