6.1 Configuring the Forgotten Password Module

Self Service Password Reset allows users to recover a forgotten password without contacting the help desk. The Forgotten Password module is a configurable feature. After enabling this feature, users see the Forgotten Password option on the user login web page.

The Forgotten Password module uses challenge-response authentication to let users recover their passwords. This feature prompts the user for a challenge set or a one-time password (OTP) before allowing a password change. Requiring a user to answer challenge questions, or to enter an OTP, before receiving the forgotten password provides an additional level of security.

To correctly configure the Forgotten Password module, you must define a Forgotten Password profile and configure the Forgotten Password settings.

6.1.1 Configuring the Forgotten Password Profile

You can configure a Forgotten Password profile, and the users in that group can reset their passwords by using the method that you define in the settings for that profile. This section helps you define the default Forgotten Password profile. If you want to create different profiles for different user groups, you can use the Edit List option to create them. For more information about creating and configuring profiles, see Configuring Profiles.

Users can use challenge-response and also a one-time password (OTP) during the forgotten password process, depending on the verification methods that you define in the profile. For more information about one-time passwords, see Configuring One-Time Password.

You must define the verification methods that you want your users to use during the Forgotten Password process. Users must satisfy every method you set to Required; they then select from the remaining Optional methods until they have completed the minimum number of Optional methods. For more information, see Understanding the Verification Methods.

To configure the Forgotten Password profile:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Public > Forgotten Password > Profiles > default > Definition.

  5. Configure the settings for the Forgotten Password profile using the help.

  6. (Conditional) Configure the OAuth2 connection to an external application if you selected OAuth2 as a verification method. For more information, see Configuring the OAuth2 Verification Method for the Forgotten Password Module.

  7. In the toolbar, click Save changes.

6.1.2 Configuring the Forgotten Password Settings

To complete the configuration of the Forgotten Password module, you must also configure the Forgotten Password settings. These settings allow you to set up the actions that the Forgotten Password process performs during password recovery.

NOTE: If you are using Active Directory, then when users change their passwords Self Service Password Reset considers the password history only when the Minimum Password Age is set to 0 and the proxy is disabled. If Minimum Password Age is not 0, it is important that users change the password through the email token to the password history.

During the Forgotten Password process, Self Service Password Reset uses the users' challenge-response information to secure the process. Self Service Password Reset allows you to store the challenge-response information using different security hashing methods. For more information, see Understanding Challenge-Response Storage Methods in the Self Service Password Reset 4.2 Installation Guide.

To configure the Forgotten Password settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Public > Forgotten Password > Settings.

  5. Configure the Forgotten Password settings using the help.

  6. In the toolbar, click Save changes.

6.1.3 Understanding the Verification Methods

The verification method that you require users to use must be set to Required (placing the vertical bar at the far right). You can also treat a number of the Optional methods as required by specifying that number in Minimum Optional Required. For example, if you set the verification method Challenge/Response Answers to Required and set OTP (Mobile Device) Verification to Optional with no value specified in Minimum Optional Required, then during the forgotten password process the system requires users to answer the challenge-response questions, or to skip them by using the one-time password for verification.
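The following Python script is an added example, not part of this guide or of the Self Service Password Reset product, that models the evaluation rule described in this section: every method set to Required must be satisfied, and then at least Minimum Optional Required of the Optional methods must be completed. The method names (CHALLENGE_RESPONSES, OTP_MOBILE, TOKEN) are constructed labels, not the product's internal identifiers, and the configuration checks are our own sanity checks rather than the product's validation.

```python
from dataclasses import dataclass
from enum import Enum


class Usage(Enum):
    """How a verification method is configured in a Forgotten Password profile."""
    DISABLED = "disabled"
    OPTIONAL = "optional"
    REQUIRED = "required"


@dataclass(frozen=True)
class Profile:
    # Keys are constructed method labels (assumption), not SSPR's own identifiers.
    methods: dict
    minimum_optional_required: int = 0


@dataclass(frozen=True)
class Verdict:
    satisfied: bool
    missing_required: tuple      # Required methods the user has not completed
    optional_still_needed: int   # Optional methods still to complete to reach the minimum
    ignored: tuple               # completed methods that do not count (disabled or unknown)


def configuration_problems(profile):
    """Our own sanity checks on a profile (assumption: not the product's validation)."""
    problems = []
    optional = [m for m, u in profile.methods.items() if u is Usage.OPTIONAL]
    required = [m for m, u in profile.methods.items() if u is Usage.REQUIRED]
    if profile.minimum_optional_required < 0:
        problems.append("Minimum Optional Required must not be negative")
    if profile.minimum_optional_required > len(optional):
        problems.append("Minimum Optional Required exceeds the number of Optional "
                        "methods; no user could ever complete recovery")
    if not required and profile.minimum_optional_required == 0:
        problems.append("no verification is enforced: no Required method and "
                        "Minimum Optional Required is 0")
    return problems


def evaluate(profile, completed):
    """Apply the rule from the text: all Required methods first, then at least
    Minimum Optional Required of the Optional ones."""
    done = set(completed)
    required = {m for m, u in profile.methods.items() if u is Usage.REQUIRED}
    optional = {m for m, u in profile.methods.items() if u is Usage.OPTIONAL}
    missing_required = tuple(sorted(required - done))
    optional_done = len(optional & done)
    optional_still_needed = max(0, profile.minimum_optional_required - optional_done)
    ignored = tuple(sorted(done - required - optional))
    satisfied = not missing_required and optional_still_needed == 0
    return Verdict(satisfied, missing_required, optional_still_needed, ignored)


# Constructed sample profile matching the example in the text: challenge/response
# answers Required, mobile OTP Optional, no Minimum Optional Required.
EXAMPLE_PROFILE = Profile(
    methods={"CHALLENGE_RESPONSES": Usage.REQUIRED, "OTP_MOBILE": Usage.OPTIONAL},
    minimum_optional_required=0,
)

if __name__ == "__main__":
    print(configuration_problems(EXAMPLE_PROFILE))
    print(evaluate(EXAMPLE_PROFILE, ["CHALLENGE_RESPONSES"]))
    print(evaluate(EXAMPLE_PROFILE, ["OTP_MOBILE"]))
```

The third configuration check is the one worth keeping an eye on during an audit: a profile with no Required method and Minimum Optional Required left at 0 would let the recovery flow complete without any verification at all.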

The following are the verification methods that can be used during a forgotten password process:

  • Previous Authentication: This verification method checks whether the user has previously authenticated from the same browser. Self Service Password Reset requires users to use the same browser for this Forgotten Password verification method to work.

  • LDAP Attributes: This verification method requires the user to specify the values for all the LDAP attributes that you specified in the Required LDAP Attributes setting.

    If you have upgraded Self Service Password Reset from an earlier version where LDAP attributes were required for the Forgotten Password process, then ensure that you specify the LDAP attributes under the Required LDAP Attributes option and mark this verification method as Required.

  • Challenge/Response Answers: This verification method requires the users to answer the challenge-responses. For more information, see Configuring the Setup Security Questions Module.

  • SMS/Email Token Verification: This verification method allows the user to verify with a token sent through SMS or email.

    If you have upgraded Self Service Password Reset from an earlier version where the password send method was set as a token, then ensure that you mark this verification method as Required.

  • OTP (Mobile Device) Verification: This verification method requires the user to use a one-time password (OTP) during the forgotten password process. For more information about OTP, see Configuring One-Time Password.

  • External Responses: This verification method allows the user to use the responses that are stored in the external web services server. This is applicable if you have specified the external web service server URL in Settings > Web Services > REST Clients > External Remote Responses REST Server URL.

  • OAuth2: This verification method allows you to create an OAuth2 connection between Self Service Password Reset and any application that supports OAuth2. For more information, see Configuring the OAuth2 Verification Method for the Forgotten Password Module.

  • Advanced Authentication: Self Service Password Reset deprecated this method of connecting to Advanced Authentication. If you have used this method in the past, it still works. However, if you want to configure a new deployment of Advanced Authentication with Self Service Password Reset, you must use the OAuth2 verification method. For more information, see Section 10.0, Integrating Self Service Password Reset with Advanced Authentication.

In a scenario where the challenge-response verification method is required and OTP is optional, users can choose to skip enrolling for OTP. However, during the forgotten password process, if you enabled OTP with the Force Setup - but allow user to skip setting, the login page prompts users to enroll for OTP with an option to skip it. Self Service Password Reset prompts Active Directory users to enroll for OTP before a password is reset and prompts eDirectory users to enroll after a password is reset.

You can customize the text and descriptions for these verification methods that the users see through the Display Text options in the Configuration Editor. Under Display, search for Field_VerificationMethodMethod and Description_VerificationMethodMethod where Method is the name of the verification method. For more information, see Section 3.0, Configuring Self Service Password Reset.

6.1.4 Configuring the OAuth2 Verification Method for the Forgotten Password Module

If you selected to use OAuth2 as a verification method for the Forgotten Password module, you must configure additional settings to create the OAuth2 connection. OAuth2 is an authorization framework that enables other applications to gain access to Self Service Password Reset through this secure protocol. For more information, see OAuth 2.0.

To properly configure the OAuth2 verification method you must obtain information from the application you are connecting to through this method. Here is a list of the information you must have from the connecting application:

  • Login URL from the OAuth server

  • OAuth code resolve service URL from the OAuth server

  • Web service URL of the identity server that contains attribute data about the users

  • OAuth web service server certificate

  • OAuth client from the OAuth identity service provider

  • OAuth shared secret from the OAuth identity service provider

  • OAuth user name or DN login attribute from the OAuth server

  • User name value to inject as part of the /grant redirect request

    NOTE: The remote OAuth server must support the /sign endpoint for this to work.

For example, if you are using Advanced Authentication as the application for the OAuth2 verification method, you must obtain this information from Advanced Authentication to complete the configuration. You must also perform configuration steps in the connected application to complete the OAuth2 configuration.

To configure the OAuth2 verification method for the Forgotten Password module:

  1. Ensure that you have set the OAuth2 verification method to Required or Optional in the Forgotten Password profile.

  2. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  3. In the toolbar, click your name.

  4. Click Configuration Editor.

  5. Click Modules > Public > Forgotten Password > Profiles > OAuth.

  6. Use the information you obtained to configure the OAuth settings using the help.

  7. In the toolbar, click Save changes.

  8. Configure the connected application to accept the OAuth2 connection by providing the OAuth URL endpoint from Self Service Password Reset. The URL base must be the value found in Settings > Application > Application > Site URL with /public/oauth appended to the end of the URL. For example:

    https://sspr.example.com/sspr
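The following Python script is an added example, not part of this guide or of the Self Service Password Reset product, showing how to derive the endpoint URL of step 8 from the Site URL setting and to check it against the value registered in the connected application. It assumes the /public/oauth path given in step 8, rejects a Site URL that is not https or that carries a query string or fragment, and strips a trailing slash so that a Site URL entered as https://sspr.example.com/sspr/ does not produce a double slash. The comparison is an exact string match, as RFC 6749 section 3.1.2.3 requires for a fully registered redirection URI.

```python
from urllib.parse import urlsplit, urlunsplit

# Path of the Self Service Password Reset OAuth endpoint, as given in step 8.
OAUTH_CALLBACK_PATH = "/public/oauth"


def oauth_redirect_url(site_url: str) -> str:
    """Build the endpoint URL to register with the connected OAuth2 application
    from the Site URL setting, rejecting values that would yield a bad registration."""
    parts = urlsplit(site_url.strip())
    if parts.scheme != "https":
        raise ValueError(f"Site URL must use https, got {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("Site URL has no host")
    if parts.query or parts.fragment:
        raise ValueError("Site URL must not carry a query string or fragment")
    # Avoid a double slash when the Site URL was entered with a trailing "/".
    path = parts.path.rstrip("/") + OAUTH_CALLBACK_PATH
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def redirect_url_matches(registered: str, site_url: str) -> bool:
    """Exact string comparison, as RFC 6749 section 3.1.2.3 requires when the
    full redirection URI is registered; a stray slash or a different case in
    the host is enough for the authorization server to refuse the request."""
    return registered == oauth_redirect_url(site_url)


if __name__ == "__main__":
    # Constructed sample values; sspr.example.com is a placeholder host.
    print(oauth_redirect_url("https://sspr.example.com/sspr"))
    print(redirect_url_matches("https://sspr.example.com/sspr/public/oauth",
                               "https://sspr.example.com/sspr/"))
```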