Using the Forgotten Password module, you can enable users to recover a forgotten password without contacting the help desk. After enabling this feature, the Forgotten Password option is displayed on the user login web page.
The Forgotten Password module uses different verification methods to let users recover their passwords. To know more about the verification methods, see Understanding Verification Methods.
For example, the administrator can require a challenge-response or a one-time password (OTP) before the password is changed. The user must then answer the challenge questions or enter the OTP to reset the forgotten password.
To enable this feature, perform the following actions:
When you configure a Forgotten Password profile, users of that group can reset their passwords by using the verification method that you define in that profile. You can define a default profile for all users. You can also create different profiles for different user groups.
Self Service Password Reset provides the following verification methods:
Previous Authentication: Checks if a user has used the same browser previously for authentication. Self Service Password Reset requires the users to use the same browser for the Forgotten Password module to work.
LDAP Attributes: Requires the user to specify the values for any LDAP attributes that you specified in the Required LDAP Attributes setting.
If you have upgraded Self Service Password Reset from an earlier version where LDAP attributes were required for the Forgotten Password process, then ensure that you specify the LDAP attributes under the Required LDAP Attributes option and mark this verification method as Required.
Challenge/Response Answers: Requires the users to answer the challenge-response questions.
SMS/Email Token Verification: Sends users a token by SMS or email, which they must enter to verify themselves.
If you have upgraded Self Service Password Reset from an earlier version where the password send method was set as a token, then ensure that you mark this verification method as Required.
OTP (Mobile Device) Verification: Requires the user to use the one-time password (OTP) during the forgotten password process.
External Responses: Allows the user to use the responses that are stored in the external web services server. This is applicable if you have specified the external web service server URL in Settings > Web Services > REST Clients > External Remote Responses REST Server URL.
OAuth2: Allows you to create an OAuth2 connection between Self Service Password Reset and any application that supports OAuth2.
Advanced Authentication: Self Service Password Reset deprecated this method of connecting to NetIQ Advanced Authentication. If you have used this method in the past, it still works. However, if you want to configure a new deployment of Advanced Authentication with Self Service Password Reset, you must use the OAuth2 verification method.
You can customize the text and descriptions for these methods that users see through Display Text options in the Configuration Editor. Under Display, search for Field_VerificationMethodMethod and Description_VerificationMethodMethod where Method is the name of the verification method.
The default profile is defined in the default section. To configure it, perform the following actions:
Log in to Self Service Password Reset as an administrator.
In the top-right corner of the Dashboard screen, click the user name.
Click Configuration Editor.
Navigate to Modules > Public > Forgotten Password > Profiles > default > Definition.
Configure the following settings:
Field | Description
---|---
Forgotten Password Profile Match | Add an LDAP filter that defines the set of users Self Service Password Reset assigns to this profile. Use this filter to add a new group of users to the Forgotten Password profile.
Verification Methods | Set each verification method that users must complete to Required (place the vertical bar at the far right). Methods set to Optional count toward the number you enter in Minimum Optional Required: users must complete at least that many of the optional methods in addition to every required method. For example, if you set Challenge/Response Answers to Required and OTP (Mobile Device) Verification to Optional with no value in Minimum Optional Required, users must answer the challenge-response questions and may skip the one-time password verification. In that scenario users can also choose to skip enrolling for OTP. However, if you enabled OTP with the Force Setup - but allow user to skip setting, the login page prompts users to enroll for OTP during the forgotten password process, with an option to skip it. Self Service Password Reset prompts Active Directory users to enroll for OTP before the password is reset and prompts eDirectory users to enroll after the password is reset. For more information about verification methods, see Understanding Verification Methods.
Token Send Method | Select one of the following methods for sending the token code or a new password to a user:
Forgotten Password Recovery Mode | Select one of the following recovery modes:
New Password Send Method | Select one of the following methods for sending the new password to users if the Forgotten Password Success Action is set to Send new password:
Required LDAP Attributes | Add the LDAP attributes that users must supply as part of forgotten password authentication. Perform the following steps to add a new LDAP attribute:
Click Save changes.
If you select OAuth2 as a verification method, also configure the OAuth2 connection to the external application. For more information, see Configuring the OAuth2 Verification Method for the Forgotten Password Module.
Perform the following actions to configure the OAuth settings:
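To make the Required, Optional and Minimum Optional Required semantics described for the Verification Methods setting concrete, here is an added example that is not Self Service Password Reset's own code. It evaluates whether the methods a user has completed satisfy a profile. The profile dictionary, the use of method names as keys, and the function name are constructions for this example; the rule it encodes is the reading of the settings above: every Required method must be completed, and at least Minimum Optional Required of the Optional methods.

```python
REQUIRED, OPTIONAL, NOT_USED = "Required", "Optional", "Not Used"

# Constructed profile mirroring the scenario in the text: challenge-response required,
# OTP optional, nothing entered in Minimum Optional Required (treated as 0).
EXAMPLE_PROFILE = {
    "methods": {
        "Challenge/Response Answers": REQUIRED,
        "OTP (Mobile Device) Verification": OPTIONAL,
        "SMS/Email Token Verification": OPTIONAL,
        "LDAP Attributes": NOT_USED,
    },
    "minimum_optional_required": 0,
}


def evaluate_verification(profile, completed):
    """Decide whether the methods a user has completed satisfy the profile.

    Rule as read from the settings on this page: every Required method must be
    completed, and at least minimum_optional_required of the Optional methods must
    be completed. Not Used methods never count and may not be submitted.
    """
    methods = profile["methods"]
    required = {m for m, state in methods.items() if state == REQUIRED}
    optional = {m for m, state in methods.items() if state == OPTIONAL}
    completed = set(completed)
    unusable = completed - required - optional
    if unusable:
        raise ValueError("not usable in this profile: %s" % sorted(unusable))
    missing_required = sorted(required - completed)
    optional_short = max(0, profile["minimum_optional_required"] - len(completed & optional))
    return {
        "satisfied": not missing_required and optional_short == 0,
        "missing_required": missing_required,
        "optional_still_needed": optional_short,
    }
```

Raising Minimum Optional Required to 1 on the same profile turns the optional OTP and SMS/email methods into an "at least one of these" requirement without making any single one of them mandatory, which is the configuration the text describes as including optional methods as required ones.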
Log in to Self Service Password Reset as an administrator.
In the top-right corner of the Dashboard screen, click the user name.
Click Configuration Editor.
Navigate to Modules > Public > Forgotten Password > Profiles > default > OAuth.
Configure the following OAuth settings:
Field | Description
---|---
OAuth Login URL | Specify the login URL of the OAuth server. Self Service Password Reset redirects users to this URL for authentication.
OAuth Code Resolve Service URL | Specify the OAuth token / code resolve service URL. This web service resolves the artifact (authorization code) sent by the OAuth identity server.
OAuth Profile Service URL | Specify the web service URL provided by the identity server that returns the attribute data of a user.
OAuth Web Service Server Certificate | Click Import from Server to import the web server certificate. Before saving, confirm that the imported certificate matches the one the OAuth provider publishes (for example, compare fingerprints out of band): the certificate you import here is the one Self Service Password Reset will trust for these connections.
OAuth Client ID | Specify the OAuth client ID that identifies Self Service Password Reset in the remote system. The OAuth identity service provider issues this ID.
OAuth Shared Secret | Specify the OAuth shared secret for that client. The OAuth identity service provider issues this value; treat it as a credential and do not reuse it for other clients.
OAuth User Name/DN Login Attribute | Specify the attribute to request from the OAuth server whose value Self Service Password Reset uses as the user name (or DN) for local authentication.
OAuth Inject User Name Value | Specify the user name value to send as part of the redirect request.
In the toolbar, click Save changes.
Log in to Self Service Password Reset as an administrator.
In the top-right corner of the Dashboard screen, click the user name.
Click Configuration Editor.
Navigate to Modules > Public > Forgotten Password > Profiles > default > Option.
Configure the following settings:
Field | Description
---|---
Allow Intruder Unlock | When repeated failed login attempts intruder-lock an account, enable this option to let the user unlock the account instead of resetting the password.
Allow Forgotten Password when Locked | Enable this option to allow users to use the Forgotten Password feature while the account is intruder locked in LDAP. This option is not available when a user's responses are stored in NMAS.
Allow Token Resend | Enable this option to let users request the token again if they did not receive it on the first attempt.
Minimum Password Lifetime Options | These options control what happens when a user starts Forgotten Password while the current password is still within the minimum password lifetime window of the user's effective password policy. They are relevant only if that policy sets a minimum password lifetime. Select one of the following options:
In the toolbar, click Save changes.
Using Edit List, you can create a new Forgotten Password profile and add a list of forgotten password policies.
NOTE: It is recommended not to modify the default list unless it is critical to define different forgotten password behavior for different users.
Profile names must meet the following requirements:
Start with a letter (a-z or A-Z).
Contain only letters, numbers, and hyphens.
Length between 2 and 15 characters.
Perform the following steps to add a new profile:
Click Add Profile.
Specify the profile name in Forgotten Password Profile - Add Value.
Click OK.
For more information about profile selection by LDAP filter, see Forgotten Password Profile Match.
To complete the configuration of the Forgotten Password module, you must also configure the Forgotten Password settings. The settings allow you to set up actions that the Forgotten Password process performs during the password recovery process.
NOTE: If you are using Active Directory, Self Service Password Reset examines the password history when users change their passwords only if Minimum Password Age is set to 0 and the proxy is disabled. If Minimum Password Age is not 0, users must set a new password to complete the Forgotten Password sequence.
During the Forgotten Password process, Self Service Password Reset uses the users' challenge-response information to secure the process. You can choose which hashing method Self Service Password Reset uses when it stores that information.
Log in to Self Service Password Reset as an administrator.
In the top-right corner of the Dashboard screen, click the user name.
Click Configuration Editor.
Click Modules > Public > Forgotten Password > Settings.
Configure the following Forgotten Password settings:
Field | Description
---|---
Enable Forgotten Password | Enable this option to make forgotten password recovery available to users.
Forgotten Password User Search Form | Specify the form fields users must complete to identify themselves at the start of forgotten password recovery. Self Service Password Reset requires users to enter each attribute.
Forgotten Password User Search Filter | Click Add Value and add an LDAP search filter in Edit Value - Forgotten Password User Search Filter. Self Service Password Reset uses this filter to find the user during forgotten password recovery. The filter must include each attribute in Forgotten Password User Search Form. Self Service Password Reset replaces tokens made of a form item name enclosed in percent signs (such as %cn%) with the values the user provides. For example, if the form includes the attributes cn and sn, this filter might be appropriate: (&(objectClass=person)(cn=%cn%)(sn=%sn%)) If you do not specify this setting, Self Service Password Reset generates a search filter from the required items in Forgotten Password User Search Form.
Response Read Location | Select the location from which Self Service Password Reset reads the responses. If you select an option that lists multiple locations, Self Service Password Reset reads each location in turn until it finds a stored response. By default, Response Read Location is set to LDAP. The available locations are:
Response Write Location | Select the location where Self Service Password Reset writes the responses. Self Service Password Reset writes to all storage methods when users configure their response answers. By default, Response Write Location is set to LDAP. The available locations are: IMPORTANT: Do not use the Local DB to store responses in a production environment. Local DB storage cannot be made redundant, and no good backup method is available for it.
Response Storage Hashing Method | Select the method Self Service Password Reset uses to hash responses before storing them. Storing responses as plain text can simplify synchronization or migration to other systems but is not secure. This setting controls only how Self Service Password Reset writes responses: it can still read responses stored in other formats, but it cannot convert existing responses until the user sets the responses again. Use the reporting engine to identify and count the hash types in use. By default, Response Storage Hashing Method is set to PBKDF2WithHmacSHA512.
Forgotten Password Post Actions | These actions run after a user completes the forgotten password sequence successfully and the password has been modified. For example, if you add an action that updates the phone number in LDAP, the user's phone number is updated once the user completes the forgotten password sequence successfully.
Enable Bogus User Policy | Enable this option so that Forgotten Password treats searches for invalid users as if they were valid and shows such users a fake forgotten password policy. This prevents user name discovery: an attacker cannot tell from the response whether the account exists.
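The user search filter and the bogus user policy above are the two places where the identity a user types is handled before any verification happens. The following added example is my illustration, not Self Service Password Reset's code: it renders a filter template containing %name% tokens, hex-escapes the submitted values as RFC 4515 requires, evaluates the result against a constructed in-memory directory using a minimal filter parser, and returns a deterministic decoy policy whenever no single user matches. The directory entries, decoy questions, seed and function names are constructed for the example. Whether and how Self Service Password Reset itself escapes filter values is not stated on this page, which is why the example shows the escaped substitution next to the naive one.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the LDAP directory (DN -> attributes); not real data.
SAMPLE_DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "cn": "alice", "sn": "Smith",
        "challengeQuestions": ["Name of your first school?", "City you were born in?"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "cn": "bob", "sn": "Jones",
        "challengeQuestions": ["Your first pet's name?", "Your mother's maiden name?"]},
}
# Constructed decoy questions and a hypothetical per-deployment secret for the bogus user policy.
DECOY_QUESTIONS = ["Name of your first school?", "City you were born in?", "Your first pet's name?",
                   "Your mother's maiden name?", "Make of your first car?", "Name of your favourite teacher?"]
BOGUS_POLICY_SEED = b"constructed-example-seed"
_TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9]*)%")


def ldap_escape(value):
    """Hex-escape *, (, ), backslash and NUL (RFC 4515) so user input cannot change filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_search_filter(template, form_values, escape=True):
    """Replace %name% tokens with form values. escape=False is naive substitution, kept to show the injection."""
    def repl(match):
        name = match.group(1)
        if name not in form_values:
            raise KeyError("form has no field %r for filter token" % name)
        return ldap_escape(form_values[name]) if escape else form_values[name]
    return _TOKEN.sub(repl, template)


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...) and (attr=value)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s list" % op)
        return (op, children), i + 1
    end = s.find(")", i)
    attr, sep, raw = s[i:end].partition("=")
    if end < 0 or not sep:
        raise ValueError("malformed filter item")
    return ("eq", attr, raw), end + 1


def _unescape(part):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _matches(node, entry):
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(_matches(child, entry) for child in node[1])
    _, attr, raw = node
    # A raw '*' is a wildcard; an escaped \2a is a literal asterisk, so split before unescaping.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def search_users(template, form_values, directory=SAMPLE_DIRECTORY, escape=True):
    """Return the DNs matched by the rendered Forgotten Password User Search Filter."""
    node = parse_filter(render_search_filter(template, form_values, escape))
    return [dn for dn, entry in directory.items() if _matches(node, entry)]


def bogus_questions(form_values, count=2):
    """Choose decoy questions deterministically from the submitted identity, so repeated
    probes for the same unknown user always see the same fake policy."""
    identity = "|".join("%s=%s" % kv for kv in sorted(form_values.items())).casefold()
    digest = hmac.new(BOGUS_POLICY_SEED, identity.encode("utf-8"), hashlib.sha256).digest()
    pool, chosen = list(DECOY_QUESTIONS), []
    for b in digest[:count]:
        chosen.append(pool.pop(b % len(pool)))
    return chosen


def forgotten_password_policy(template, form_values, directory=SAMPLE_DIRECTORY):
    """Exactly one match is a real user; zero or an ambiguous result gets the bogus policy,
    so the shape of the response does not reveal whether the account exists."""
    hits = search_users(template, form_values, directory)
    if len(hits) == 1:
        return {"bogus": False, "dn": hits[0], "questions": directory[hits[0]]["challengeQuestions"]}
    return {"bogus": True, "dn": None, "questions": bogus_questions(form_values)}
```

With the form values cn = `*)(objectClass=*` and sn = `*`, naive substitution turns the two-attribute filter into one that matches every person in the directory, which is exactly the enumeration the bogus user policy is meant to prevent; the escaped rendering matches nobody and therefore receives the same decoy policy as any other unknown name.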
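As an added illustration of the Response Storage Hashing Method setting (not Self Service Password Reset's code), the following Python hashes a challenge answer with PBKDF2-HMAC-SHA512 and a random per-response salt, verifies answers with a constant-time comparison, reads a legacy plain-text record, and counts the storage methods in use the way the reporting step above suggests. The record layout, the iteration count, and the answer normalization are assumptions. Re-hashing a legacy record after a successful verification is one way to deal with the conversion limitation noted above, offered as a design option rather than as documented product behaviour.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from collections import Counter

# Assumed work factor; the iteration count Self Service Password Reset uses is not on this page.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def normalize_answer(answer):
    """Make matching tolerant of case and spacing (an assumption, not documented SSPR behaviour)."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_response(answer, salt=None, iterations=PBKDF2_ITERATIONS):
    """Produce a stored record in the PBKDF2WithHmacSHA512 format with a random per-response salt."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return {
        "method": "PBKDF2WithHmacSHA512",
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify_response(answer, record):
    """Check an answer against a stored record in any supported format.

    Returns (matched, upgraded). upgraded is a fresh PBKDF2 record when the stored
    record used a weaker format and the answer matched, so a verified answer can be
    re-stored in the current format without asking the user to set it again.
    """
    method = record["method"]
    if method == "PBKDF2WithHmacSHA512":
        expected = base64.b64decode(record["hash"])
        actual = hashlib.pbkdf2_hmac("sha512", normalize_answer(answer).encode("utf-8"),
                                     base64.b64decode(record["salt"]), record["iterations"])
        return hmac.compare_digest(actual, expected), None
    if method == "PLAINTEXT":
        # Legacy format: still readable, but a match is the moment to upgrade it.
        matched = hmac.compare_digest(normalize_answer(answer).encode("utf-8"),
                                      normalize_answer(record["value"]).encode("utf-8"))
        return matched, hash_response(answer) if matched else None
    raise ValueError("unsupported response storage method %r" % method)


def count_hash_types(records):
    """What the reporting engine would tell you: how many responses use each storage method."""
    return dict(Counter(r["method"] for r in records))
```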
If you select OAuth2 as a verification method for the Forgotten Password module, you must configure additional settings to create the OAuth2 connection. OAuth2 is an authorization framework; here Self Service Password Reset uses it to verify a user's identity against an external application that supports OAuth2 before allowing the password reset. For more information, see OAuth 2.0.
To configure the OAuth2 verification method properly, you must obtain information from the application you are connecting to through this method. Here is a list of the information you must get from the connecting application:
Login URL from the OAuth server
OAuth code resolve service URL from the OAuth server
Web service URL of the identity server that contains attribute data about the users
OAuth web service server certificate
OAuth client ID from the OAuth identity service provider
OAuth shared secret from the OAuth identity service provider
OAuth user name or DN login attribute from the OAuth server
User name value to inject as part of the /grant redirect request
NOTE: The remote OAuth server must support the /sign endpoint for this to work.
For example, if you are using Advanced Authentication as the application for the OAuth2 verification method, you must obtain information from Advanced Authentication to complete the configuration. Also, you must perform configuration steps in the connected application to finish the OAuth2 configuration.
To configure the OAuth2 verification method for the Forgotten Password module:
Ensure that you have set the OAuth2 verification method to Required or Optional in the Verification Methods of the Forgotten Password profile.
Log in to Self Service Password Reset as an administrator.
In the toolbar, click the user name.
Click Configuration Editor.
Click Modules > Public > Forgotten Password > Profiles > default > OAuth.
Use the information you obtained to configure the OAuth settings. For information about fields, see Configuring the OAuth Connection to an External Application.
In the toolbar, click Save changes.
Configure the connected application to accept the OAuth2 connection by giving it the OAuth endpoint URL of Self Service Password Reset. This URL is the value of Settings > Application > Application > Site URL with /public/OAuth appended. For example:
https://sspr.example.com/sspr/public/OAuth