6.1 Configuring Forgotten Password Module

Using the Forgotten Password module, you can enable users to recover a forgotten password without contacting the help desk. After enabling this feature, the Forgotten Password option is displayed on the user login web page.

The Forgotten Password module uses different verification methods to let users recover their passwords. To know more about the verification methods, see Understanding Verification Methods.

For example, the administrator can require a challenge-response or a one-time password (OTP) before the password can be changed. The user must then answer the challenge questions or specify an OTP to reset the forgotten password.

To enable this feature, perform the following actions:

6.1.1 Configuring the Forgotten Password Profile

When you configure a Forgotten Password profile, users of that group can reset their passwords by using the verification method that you define in that profile. You can define a default profile for all users. You can also create different profiles for different user groups.

Understanding Verification Methods

Self Service Password Reset provides the following verification methods:

  • Previous Authentication: Checks if a user has used the same browser previously for authentication. Self Service Password Reset requires the users to use the same browser for the Forgotten Password module to work.

  • LDAP Attributes: Requires the user to specify the values for any LDAP attributes that you specified in the Required LDAP Attributes setting.

    If you have upgraded Self Service Password Reset from an earlier version where LDAP attributes were required for the Forgotten Password process, then ensure that you specify the LDAP attributes under the Required LDAP Attributes option and mark this verification method as Required.

  • Challenge/Response Answers: Requires the users to answer the challenge-response questions.

  • SMS/Email Token Verification: Allows users to use the token verification through SMS or email.

    If you have upgraded Self Service Password Reset from an earlier version where the password send method was set as a token, then ensure that you mark this verification method as Required.

  • OTP (Mobile Device) Verification: Requires the user to use the one-time password (OTP) during the forgotten password process.

  • External Responses: Allows the user to use the responses that are stored in the external web services server. This is applicable if you have specified the external web service server URL in Settings > Web Services > REST Clients > External Remote Responses REST Server URL.

  • OAuth2: Allows you to create an OAuth2 connection between Self Service Password Reset and any application that supports OAuth2.

  • Advanced Authentication: Self Service Password Reset deprecated this method of connecting to NetIQ Advanced Authentication. If you have used this method in the past, it still works. However, if you want to configure a new deployment of Advanced Authentication with Self Service Password Reset, you must use the OAuth2 verification method.

You can customize the text and descriptions for these methods that users see through Display Text options in the Configuration Editor. Under Display, search for Field_VerificationMethodMethod and Description_VerificationMethodMethod where Method is the name of the verification method.

Configuring the Default Profile

You can configure the existing profiles in the default section. To configure a default profile, perform the following actions:

Configuring Definitions

  1. Log in to Self Service Password Reset as an administrator.

  2. In the top-right corner of the Dashboard screen, click the user name.

  3. Click Configuration Editor.

  4. Navigate to Modules > Public > Forgotten Password > Profiles > default > Definition.

  5. Configure the following settings:

    Forgotten Password Profile Match

    Add an LDAP filter to define the set of users that Self Service Password Reset assigns to this profile.

    1. Click Add Filter.

    2. Select the filter for profiles in LDAP Profile.

    3. Specify a valid LDAP filter in LDAP Search Filter.

    4. Specify the LDAP base DN in LDAP Base DN (Optional).

    5. Click View Matches.

    You can add a new group of users to the Forgotten Password profile.

    1. Click Add Group.

    2. Select the filter for filtering the profiles in LDAP Profile.

    3. Specify the LDAP base DN in LDAP Group DN.

    4. Click View Matches.

    Verification Methods

    The verification method that you require the users to use must be set to Required (placing the vertical bar to the extreme right). You can also include multiple optional methods as required methods by specifying that number in Minimum Optional Required.

    For example, if you set the verification method Challenge/Response Answers to Required and set OTP (Mobile Device) Verification to Optional with no value specified in Minimum Optional Required, then users are required to answer the challenge-response questions, or can skip them by using the one-time password for verification during the forgotten password process.

    In a scenario where the challenge-response verification method is required and OTP is optional, users can choose to skip enrolling for OTP. But during the forgotten password process, if you enabled OTP with the Force Setup - but allow user to skip setting, the login page prompts users to enroll for OTP with an option to skip it. Self Service Password Reset prompts Active Directory users to enroll for OTP before a password is reset and prompts eDirectory users to enroll after the password is reset.

    For more information about verification methods, see Understanding Verification Methods.

    Token Send Method

    Select one of the following methods for sending the token code or a new password to a user:

    • Email - Send to the email address

    • SMS - Send via SMS

    • User choice - If both SMS and email address are available, the user decides

    Forgotten Password Recovery Mode

    Select one of the following recovery modes:

    • Allow user to set password

    • Send new password

    • Send new password and mark as expired

    New Password Send Method

    Select one of the following methods for sending the new password to users if the Forgotten Password Success Action is set to Send new password:

    • Email - Send to the email address

    • SMS - Send via SMS

    Required LDAP Attributes

    Add the required LDAP attributes for forgotten password authentication. Users must provide these attributes as part of the forgotten password authentication process. Perform the following steps to add a new LDAP attribute:

    1. Click Add Item.

    2. Specify a name for the attribute in Required LDAP Attributes - New Form.

    3. Click OK.

  6. Click Save changes.
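The Verification Methods setting above combines methods marked Required, methods marked Optional, and the Minimum Optional Required count. The following is an added example, not code from Self Service Password Reset or its documentation: it models one reasonable reading of that setting (every Required method must be completed, and at least Minimum Optional Required of the Optional methods must be completed), and it flags the profile that matters most to a defender, namely one with no Required method and Minimum Optional Required left at 0, which would let a user through without completing any verification. The `Level` enum, the function names and the rule set are assumptions for illustration.

```python
# Added example (not SSPR's own code): models how a Forgotten Password
# profile's Verification Methods setting could be evaluated. The rules are an
# assumption drawn from the description of the setting, not the product's
# implementation.
from enum import Enum


class Level(Enum):
    NOT_USED = "not_used"
    OPTIONAL = "optional"
    REQUIRED = "required"   # slider pushed to the extreme right


def lint_profile(profile, minimum_optional_required=0):
    """Return configuration warnings for a profile (assumed rules).

    `profile` maps a method name to its Level."""
    required = [m for m, lvl in profile.items() if lvl is Level.REQUIRED]
    optional = [m for m, lvl in profile.items() if lvl is Level.OPTIONAL]
    warnings = []
    if not required and not optional:
        warnings.append("no verification method is enabled")
    if not required and minimum_optional_required == 0:
        warnings.append("no method is Required and Minimum Optional Required is 0: "
                        "a user could reset a password without completing any verification")
    if minimum_optional_required > len(optional):
        warnings.append("Minimum Optional Required exceeds the number of Optional methods")
    return warnings


def evaluate_verification(profile, completed, minimum_optional_required=0):
    """Decide whether a user who completed the methods in `completed`
    satisfies the profile. Returns (ok, reason)."""
    if lint_profile(profile, minimum_optional_required):
        # Refuse to verify against a profile the lint considers unsafe or broken.
        return False, "profile misconfigured; see lint_profile()"
    required = {m for m, lvl in profile.items() if lvl is Level.REQUIRED}
    optional = {m for m, lvl in profile.items() if lvl is Level.OPTIONAL}
    missing = required - completed
    if missing:
        return False, "required method(s) not completed: " + ", ".join(sorted(missing))
    done = len(optional & completed)
    if done < minimum_optional_required:
        return False, f"{done} of {minimum_optional_required} optional methods completed"
    return True, "verified"


if __name__ == "__main__":
    # Constructed profiles mirroring the worked example in the text.
    challenge_required = {"Challenge/Response Answers": Level.REQUIRED,
                          "OTP (Mobile Device) Verification": Level.OPTIONAL}
    print(evaluate_verification(challenge_required, {"Challenge/Response Answers"}))
    print(evaluate_verification(challenge_required, {"OTP (Mobile Device) Verification"}))
    all_optional = {"Challenge/Response Answers": Level.OPTIONAL,
                    "OTP (Mobile Device) Verification": Level.OPTIONAL}
    print(lint_profile(all_optional, 0))   # warns: nothing is actually required
    print(evaluate_verification(all_optional, {"OTP (Mobile Device) Verification"}, 1))
```

When reviewing a deployment, run `lint_profile` over every profile, not only `default`: a per-group profile that marks every method Optional and leaves Minimum Optional Required empty is the configuration an attacker benefits from most.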

Configuring the OAuth Connection to an External Application

Configure the OAuth2 connection to an external application if you select OAuth 2 as a verification method. For more information, see Configuring the OAuth2 Verification Method for the Forgotten Password Module.

Perform the following actions to configure OAuth settings:

  1. Log in to Self Service Password Reset as an administrator.

  2. In the top-right corner of the Dashboard screen, click the user name.

  3. Click Configuration Editor.

  4. Navigate to Modules > Public > Forgotten Password > Profiles > default > OAuth.

  5. Configure the following OAuth settings:

    OAuth Login URL

    Specify the OAuth server login URL. This URL is to redirect users for authentication.

    1. Click Add Value.

    2. Specify the login URL in Edit Value - OAuth Login URL.

      For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/grant.

    3. Click OK.

    OAuth Code Resolve Service URL

    Specify the OAuth Token / Code Resolve Service URL. This web service URL resolves the artifact sent by the OAuth identity server.

    1. Click Add Value.

    2. Specify the code resolve service URL in Edit Value - OAuth Code Resolve Service URL.

      For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/authcoderesolve.

    3. Click OK.

    OAuth Profile Service URL

    Specify the web service URL provided by the identity server to send the attribute data of a user.

    1. Click Add Value.

    2. Specify the profile service URL in Edit Value - OAuth Profile Service URL.

      For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes.

    3. Click OK.

    OAuth Web Service Server Certificate

    Click Import from Server to import the web server certificate.

    OAuth Client ID

    Specify the OAuth client ID used in the remote system for your service. The OAuth identity service provider provides this ID.

    1. Click Add Value.

    2. Specify the OAuth client ID in Edit Value - OAuth Client ID.

    3. Click OK.

    OAuth Shared Secret

    Specify the OAuth shared secret used in the remote system for your service. The OAuth identity service provider provides this value.

    1. Click Store Value.

    2. Specify the client secret from the OAuth server in New Password.

    3. Specify the same client secret in Confirm Password.

    4. Specify the length of the client secret.

    5. Click Store Password.

    OAuth User Name/DN Login Attribute

    Specify the attributes to request from the OAuth server which Self Service Password Reset uses as the user name for local authentication.

    1. Click Add Value.

    2. Specify the OAuth username/DN attributes in Edit Value - OAuth User Name/DN Login Attribute.

    3. Click OK.

    OAuth Inject User Name Value

    Specify the user name value to send as part of the redirect request.

    1. Click Add Value.

    2. Specify the OAuth inject username in Edit Value - OAuth Inject User Name Value.

      For example, @LDAP:DN@.

    3. Click OK.

  6. In the toolbar, click Save changes.

Configuring Options

  1. Log in to Self Service Password Reset as an administrator.

  2. In the top-right corner of the Dashboard screen, click the user name.

  3. Click Configuration Editor.

  4. Navigate to Modules > Public > Forgotten Password > Profiles > default > Option.

  5. Configure the following settings:

    Allow Intruder Unlock

    When a user forgets the password and performs many failed login attempts, the account is intruder locked.

    Enable this option to allow the user to unlock the account instead of resetting the password.

    Allow Forgotten Password when Locked

    Enable this option to allow users to use the Forgotten Password feature when the account is intruder locked in LDAP. This feature is not available when a user is using NMAS stored responses.

    Allow Token Resend

    Enable this option to allow users to send a token again if they did not receive it on the first attempt.

    Minimum Password Lifetime Options

    These options manage the behavior of the password when a user tries to use the Forgotten Password feature while their password is within the minimum password policy lifetime window of their effective password policy.

    These options are only relevant if the user has an effective minimum password lifetime as part of their password policy.

    Select one of the following options:

    • Allow - Allow normal action (ignore minimum lifetime)

    • UnlockOnly - Allow only intruder password unlock

    • None - Prevent usage of forgotten password

  6. In the toolbar, click Save changes.

Creating a New Profile

Using Edit List, you can create a new Forgotten Password profile and add a list of forgotten password policies.

NOTE: It is recommended not to modify the default list unless it is critical to define different forgotten password behavior for different users.

Profile names must meet the following requirements:

  • Start with a letter (a-Z).

  • Contain only letters, numbers, and hyphens.

  • Length between 2 and 15 characters.

Perform the following steps to add a new profile:

  1. Click Add Profile.

  2. Specify the profile name in Forgotten Password Profile - Add Value.

  3. Click OK.

For more information about profile selection by LDAP filter, see Forgotten Password Profile Match.

6.1.2 Configuring the Forgotten Password Settings

To complete the configuration of the Forgotten Password module, you must also configure the Forgotten Password settings. The settings allow you to set up actions that the Forgotten Password process performs during the password recovery process.

NOTE: If you are using Active Directory, when users change their passwords Self Service Password Reset examines the password history only when the Minimum Password Age is set to 0 and the proxy is disabled. If Minimum Password Age is not 0, it is important that users set a new password to complete the Forgotten Password sequence.

During the Forgotten Password process, Self Service Password Reset uses the challenge-response information for the users to secure this process. Self Service Password Reset allows you to store the challenge-response information in different security hashing methods.

  1. Log in to Self Service Password Reset as an administrator.

  2. In the top-right corner of the Dashboard screen, click the user name.

  3. Click Configuration Editor.

  4. Click Modules > Public > Forgotten Password > Settings.

  5. Configure the following Forgotten Password settings:

    Enable Forgotten Password

    Enable this option to make forgotten password recovery available to users.

    Forgotten Password User Search Form

    Specify the form fields for the Activate User module. Self Service Password Reset requires users to enter each attribute.

    Forgotten Password User Search Filter

    Click Add Value and add an LDAP search filter in Edit Value - Forgotten Password User Search Filter. Self Service Password Reset uses this value to search for users during the forgotten password recovery. The LDAP search filter must include each attribute in Forgotten Password User Search Form. Self Service Password Reset replaces tokens made of a form item name (such as cn) enclosed with a percent sign %cn% with values provided by the user.

    For example, if the Activate User Form included the attributes cn and sn, then this filter might be appropriate:

    (&(objectClass=person)(cn=%cn%)(sn=%sn%))

    If you do not specify this setting, Self Service Password Reset automatically generates a search filter based on the required items in Forgotten Password User Search Form.

    Response Read Location

    Select the location from where Self Service Password Reset reads the responses. If you select an option with multiple values, Self Service Password Reset reads each location until it finds a stored response. By default, the Response Read Location is set to LDAP.

    Following are the available set of locations:

    • LDAP

    • LDAP, Database

    • LDAP, Database, LocalDB

    • LDAP, LocalDB

    • LDAP, LocalDB, Database

    • Database

    • Database, LDAP

    • Database, LDAP, LocalDB

    • Database, LocalDB

    • Database, LocalDB, LDAP

    • LocalDB

    • LocalDB, Database

    • LocalDB, Database, LDAP

    • LocalDB, LDAP

    • LocalDB, LDAP, Database

    Response Write Location

    Select the location where Self Service Password Reset writes the responses. Self Service Password Reset writes to all selected storage methods when users configure their response answers. By default, the Response Write Location is set to LDAP.

    Following are the available set of locations:

    • LDAP

    • LDAP, Database

    • LDAP, LocalDB

    • LDAP, Database, LocalDB

    • Database

    • Database, LocalDB

    • LocalDB

    IMPORTANT: It is not recommended to use the Local DB to store responses in a production environment. It is not possible to make the Local DB storage redundant and no optimal backup methods are available for the Local DB.

    Response Storage Hashing Method

    Select the hashing method that Self Service Password Reset uses to store responses. Storing the responses as plain text might facilitate synchronization or migration to other systems, but it is not secure.

    This setting controls how Self Service Password Reset writes the responses. Self Service Password Reset can read stored responses in other formats, and it cannot convert existing responses until a user receives the responses. Use the reporting engine to identify and count the hash types in use. By default, the Response Storage Hashing Method is set to PBKDF2WithHmacSHA512.

    Forgotten Password Post Actions

    These actions are executed after a user completes the forgotten password sequence successfully and the user's password has been modified.

    For example, if you set to update the phone number in LDAP action, the phone number of the user will get updated once the user completes the forgotten password sequence successfully.

    1. Click Add Action and specify the name of the action in New Action.

    2. Click Actions to set the post actions.

    3. Select one of the following actions:

      • LDAP Action

      • Web Service Action

      Adding a New LDAP Action

      1. Specify the LDAP attribute in Attribute Name and click OK.

      2. Click the Edit icon to edit the LDAP Action.

      3. Specify the LDAP attribute value.

      4. Select the required operation in Operation Type:

        • Replace (Remove all existing values)

        • Add (Append new value)

        • Remove (Remove specified value)

      5. Click OK.

      Adding a New Web Service Action

      1. Specify the web service URL in URL and click OK.

      2. Click the Edit icon to edit the Web Service Action.

      3. Select the required HTTP Method from the following:

        • Delete

        • Get

        • Post

        • Put

        • Patch

      4. Click Edit in HTTP Header to add a new header rule.

      5. Specify the web service URL in URL.

      6. Specify the username of the user that is configured for Business Central Server in Basic Auth Username.

      7. Specify the password of the user that is configured for Business Central Server in Basic Auth Password.

      8. Click Edit in Success Status Codes to edit the status success code.

      9. Click Import Certificate to import the web service certificate.

      10. Click OK.

    Enable Bogus User Policy

    Enable this option to make the Forgotten Password process act as if searches for invalid users were valid, and to present such users with a fake forgotten password policy. This policy prevents user name discovery.
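Two of the settings above decide how much an attacker can learn or abuse from the forgotten password form: the Forgotten Password User Search Filter, where form values replace %name% tokens inside an LDAP filter, and the Response Storage Hashing Method, which decides how challenge answers rest in the directory or database. The following is an added example and is not code from Self Service Password Reset: it shows the token substitution with RFC 4515 escaping of the user-supplied values (so a value containing `*`, `(` or `)` is matched literally rather than changing the filter), the automatically generated filter for a form with required items, PBKDF2-with-HMAC-SHA512 hashing and verification of a response, and a small report that counts the storage formats in use. The `PBKDF2WithHmacSHA512:<iterations>:<salt>:<hash>` record layout, the iteration count, the answer normalization and all sample values are assumptions, not the product's storage format.

```python
# Added example (not SSPR's own code). Record layout, iteration count and
# answer normalization are assumptions chosen for illustration.
import base64
import hashlib
import hmac
import os
import re
from collections import Counter

# --- Forgotten Password User Search Filter: %token% substitution -----------

# Characters with special meaning inside an LDAP filter assertion value (RFC 4515).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally, never parsed as filter syntax."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, form_values):
    """Replace every %name% token in the template with the escaped form value.

    Raises KeyError if the form did not supply a token the filter references,
    which is the misconfiguration the text warns about (every form item must
    appear in the filter, and vice versa)."""
    def substitute(match):
        return escape_filter_value(form_values[match.group(1)])
    return re.sub(r"%([A-Za-z0-9_-]+)%", substitute, template)


def default_search_filter(form_fields):
    """Filter assumed to be generated when the setting is left empty: one equality per form field."""
    return "(&(objectClass=person)" + "".join(f"({f}=%{f}%)" for f in form_fields) + ")"


# --- Response Storage Hashing Method: PBKDF2WithHmacSHA512 -----------------

ITERATIONS = 100_000   # assumed work factor
METHOD = "PBKDF2WithHmacSHA512"


def _normalize(answer):
    # Assumed normalization so "Fluffy" and " fluffy " verify the same answer.
    return answer.strip().casefold().encode()


def hash_response(answer, salt=None):
    """Store a challenge answer as '<method>:<iterations>:<salt b64>:<hash b64>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", _normalize(answer), salt, ITERATIONS)
    return ":".join([METHOD, str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_response(answer, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    method, iterations, salt_b64, digest_b64 = stored.split(":")
    if method != METHOD:
        raise ValueError("unsupported hash type: " + method)
    candidate = hashlib.pbkdf2_hmac("sha512", _normalize(answer),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def count_hash_types(stored_responses):
    """Count the storage formats in use, as a report over stored responses would."""
    return Counter(record.split(":", 1)[0] for record in stored_responses)


if __name__ == "__main__":
    template = "(&(objectClass=person)(cn=%cn%)(sn=%sn%))"   # the filter from the text
    print(build_search_filter(template, {"cn": "jdoe", "sn": "Doe"}))
    print(build_search_filter(template, {"cn": "j*", "sn": "D)oe"}))   # special chars escaped
    print(default_search_filter(["cn", "sn"]))
    record = hash_response("Fluffy")
    print(record, verify_response(" fluffy ", record), verify_response("rex", record))
    # Constructed records: two PBKDF2 entries and one legacy plain-text entry.
    print(count_hash_types([record, hash_response("Rex"), "PLAINTEXT:rex"]))
```

The escaping step is the check a reviewer should look for in any component that builds an LDAP filter from form input; the constant-time comparison and per-answer salt are the properties that make the PBKDF2 choice meaningful, and the counter is how you confirm, after changing the hashing method, how many responses still sit in an older format and need to be re-saved by their users.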

6.1.3 Configuring the OAuth2 Verification Method for the Forgotten Password Module

If you select OAuth2 as a verification method for the Forgotten Password module, you must configure additional settings to create the OAuth2 connection. OAuth2 is an authorization framework that enables other applications to gain access to Self Service Password Reset through this secure protocol. For more information, see OAuth 2.0.

To configure the OAuth2 verification method properly, you must obtain information from the application you are connecting to through this method. Here is a list of the information you must get from the connecting application:

  • Login URL from the OAuth server

  • OAuth code resolve service URL from the OAuth server

  • Web service URL of the identity server that contains attribute data about the users

  • OAuth web service server certificate

  • OAuth client ID from the OAuth identity service provider

  • OAuth shared secret from the OAuth identity service provider

  • OAuth user name or DN login attribute from the OAuth server

  • User name value to inject as part of the /grant redirect request

    NOTE: The remote OAuth server must support the /sign endpoint for this to work.

For example, if you are using Advanced Authentication as the application for the OAuth2 verification method, you must obtain information from Advanced Authentication to complete the configuration. Also, you must perform configuration steps in the connected application to finish the OAuth2 configuration.

To configure the OAuth2 verification method for the Forgotten Password module:

  1. Ensure that you have set the OAuth2 verification method to Required or Optional in the Verification Methods of the Forgotten Password profile.

  2. Log in to Self Service Password Reset as an administrator.

  3. In the toolbar, click the user name.

  4. Click Configuration Editor.

  5. Click Modules > Public > Forgotten Password > Profiles > OAuth.

  6. Use the information you obtained to configure the OAuth settings. For information about fields, see Configuring the OAuth Connection to an External Application.

  7. In the toolbar, click Save changes.

  8. Configure the connected application to accept the OAuth2 connection by providing the OAuth URL endpoint from Self Service Password Reset. The URL base must be the value found in the Settings > Application > Application > Site URL with /public/OAuth at the end of the URL. For example:

    https://sspr.example.com/sspr/public/OAuth
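The settings collected in this section (login URL, code resolve service URL, profile service URL, client ID, shared secret, login attribute, injected user name value and the /public/OAuth redirect endpoint) fit together as one authorization-code exchange. The following is an added example and not code from Self Service Password Reset or from Advanced Authentication: it simulates both sides of that exchange offline with an in-memory stand-in for the identity server, using the example URLs from this section and a constructed client ID, shared secret and user. The message formats, the `state` parameter and the single-use code are assumptions based on generic OAuth2 authorization-code practice, not the product's wire protocol; what the example shows is the checks the SSPR side should make before it accepts the remote identity as proof for a password reset.

```python
# Added example (not SSPR's or Advanced Authentication's code): a generic
# OAuth2 authorization-code exchange between the Forgotten Password module and
# an identity server, simulated in memory. URLs come from the documentation's
# examples; client ID, secret, user and message formats are constructed.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_URL = "https://oauthserver.example.com/osp/a/idm/auth/oauth2/grant"
CODE_RESOLVE_URL = "https://oauthserver.example.com/osp/a/idm/auth/oauth2/authcoderesolve"
PROFILE_URL = "https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes"
REDIRECT_URI = "https://sspr.example.com/sspr/public/OAuth"   # Site URL + /public/OAuth
CLIENT_ID = "sspr-client"                   # constructed
CLIENT_SECRET = "constructed-shared-secret"  # constructed


class FakeIdentityServer:
    """Stand-in for the OAuth2 provider; codes and tokens live in memory."""

    def __init__(self, client_id, client_secret, users):
        self.client_id, self.client_secret, self.users = client_id, client_secret, users
        self.codes, self.tokens = {}, {}

    def grant(self, query, authenticated_user):
        """Login URL: once the user has authenticated, redirect back with a code."""
        if query["client_id"] != self.client_id or query["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = authenticated_user
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": query["state"]})

    def resolve_code(self, form):
        """Code Resolve Service URL: exchange a one-time code for an access token."""
        if not secrets.compare_digest(form.get("client_secret", ""), self.client_secret):
            raise PermissionError("bad client secret")
        user = self.codes.pop(form["code"], None)   # codes are single use
        if user is None:
            raise PermissionError("unknown or reused code")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return {"access_token": token, "token_type": "bearer"}

    def get_attributes(self, bearer):
        """Profile Service URL: return the user's attributes for a valid token."""
        user = self.tokens.get(bearer)
        if user is None:
            raise PermissionError("invalid token")
        return dict(self.users[user])


class ForgottenPasswordOAuth:
    """SSPR side: build the redirect, validate the callback, map the login attribute."""

    def __init__(self, server, login_attribute, inject_value=None):
        self.server, self.login_attribute, self.inject_value = server, login_attribute, inject_value
        self.pending = {}   # state -> account being recovered

    def start(self, username):
        state = secrets.token_urlsafe(16)
        self.pending[state] = username
        params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "response_type": "code", "state": state}
        if self.inject_value:   # e.g. @LDAP:DN@, expanded to the recovering user's DN
            params["username"] = self.inject_value.replace("@LDAP:DN@", username)
        return LOGIN_URL + "?" + urlencode(params)

    def finish(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
        expected = self.pending.pop(q.get("state"), None)
        if expected is None:
            raise PermissionError("state mismatch: callback not tied to a pending request")
        token = self.server.resolve_code({"code": q.get("code", ""), "client_id": CLIENT_ID,
                                          "client_secret": CLIENT_SECRET,
                                          "redirect_uri": REDIRECT_URI})
        attrs = self.server.get_attributes(token["access_token"])
        # The identity the remote server vouches for must be the account being reset.
        if attrs.get(self.login_attribute) != expected:
            raise PermissionError("verified identity does not match the account being recovered")
        return expected


def run_flow(username="cn=jdoe,ou=users,o=example"):
    """Happy path: returns the user name SSPR may now reset the password for."""
    users = {username: {"dn": username, "mail": "jdoe@example.com"}}   # constructed
    server = FakeIdentityServer(CLIENT_ID, CLIENT_SECRET, users)
    sspr = ForgottenPasswordOAuth(server, login_attribute="dn", inject_value="@LDAP:DN@")
    redirect = sspr.start(username)
    query = {k: v[0] for k, v in parse_qs(urlsplit(redirect).query).items()}
    callback = server.grant(query, authenticated_user=username)   # user logs in at the IdP
    return sspr.finish(callback)


def forged_callback_is_rejected():
    """Self-check: a callback whose state was never issued must be refused."""
    sspr = ForgottenPasswordOAuth(FakeIdentityServer(CLIENT_ID, CLIENT_SECRET, {}), "dn")
    try:
        sspr.finish(REDIRECT_URI + "?code=bogus&state=never-issued")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow(), forged_callback_is_rejected())
```

The final comparison in `finish` is the step worth checking in a real deployment: the OAuth User Name/DN Login Attribute must identify the same account that the user searched for at the start of the forgotten password process, otherwise any account the identity server can vouch for would unlock any password reset.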