The Forgotten Password feature allows users to recover a forgotten password without contacting helpdesk. After enabling this feature, users get the Forgotten Password button on the login page.
You can also set up policies for Forgotten Password. The feature uses challenge-response authentication to let users recover their passwords: the user is prompted with the configured challenge set and, after answering it correctly, is allowed to change the password. Requiring a user to answer challenge questions before receiving a new password provides an additional level of security.
To make the Forgotten Password button work, ensure the following:
You have enabled the Forgotten Password feature in SSPR.
The user must do challenge-response setup before using the Forgotten Password feature.
For more information about how to configure challenge-response, see Section 3.6, Configuring Challenge-Response Authentication.
You can also set up actions that Forgotten Password performs during the password recovery process.
NOTE: (Only when the back-end directory is Active Directory) When users change their passwords, SSPR applies the password history only when Minimum Password Age is set to 0 in Active Directory and the proxy is disabled. If Minimum Password Age is non-zero, it is recommended that users change the password through the email token so that the password history is respected.
In Configuration Editor, click Modules > Forgotten Password.
Select the Enable Forgotten Password check box.
Click Actions > Save.
You can configure the action SSPR takes when the user completes the forgotten password process.
SSPR provides the following options:
Allow user to reset password: After answering the challenge questions to prove their identity, users set a new password. Because the user has already authenticated by answering the challenge questions, the current password is not required. To use this option, you must require a challenge set, and the user must have completed challenge-response setup by answering the challenge questions.
Email new password to user: After answering challenge questions, the user receives the new password in an email. To enable this option, configure SMTP email server.
For more information about how to configure email settings, see Section 3.7, Configuring Email Notification Settings.
SMS new password to user: After answering challenge questions, the user receives the new password through an SMS.
For more information about how to configure SMS settings, see Section 3.8, Configuring SMS Notification Settings.
Email and SMS new password to user: After answering challenge questions, the user receives both an email and an SMS containing the new password.
Perform the following steps:
In Configuration Editor, click Modules > Forgotten Password.
Select an action from the Forgotten Password Recovery Mode list.
Click Actions > Save.
Apart from enabling the Forgotten Password feature, configuring token settings, and configuring actions, you can configure various other settings for this feature.
In Configuration Editor, click Modules > Forgotten Password.
Click View > Always Show Advanced Settings to see and configure the advanced settings.
Configure the settings:
Setting | Description
---|---
Forgotten Password User Search Form | Specify the form attributes that a user must supply to be identified, such as name or email ID. These values are treated as confidential; the system uses them internally to search for the user who requested the forgotten password recovery action.
Forgotten Password User Search Filter | Specify the LDAP filter used to find the user. Every attribute configured in the Forgotten Password User Search Form should be included in the filter. Tokens enclosed in percent signs (%) are replaced with the values supplied by the user. For example, if the Forgotten Password User Search Form includes the email and sn attributes, the filter would be (&(objectClass=person)(email=%email%)(sn=%sn%)).
Response Read Location | Specify the location from which challenge-responses are read. If you select an option with multiple locations, the system reads each location in turn until it finds a stored response.
Response Write Location | Specify the location to which responses are written. If you select an option with multiple locations, the system stores the responses in each location when users set up their response answers.
Response Storage Attribute | Specify the LDAP attribute used to store responses when responses are stored in the LDAP directory. The system stores responses in the LDAP directory in addition to any other configured storage repositories.
Allow Unlock | Select this check box to allow users to unlock their account during the forgotten password process. If the account is locked because of invalid login attempts and the password has not expired, users can unlock the account instead of resetting the password.
Required Attributes | Specify the LDAP attributes that users must supply as part of the forgotten password recovery process. The LDAP proxy user requires compare rights to these attributes.
Require Responses | Select this check box to require users to answer their previously saved challenge responses before the forgotten password recovery process continues.
Token Send Method | Specify the method used to send the token code or the new password to the user. The available methods include:
Forgotten Password Recovery Mode | Select the action to take when the user completes the forgotten password process. These are the same options described under the Forgotten Password Recovery Mode list above.
Responses Storage Hashing Method | Select the hashing method used when storing responses. Storing responses as plaintext simplifies synchronization or migration to other systems, but it also exposes the answers to anyone who can read the storage location; choose a hashing method unless you have a specific migration requirement.
New Password Send Method (Advanced) | Select the method used to send the new password to the user after the user completes the forgotten password process.
Forgotten Password Post Actions (Advanced) | Specify the name of each action and define the following services for the actions that run after a user successfully completes the forgotten password process and the password has been modified. Macros can be used.
Click Actions > Save.
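The two settings above that most affect security are the User Search Filter (user-supplied form values are substituted into an LDAP filter) and the Responses Storage Hashing Method (how stored answers are protected). The following is an added example, not SSPR's own code, that shows what a safe implementation of both looks like: the %attr% substitution from the table with RFC 4515 escaping of the substituted values, and a salted, iterated hash of normalized answers with a constant-time comparison. The filter template and form values are constructed for the example; the escaping behaviour, normalization rules and `minimum_correct` parameter are this example's own assumptions and are not described by the SSPR documentation.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Constructed example: the filter from the settings table and the attributes it references.
SEARCH_FILTER_TEMPLATE = "(&(objectClass=person)(email=%email%)(sn=%sn%))"

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Tokens of the form %name% as used by the Forgotten Password User Search Filter.
_TOKEN = re.compile(r"%([A-Za-z0-9_-]+)%")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be matched as a literal."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, form_values: Dict[str, str]) -> str:
    """Replace every %attr% token with the escaped form value.

    A token with no supplied value raises instead of producing a broader filter
    (an empty or wildcard value could match many users); whether SSPR itself
    escapes values this way is an assumption of this example.
    """
    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        value = form_values.get(name, "")
        if value == "":
            raise ValueError(f"form attribute {name!r} was not supplied")
        return escape_filter_value(value)

    return _TOKEN.sub(substitute, template)


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so case and spacing differences do not fail the user."""
    return " ".join(answer.split()).casefold()


def hash_response(answer: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> Dict[str, object]:
    """Store a response as a salted PBKDF2-SHA256 hash rather than plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_response(answer: str, stored: Dict[str, object]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(str(stored["salt"])),
        int(stored["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(stored["hash"]))


def verify_challenge_set(answers: Dict[str, str], stored_set: Dict[str, Dict[str, object]], minimum_correct: int) -> bool:
    """Check every stored question before deciding, so a failure does not reveal which answer was wrong."""
    correct = 0
    for question, record in stored_set.items():
        if verify_response(answers.get(question, ""), record):
            correct += 1
    return correct >= minimum_correct


if __name__ == "__main__":
    # Honest input and an injection attempt: the second cannot escape the email= clause.
    print(build_search_filter(SEARCH_FILTER_TEMPLATE, {"email": "jane@example.com", "sn": "Doe"}))
    print(build_search_filter(SEARCH_FILTER_TEMPLATE, {"email": "*)(objectClass=*", "sn": "Doe"}))

    stored = {"pet": hash_response("Fluffy"), "city": hash_response("Paris")}
    print(verify_challenge_set({"pet": "  fluffy ", "city": "paris"}, stored, minimum_correct=2))
    print(verify_challenge_set({"pet": "Rex", "city": "paris"}, stored, minimum_correct=2))
```

Running the block prints the two filters, showing the injection attempt reduced to `(email=\2a\29\28objectClass=\2a)`, followed by `True` and `False` for the two challenge sets. The same structure applies to the Required Attributes setting: anything the user types should reach the directory only as an escaped literal, never as filter syntax.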