This mechanism is soon to be replaced by the new Password Reset Configuration.
The reset password feature lets a user reset his or her own password. It is disabled by default. The following text describes how to enable it.
Enabling Reset Password
To enable the reset password feature, it must be configured in the security policy referenced from the system configuration. The first thing to configure is the method used for password reset (security question, mail, SMS). The configuration of notifications, generation of the one-time password and other details depends on the chosen method.
Reset password by mail
The following is the security policy configuration that enables password reset by mail.
In the example above, there is a credentialsReset section. Different password reset methods can be configured in this section; in this case mailReset means that a confirmation link is sent to the user's email. After clicking the confirmation link, the user is prompted for a new password.
The confirmation link is generated and validated using the value policy referenced from the valuePolicyRef attribute. The password reset settings are tied to the nonce generation settings through the additionalAuthenticationName attribute: the mailReset configuration references (via additionalAuthenticationName) the authentication method used to confirm the password reset, and that concrete authentication method (mailAuthentication in this case) holds the settings for generating and validating the nonce.
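As an added illustration (not the page's own sample, which is not reproduced here), the following securityPolicy fragment shows how the pieces named above fit together. The names credentialsReset, mailReset, additionalAuthenticationName, valuePolicyRef and mailAuthentication come from this page; the mailNonce, maxAge and name elements and the OIDs are assumptions and should be checked against the schema of your midPoint version.

```xml
<!-- Added example: securityPolicy fragment tying mailReset to the
     mailAuthentication method that generates and validates the nonce.
     OIDs are placeholders; mailNonce/maxAge/name are assumed element names. -->
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Security policy with password reset by mail</name>
    <authentication>
        <!-- The authentication method referenced from mailReset below -->
        <mailAuthentication>
            <name>mailAuthentication</name>
            <mailNonce>
                <!-- Nonce lifetime: the reset link stops working after 10 minutes (assumed element) -->
                <maxAge>PT10M</maxAge>
                <name>mailNonce</name>
                <!-- Value policy that defines how the nonce (the secret in the link) is generated and validated -->
                <valuePolicyRef oid="PLACEHOLDER-NONCE-VALUE-POLICY-OID" type="ValuePolicyType"/>
            </mailNonce>
        </mailAuthentication>
    </authentication>
    <credentialsReset>
        <!-- mailReset: the confirmation link is sent to the user's e-mail -->
        <mailReset>
            <!-- Must match the <name> of the mailAuthentication method above -->
            <additionalAuthenticationName>mailAuthentication</additionalAuthenticationName>
        </mailReset>
    </credentialsReset>
</securityPolicy>
```

The additionalAuthenticationName value must match the name of the authentication method exactly, since that is how the reset is correlated with its nonce settings. The nonce in the link is a bearer secret: anyone holding the link can complete the reset, so keep its lifetime short and have the value policy produce a long, random value.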
After the nonce is successfully generated it is sent to the user's mail in the validation link. To be able to send this confirmation link to the user, notifications must be configured (in the system configuration). An example of such a configuration is shown in the following sample:
When using a custom body expression, don't forget to generate the link. There is a method in the midPoint function library that generates it: midpoint.createPasswordResetLink(userType).
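An added example (not the page's own sample) of a notificationConfiguration fragment for the system configuration that mails the confirmation link. midpoint.createPasswordResetLink(userType) is the function named on this page; the passwordResetNotifier handler, the recipientExpression, bodyExpression and transport elements, the event and midpoint script variables, the ModelEvent cast and the redirectToFile mail setting are assumptions based on midPoint's notification configuration and should be verified against your version.

```xml
<!-- Added example: notification handler in the system configuration that
     mails the password reset link. Handler and element names are assumed. -->
<notificationConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <handler>
        <passwordResetNotifier>
            <!-- Where to send: the e-mail address of the user whose reset was requested -->
            <recipientExpression>
                <script>
                    <code>
                        import com.evolveum.midpoint.notifications.api.events.ModelEvent

                        // 'event' is assumed to be the model event carrying the user as focus
                        def modelEvent = (ModelEvent) event
                        def userType = modelEvent.getFocusContext().getObjectNew().asObjectable()
                        return userType.getEmailAddress()
                    </code>
                </script>
            </recipientExpression>
            <!-- Custom body: the link must be generated here, otherwise the mail carries no usable link -->
            <bodyExpression>
                <script>
                    <code>
                        import com.evolveum.midpoint.notifications.api.events.ModelEvent

                        // 'event' and 'midpoint' are the script variables assumed to be available here
                        def modelEvent = (ModelEvent) event
                        def userType = modelEvent.getFocusContext().getObjectNew().asObjectable()
                        def link = midpoint.createPasswordResetLink(userType)

                        return "Did you request a password reset? If yes, open this link:\n\n" + link +
                               "\n\nIf you did not request it, ignore this message."
                    </code>
                </script>
            </bodyExpression>
            <transport>mail</transport>
        </passwordResetNotifier>
    </handler>
    <!-- Mail transport; redirectToFile (assumed setting) writes the mail to a file so that
         nothing is sent while testing, which also lets you inspect the generated link -->
    <mail>
        <redirectToFile>/var/tmp/idm-mail-notifications.log</redirectToFile>
    </mail>
</notificationConfiguration>
```

The body text deliberately tells the recipient what to do if they did not request the reset, so an unexpected mail is a signal to the user rather than a silent event. Remove the redirectToFile setting and configure a real mail server before going to production.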
Reset password and custom form
It isn't difficult to imagine that the current reset password form doesn't satisfy everyone's needs. Using just the email address (which, in addition, refers to one fixed field and cannot be changed without changing the source code) to find the user requesting the password reset might not meet all requirements. With the introduction of custom forms, a custom form can be specified for user identification. All that is needed is to add a reference to the form in the reset password configuration as below:
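An added example (not the page's own sample) of the credentialsReset section extended with a reference to a custom identification form. The formRef element name, its type attribute and the OID are assumptions; check them against the schema of your midPoint version.

```xml
<!-- Added example: credentialsReset referencing a custom identification form.
     The formRef element name and the OID are assumptions. -->
<credentialsReset>
    <mailReset>
        <additionalAuthenticationName>mailAuthentication</additionalAuthenticationName>
    </mailReset>
    <!-- Custom form (a FormType object) used to identify the user requesting the reset
         instead of the built-in e-mail address field -->
    <formRef oid="PLACEHOLDER-FORM-OID" type="FormType"/>
</credentialsReset>
```

Whatever attributes the custom form collects, they should identify exactly one user; a form that can match several users, or that lets the requester choose among them, turns the identification step into an enumeration aid.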
See also