midPoint
Page tree
Skip to end of metadata
Go to start of metadata

This mechanisms is soon to be replaced by a New Password Reset Configuration.

 

Reset password feature provides a possibility to user to reset his/her password. It is disabled by default. Following text describes how to enable this feature. 

Enabling Reset Password

To enable reset password feature, it is needed to configure it in security policy referenced from system configuration. The first thing which has to be configured is the method using for reset password (security question, mail, sms). Configuration for notifications, generation of one time password and other things depends on the chosen method type. 

Reset password by mail

Following is the configuration of security policy which enables reset password by mail.

Reset password by mail configuration
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
                oid="28bf845a-b107-11e3-85bc-001e8c717e5b"
                version="18">
   <name>Security Policy</name>
   <authentication>
      <mailAuthentication>
         <name>confirmationLink</name>
         <displayName>Additional mail authnetication</displayName>
         <mailNonce>mailNonce</mailNonce>
      </mailAuthentication>
   </authentication>
   <credentials>
      <nonce>
         <maxAge>PT2M</maxAge>
         <name>mailNonce</name>
         <valuePolicyRef oid="00000000-0000-1111-0000-000000000003" type="c:ValuePolicyType"><!-- Mail Nonce Policy --></valuePolicyRef>
      </nonce>
   </credentials>
   <credentialsReset>
      <mailReset>
         <name>Reset password using mail</name>
         <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
      </mailReset>
   </credentialsReset>
</securityPolicy>

In the example above, there is a credentialsReset section. In this section different methods for password reset can be configured, in this case mailReset means that the confirmation link is sent to the user's email. After clicking on the confirmation link, user is prompted for new password.

The confirmation link is generated and validated using value policy referenced from the attribute valuePolicyRef. The correlation between password reset and nonce generation settings is done through attribute additionalAuthenticationName. mailReset configuration has reference to the authentication method (attribute additionalAuthenticationName) used to confirm the password reset process. Concrete authentication method (mailAuthentication in this case) contains setting for generating and validating nonce

After nonce is successfully generated it is sent in the validation link to the user's mail. To be able to send this confirmation link to the user, it is needed to configure notifications (in the system configuration). Example for such configuration is shown in the following sample:

Example for notification configuration
<passwordResetNotifier>
    <recipientExpression>
    	<script>
			<code>return requestee.getEmailAddress()</code>
        </script>
    </recipientExpression>
    <bodyExpression>
        <script>
            <code>
                      
            	import com.evolveum.midpoint.notifications.api.events.ModelEvent
                modelEvent = (ModelEvent) event
                newUser = modelEvent.getFocusContext().getObjectNew();
                userType = newUser.asObjectable();
	
	            link = midpoint.createPasswordResetLink(userType)
		        bodyMessage = "Did you request password reset? If yes, click on the link bellow \n" + link
		  
		        return bodyMessage;
            </code>
        </script>
	</bodyExpression>
    <transport>mail</transport>
</passwordResetNotifier>

While using custom body expression don't forget to generate the link. There is a method in midPoint function library which will generate the link - midpoint.createPasswordResetLink(userType).

Reset password and custom form

It isn't probably difficult to imagine that current reset password form doesn't satisfy everyone's needs. Using just email address (which in addition references to the concrete field and cannot be changed without changing the source code) to find an user which is requesting the password reset might not satisfy requirements. With introducing custom forms they can be used to specify custom form for user identification. All what is needed to be done is to add the reference to form in the reset password cofiguration as bellow:

Reset password and custom form
 <credentialsReset>
      <mailReset>
         
			...

         <formRef oid="bb42fa87-b066-48a0-a960-c77fc8b53737" type="c:FormType"><!-- Reset password form --></formRef>
      </mailReset>
 </credentialsReset>

 

See also


 

  • No labels