Forgot Password page configuration

The Identity Management (IdM) tool contains the Forgot Password page function for end users.

There are three password reset mode methods: 

  • Enforce mode – Useful for most Active Directory and LDAP use cases. This mode enforces password history requirements like not using a previous password or does not allow frequent password updates.

  • Administrative mode – Useful for SQL-type data stores, in a Help Center environment, and if your data store supports password history checks.

  • Administrative mode with history check – Useful for SQL-type data stores, in a Help Center environment, and if your data store does not support password history checks.

This topic covers how to set up the Password Reset page using any of the above password reset modes.

Prerequisites

  • SecureAuth® Identity Platform release 21.04

  • Data store added to the Identity Platform

    Data store must have a service account set with write privileges to modify. This is needed to change user passwords.

  • If using an Active Directory, open the following outbound ports for password modification:

    • 139 – DFSN, NetBIOS session service, NetLogon

    • 445 – SMB / CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc

    • 464 – Kerberos change / set password

  • (Optional) To use the Administrative Reset with History Check password reset mode, open the following outbound port for password modification:

    • 636 – SSL Outbound Port

  • (Optional) Configure Google Workspace (formerly G Suite) to synchronize directory passwords

  • Configured user authentication policy

Step A: Add and configure Password Reset page

Use the Internal Application Manager to add and configure the Password Reset page.

  1. On the left side of the Identity Platform, click Internal Application Manager.

    Screenshot of Internal Application Manager page.
  2. Click Add New Internal Application.

    The New Internal Application page displays.

    Screenshot of adding a new internal application.
  3. Set the following configurations.

    Internal Application Name

    Set the name of the Password Reset page.

    This name is shown on the page header and document title of the end user login pages.

    Note

    If you change this name, it will overwrite any value that is set on the Overview tab in the Classic Experience.

    Internal Application Description

    This is an internal description not shown to end users.

    Data Store

    Enter the data store to authenticate and allow user access to the Password Reset page.

    Groups

    Use one of the following options:

    • Slider in the On position (enabled): Allow users from every group in your selected data stores access to the Password Reset page.

    • Slider in the Off position (disabled): Enter the specific groups who are allowed access to the Password Reset page.

    Authentication Policy

    Select the user authentication policy for the Password Reset page.

    Authenticate User Redirect

    Select the Identity Management (IdM) category.

    Identity Management (IdM)

    Select Password Reset.

    Redirect To

    This field is automatically populated by the selection of Password Reset as an internal application.

    This is the page the end user lands on after login.

  4. Click Create Connection.

    This creates a new internal application with an attached user authentication policy from the new UI.

    internal_app_mgr_003_passwordreset.png
  5. Copy the login URL for your end users to access the Password Reset page.

    You'll need this information to share with your end users.

    You can find this on the main Internal Application Manager page or when you edit the Password Reset configuration in the Redirect Information section.

    Screenshot of the Internal Application Manager page highlighting the login URLs.
    Screenshot of internal application in edit mode, highlighting the login URL.

Step B: Finish configuration in the Classic Experience

Continue to the Classic Experience to finish the Password Reset page configurations. Use the configuration option that best fits the needs of your organization.

  1. To complete the Password Reset page configuration in the Classic Experience, do one of the following:

    • At the top of the page, click the link in the green confirmation message.

    • At the bottom of the page, click Go to the Classic Version... link.

    The link takes you to the Post Authentication tab in the Classic Experience.

  2. In the Password Reset section, click the Configure password reset page link.

    password_reset_classic_001.png
  3. In the Password Reset Functions section, set the Password Reset Mode to one of the following options:

    • Enforce Password Change Requirements (Enforce mode) – To enforce password history rules, it must use the current password. If the current password is not given, a random password is set, then used to change the current password.

      Note: Use this option for Active Directory and LDAP directory types and must have password history checks.

    • Administrative Password Reset (Admin mode) – This does not enforce password history rules. The current password is not required for this rule.

      Note: Use this option for SQL directory types and do not need or support password history checks.

    • Administrative Reset with History Check (Admin mode with history check) – Enforces password history rules and does not require current password. This mode is not guaranteed to work with non-AD LDAP data stores. For Active Directory, you need to open SSL outbound port 636.

      Note: This is not supported for eDirectory.

    password_reset_classic_002.png
  4. Continue with the rest of the configuration settings.

  5. In the Password Complexity section, configure the password rules that mirror the password complexity rules set in the data store.

    To display the password rules on the page, set Show Password Complexity Rules to True.

    Note

    If the Identity Platform does not have password complexity rules turned on, the password rules from the data store takes place.

    password_reset_classic_003.png
  6. In the Google Apps / iOS Provisioning section, set whether to enable iOS provisioning with G Suite and allow synchronization of password changes.

    For more information, see iOS G Suite Provision Configuration Guide.

    password_reset_classic_004.png
  7. Save your changes.