
Introduction

Use this guide to configure the Forgot Username page, where end-users can retrieve forgotten user IDs.

The Forgot Username tool enables an end-user to provide information associated with their directory account in order to recover the username used to log in to SecureAuth IdP realms.

Each SecureAuth IdP realm can include a Forgot Username URL Link (Overview tab) that displays on the initial login page. Clicking the link redirects end-users to the Forgot Username realm, at which the end-user enters information from a defined field (e.g. email address, phone number, etc.) to confirm the account identity.

Upon successful identity validation, the username is displayed on the page itself or sent to the user via email, as configured by the administrator.

Prerequisites

1. Create a New Realm for the Forgot Username function

2. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

SecureAuth IdP Configuration Steps

Select the type of directory integration used for the Forgot Username realm and follow the appropriate steps.

Data

This is a configuration example using an Active Directory integration and common data fields. It is not universal for every enterprise data store, but may be used as a reference for other LDAP directory types.

1. In the Membership Connection Settings section, change the searchFilter so that the initial login page accepts the user's email address instead of the username

The filter names the directory attribute that holds the email address, with %v standing in for the value the user types on the login page, e.g. (&(mail=%v)(objectclass=*))

The attribute chosen here must be unique across the search base: if two accounts share the same mail value, the filter matches more than one entry and the lookup is ambiguous. Check for duplicate or empty values in the directory before enabling the realm.

2. Set the Search Attribute to the directory attribute that contains the user ID to be retrieved (for Active Directory this is typically sAMAccountName)

Once the end-user authenticates, the value of the Search Attribute on the matched entry is returned as the forgotten username

Move on to step 5 (Post Authentication)

This is a configuration example using a SQL Data Store integration and common properties. It is not universal for every enterprise data store, but may be used as a reference for other SQL-type data stores (Oracle, ASP.net, ODBC, others).

If configuring a realm with an ASP.net database integration, then follow these steps and refer to the ASP.net Required Configuration Steps section following step 4

SQL Data Store Configuration Steps

1. In the SQL data store, create new Stored Procedures that are specific to the Forgot Username realm, using email (or another preferred property) as the user ID

Starting from SecureAuth's provided Stored Procedures and Tables, give each copy a friendly name, e.g. replace GetUser with GetUserByEmail in sp_GetUser: sp_GetUserByEmail

This differentiates the Stored Procedure from the others that employ the username as the User ID, so the regular login realms keep using the originals untouched

Replace UserName with Email1 in WHERE UserName = @UserName: WHERE Email1 = @UserName

This tells SecureAuth IdP to employ the user's email address stored in Email 1 as the user ID. The parameter keeps its @UserName name because that is the parameter the IdP binds the value typed on the login page to; only the column it is compared against changes

CREATE PROC [dbo].[sp_GetUserByEmail] @UserName VARCHAR(60)
AS
BEGIN
    SELECT [UserName]
        ,ISNULL([GroupList], '')
        ,ISNULL([PwdLastSet],'1/1/1900')
        ,ISNULL([AccountStatus], '')
    FROM UserTable
    WHERE Email1 = @UserName
END

Shown as an example is the Get User Stored Procedure, which must be updated for this realm

The following Stored Procedures must be updated in the same manner, but with unique, friendly names:

  • Get User (new name: GetUserByEmail)
  • Get Profile (new name: GetProfileByEmail)
  • Update Profile (new name: UpdateProfileByEmail)
  • Validate / Get Password, required only if the user's password is required in the workflow to retrieve the forgotten username (new name: ValidatePasswordByEmail / GetPasswordByEmail)
CREATE PROC [dbo].[sp_GetProfileByEmail] @UserName VARCHAR(60)
AS
BEGIN
    SELECT UserName
        ,IsNull(FirstName, '') FirstName
        ,IsNull(LastName, '') LastName
        ,IsNull(Phone1, '') Phone1
        ,IsNull(Phone2, '') Phone2
        ,IsNull(Phone3, '') Phone3
        ,IsNull(Phone4, '') Phone4
        ,IsNull(Email1, '') Email1
        ,IsNull(Email2, '') Email2
        ,IsNull(Email3, '') Email3
        ,IsNull(Email4, '') Email4
        ,IsNull(AuxID1, '') AuxID1
        ,IsNull(AuxID2, '') AuxID2
        ,IsNull(AuxID3, '') AuxID3
        ,IsNull(AuxID4, '') AuxID4
        ,IsNull(AuxID5, '') AuxID5
        ,IsNull(AuxID6, '') AuxID6
        ,IsNull(AuxID7, '') AuxID7
        ,IsNull(AuxID8, '') AuxID8
        ,IsNull(AuxID9, '') AuxID9
        ,IsNull(AuxID10, '') AuxID10
        ,IsNull(pinHash, '') pinHash
        ,IsNull(Questions, '') Questions
        ,IsNull(Answers, '') Answers
        ,IsNull(ChallengeQuestion, '') ChallengeQuestion
        ,IsNull(ChallengeAnswer, '') ChallengeAnswer
        ,IsNull(CertResetDate, '1/1/1900') CertResetDate
        ,IsNull(CertCount, 0) CertCount
        ,IsNull(CertSerialNumber, '') CertSerialNumber
        ,IsNull(MobileResetDate, '1/1/1900') MobileResetDate
        ,IsNull(MobileCount, 0) MobileCount
        ,IsNull(ExtSyncPwdDate, '1/1/1900') ExtSyncPwdDate
        ,IsNull(HardwareToken, '') HardwareToken
        ,IsNull(iOSDevices, '') iOSDevices
        ,IsNull(OATHSeed, '') OATHSeed
        ,IsNull(OneTimeOATHList, '') OneTimeOATHList
        ,IsNull(GroupList, '') GroupList
    FROM UserTable
    WHERE Email1 = @UserName
 
 
    SELECT DigitalFP
    FROM UserFP
    WHERE Email1 = @UserName
 
 
    SELECT PNToken
    FROM UserPN
    WHERE Email1 = @UserName
 
 
    SELECT AccessHistory
    FROM UserAccessHistory
    WHERE Email1 = @UserName
 
 
    SELECT OATHToken
    FROM UserOT
    WHERE Email1 = @UserName
END
GO

Note the updates applied to this Stored Procedure from step 1
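Before pointing the realm at the renamed procedures, it is worth checking in the database itself that an email address really identifies one row, because WHERE Email1 = @UserName silently returns several rows (or none) if Email1 is duplicated or empty. The following T-SQL is an added example, not part of SecureAuth's shipped Stored Procedures or tables. Table and column names (UserTable, UserFP, Email1, UserName) are taken from the procedures above; the index name UX_UserTable_Email1 and the sample address are constructed for this check.

```sql
-- Added example; not SecureAuth's own script. Names of tables/columns come from
-- the procedures on this page; the index name and sample address are assumptions.

-- 1. The new WHERE Email1 = @UserName clause identifies exactly one user only if
--    Email1 is unique and populated. List values that would match several rows
--    or none at all.
SELECT Email1, COUNT(*) AS Matches
FROM dbo.UserTable
GROUP BY Email1
HAVING COUNT(*) > 1 OR Email1 IS NULL OR Email1 = '';

-- 2. Once duplicates are cleaned up, enforce uniqueness on non-empty addresses
--    (filtered unique index; SQL Server 2008+ syntax).
CREATE UNIQUE NONCLUSTERED INDEX UX_UserTable_Email1
    ON dbo.UserTable (Email1)
    WHERE Email1 IS NOT NULL AND Email1 <> '';

-- 3. If the auxiliary tables (UserFP, UserPN, UserAccessHistory, UserOT) in your
--    schema are keyed by UserName and do not carry an Email1 column, resolve the
--    username once and reuse it rather than filtering those tables on Email1.
DECLARE @UserName VARCHAR(60) = 'alice@example.com';   -- constructed sample input
DECLARE @ResolvedUser VARCHAR(60);
SELECT @ResolvedUser = UserName
FROM dbo.UserTable
WHERE Email1 = @UserName;

SELECT DigitalFP FROM dbo.UserFP WHERE UserName = @ResolvedUser;

-- 4. Exercise the renamed procedures the way the IdP will call them. The
--    parameter keeps its @UserName name: it is the slot the IdP binds the value
--    typed on the login page to, whatever column it is compared against.
EXEC dbo.sp_GetUserByEmail @UserName = @UserName;
EXEC dbo.sp_GetProfileByEmail @UserName = @UserName;
```

Run steps 1 and 2 against a copy of the data store first; the index creation fails, by design, while duplicates remain. Step 3 applies only if a check of the schema shows the auxiliary tables lack Email1; if they carry it, the procedure shown above works as written.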

The following steps are completed in the SecureAuth IdP Web Admin

Data

 

2. In the Membership Connection Settings section, set the Get User SP to the friendly name of the Forgot Username-specific Get User Stored Procedure (configured in step 1), e.g. GetUserByEmail

3. Set the Validate / Get Password SP to the friendly name of the Forgot Username-specific Validate / Get Password Stored Procedure, e.g. GetPasswordByEmail

Step 3 is required only if the user's password is required in the Forgot Username realm login workflow

Profile Connection Settings

 

4. Set the Get Profile SP and the Update Profile SP to the friendly names of the Forgot Username-specific Get User Profile and Update User Profile Stored Procedures, e.g. GetProfileByEmail and UpdateProfileByEmail

ASP.net Required Configuration Steps

The following steps are for Forgot Username realms using ASP.net database as the directory source

Forgot Username with ASP.net database is supported by SecureAuth IdP versions 9.1+

SecureAuth IdP Configuration Steps

System Info

 

1. In the Links section, select Click to Edit Web Config File

Web Config Editor

 

2. Search for ASPNETMembershipProvider, and add the following attribute to that provider's entry in the ASPNETDB section

searchFilter="email"

3. Search for ASPNETProfileProvider, and add the following attribute to that provider's entry in the ASPNETDB section

searchFilter="email"

Click Save once the configurations have been completed and before leaving the Web Config Editor page to avoid losing changes

ASP.net DB Configuration Steps

4. If the LoweredEmail field is empty, then populate the field in the ASP.net database; searchFilter="email" is matched against this field, so accounts without it cannot be found

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
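The page says to populate LoweredEmail but not how. The following T-SQL is an added example, not SecureAuth's or Microsoft's own script. It assumes the standard ASP.NET membership schema that the SqlMembershipProvider creates (dbo.aspnet_Membership with Email and LoweredEmail columns); if the database uses a customised provider, adjust the table and column names.

```sql
-- Added example; assumes the stock ASP.NET membership table dbo.aspnet_Membership
-- with Email and LoweredEmail columns.

-- 1. Rows with an empty LoweredEmail can never match searchFilter="email", so
--    those users would be told their account was not found. Count them first.
SELECT COUNT(*) AS MissingLoweredEmail
FROM dbo.aspnet_Membership
WHERE Email IS NOT NULL AND (LoweredEmail IS NULL OR LoweredEmail = '');

-- 2. Populate it from the stored address, lower-cased the way the provider does.
UPDATE dbo.aspnet_Membership
SET LoweredEmail = LOWER(Email)
WHERE Email IS NOT NULL AND (LoweredEmail IS NULL OR LoweredEmail = '');

-- 3. An address shared by two accounts makes the email lookup ambiguous. The
--    provider only enforces uniqueness when requiresUniqueEmail="true" was in
--    effect while accounts were created, so check before enabling the realm.
SELECT LoweredEmail, COUNT(*) AS Accounts
FROM dbo.aspnet_Membership
GROUP BY LoweredEmail
HAVING COUNT(*) > 1;
```

Resolve any rows returned by step 3 before users are offered the Forgot Username link; otherwise the realm cannot tell which account the address belongs to.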

Post Authentication

 

5. Select Forgot Username from the Authenticated User Redirect dropdown in the Post Authentication tab in the Web Admin

6. A read-only URL is auto-populated in the Redirect To field, which is appended to the domain name and realm number in the address bar (Authorized/ForgotUsername.aspx)

Forgot Username

 

7. Choose the Username Delivery Option, which is either to Display on page or to Send in email to the address designated in the searchFilter / Stored Procedures (Email 1)

The username displayed on the page or sent in the email is the username stored in the directory attribute mapped to the Search Attribute field, or the User ID stored as the UserName in SQL-type data stores

Display on page discloses the recovered username to whoever completes the realm's workflow, so the Workflow and Multi-Factor Methods tabs configured as prerequisites determine how much proof is required before disclosure. Send in email only ever delivers it to the Email 1 address of record, which keeps an attacker who merely knows an email address from learning the matching username

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token

 

8. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this realm for Single Sign-on (SSO)

These are optional configurations

To configure this realm's token/cookie settings, follow these steps:

Forms Authentication

 

1. To have the token cookie marked Secure, so the browser sends it only over HTTPS, select True from the Require SSL dropdown

2. Choose how SecureAuth IdP will deliver the token to the user's browser or device:

  • UseCookies always delivers the token in a cookie
  • UseUri never uses a cookie and instead carries the token in the URL query string; a token in the URL can land in browser history, proxy logs and Referer headers, so prefer a cookie-based mode unless cookies are unavailable
  • AutoDetect delivers a cookie if the browser is detected to accept cookies, and otherwise falls back to the URL
  • UseDeviceProfile decides from the browser's capability profile alone, delivering a cookie if that profile says the browser supports cookies, regardless of whether the user has actually enabled them

3. Set Sliding Expiration to True if the cookie should remain valid for as long as the user keeps interacting with the page (each request resets the timeout); set it to False for the cookie to expire a fixed Timeout after it was issued

4. Set the Timeout length to determine for how many minutes a cookie is valid

No configuration is required for the Name, Login URL, or Domain fields

Machine Key

 

5. No changes are required in the Validation field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

6. No changes are required in the Decryption field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

No configuration is required for the Validation Key or Decryption Key fields

Authentication Cookies

 

7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown

Selecting False - Session Cookie enables the cookie to be valid as long as the session is open, and will expire once the browser is closed or the session expires

No configuration is required for the Pre-Auth Cookie, Post-Auth Cookie, or the Clean Up Pre-Auth Cookie fields

Click Save once the configurations have been completed and before leaving the Forms Auth / SSO Token page to avoid losing changes

To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration

To configure this realm for Windows Desktop SSO, refer to Windows desktop SSO configuration

Best Practices
Client-side Form Modification

Follow these steps to alter the end-user login pages to read, "Email" (or whatever is preferred) instead of "Username" in the Forgot Username realm

These optional steps are completed in the Forgot Username realm (configured above)

Overview

 

1. In the Advanced Settings section, select Content and Localization

Verbiage Editor

 

2. Search for useridview_userIdLabel and change Username: to Email: (or the preferred verbiage), which displays on the initial login page, prompting the user for the User ID

3. Change the passwordview_userLabel from Username: to Email: (or the preferred verbiage), which displays on the subsequent login page, prompting the user for the password

This is only necessary if the realm's workflow has username and password on separate pages

The Username / Email field is greyed out and displays the information entered on the previous page

4. Search for useridview_usernameplaceholder and change Username to Email Address (or the preferred verbiage), which displays as a placeholder on the initial login page (with step 2) in the text box

Click Save once the configuration is complete and before leaving the Content and Localization page to avoid losing changes

Forgot Username Links

Follow this step to add the Forgot Username realm link to other SecureAuth IdP realms, so that it displays on their login pages for end-users to quickly retrieve a forgotten username

This optional step is NOT completed in the Forgot Username realm, but rather in other SecureAuth IdP realms

Overview

 

1. In the Page Content section, update the Forgot Username URL field and its Location on the login page within the other SecureAuth IdP realms in which the function is available

The URL would be: /SecureAuth[ForgotUsernameRealm#]

Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes