Introduction

Use this guide to enable end-user or administrative (help desk) account unlock via the SecureAuth IdP Identity Management (IdM) Password Reset Tool.

This configuration option accurately displays the account's status on the Account Unlock page, and requires two chained realms.

In the other configuration option, administrators or end-users can unlock accounts, but the status always displays as "normal", even if the account is locked.

Both configuration options effectively unlock user accounts, but only this setup displays the account's current status on the page.

SecureAuth IdP provides configuration flexibility to allow users to reset known passwords, update forgotten passwords, unlock their own accounts, and / or unlock other users' accounts (help desk) via two methods: Enforce and Administrative.

Enforce Mode is appropriate for most Active Directory and other LDAP use cases, while Administrative Mode is more suited for SQL-type data stores that are targeted more for help desk utilization.

This guide provides configuration steps for both Enforce and Administrative modes, and for Help Desk Account Unlock and End-user Account Unlock. Help Desk Account Unlock allows administrators to unlock any user's account, and End-user Account Unlock allows users to unlock only their own accounts.

SecureAuth IdP also enables Reset Password + Account Unlock options. Refer to Reset Password Configuration Guide for the combined configuration.

Prerequisites

1. Grant the SecureAuth IdP directory Service Account the write privileges required to modify user account statuses

2. Create two (2) New Realms for the Account Unlock Page

Two realms are required to correctly display the user's account status and to effectively unlock the account

For the purpose of this guide, the realms are entitled Realm A and Realm B

Realm B is the realm used for user login

3. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP (the same directory(s) must be configured in both realms)
  • Workflow – the way in which users access this application must be defined (specifically configured in Realm B)
  • Multi-Factor Methods – the Multi-Factor Authentication methods that are used to access this page (if any) must be defined (specifically configured in Realm B)

SecureAuth IdP Configuration Steps

Realm A Configuration Steps

Realm A is the account unlock realm, where end-users are redirected after authenticating in Realm B

Data

1. In the Membership Connection Settings section, select True from the Advanced AD User Check dropdown

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Workflow

2. In the Workflow section, under Password Settings, select Disabled from the Inline Password Change dropdown

Custom Identity Consumer

3. Select Token from the Receive Token dropdown

4. Select True from the Allow Transparent SSO dropdown

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Post Authentication

5. In the Post Authentication section, select Password Reset from the Authenticated User Redirect dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page

Password Reset

6. Click Configure password reset page

Password Reset Functions

Follow the configuration steps to enable Help Desk Account Unlock

Use Enforce Mode for Active Directory / LDAP directory types

7. Select Enforce Password Change Requirements from the Password Reset Mode dropdown

8. Select Enabled - change other user passwords from the Username Textbox dropdown

9. Select False from the Require Current Password dropdown

10. Select False from the Must Change Password at Next Logon dropdown

11. Select Show unlock button from the Unlock User Account dropdown

12. Select False from the Allow Password Change dropdown

This option disables Password Reset in the Account Unlock process

Refer to Reset Password Configuration Guide for the various password reset configuration options, including Password Reset + Account Unlock

13. Select False from the Validate Password Complexity dropdown

14. Select False from the Show Password Complexity Rules dropdown

15. Select Do not send from the Send Email dropdown

16. Select False from the Show Exception on Page dropdown

Use Administrative Mode for SQL directory types and for more help desk type configurations

7. Select Administrative Password Reset from the Password Reset Mode dropdown

8. Select Enabled - change other user passwords from the Username Textbox dropdown

9. Select False from the Must Change Password at Next Logon dropdown

10. Select Show unlock button from the Unlock User Account dropdown

11. Select False from the Allow Password Change dropdown

This option disables Password Reset in the Account Unlock process

Refer to Reset Password Configuration Guide for the various password reset configuration options, including Password Reset + Account Unlock

12. Select False from the Validate Password Complexity dropdown

13. Select False from the Show Password Complexity Rules dropdown

14. Select Do not send from the Send Email dropdown

15. Select False from the Show Exception on Page dropdown

(no step 16 – skip to step 17)

The Admin Mode with History Check is not supported for eDirectory.

7. Select Administrative Reset with History Check from the Password Reset Mode dropdown

8. Select Enabled - change other user passwords from the Username Textbox dropdown

9. Select False from the Must Change Password at Next Logon dropdown

10. Select Show unlock button from the Unlock User Account dropdown

11. Select False from the Allow Password Change dropdown

This option disables Password Reset in the Account Unlock process

Refer to Reset Password Configuration Guide for the various password reset configuration options, including Password Reset + Account Unlock

12. Select False from the Validate Password Complexity dropdown

13. Select False from the Show Password Complexity Rules dropdown

14. Select Do not send from the Send Email dropdown

15. Select False from the Show Exception on Page dropdown (when set to True, this option displays the reason(s) why a password change is not accepted)

(no step 16 – skip to step 17)

Follow the configuration steps to enable End-user Account Unlock

Use Enforce Mode for Active Directory / LDAP directory types

7. Select Enforce Password Change Requirements from the Password Reset Mode dropdown

8. Select Disabled - change own password from the Username Textbox dropdown

9. Select False from the Require Current Password dropdown

10. Select True from the Must Change Password at Next Logon dropdown

11. Select Automatically from the Unlock User Account dropdown to unlock the user's account upon successful authentication; or select Show unlock button to provide the option to unlock the account

12. Select False from the Allow Password Change dropdown

This option disables Password Reset in the Account Unlock process

Refer to Reset Password Configuration Guide for the various password reset configuration options, including Password Reset + Account Unlock

13. Select False from the Validate Password Complexity dropdown

14. Select False from the Show Password Complexity Rules dropdown

15. Select Do not send from the Send Email dropdown

16. Select False from the Show Exception on Page dropdown

Use Administrative Mode for SQL directory types and for more help desk type configurations

7. Select Administrative Password Reset from the Password Reset Mode dropdown

8. Select Disabled - change own password from the Username Textbox dropdown

9. Select False from the Must Change Password at Next Logon dropdown

10. Select Automatically from the Unlock User Account dropdown to unlock the user's account with the password change; or select Show unlock button to provide the option to unlock the account

11. Select False from the Allow Password Change dropdown

This option disables Password Reset in the Account Unlock process

Refer to Reset Password Configuration Guide for the various password reset configuration options, including Password Reset + Account Unlock

12. Select False from the Validate Password Complexity dropdown

13. Select False from the Show Password Complexity Rules dropdown

14. Select Do not send from the Send Email dropdown

15. Select False from the Show Exception on Page dropdown

(no step 16 – skip to step 17)

The Admin Mode with History Check is not supported for eDirectory.

7. Select Administrative Reset with History Check from the Password Reset Mode dropdown

8. Select Disabled - change own password from the Username Textbox dropdown

9. Select False from the Must Change Password at Next Logon dropdown

10. Select Automatically from the Unlock User Account dropdown to unlock the user's account with the password change; or select Show unlock button to provide the option to unlock the account

11. Select False from the Allow Password Change dropdown

This option disables Password Reset in the Account Unlock process

Refer to Reset Password Configuration Guide for the various password reset configuration options, including Password Reset + Account Unlock

12. Select False from the Validate Password Complexity dropdown

13. Select False from the Show Password Complexity Rules dropdown

14. Select Do not send from the Send Email dropdown

15. Select False from the Show Exception on Page dropdown

(no step 16 – skip to step 17)

Click Save once the configurations have been completed and before leaving the Password Reset page to avoid losing changes

Forms Auth / SSO Token

17. Click View and Configure Forms Auth Keys / SSO Token

Machine Key

18. Click Generate New Keys and copy the new key values from the Validation Key and Decryption Key fields, which are used in the Realm B Configuration Steps below

Realm B Configuration Steps

Realm B is the login realm that redirects end-users to the account unlock page (Realm A)

This realm's URL is where end-users / administrators log in to unlock accounts, and this realm should include the preferred authentication workflow and required multi-factor methods

Data

1. In the Membership Connection Settings section, select False from the Advanced AD User Check dropdown

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Workflow

2. In the Workflow section, under Password Settings, select Disabled from the Inline Password Change dropdown

Custom Identity Consumer

3. Select Send Token Only from the Receive Token dropdown (default)

4. Select False from the Allow Transparent SSO dropdown (default)

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Post Authentication

5. In the Post Authentication section, select Use Custom Redirect from the Authenticated User Redirect dropdown

6. Set the Redirect To field to Realm A's path, e.g. /SecureAuth12/AuthorizedPasswordReset.aspx

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token

7. Click View and Configure Forms Auth Keys / SSO Token

Machine Key

8. Paste the Validation Key and Decryption Key values generated in Realm A into the fields

Do not click Generate New Keys

Authentication Cookies

9. Select False - Session Cookie from the Persistent dropdown

Click Save once the configurations have been completed and before leaving the Forms Auth page to avoid losing changes
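A post-configuration check, added here as an example and not taken from SecureAuth's documentation: it reads the two realms' web.config files and confirms that Realm A and Realm B carry identical Validation Key and Decryption Key values, since a mismatch (or an auto-generated key) means the token issued by Realm B cannot be consumed by Realm A and the redirect to the account unlock page fails. It assumes each realm is an IIS application whose web.config holds the keys in an ASP.NET <machineKey> element; the two file paths are placeholders to replace with the realms' actual locations.

```powershell
# Added example (not SecureAuth's own code). ASSUMPTION: each realm's
# Forms Auth / SSO Token keys live in an ASP.NET <machineKey> element in
# the realm's web.config. Replace the placeholder paths with the real ones.
$realmAConfig = 'C:\PLACEHOLDER\RealmA\web.config'
$realmBConfig = 'C:\PLACEHOLDER\RealmB\web.config'

function Get-RealmMachineKey {
    param([Parameter(Mandatory)][string]$ConfigPath)
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "web.config not found: $ConfigPath"
    }
    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
    $mk = $config.SelectSingleNode('//machineKey')
    if ($null -eq $mk) { throw "No <machineKey> element in $ConfigPath" }
    [pscustomobject]@{
        Path          = $ConfigPath
        ValidationKey = $mk.GetAttribute('validationKey')
        DecryptionKey = $mk.GetAttribute('decryptionKey')
    }
}

function Test-RealmKeysMatch {
    param([string]$PathA, [string]$PathB)
    $a = Get-RealmMachineKey -ConfigPath $PathA
    $b = Get-RealmMachineKey -ConfigPath $PathB
    $problems = @()
    foreach ($name in 'ValidationKey', 'DecryptionKey') {
        foreach ($realm in $a, $b) {
            # An AutoGenerate or empty value means the realm mints its own key,
            # which breaks the Realm B -> Realm A token chain described above.
            if ([string]::IsNullOrWhiteSpace($realm.$name) -or
                $realm.$name -match 'AutoGenerate') {
                $problems += "$name is auto-generated or empty in $($realm.Path)"
            }
        }
        # Keys are hex strings; compare them case-sensitively.
        if ($a.$name -cne $b.$name) {
            $problems += "$name differs between $($a.Path) and $($b.Path)"
        }
    }
    if ($problems.Count -eq 0) {
        Write-Host 'OK: Realm A and Realm B share the same machine keys'
    } else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
    return ($problems.Count -eq 0)
}

Test-RealmKeysMatch -PathA $realmAConfig -PathB $realmBConfig
```

Run it after completing step 8 of the Realm B steps; a False result with warnings points at the realm whose keys still need to be pasted.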