The Identity Management (IdM) tool in SecureAuth® Identity Platform (formerly SecureAuth IdP) includes an account unlock feature as part of the Password Reset page.

This configuration option can unlock a user account, but it does not display the account's current status on the Account Unlock page. Instead, it shows that the user account is "normal".

To view the account's current status (normal, locked, and so on) before and after unlocking the account on the Account Unlock page, see Unlock Account (show status) page configuration.
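Because the Account Unlock page described here always reports the account as "normal", an administrator who wants to confirm that an unlock actually took effect can read the lockout state from the directory itself. The following PowerShell function is an added example, not code from SecureAuth or from this page; it assumes an Active Directory data store and the RSAT ActiveDirectory module, and the user name and domain controller in the usage line are placeholders.

```powershell
# Added example (not SecureAuth's code): read an AD account's lockout state
# directly from the directory, before and after using the Account Unlock page.
# Assumes the RSAT ActiveDirectory module and an Active Directory data store.
Import-Module ActiveDirectory

function Get-AccountLockState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Optional: query a specific domain controller (placeholder in the usage below).
        [string] $Server
    )

    $params = @{
        Identity   = $SamAccountName
        Properties = 'LockedOut', 'lockoutTime', 'badPwdCount', 'Enabled'
    }
    if ($Server) { $params.Server = $Server }

    $user = Get-ADUser @params

    # lockoutTime is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means not locked.
    $lockedSince = if ($user.lockoutTime -gt 0) {
        [DateTime]::FromFileTimeUtc([long] $user.lockoutTime)
    } else {
        $null
    }

    # Derive a status label comparable to the one the page would show if it displayed status.
    $status = if ($user.LockedOut) { 'locked' }
              elseif (-not $user.Enabled) { 'disabled' }
              else { 'normal' }

    [pscustomobject]@{
        User        = $user.SamAccountName
        Enabled     = $user.Enabled
        LockedOut   = $user.LockedOut
        LockedSince = $lockedSince
        BadPwdCount = $user.badPwdCount   # not replicated between DCs; value is per queried DC
        Status      = $status
    }
}

# Usage (placeholder account and DC): run once before and once after the unlock.
Get-AccountLockState -SamAccountName 'jdoe' -Server 'dc01.example.com'
```

Querying the same domain controller that the IdM service account writes to avoids a misleading "still locked" result caused by replication delay; badPwdCount in particular is never replicated, so it only describes the controller you asked.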

There are three password reset modes:

  • Enforce mode – Useful for most Active Directory and LDAP use cases. This mode enforces password history requirements, such as not reusing a previous password or not allowing frequent password changes.
  • Administrative mode – Useful for SQL-type data stores, in a Help Center environment, and if your data store supports password history checks.
  • Administrative mode with history check – Useful for SQL-type data stores, in a Help Center environment, and if your data store does not support password history checks.

Prerequisites

  • A data store whose service account has write privileges (needed to change user account statuses)
  • A realm for the Account Unlock page with the following tabs configured before setting up the Post Authentication tab: 


Identity Platform configuration

You can allow end users to unlock their own accounts, or have administrators unlock user accounts from the Help Desk.

Help Desk Account Unlock page configuration
  1. Go to the Data tab.
  2. In the Membership Connection Settings > Group Permissions section, set Advanced AD User Check to False.
  3. Save your changes. 
  4. Go to the Post Authentication tab. 
  5. In the Post Authentication section, set the following.

    Authenticated User Redirect

    Set to Password Reset.

    Redirect To

    This field is autopopulated with the post authentication .aspx page. It is appended to the domain name and realm number in the web address bar, for example, Authorized/PasswordReset.aspx.

  6. Save your changes. 
  7. In the Password Reset section, click the Configure password reset page link. 
  8. In the Password Reset Functions section, set the Password Reset Mode to one of the following options:
    • Enforce Password Change Requirements (Enforce mode) – This mode enforces password history rules and must use the current password. If the current password is not provided, a random password is set first and then used as the current password for the change.
      Note: Use this option for Active Directory and LDAP directory types that have password history checks.

    • Administrative Password Reset (Admin mode) – This mode does not enforce password history rules, and the current password is not required.
      Note: Use this option for SQL directory types that do not need or support password history checks.

    • Administrative Reset with History Check (Administrative mode with history check) – Enforces password history rules and does not require the current password. This mode is not guaranteed to work with non-AD LDAP data stores. For Active Directory, you need to open SSL Outbound Port 636.
      Note: This is not supported for eDirectory.

  9. Continue with the rest of the configuration settings. The settings are the same for all password reset modes, unless otherwise specified.   

    Username Textbox

    Set to Enabled - change other user passwords. This shows the username search box so Help Desk administrators can select other users' accounts.

    Require Current Password

    Set to False.

    This field displays only when Password Reset Mode is set to Enforce Password Change Requirements.

    Must Change Password at Next Logon

    Set to False.

    Unlock User Account

    Set to Show unlock button.

    Allow Password Change

    Set to False.

    This option disables password reset in the Account Unlock process. 

    For other password reset configuration options, including password reset with account unlock, see Reset Password configuration.

    Validate Password Complexity

    Set to False.

    Show Password Complexity Rules

    Set to False.

    Send Email

    Set to Do not send.

    Show Exception on Page

    Set to False.

  10. Save your changes. 

End user Account Unlock page configuration
  1. Go to the Data tab.
  2. In the Membership Connection Settings > Group Permissions section, set Advanced AD User Check to False.
  3. Save your changes. 
  4. Go to the Post Authentication tab. 
  5. In the Post Authentication section, set the following.

    Authenticated User Redirect

    Set to Password Reset.

    Redirect To

    This field is autopopulated with the post authentication .aspx page. It is appended to the domain name and realm number in the web address bar, for example, Authorized/PasswordReset.aspx.

  6. Save your changes. 
  7. In the Password Reset section, click the Configure password reset page link. 
  8. In the Password Reset Functions section, set the Password Reset Mode to one of the following options:
    • Enforce Password Change Requirements (Enforce mode) – This mode enforces password history rules and must use the current password. If the current password is not provided, a random password is set first and then used as the current password for the change.
      Note: Use this option for Active Directory and LDAP directory types that have password history checks.

    • Administrative Password Reset (Admin mode) – This mode does not enforce password history rules, and the current password is not required.
      Note: Use this option for SQL directory types that do not need or support password history checks.

    • Administrative Reset with History Check (Administrative mode with history check) – Enforces password history rules and does not require the current password. This mode is not guaranteed to work with non-AD LDAP data stores. For Active Directory, you need to open SSL Outbound Port 636.
      Note: This is not supported for eDirectory.

  9. Continue with the rest of the configuration settings. The settings are the same for all password reset modes, unless otherwise specified.   

    Username Textbox

    Set to Disabled - change own password. This hides the username search box; users can only change their own password.

    Require Current Password

    Set to False.

    This field displays only when Password Reset Mode is set to Enforce Password Change Requirements.

    Must Change Password at Next Logon

    For Enforce mode, set to True to bypass any minimum password age restrictions.

    For Admin mode and Admin mode with history check, set to False.

    Unlock User Account

    Set to Automatically or Show unlock button.

    Allow Password Change

    Set to False.

    This option disables password reset in the Account Unlock process. 

    For other password reset configuration options, including password reset with account unlock, see Reset Password configuration.

    Validate Password Complexity

    Set to False.

    Show Password Complexity Rules

    Set to False.

    Send Email

    Set to Do not send.

    Show Exception on Page

    Set to False.

  10. Save your changes. 


Optional configurations for token or cookie settings and SSO

In the Forms Auth / SSO Token section, you can optionally configure the token or cookie settings and single sign-on (SSO) for this realm.

To configure token or cookie settings, see Configure token or cookie settings.

To configure this realm for SSO, see SecureAuth IdP single sign-on configuration.

To configure this realm for Windows Desktop SSO, see Windows desktop SSO configuration.

