Password Reset Configuration before 4.6

Last modified 14 Apr 2022 12:32 +02:00

This mechanisms is soon to be replaced by a New Password Reset Configuration.

Reset password feature provides a possibility to user to reset his/her password. It is disabled by default. Following text describes how to enable this feature.

Enabling Reset Password

To enable reset password feature, it is needed to configure it in security policy referenced from system configuration. The first thing which has to be configured is the method using for reset password (security question, mail, sms). Configuration for notifications, generation of one time password and other things depends on the chosen method type.

Reset password by mail

Following is the configuration of security policy which enables reset password by mail.

Reset password by mail configuration
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
                oid="28bf845a-b107-11e3-85bc-001e8c717e5b"
                version="18">
   <name>Security Policy</name>
   <authentication>
      <mailAuthentication>
         <name>confirmationLink</name>
         <displayName>Additional mail authnetication</displayName>
         <mailNonce>mailNonce</mailNonce>
      </mailAuthentication>
   </authentication>
   <credentials>
      <nonce>
         <maxAge>PT2M</maxAge>
         <name>mailNonce</name>
         <valuePolicyRef oid="00000000-0000-1111-0000-000000000003" type="c:ValuePolicyType"><!-- Mail Nonce Policy --></valuePolicyRef>
      </nonce>
   </credentials>
   <credentialsReset>
      <mailReset>
         <name>Reset password using mail</name>
         <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
      </mailReset>
   </credentialsReset>
</securityPolicy>

In the example above, there is a credentialsReset section. In this section different methods for password reset can be configured, in this case _mailReset _means that the confirmation link is sent to the user’s email. After clicking on the confirmation link, user is prompted for new password.

Deprecated From MidPoint 4.1 and will be removed in 4.5

Configuration attribute 'securityPolicy/authentication/mailAuthentication' is deprecated. Please use Flexible Authentication for configuration of authentication sequence for reset password. Also attribute 'securityPolicy/credentialsReset/mailReset' is deprecated.

From 4.1 midpoint support configuration for reset password via Flexible Authentication. We need configure authentication module for email nonce and authentication sequence for reset password. Finally, we set name of authentication sequence to securityPolicy/credentialsReset/authenticationSequenceName.

Example of new configuration
<securityPolicy>
...
   <authentication>
   ...
     <modules>
     ...
        <mailNonce>
            <name>MailNonce</name>
            <description> Authentication based on mail message with a nonce. Used for user registration.</description>
            <credentialName>mailNonce</credentialName>
        </mailNonce>
      </modules>
      ...
      <sequence>
        <name>userPasswordResetAuth</name>
        <description>Just a nonce mail to validate e-mail address.</description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#resetPassword</channelId>
            <urlSuffix>resetPassword</urlSuffix>
        </channel>
        <module>
            <name>MailNonce</name>
            <order>10</order>
            <necessity>sufficient</necessity>
        </module>
      </sequence>
   </authentication>
   <credentials>
      <nonce>
         <maxAge>PT2M</maxAge>
         <name>mailNonce</name>
         <valuePolicyRef oid="00000000-0000-1111-0000-000000000003" type="c:ValuePolicyType"><!-- Mail Nonce Policy --></valuePolicyRef>
      </nonce>
   </credentials>
   <credentialsReset>
      <authenticationSequenceName>userPasswordResetAuth</authenticationSequenceName>
   </credentialsReset>
</securityPolicy>

When we use nonceModule authentication module means that the confirmation link is sent to the user’s email. After clicking on the confirmation link, user is prompted for new password.

The confirmation link is generated and validated using value policy referenced from the attribute valuePolicyRef. The correlation between password reset and nonce generation settings is done through attribute additionalAuthenticationName. mailReset configuration has reference to the authentication method (attribute additionalAuthenticationName) used to confirm the password reset process. Concrete authentication method (mailAuthentication in this case) contains setting for generating and validating nonce_. _

After nonce is successfully generated it is sent in the validation link to the user’s mail. To be able to send this confirmation link to the user, it is needed to configure notifications (in the system configuration). Example for such configuration is shown in the following sample:

Example for notification configuration
<passwordResetNotifier>
    <recipientExpression>
    	<script>
			<code>return requestee.getEmailAddress()</code>
        </script>
    </recipientExpression>
    <bodyExpression>
        <script>
            <code>

            	import com.evolveum.midpoint.notifications.api.events.ModelEvent
                modelEvent = (ModelEvent) event
                newUser = modelEvent.getFocusContext().getObjectNew();
                userType = newUser.asObjectable();

	            link = midpoint.createPasswordResetLink(userType)
		        bodyMessage = "Did you request password reset? If yes, click on the link below \n" + link

		        return bodyMessage;
            </code>
        </script>
	</bodyExpression>
    <transport>mail</transport>
</passwordResetNotifier>

While using custom body expression don’t forget to generate the link. There is a method in midPoint function library which will generate the link - midpoint.createPasswordResetLink(userType).

Reset password with security questions

Following is the configuration of security questions for password reset.

Reset password by mail configuration
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
                xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                oid="2823445a-b107-11e3-85bc-001e8c717e5b">
    <name>Security Policy with configured security questions</name>
    <credentials>
        <password>
            ...
        </password>
        <securityQuestions>
            <name>userQuestions</name>
            <maxAge>P90D</maxAge>
            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
            <lockoutDuration>PT15M</lockoutDuration>
            <valuePolicyRef oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="c:ValuePolicyType"/>
            <questionNumber>1</questionNumber>
            <question id="21">
                <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
                <enabled>true</enabled>
                <questionText>How much wood would a woodchuck chuck if woodchuck could chuck wood?</questionText>
            </question>
        </securityQuestions>
    </credentials>
     <credentialsReset>
        <name>userPasswordReset</name>
        <securityQuestionReset>
            <name>Reset password using security question</name>
        </securityQuestionReset>
    </credentialsReset>
</securityPolicy>
Deprecated From MidPoint 4.1 and will be removed in 4.5

Configuration attribute 'securityPolicy/authentication/mailAuthentication' is deprecated. Please use Flexible Authentication for configuration of authentication sequence for reset password. Also attribute 'securityPolicy/credentialsReset/securityQuestionReset' is deprecated.

From 4.1 midpoint support configuration for reset password via Flexible Authentication. We need configure authentication module for security questions and authentication sequence for reset password. Finally, we set name of authentication sequence to securityPolicy/credentialsReset/authenticationSequenceName.

Example of new configuration
<securityPolicy>
...
   <authentication>
   ...
     <modules>
     ...
         <securityQuestionsForm>
            <name>SecQ</name>
            <description>This is interactive, form-based authentication by using security questions.</description>
            <credentialName>userQuestions</credentialName>
         </securityQuestionsForm>
      </modules>
      ...
      <sequence>
        <name>userPasswordResetAuth</name>
        <description>Just a nonce mail to validate e-mail address.</description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#resetPassword</channelId>
            <urlSuffix>resetPassword</urlSuffix>
        </channel>
        <module>
            <name>SecQ</name>
            <order>10</order>
            <necessity>sufficient</necessity>
        </module>
      </sequence>
   </authentication>
   <credentials>
      <nonce>
         <maxAge>PT2M</maxAge>
         <name>mailNonce</name>
         <valuePolicyRef oid="00000000-0000-1111-0000-000000000003" type="c:ValuePolicyType"><!-- Mail Nonce Policy --></valuePolicyRef>
      </nonce>
   </credentials>
   <credentialsReset>
      <authenticationSequenceName>userPasswordResetAuth</authenticationSequenceName>
   </credentialsReset>
</securityPolicy>

Reset password and custom form

It isn’t probably difficult to imagine that current reset password form doesn’t satisfy everyone’s needs. Using just email address (which in addition references to the concrete field and cannot be changed without changing the source code) to find an user which is requesting the password reset might not satisfy requirements. With introducing custom forms they can be used to specify custom form for user identification. All what is needed to be done is to add the reference to form in the reset password cofiguration as below:

Reset password and custom form
 <credentialsReset>
    <mailReset>

        ...

        <formRef oid="bb42fa87-b066-48a0-a960-c77fc8b53737" type="c:FormType"><!-- Reset password form --></formRef>
    </mailReset>
</credentialsReset>
Was this page helpful?
YES NO
Thanks for your feedback