Password Reset Configuration

Last modified 20 Mar 2024 11:47 +01:00
Self-service password reset feature
This page describes configuration of Self-service password reset midPoint feature. Please see the feature page for more details.
Missing/incomplete feature
This is a missing or incomplete feature of midPoint and/or of other related components. We are perfectly capable to implement, fix and finish the feature, just the funding for the work is needed. Please consider the possibility for supporting development of this feature by means of midPoint Platform subscription. If you already are midPoint Platform subscriber and this feature is within the goals of your deployment you may be able to use your subscription to endorse implementation of this feature.

Basic Mechanism

The idea is that all the password reset mechanisms have the same parts:

  • Request: user requests password reset. This may as simple as a "forgot password" button on a login screen. But there may be complicated methods, such as requesting password reset by asking a colleague or indirect helpdesk password reset scenarios.

  • Authentication: the user that requests password reset is authenticated. This may an complete out-of-band authentication (which effectively means no extra authentication is performed by midPoint). This may an usual authentication using a nonce send in an e-mail message. This may be authentication based on security questions. Or there may be other complex authentication schemes.

  • Source of new credentials specifies how a new credential value is determined. The new value may be entered by the user, randomly generated, determine by a key-exchange protocol and so on.

  • Delivery specifies how the new credential value is delivered to the user. The value may be simply displayed on the screen, sent in an e-mail or even distributed to several colleagues.


This change need to be reflected to the interfaces as well (IDM Model Interface, REST API). There needs to be several new methods:

  • Request method: the caller requests credential reset for a user. This starts the reset process:
    requestCredentialReset(user, credentalId, resetMethodId): CredentialResetContext

  • Authentication method. The caller is authenticated (if needed)

  • Execute method: the credential reset is executed, credentials are changes, deliver methods are carried out:
    executeCredentialReset(user, credentialId, resetMethodId, newCredentialValue)

The usual process would be request-authenticate-execute. However, for simple cases it may be possible to invoke just execute method.


The progress of the credential reset process may be stored in the user object.

See Also


This feature is related to the following compliance frameworks:

Was this page helpful?
Thanks for your feedback