Password Reset Configuration

Last modified 13 May 2022 14:36 +02:00
MidPoint 4.6 and later
This configuration is valid in midPoint 4.6 and later. For configuration before 4.6 please see Password Reset Configuration before 4.6.

Reset password feature provides a possibility to user to reset his/her password. It is disabled by default. Following text describes how to enable this feature.

Enabling Reset Password

To enable reset password feature, it is needed to configure it in security policy referenced from system configuration. The first thing which has to be configured is the authentication sequence using for reset password (security question nad mail). Configuration for notifications, generation of one time password and other things depends on the chosen method type.

Reset password by mail

From 4.1 midpoint support configuration for reset password via Flexible Authentication. We need configure authentication module for email nonce and authentication sequence for reset password. Finally, we set name of authentication sequence to securityPolicy/credentialsReset/authenticationSequenceName.

Example of new configuration
<securityPolicy>
...
   <authentication>
   ...
     <modules>
     ...
        <mailNonce>
            <name>MailNonce</name>
            <description> Authentication based on mail message with a nonce. Used for user registration.</description>
            <credentialName>mailNonce</credentialName>
        </mailNonce>
      </modules>
      ...
      <sequence>
        <name>userPasswordResetAuth</name>
        <description>Just a nonce mail to validate e-mail address.</description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#resetPassword</channelId>
            <urlSuffix>resetPassword</urlSuffix>
        </channel>
        <module>
            <name>MailNonce</name>
            <order>10</order>
            <necessity>sufficient</necessity>
        </module>
      </sequence>
   </authentication>
   <credentials>
      <nonce>
         <maxAge>PT2M</maxAge>
         <name>mailNonce</name>
         <valuePolicyRef oid="00000000-0000-1111-0000-000000000003" type="c:ValuePolicyType"><!-- Mail Nonce Policy --></valuePolicyRef>
      </nonce>
   </credentials>
   <credentialsReset>
      <authenticationSequenceName>userPasswordResetAuth</authenticationSequenceName>
   </credentialsReset>
</securityPolicy>

When we use nonceModule authentication module means that the confirmation link is sent to the user’s email. After clicking on the confirmation link, user is prompted for new password.

The confirmation link is generated and validated using value policy referenced from the attribute valuePolicyRef. The correlation between password reset and nonce generation settings is done through attribute additionalAuthenticationName. mailReset configuration has reference to the authentication method (attribute additionalAuthenticationName) used to confirm the password reset process. Concrete authentication method (mailAuthentication in this case) contains setting for generating and validating nonce_. _

After nonce is successfully generated it is sent in the validation link to the user’s mail. To be able to send this confirmation link to the user, it is needed to configure notifications (in the system configuration). Example for such configuration is shown in the following sample:

Example for notification configuration
<passwordResetNotifier>
    <recipientExpression>
    	<script>
			<code>return requestee.getEmailAddress()</code>
        </script>
    </recipientExpression>
    <bodyExpression>
        <script>
            <code>

            	import com.evolveum.midpoint.notifications.api.events.ModelEvent
                modelEvent = (ModelEvent) event
                newUser = modelEvent.getFocusContext().getObjectNew();
                userType = newUser.asObjectable();

	            link = midpoint.createPasswordResetLink(userType)
		        bodyMessage = "Did you request password reset? If yes, click on the link below \n" + link

		        return bodyMessage;
            </code>
        </script>
	</bodyExpression>
    <transport>mail</transport>
</passwordResetNotifier>

While using custom body expression don’t forget to generate the link. There is a method in midPoint function library which will generate the link - midpoint.createPasswordResetLink(userType).

Reset password and custom form

It isn’t probably difficult to imagine that current reset password form doesn’t satisfy everyone’s needs. Using just email address (which in addition references to the concrete field and cannot be changed without changing the source code) to find an user which is requesting the password reset might not satisfy requirements. With introducing custom forms they can be used to specify custom form for user identification. All what is needed to be done is to add the reference to form in the reset password cofiguration as below:

Reset password and custom form
 <credentialsReset>
    ...

    <formRef oid="bb42fa87-b066-48a0-a960-c77fc8b53737" type="c:FormType"><!-- Reset password form --></formRef>
</credentialsReset>