Sun ONE Identity Server 6.1 Administration Guide
Chapter 8
Password Reset Service

Sun ONE Identity Server provides a Password Reset service that allows users to reset their password for access to a given service or application protected by Identity Server. The Password Reset service attributes, defined by the top-level administrator, control the user validation credentials (in the form of secret questions), control the mechanism for notifying users of a new or existing password, and set the lockout intervals applied after incorrect user validation.
This chapter contains the following sections:
Registering the Password Reset Service

The Password Reset service does not need to be registered for the organization in which the user resides. If the Password Reset service does not exist in the organization in which the user resides, it will inherit the values defined for the service in the Service Configuration module.
To register the Password Reset Service for users in a different organization:
Configuring the Password Reset Service

Once the Password Reset service has been registered, the service must be configured by a user with administrator privileges. To configure the service:
- The Password Reset attributes appear in the Data frame, allowing you to define requirements for the Password Reset service. Make sure that the Password Reset service is enabled (it is by default). At a minimum, the following attributes must be defined:
- User Validation
- Secret Question
- Bind DN
- Bind Password
The Bind DN attribute must contain a user with privileges for resetting the password (for example, Help Desk Administrator).
The remaining attributes are optional. Descriptions of the Password Reset attributes can be found in Password Reset Service Attributes or by clicking the Help link in the upper right corner of the console.
- Select the Personal Question Enabled attribute if the user is to define his/her unique personal questions. Once the attributes are defined, click Save.
Password Reset Lockout
The Password Reset service contains a lockout feature that will restrict users to a certain number of attempts to correctly answer their secret questions. The lockout feature is configured through the Password Reset service attributes. Descriptions of these attributes can be found in "Password Reset Service Attributes". Password Reset supports two types of lockout, memory lockout and physical lockout.
Memory Lockout
This is a temporary lockout and is in effect only when the value in the Password Reset Failure Lockout Duration (minutes) attribute is greater than zero and the Password Reset Failure Lockout Mode attribute is enabled. This lockout will prevent users from resetting their password through the Password Reset web application. The lockout lasts for the duration specified in Password Reset Failure Lockout Duration, or until the server is restarted.
Physical Lockout
This is a more permanent lockout. If the value in the Password Reset Failure Lockout Count attribute is set to 0 and the Password Reset Failure Lockout Mode attribute is enabled, the user’s account status is changed to inactive when he or she incorrectly answers the secret questions.
Password Reset for End Users

The following sections describe the user experience for the Password Reset service.
Customizing Password Reset
Once the Password Reset service has been enabled and the attributes defined by the administrator, users are able to log into the Identity Server console in order to customize their secret questions. For example:
- The user logs into the Identity Server console, providing Username and Password and is successfully authenticated.
- In the User Profile page, the user selects Password Reset Options. This displays the Available Questions Answer Screen.
- The user is presented with the available questions that the administrator defined for the service, such as:
- The user selects the secret questions, up to the maximum number of questions that the administrator defined for the organization (the maximum number is defined in the Password Reset service). The user then provides answers to the selected questions. These questions and answers will be the basis for resetting the user’s password (see the following section). If the administrator has selected the Personal Question Enabled attribute, text fields are provided, allowing the user to enter a unique secret question and provide an answer.
Figure 8-1 Available Questions Answer Screen with Personal Question Enabled
- The user clicks Save.
Resetting Forgotten Passwords
In the case where users forget their password, Identity Server uses the Password Reset web application to randomly generate new passwords and notify the user of the new password. A typical forgotten password scenario follows:
- The user logs into the Password Reset web application from a URL given to them by the administrator. For example:
http://hostname:port/ampassword (for the default organization)
or
http://hostname:port/deploy_uri/ui/PWResetUserValidation?org=orgname, where orgname is the name of the organization.
- The user enters the user id.
- The user is presented with the personal questions that were defined in the Password Reset service and selected by the user during customization. If the user has not previously logged into the User Profile page and customized the personal questions, the password will not be generated.
Figure 8-2 Password Questions for User Screen
Once the user answers the questions correctly, the new password is generated and emailed to the user. Attempt notification is sent to the user whether the questions are answered correctly or not. Users must have their email address entered in the User Profile page in order for the new password and attempt notification to be received.
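The lockout rules from "Password Reset Lockout" and the forgotten-password flow just described interact in one validation step, so the following simulation covers both. It is an added example, not code from Sun ONE Identity Server: the policy fields carry the console attribute names from this chapter, while the classes, the in-memory stores, the injectable clock, the constant-time case-insensitive answer comparison, the counter reset after a lockout, and the sample users are constructed assumptions for illustration.

```python
"""Simulation of Password Reset user validation with memory and physical
lockout.  Added example; not Sun ONE Identity Server code."""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PasswordResetPolicy:
    # Defaults are constructed values; the names mirror the console attributes.
    lockout_mode_enabled: bool = True  # Password Reset Failure Lockout Mode
    lockout_count: int = 3             # Password Reset Failure Lockout Count (0 = physical)
    lockout_duration_min: int = 15     # Password Reset Failure Lockout Duration (minutes)


@dataclass
class User:
    uid: str
    email: Optional[str]                                   # from the User Profile page
    answers: Dict[str, str] = field(default_factory=dict)  # chosen during customization
    status: str = "active"


class PasswordResetService:
    """Constructed stand-in for the Password Reset web application."""

    def __init__(self, policy: PasswordResetPolicy, users: List[User],
                 clock: Callable[[], int]):
        self.policy = policy
        self.users = {u.uid: u for u in users}
        self.clock = clock  # returns minutes; injected so the lockout window can be advanced
        # Memory-lockout state is process-local, so a server restart clears it.
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, int] = {}
        self.outbox: List[Tuple[str, str, str]] = []  # (email, subject, body)

    def restart(self) -> None:
        self.failures.clear()
        self.locked_until.clear()

    def _notify(self, user: User, subject: str, body: str) -> bool:
        # Without an email address on the profile nothing can be delivered.
        if not user.email:
            return False
        self.outbox.append((user.email, subject, body))
        return True

    @staticmethod
    def _generate_password(length: int = 12) -> str:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def reset(self, uid: str, answers: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Validate the secret answers; returns (outcome, new_password_or_None)."""
        user = self.users.get(uid)
        if user is None:
            return "unknown_user", None
        if user.status != "active":
            return "account_inactive", None
        if self.locked_until.get(uid, -1) > self.clock():
            return "locked_out", None
        if not user.answers:
            return "not_customized", None  # questions never chosen: no password generated
        # Every registered question must match (constant-time, case-insensitive: assumption).
        correct = all(
            secrets.compare_digest(stored.strip().lower().encode(),
                                   answers.get(question, "").strip().lower().encode())
            for question, stored in user.answers.items()
        )
        if correct:
            self.failures.pop(uid, None)
            password = self._generate_password()
            delivered = self._notify(user, "Your new password", password)
            self._notify(user, "Password reset attempt", "Your answers were accepted.")
            return ("reset" if delivered else "reset_undeliverable"), password
        # Attempt notification is sent on failure as well.
        self._notify(user, "Password reset attempt", "Your answers were rejected.")
        policy = self.policy
        if policy.lockout_mode_enabled:
            if policy.lockout_count == 0:
                user.status = "inactive"  # physical lockout: persistent account change
                return "account_inactive", None
            failures = self.failures[uid] = self.failures.get(uid, 0) + 1
            if failures >= policy.lockout_count and policy.lockout_duration_min > 0:
                self.failures.pop(uid)  # assumption: counter restarts after the lockout
                self.locked_until[uid] = self.clock() + policy.lockout_duration_min
                return "locked_out", None
        return "wrong_answers", None


class FakeClock:
    """Constructed minute counter standing in for the server clock."""
    def __init__(self) -> None:
        self.now = 0

    def __call__(self) -> int:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    alice = User("alice", "alice@example.test", {"Favourite colour?": "green"})
    svc = PasswordResetService(PasswordResetPolicy(), [alice], clock)
    for _ in range(3):
        print(svc.reset("alice", {"Favourite colour?": "blue"}))  # two failures, then lockout
    clock.now += 16
    print(svc.reset("alice", {"Favourite colour?": "Green"}))     # window expired: reset
```

Setting the count to 0 is the sharp edge worth testing before enabling lockout mode in production: with the default duration still non-zero, a single wrong answer deactivates the account rather than imposing a temporary wait, and only an administrator can reverse it.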
Password Policies

A secure password policy minimizes the risks associated with easily-guessed passwords by enforcing the following:
Directory Server provides several ways to set a password policy at any node in the directory tree. For details, refer to the following Directory Server documentation:
http://docs.sun.com/source/816-6700-10/aci.html#14773
http://docs.sun.com/source/816-6698-10/useracct.html#14386