This section contains new information and documentation corrections for the Sun Identity Manager 8.1 Business Administrator’s Guide:
The following information will be added to the Security chapter:
Identity Manager now provides Login Recovery authentication as an alternative to the Forgot Password login, which is based on security questions. Login Recovery authentication implements a message obfuscation option that renders all errors and successes with the same generic result message, so that the response does not reveal whether an account exists. This is done to resist account harvesting. Functionally, this login recovery method uses the same system as the Forgot my User Id method, and both options share the same configuration attributes. However, Login Recovery authentication also resets the user's password and emails both the login and the password to the user's email address. (ID-18052)
You can configure the Login Recovery method to replace the question-based login by redirecting the Forgot Password button or you can enable a new Login Recovery button on the login page. You configure both methods by modifying the System Configuration File.
To redirect the Forgot Password button to Login Recovery, configure the following:
    ui.web.user.questionLogin.forceLoginRecovery = true
    ui.web.admin.questionLogin.forceLoginRecovery = true
To use a Login Recovery button instead of the Forgot Password button, configure the following:
    ui.web.user.disableLoginRecovery = false
    ui.web.admin.disableLoginRecovery = false
    ui.web.user.disableForgotPassword = true
    ui.web.admin.disableForgotPassword = true
    ui.web.user.disableForgotUserId = true
    ui.web.admin.disableForgotUserId = true
An obfuscate messages option that helps the Login Recovery system resist account harvesting is enabled by default in the loginRecovery.jsp files. You can set this same option in the lookupUserId.jsp files.
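The effect of message obfuscation on a recovery form, shown as an added example that is not Identity Manager code: a recovery handler with outcome-specific replies next to one that returns a single generic reply and records the real outcome in an audit log. The account data, function names, and message text are all constructed for the illustration.

```python
import secrets

GENERIC_RESULT = "Your request was processed. If it matched an account, an email was sent."

# Constructed sample data (email -> login). Not real accounts.
ACCOUNTS = {"jdoe@example.com": "jdoe", "asmith@example.com": "asmith"}


def _reset_and_mail(address, login, outbox):
    # Generate a new password and queue the mail to the address on record.
    new_password = secrets.token_urlsafe(12)
    outbox.append((address, login, new_password))


def recover_verbose(email, outbox):
    """Non-obfuscated variant: the reply differs per outcome."""
    key = email.strip().lower()
    login = ACCOUNTS.get(key)
    if login is None:
        return "No user found with that email address."
    _reset_and_mail(key, login, outbox)
    return f"Login and new password sent for {login}."


def recover_obfuscated(email, outbox, audit):
    """Obfuscated variant: one reply for every outcome; detail goes to the audit log."""
    key = email.strip().lower()
    login = ACCOUNTS.get(key)
    try:
        if login is None:
            audit.append(("recovery_no_match", key))
        else:
            _reset_and_mail(key, login, outbox)
            audit.append(("recovery_sent", login))
    except Exception as exc:  # errors get the same reply as successes
        audit.append(("recovery_error", repr(exc)))
    return GENERIC_RESULT


def distinguishable(handler, probes):
    """True if replies differ across probes, i.e. the form leaks account existence."""
    return len({handler(p) for p in probes}) > 1
```

Because the user sees the same text either way, the audit entries are what an administrator reviews to spot repeated no-match requests.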