Authentication on the Password Reset Portal differs from authentication on the Web Portal. Users can log in to Password Reset Portal using the following options:
Table 12: Authentication options
Login with passcode. |
Password reset (role-based), read-only. |
Password reset, read-only. |
Login using a secret password question. |
Password reset (role-based), read-only. |
Password reset, read-only. |
Login with user name and password. |
Specified in the web application configuration. |
Specified in the web application configuration. |
If Web Portal users forget their password, they can login in to the Password Reset Portal with the help of the password questions and set a new password.
To configure the use of password questions.
-
Start the Designer program.
-
Connect to the relevant database.
-
Configure the following configuration parameters:
NOTE: For more information about editing configuration parameters in the Designer, see the One Identity Manager Configuration Guide.
-
QER | Person | PasswordResetAuthenticator | QueryAnswerDefinitions: Specify how many password questions and answers users must enter. Users who do not enter enough or any questions and answers, cannot reset their password.
NOTE: The value must not be less than the value in the QueryAnswerRequests configuration parameter.
-
QER | Person | PasswordResetAuthenticator | QueryAnswerRequests: Specify how many password questions users have to answer before they can reset their password.
NOTE: The value must not be higher than the value in the QueryAnswerDefinitions configuration parameter.
-
QER | Person | PasswordResetAuthenticator | InvalidateUsedQuery: Specify whether users must enter new password questions and answers after successfully resetting their password. In this case, correctly answered questions are deleted.
Users can set the following default passwords.
Table 13: Password overview
Everyone |
Own password |
Person.DialogUserPassword |
Everyone |
User account password, which is
- Directly assigned to the current employee.
- OR -
- Assigned to the current employee's sub identity.
- OR -
- Assigned to the current employee's sponsored identity, service identity or group identity.
- OR -
- Assigned to one of the current user's shared user accounts.
|
AADUser.Password
ADSAccount.UserPassword
CSMUser.Password
EBSUser.Password
GAPUser.Password
LDAPAccount.UserPassword
NDOUser.Password
SAPUser.Password
UNSAccountB.Password
UNXAccount.UserPassword |
Members of the application role Base roles | Administrators |
Password for individual system users |
DialogUser.Password |
NOTE: The system user is not suggested for resetting the password in the following cases:
- If external password management is enabled for the system user.
- If the system user is enabled as service account.
- If the system user is used for automatic software updating of One Identity Manager web applications.
These cases are implemented in the QER_PasswordWeb_IsAllowSet script, which can be overwritten.
- If the system user is used for role-based login.
In this case, the system user is not accepted by the Password Reset Portal.
Table 14: Script for resetting passwords
QER_PasswordReset_IsAllowSet |
Specifies whether resetting a password in the Password Reset Portal is allowed. |
To prevent users from setting passwords by mistake, you can exclude certain password from being reset.
User cases for this may be passwords that are calculated from other values or passwords for target systems that are only connected as read-only.
NOTE: In "QER_PasswordWeb_IsAllowSet", the system user is prevented, by default, from resetting the password in the following cases.
- If external password management is enabled.
- If the system user is enabled as service account.
- If the system user is used for automatic software updating of One Identity Manager web applications.
To exclude passwords from being reset
- Open the Designer.
- Find "QER_PasswordReset_IsAllowSet".
- Use "QER_PasswordReset_IsAllowSet" as the basis for an overrideable script with the following parameters.
- Current user's UID_Person.
- Object's key (ObjectKey) offered for password reset.
- Password column name.
- Save the setting in the Designer.
- Compile the Password Reset Portal.