
Enterprise Single Sign-On 9.0.2 - Authentication Manager Self Service Password Request Administration Guide


Compatibility between SSPR features and supported authentication methods

The Self Service Password Request feature is delivered with the SSPR option license.

Authentication method    Reset password          Reset PIN       Q&A-based authentication
Authentication Manager   Yes                     Yes             Yes
Windows                  Yes (with web portal)   Not available   Not available
Session                  Not available           Not available   Not available
QRentry                  Yes                     Not available   Not available
Public Access            Yes (with web portal)   Not available   Not available

Configuring SSPR

Configuring Self Service Password Request

Allowing users to reset their password or PIN

Subject

This section describes how to allow users to reset their password or PIN by themselves. You can enable this feature on any workstation secured by the One Identity EAM (Enterprise Access Management) solution. If Authentication Manager is installed on these workstations, mobile users can reset their access even when they are not connected to the network.

IMPORTANT: To enable PIN reset, One Identity Authentication Manager is required.

Restriction

This feature runs only with the LDAP configuration storage mode.

Before Starting
  • Make sure that the Self Service Password Request feature is enabled, as detailed in One Identity EAM Installation Guide.
  • You have the following administration role:
    • In classic administration mode: Security object administrator.
    • In advanced administration mode, your role must contain the following rights: User security profile: Creation/Modification and Temporary password access: Change duration.
Procedure
  1. In EAM Console, create or select the user security profile that contains the users for whom you want to activate the self-service password and/or PIN reset feature.
  2. Click the Self Service Password Request tab and complete the tabbed panel as detailed below:

  1. The user can reset his or her password through the EAM portal, or with Authentication Manager using an OTP. For more information on the OTP configuration, see One Identity EAM Console - Guide de l'administrateur.
  2. Availability drop-down list:
  • To enable PIN reset, select Always available.
  • To enable password reset only, you are advised to select Always available so that users can reset their password even when they are not connected to the network. If Authentication Manager is not installed on the workstations, select With Self Service Password Request server only.


NOTE: For a complete description of the Always available option, see Configuring Self Service Password Request at the end of the procedure.

  1. If you have selected Always available, you can make the help desk verify the identity of users when they reset their access by selecting the User must contact the help desk to gain password access check box.
  2. Complete the Questions area. For more details, see Configuring the questions proposed to the user.
  3. Complete the During authentication area. For more details, see Setting the Self Service Password Request policy.
  1. Click the Authentication tab and make sure that the following options are selected:
  • Password and/or smart card authentication methods.
  • Use cache (if you have selected Always available in the Self Service Password Request tab). For details on the Use cache option, please refer to One Identity EAM Console - Guide de l'administrateur.
  • If you have selected the User must contact the help desk to gain password access check box in the Self Service Password Request tab, you can select Allow temporary password access for and set a value in the <X> days when generating challenge drop-down list. This value applies when the user resets his or her password in disconnected mode. When the option is selected, the user can authenticate using the password authentication method for a given period, and the value you set is the default validity duration of the temporary password access granted when a challenge is given to a user (see Generating a challenge to allow a user to reset his/her password or PIN).

NOTE: <X> days when resetting user’s password: this option applies only when you force the user’s primary password (for details, see Enabling the temporary password access authentication method).

  1. Click Apply.
  2. Create or select the access point security profile that contains the user workstations for which you want to activate the self-service password/PIN reset feature and make sure that the following options are selected in the Security Services tab:
  • Password and/or smart card authentication methods.
  • Activate cache (if you have selected Always available). For details on the Activate cache option, please refer to One Identity EAM Console - Guide de l'administrateur.

  1. In the Self Service Password Request tab, type the address of an SSPR server in the bottom field and click Add to add it to the server list.

IMPORTANT: The position of servers in the list corresponds to the working order (if the first server does not respond, the second one is used, and so on).

  1. Click Apply.


The "Always available" option: technical details

To allow users to reset their password even when they are not connected to the network, they must have authenticated at least once on their workstation. This way, the password is stored in the user cache and used to open the session.

When the user resets his or her password, EAM manages the new password as follows:

  • If the user is connected to the network, the new password is updated directly in the directory.
  • If the user is not connected to the network, the password is temporarily stored in the user cache. When the directory is available again, the user is prompted to re-authenticate and to change his or her password (which is then changed in the directory).


Allowing users to log on with a mobile device

Subject

This section explains how to configure a User Security profile to allow users to use QRentry for emergency access to their computers.

Before starting

You have the following administration role:

  • In classic administration mode: Security object administrator.
  • In advanced administration mode, your role must contain the following rights:
    • User Security Profile: creation/modification.
    • Mobile devices: Display mobile details.
    • Mobile devices: Management.
  • You have allowed users to enroll a mobile device: see QRentry - Guide de l’utilisateur.
Procedure
  1. In the EAM console, click the User Security Profile that contains the users for whom you want to allow the use of QRentry for computer access.
  2. Click the Mobile Device tab.
  3. Select and complete the Authentication Manager tabbed panel and click Apply.

    Example:

  1. The users associated with the selected User Security Profile can authenticate only when they are connected to the network.
  2. The users associated with the selected User Security Profile can use the QRentry remote control to manage (open, lock and close) their Windows session.


NOTE: For a complete description of this tabbed panel, please refer to the QRentry - Guide de l’utilisateur.


Enabling the questions and answers emergency access

Subject

If Authentication Manager is installed on the workstations, you can configure an emergency access based on questions and answers. This emergency access gives access only to the Windows session; users cannot access applications for which an authentication is needed.

This feature and the Password/PIN reset function cannot be enabled at the same time.

Before Starting
  • Make sure that the Self Service Password Request feature is enabled, as detailed in One Identity EAM Installation Guide.
  • You have the following administration role:
    • In classic administration mode: Security object administrator.
    • In advanced administration mode, your role must contain the following rights: User security profile: Creation/Modification and Temporary password access: Change duration.
Procedure
  1. In EAM Console, create or select the user security profile that contains the users for whom you want to enable the questions and answers emergency access.
  2. Click the Authentication tab and make sure that the Password authentication method and the Use cache check box are selected (for details on this check box, please refer to One Identity EAM Console - Guide de l'administrateur).

  1. Click the Self Service Password Request tab and complete the tabbed panel as detailed below.

  1. In the Availability drop-down list, select Always available.
  2. Select the Self Service Password Request opens Windows session check box.
  • The User must contact the help desk to gain password access option becomes unavailable.
  1. Complete the Questions area. For more details, see Configuring the questions proposed to the user.
  2. Complete the During authentication area. For more details, see Setting the Self Service Password Request policy.
  1. Click Apply.
  2. Create or select the access point security profile that contains the user workstations for which you want to activate questions and answers emergency access and make sure that the Password authentication method and Activate cache check box are selected (for details on this option, please refer to One Identity EAM Console - Guide de l'administrateur).

IMPORTANT: To enable this feature, the user must first authenticate at least once in connected mode.
