Enterprise Single Sign-On 9.0.2 - Authentication Manager Self Service Password Request Administration Guide

Enabling the temporary password access authentication method

Subject

The Temporary Password Access authentication method can be used within EAM configurations using strong multi-factor authentication. It allows you to authorize a user who authenticates using a token or a biometric device to temporarily use the password authentication method either by:

Enabling the Q&A Method

Before starting

You have the following administration role:

  • In classic administration mode:
    • SSO Data Recoverer.
    • The SSO data recoverer right on your administration smart card.

  • In advanced administration mode, your role must contain the following rights:
    • User: Password modification.
    • Temporary password access: Deletion.
    • Temporary password access: Creation.

  • The user security profile associated with the user for whom you want to enable the temporary password access authentication method is configured as follows:
    • The password authentication method is cleared.
    • The Allow temporary password access check box is cleared.

Procedure
  1. In the tree structure of the Directory panel, select the required user and go to their User Security Profile.
  2. Click the Self Service Password Request tab.
  3. In the Properties area > Availability drop-down list, select Always available.
  4. In the Questions area, click the Select button.
  5. Create a list of questions as described in Creating a list of questions. If the questions have already been created, go to the next step.
  6. In the During authentication area, click the Advanced button.

The Self Service Password Request Policy window appears.

  7. Select the Allow password access for check box and enter the number of days.
  8. Click OK and Apply to save the new settings.

 

Enabling the Help desk Method

IMPORTANT: You will have to force a new primary password. Remember that:

  • The user's private accounts are lost in this process.
  • Performing this action automatically unlocks the user account (if the unlocking operation fails, you are not warned).

Before starting

You have the following administration role:

  • In classic administration mode:
    • SSO Data Recoverer.
    • The SSO data recoverer right on your administration smart card.
  • In advanced administration mode, your role must contain the following rights:
    • User: Password modification.
    • Temporary password access: Creation.
    • Temporary password access: Deletion.
  • The user security profile associated with the user for whom you want to enable the temporary password access authentication method is configured as follows:
    • The password authentication method is cleared.
    • The Allow temporary password access check box is selected and configured.

Procedure
  1. In the tree structure of the Directory panel, right-click the required user and select Force Password.

The Password tab appears.

  2. Fill in the New password and Confirmation fields.
  3. (Optional) Select User must change password at next login.
  4. Select the User can connect using password authentication check box.
  5. If necessary, modify the value of the Authorization expires in field.

NOTE: The proposed value is read from the user security profile associated with the selected user.

  6. To avoid site replication problems if you use Active Directory: in the User is logged on computer field, type the name of the user's computer so that the password reset operation is performed on a domain controller located on the same site as the computer (and not on the domain controller to which you are connected).

NOTE: For more information on domain controller selection, see One Identity EAM Console - Guide de l'administrateur.

  7. Click Apply and send the password to the selected user.

The tab shows the TPA expiration date. If the user connects with a token, the TPA is automatically deleted.

NOTE: To extend the TPA duration, clear the User can connect using password authentication check box and repeat the whole procedure.


 

Administering Self Service Password Request

Subject

SSPR administration is performed at the user object level. A dedicated tab allows you to manage the SSPR information for a user. You can perform the following operations:

  • Reset the password attempts for the user if he/she has reached the maximum number.
  • Reset the answers entered by a user.
  • Generate challenges to allow the user to reset his/her password or PIN.

Before Starting

To perform the tasks described in this section, you must have at least the following administration role:

  • In classic administration mode: Security object administrator or Rights administrator or SSO Data Recoverer.
  • In advanced administration mode, your role must contain the following rights: Self Service Password Request: Answer deletion and Self Service Password Request: Challenge generation and Self Service Password Request: Reset attempt counter.