User Password Reset Configuration Files
To set up basic user password reset features, you'll need at least the following configuration files:
selfservice-reset.json
You can find a template version of this file in the following directory:
openidm/samples/example-configurations/self-service
.ui-configuration.json
You can find this file in the default IDM project configuration directory,
openidm/conf
.
To set up self-service user password reset registration, enable the following boolean in ui-configuration.json
:
"passwordReset" : true,
You can include several features with user password reset, as shown in the following excerpts of the selfservice-reset.json
file:
If you've activated Google reCAPTCHA for user self-service registration, you'll see the following code block:
{ "name" : "captcha", "recaptchaSiteKey" : "<siteKey>", "recaptchaSecretKey" : "<secretKey>", "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify" },
As suggested by the code, you'd substitute the actual
siteKey
andsecretKey
assigned by Google for your domain. For more information, see "Configure Google reCAPTCHA".For password reset, IDM needs to verify user identities. To ensure that password reset links are sent to the right user, include the following code block:
{ "name" : "userQuery", "validQueryFields" : [ "userName", "mail", "givenName", "sn" ], "identityIdField" : "_id", "identityEmailField" : "mail", "identityUsernameField" : "userName", "identityServiceUrl" : "managed/user" },
This code lets IDM verify user identities by their username, email address, first name (
givenName
), or last name (sn
, short for surname).If you have included email verification, you must configure an outgoing email server. For details about the required addition to
selfservice-registration.json
, see "Configuring Emails for Password Reset".If you've configured security questions, users who self-register will have to create questions and answers during the self-registration process.
If the feature is enabled, users who've been reconciled from external data stores will also be prompted, once, upon their next login, to add security questions and answers. The relevant code block is shown here, which points IDM to other configuration files as discussed in links from this section.
{ "name" : "kbaSecurityAnswerDefinitionStage", "kbaConfig" : null },
Configuring Password Reset From the Admin UI
To configure Password Reset from the Admin UI, select Configure > Password Reset. When you select Enable Password Reset, you'll see a Configure Password Reset Form
that lets you specify the:
Identity Resource, typically
managed/user
Advanced Options, Snapshot Token, typically a JSON Web Token (JWT)
Advanced Options, Token Lifetime, with a default of 300 seconds
You can also add these settings to the following configuration file: selfservice-reset.json
. When you modify these settings in the Admin UI, IDM creates the file for you.