Password reset
IDM supports self-service user password reset. When enabled, users who forget their passwords can log in to the IDM End User UI, and can verify their identities with options such as email validation and security questions.
You can also generate random passwords when users are created. For more information, see Generating Random Passwords.
Password reset lets registered users reset their own passwords. The following stages can be included in a password reset process:
- Captcha stage (optional)
- User query stage (mandatory)
- Email validation stage (optional)
- KBA security answer verification stage (optional)
- Password reset stage (mandatory)
If all of these stages are configured, the password reset configuration (in conf/selfservice-profile.json) looks similar to the following:
Example password reset configuration

{
  "stageConfigs" : [
    {
      "name" : "captcha",
      "recaptchaSiteKey" : "...",
      "recaptchaSecretKey" : "...",
      "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify"
    },
    {
      "name" : "userQuery",
      "validQueryFields" : [
        "userName",
        "mail",
        "givenName",
        "sn"
      ],
      "identityIdField" : "_id",
      "identityEmailField" : "mail",
      "identityUsernameField" : "userName",
      "identityServiceUrl" : "managed/user"
    },
    {
      "name" : "emailValidation",
      "identityEmailField" : "mail",
      "emailServiceUrl" : "external/email",
      "emailServiceParameters" : {
        "waitForCompletion" : false
      },
      "from" : "info@example.com",
      "subject" : "Reset password email",
      "mimeType" : "text/html",
      "subjectTranslations" : {
        "en" : "Reset your password",
        "fr" : "Réinitialisez votre mot de passe"
      },
      "messageTranslations" : {
        "en" : "...Click to reset your password...",
        "fr" : "...Cliquez pour réinitialiser votre mot de passe..."
      },
      "verificationLinkToken" : "%link%",
      "verificationLink" : "https://localhost:8443/#/passwordreset/"
    },
    {
      "name" : "kbaSecurityAnswerVerificationStage",
      "kbaPropertyName" : "kbaInfo",
      "identityServiceUrl" : "managed/user",
      "kbaConfig" : null
    },
    {
      "name" : "resetStage",
      "identityServiceUrl" : "managed/user",
      "identityPasswordField" : "password"
    }
  ],
  "snapshotToken" : {
    "type" : "jwt",
    "jweAlgorithm" : "RSAES_PKCS1_V1_5",
    "encryptionMethod" : "A128CBC_HS256",
    "jwsAlgorithm" : "HS256",
    "tokenExpiry" : "300"
  },
  "storage" : "stateless"
}
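As an added example (it is not part of the IDM documentation or product), the following Python checker reads a configuration of the shape shown above and flags what a reviewer would look for: a missing mandatory stage, stages out of the order listed above, no identity verification stage (email or KBA) before the reset, placeholder reCAPTCHA keys, a non-HTTPS verification link, and a snapshot token lifetime outside a sane bound. The 3600-second upper bound and the treatment of "..." as a placeholder are assumptions of this example, not IDM rules.

```python
# Stage order and mandatory stages as listed on this page.
STAGE_ORDER = ["captcha", "userQuery", "emailValidation",
               "kbaSecurityAnswerVerificationStage", "resetStage"]
MANDATORY = {"userQuery", "resetStage"}
MAX_TOKEN_EXPIRY = 3600  # assumed upper bound for the reset token lifetime, in seconds


def lint_reset_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the config passes."""
    stages = cfg.get("stageConfigs", [])
    names = [s.get("name") for s in stages]
    findings = [f"missing mandatory stage: {m}" for m in sorted(MANDATORY - set(names))]
    findings += [f"unknown stage: {n}" for n in names if n not in STAGE_ORDER]
    known = [n for n in names if n in STAGE_ORDER]
    if known != sorted(known, key=STAGE_ORDER.index):
        findings.append("stages are out of order")
    if not {"emailValidation", "kbaSecurityAnswerVerificationStage"} & set(names):
        findings.append("no identity verification stage (email or KBA) before resetStage")
    for s in stages:
        if s.get("name") == "captcha":
            for key in ("recaptchaSiteKey", "recaptchaSecretKey"):
                if s.get(key) in (None, "", "..."):  # "..." treated as a placeholder (assumption)
                    findings.append(f"captcha: {key} is unset or a placeholder")
        if (s.get("name") == "emailValidation"
                and not s.get("verificationLink", "").startswith("https://")):
            findings.append("emailValidation: verificationLink must use https")
    token = cfg.get("snapshotToken", {})
    try:
        expiry = int(token.get("tokenExpiry", 0))  # the page stores it as a string ("300")
    except (TypeError, ValueError):
        expiry = 0
    if not 0 < expiry <= MAX_TOKEN_EXPIRY:
        findings.append(f"snapshotToken: tokenExpiry {token.get('tokenExpiry')!r} "
                        f"not in 1..{MAX_TOKEN_EXPIRY}")
    return findings


# Constructed sample: the page's example reduced to the fields the checker inspects,
# with the captcha keys still at their placeholder values.
SAMPLE = {
    "stageConfigs": [
        {"name": "captcha", "recaptchaSiteKey": "...", "recaptchaSecretKey": "..."},
        {"name": "userQuery", "identityServiceUrl": "managed/user"},
        {"name": "emailValidation", "verificationLink": "https://localhost:8443/#/passwordreset/"},
        {"name": "resetStage", "identityPasswordField": "password"},
    ],
    "snapshotToken": {"type": "jwt", "jwsAlgorithm": "HS256", "tokenExpiry": "300"},
}

if __name__ == "__main__":
    for finding in lint_reset_config(SAMPLE):
        print("FINDING:", finding)
```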