IDM 7.2.0

User password reset configuration files

To set up basic user password reset features, you’ll need at least the following configuration files:

  • selfservice-reset.json

    You can find a template version of this file in the following directory: openidm/samples/example-configurations/self-service.

  • ui-configuration.json

    You can find this file in the default IDM project configuration directory, openidm/conf.

To set up self-service user password reset registration, enable the following boolean in ui-configuration.json:

"passwordReset" : true,

You can include several features with user password reset, as shown in the following excerpts of the selfservice-reset.json file:

  • If you’ve activated Google reCAPTCHA for user self-service registration, you’ll see the following code block:

    {
        "name" : "captcha",
        "recaptchaSiteKey" : "<siteKey>",
        "recaptchaSecretKey" : "<secretKey>",
        "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify"
    },

    As suggested by the code, you’d substitute the actual siteKey and secretKey assigned by Google for your domain. For more information, see Google reCAPTCHA.

  • For password reset, IDM needs to verify user identities. To ensure that password reset links are sent to the right user, include the following code block:

    {
        "name" : "userQuery",
        "validQueryFields" : [
            "userName",
            "mail",
            "givenName",
            "sn"
        ],
        "identityIdField" : "_id",
        "identityEmailField" : "mail",
        "identityUsernameField" : "userName",
        "identityServiceUrl" : "managed/user"
    },

    This code lets IDM verify user identities by their username, email address, first name (givenName), or last name (sn, short for surname).

  • If you have included email verification, you must configure an outgoing email server. For details about the required addition to selfservice-registration.json, see Email for password reset.

  • If you’ve configured security questions, users who self-register will have to create questions and answers during the self-registration process.

    If the feature is enabled, users who’ve been reconciled from external data stores will also be prompted, once, upon their next login, to add security questions and answers. The relevant code block is shown here, which points IDM to other configuration files as discussed in links from this section.

    {
        "name" : "kbaSecurityAnswerDefinitionStage",
        "kbaConfig" : null
    },

Configuring password reset from the admin UI

To configure Password Reset from the admin UI, select Configure > Password Reset. When you activate Enable Password Reset, you’ll see a Configure Password Reset Form that lets you specify the:

  • Identity Resource, typically managed/user

  • Advanced Options, Snapshot Token, typically a JSON Web Token (JWT)

  • Advanced Options, Token Lifetime, with a default of 300 seconds

You can also add these settings to the following configuration file: selfservice-reset.json. When you modify these settings in the admin UI, IDM creates the file for you.

Copyright © 2010-2022 ForgeRock, all rights reserved.