Link in Password Reset and User Registration emails in IDM/OpenIDM (All versions) does not work in Microsoft Outlook

Last updated Jun 24, 2019

The purpose of this article is to provide assistance if the link in the Password Reset and User Registration emails generated by IDM/OpenIDM does not work in Microsoft® Outlook®. This issue can affect all Outlook versions (2007, 2010, 2013, 2016, 2019 and Office 365).


Symptoms

The link included in the Password Reset and User Registration emails does not work when clicked in Outlook. In Outlook 2007 or 2010, the link does work when it is copied into a browser.

Recent Changes

Configured the Password Reset and/or User Registration functionality.

Causes

There are limitations in Outlook regarding hyperlink length:

  • In Outlook 2007 and 2010, hyperlinks do not work if they exceed approximately 1030 characters. The URL is intact and can be copied to a browser.
  • In Outlook 2013, 2016, 2019 and Office 365, hyperlinks are truncated after a certain length (in excess of 2000 characters). Since the link has been truncated, it is unusable even if copied.

Solution

This issue can be resolved in a single-node deployment by upgrading to IDM 5.5 or later (IDM 6.0.0.5 resolves this in a cluster environment); you can download this from BackStage. Once you have upgraded IDM, change the snapshotToken configuration in your Self Service configuration files (selfservice-reset.json and selfservice-registration.json) to use type: uuid and storage: local. For example, your configuration would look similar to this after the change:

"snapshotToken" : {
   "type" : "uuid",
   "keyPairAlgorithm" : "RSA",
   "keyPairSize" : 1024,
   "jweAlgorithm" : "RSAES_PKCS1_V1_5",
   "encryptionMethod" : "A128CBC_HS256",
   "jwsAlgorithm" : "HS256",
   "tokenExpiry" : 1800
},
"storage" : "local"

After these configuration changes, you will see much shorter links in the following format:

https://idm.example.com/ui/#passwordReset/&token=a009b272-2b23-4a8a-bd08-e89e4a32ef8b&code=12721e49-760e-4a20-81b8-48f8013e2cf8

See Integrator's Guide › Tokens and User Self-Service and Self-Service REST API Reference › The Self-Service Process Flow for further information.

Note

You should be aware of the following:

  • There is a known issue with the uuid type in multi-node deployments: OPENIDM-12796 (jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario). This is fixed in IDM 6.0.0.5.
  • Changes to the password reset or registration modules via the Admin UI may revert the changes made to the snapshotToken section in the configuration files and the token may change back to the long token format. If this occurs, check the configuration files (selfservice-reset.json and selfservice-registration.json) and update them again per the above example.
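
The reversion described in the note above can be caught by checking both files after any Admin UI change. The following is an added example, not ForgeRock code: it assumes snapshotToken and storage are top-level keys as in the fragment above, the function names are hypothetical, and the sample JSON and the long link are constructed.

```python
import json
import sys

# Approximate Outlook limits quoted in the article (characters).
LIMIT_2007_2010 = 1030   # link stops being clickable
LIMIT_2013_PLUS = 2000   # link may be truncated

def audit_config(name, text):
    """Return findings if a self-service config no longer uses uuid/local."""
    cfg = json.loads(text)
    findings = []
    token_type = cfg.get("snapshotToken", {}).get("type")
    if token_type != "uuid":
        findings.append(f"{name}: snapshotToken.type={token_type!r}, want 'uuid'")
    if cfg.get("storage") != "local":
        findings.append(f"{name}: storage={cfg.get('storage')!r}, want 'local'")
    return findings

def outlook_risk(link):
    """Classify a generated link against the article's Outlook limits."""
    if len(link) > LIMIT_2013_PLUS:
        return "not clickable in Outlook 2007/2010; may be truncated in 2013 and later"
    if len(link) > LIMIT_2007_2010:
        return "not clickable in Outlook 2007/2010"
    return "ok"

# Constructed samples: a config trimmed from the article's fragment, and a
# hypothetical file after an Admin UI edit switched back to the long token.
GOOD = '{"snapshotToken": {"type": "uuid", "tokenExpiry": 1800}, "storage": "local"}'
REVERTED = '{"snapshotToken": {"type": "jwt", "tokenExpiry": 1800}, "storage": "stateless"}'
SHORT_LINK = ("https://idm.example.com/ui/#passwordReset/"
              "&token=a009b272-2b23-4a8a-bd08-e89e4a32ef8b"
              "&code=12721e49-760e-4a20-81b8-48f8013e2cf8")
LONG_LINK = "https://idm.example.com/ui/#passwordReset/&token=" + "A" * 1200  # constructed

if __name__ == "__main__":
    # Pass the paths of selfservice-reset.json and selfservice-registration.json.
    problems = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            problems += audit_config(path, fh.read())
    print("\n".join(problems) or "self-service token config OK")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when either file has drifted, so it can run as a post-change check in a deployment pipeline.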

Workaround (Outlook 2007 and 2010 users)

A suggested workaround for this issue is to customize the email sent to end users to advise Outlook 2007 and 2010 users to copy and paste the link into their browser instead. The link should be left for users not affected by this issue. You can do this by changing the Email text for the Password Reset and/or User Registration emails.

The following example guides you through changing the Email text for the Password Reset email. The same concept applies to the User Registration email, which is found under Configure > User Registration:

  1. Navigate as follows in the admin UI: Configure > Password Reset and click the pencil icon against Email Validation.
  2. Remove the following text:
    <h3>Click to reset your password</h3><h4><a href="%link%">Password reset link</a></h4>
    and replace it with your customized message, for example:
    <h3>Click to reset your password</h3><h4><a href="%link%">Password reset link</a></h4> <h4> If you are an Outlook 2007/2010 user, please copy and paste the following link into your browser to reset your password: %link%</h4>
    
  3. Save your changes.

The resulting email in this example will look like this:

Click to reset your password
Password reset link
If you are an Outlook 2007/2010 user, please copy and paste the following link into your browser to reset your password:
https://idm.example.com/ui/#passwordReset/&token=eyAidHlwIjogIkpXRSIsICJhbGciOiAiSFMyNTYiIH0.ZXlBaWRIbHdJam9nSWtwWFZDSXNJQ0psYm1NaU9pQWlRVEV5T0VOQ1F5MUlVekkxTmlJc0lDSmhiR2NpT2lBaVVsTkJNVjgxSWlCOS5OWEFHLUlBampRYW54eHpsYmFhTXNVYjBQWTNsZ05VbG9SYlFUOGVZYmVGbE5VcVdMR200SVNLM29MTzlSOTlwdWJleEFhVHRWRDFGOFRldzE0M2ZXLTWVBbVpSLXRjV19fOTVlODRwNWhVNnpxZkstVWZvSnVmNU5MVG82aXhvQmdqX2NvY3B3YnI3UEx6bDBfUEdTcU10k1VVdKbUN1RUdRUzRWSG56TGR2NGhWUm13OWh2MHRYWVhqTEJ2ZXRib1UwcHZjeFRQR254WmJ5TjlJajJBT0tIc21pbWQ0NWFwcFhYLXNzY0REX00uc3FGZjkxMDI3UWFIOUZzZFdQTlNpUS52SlM1czR2SUpxd0VuZno3c3Z6SXlDRL5ZjcwSmZnWFRGUThpeTJpMjJpWmxNNVFqSElveFZsVzd2SThKbndBUlVUOUNvV21kcm1HdDUtNHJTaHZ3UFRyVlZsVFYNmlMb0hyMVNHWEQ3S0VUOUxkbm9rYkxSLXJMOHA2NTF3SE1WNXdqWTFTYkkyVDM2dkw0RVQ0b3Z1UUd1Zm11UjV5anI1Z1RJSEZuR1hnMEZVNnBNQVllMFQxMTJQUWZTMGhfUEhiYXJUN2xCMktDN2t2WExlVFFhT1RtcHhWTkUbnlscmJEelRfcndQc0FqQXJTQURtREw0YlFBeExvZ21INk9nU2FBLWhDelNVOEhOa21OR3ZFaUY4eFZ2aUhwb2VHYkhJemExc1lVSzRicGFxVUk4TDVxaWl3STFWNEtIWllYUjZBMDRpcTAxXy1FQWpiVHNwZmVWR2o2YWhraHlYMU5IVW9XSkZCRkxzLXBuU2RraGQ3SDUxeEpfR19keVFQLndCaHhac3ZXOGUzN1I5UlgzTlpHbmc.wKygX_XVRDedaLX5ME5kjZlpo1InkT013zg38mE5E3Q&code=0b9b0e2e-6370-4f5e-9a68-73bb86f5d06f

Note

You can also change the email text by editing the PasswordResetConfigView.js and/or UserRegistrationConfigView.js files located in the /path/to/idm/ui/admin/default/org/forgerock/openidm/ui/admin/selfservice directory.

See Also

Authentication fails with IDM (All versions) integrated AM when session-jwt cookie size exceeds browser limits

How do I initiate the password reset functionality in IDM (All versions) and OpenIDM 4.x via the REST API?

Integrator's Guide › Web-Based User Interfaces

Related Training

N/A

Related Issue Tracker IDs

OPENIDM-12865 (jwt token fails in multi-node cluster scenario)

OPENIDM-12796 (jsonstorage "local" self-service with "uuid" option fails in multi-node cluster scenario)

OPENIDM-8138 (Describe how to set up stateful tokens for user self-service)

OPENIDM-6701 (Shortening the URL in validation emails)

USS-116 (RFE: Password reset URL should be shorter to ensure compatibility with Outlook 2007/2010)



Copyright © 2019 ForgeRock, all rights reserved.