Identity Director Administration Guide



Configure Password Reset

At Setup > Login Page Services > Password Reset, enable users to reset their Active Directory password. This reduces the number of help desk password tickets and improves user productivity. Users can reset their Active Directory password from the Microsoft Windows logon screen, or from the Identity Director Web Portal or Mobile client logon page, either via a wizard or via service delivery.

  • You can add code validation to password resets. This adds an extra check to authenticate the user who requests the reset: a verification code is sent to the user, for example by SMS or e-mail, and the user must enter this code before the password reset can proceed. This ensures that passwords are reset as securely as possible.
  • Using organizational context, you can define to whom the Verification Code and/or Security Questions apply.
  • You can configure password complexity policies based on regular expressions, to ensure that passwords provided by your users meet the complexity requirements of your organization.
  • You can add translations for the labels and messages that appear to end users in the Web Portal.

Configuration

General tab

Field

Explanation and Tips

Password reset settings

Specify the availability of the password reset functionality.

  • Select Windows logon screen to make the functionality available on the Windows logon screen. Password resets on the Windows logon screen are managed through the Windows Client. This requires that you install the Windows Client on each computer on which you want to offer the password reset functionality.
  • Select Web Portal logon screen to make the password reset functionality available in the Web Portal.
    • Select Include captcha validation to provide extra security. Captcha validation is only available for the Web Portal.
  • Select Mobile clients to make the password reset functionality available in the mobile client.

Reset link text

Specify the text of the password reset link.

People identifier

Specify the identification method of users when they request a password reset.

Service

Specify the service that is delivered as part of the password reset (for example, the service Reset password based on user input that is provided with the Identity Director Password Reset Guide).

User instructions

Specify the instructions shown when users click the password reset link.

Status page message

Specify status information.

Redirection URL

Specify the URL to which users are redirected after a password reset, rather than the default Web Portal sign-in page.

In certain scenarios, for example when users access the Web Portal from a thin client, redirecting them to the default page may not be user-friendly. You can prevent this by specifying a different URL.

Password input

Specify if password input is provided through the wizard or through a service workflow.

Password attribute

Specify the service attribute that stores the password that the user provides.

  • This field is only available if input is provided through the wizard.
  • You can only select service attributes that are part of the service you selected in the Service field.

Password complexity hints

Configure a password complexity policy. This ensures that passwords provided by your users meet the complexity requirements of your organization.
This area is only available if input is provided through the wizard.

  • In the Regular expression field, configure the regular expression that determines the password complexity requirements. In the Web Portal, the password provided by the user is validated against this regular expression.
    • When you configure a regular expression, you can add flags to the pattern.
    • You can split a complex policy into multiple rules, which makes the desired policy easier to configure and gives each rule its own hint.
    • Verify the regular expression in the Test field. Green and red coloring indicates whether the text in the field conforms to the configured regular expression.
  • In the Password complexity hints field, provide users with information about the characteristics of the new password. In the Web Portal and Windows Client, if the provided password matches a rule's regular expression, the related complexity hint is marked.
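The following is an added example, not code from Identity Director, showing how a policy split into several regular-expression rules, each with its own hint, is evaluated the way the Web Portal's per-hint marking and the Test field are described above. The rules, flags and sample passwords are constructed for illustration; the Web Portal runs in the browser, so ECMAScript regular expressions are used.

```javascript
// Added example: evaluating a password complexity policy expressed as several
// regular-expression rules, each carrying the hint that is shown to the user.
// The rules below are constructed for illustration, not product defaults.
const complexityRules = [
  { pattern: '.{12,}',             flags: '',  hint: 'At least 12 characters' },
  { pattern: '[A-Z]',              flags: '',  hint: 'At least one upper-case letter' },
  { pattern: '[a-z]',              flags: '',  hint: 'At least one lower-case letter' },
  { pattern: '[0-9]',              flags: '',  hint: 'At least one digit' },
  { pattern: '[^A-Za-z0-9]',       flags: '',  hint: 'At least one symbol' },
  // A negative rule: the "i" flag makes the check case-insensitive, and the
  // anchored lookahead rejects any password that contains the word anywhere.
  { pattern: '^(?!.*password).*$', flags: 'i', hint: 'Must not contain "password"' },
];

// Evaluate every rule separately so a UI can mark each hint as met or not met,
// and report an overall verdict (all rules must match).
function evaluatePassword(password, rules = complexityRules) {
  const results = rules.map(({ pattern, flags, hint }) => ({
    hint,
    matched: new RegExp(pattern, flags).test(password),
  }));
  return { ok: results.every(r => r.matched), results };
}

// Model of the Test field: try a candidate pattern against a sample value
// before saving it. A pattern that does not compile is reported, not thrown.
function testPattern(pattern, flags, sample) {
  try {
    return { valid: true, matches: new RegExp(pattern, flags).test(sample) };
  } catch (e) {
    return { valid: false, matches: false, error: e.message };
  }
}
```

Keep each rule simple and anchored where it needs to be: the length rule above only works as intended because `.{12,}` does not need anchors, while the negative rule does need `^...$` so that the lookahead applies to the whole password. Test every rule against both a compliant and a non-compliant sample before saving it.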

Verification Code tab

Field

Explanation and Tips

Enabled

Enable verification code validation.

Service

Specify the service that generates the code and sends it to the user, for example via SMS or e-mail.

  • The delivery workflow of the specified service must contain a Provide Verification Code action. In this action, we recommend specifying a verification code of at most 20 characters. Because the code is stored encrypted, longer codes may exceed the maximum length of the stored value. This results in an error and leaves the transaction in a Pending state.
  • If you use SMS for code validation, the mobile phone number of the user who requests the password reset must be registered in your environment.
  • To generate a random PIN for this service, you can create a service attribute on the Attributes tab. It is best practice to leave the initial value blank, let its value be set by a Set Service Attribute action and use the function @[RANDOM(x,y)] in its Manual value field. This generates a random PIN every time the service is requested. Choose a range wide enough that the PIN cannot easily be guessed, and combine it with Limit number of attempts (below).

    You may also consider adding a Jump action to the workflow, so it jumps back to the Set Service Attribute action if the user provides an incorrect PIN. This generates a new random PIN.

Limit number of attempts

Limit the number of attempts a user can make to provide a verification code during a password reset. This ensures that password resets occur as securely as possible.

Maximum number of attempts

Configure the maximum number of attempts a user can make to provide a verification code during a password reset. This field is only available if you have selected the option Limit number of attempts.

  • You can configure a number from 1-999.
  • The number of attempts left is shown in the Web Portal and the Mobile Client.
  • If the user exceeds the limit, the workflow action in the service that validates the verification code fails automatically.

Select organizational context

Specify the Organization(s) or Organizational attribute(s) that determine if the Verification Code applies to a user.

  • If you specify multiple Organizations, these are treated as 'AND': all must be true for the Verification Code to apply.
  • If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Verification Code to apply.
  • If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Verification Code to apply.

Organizational context diagnostics

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.

Generating verification code message

Specify status information that is displayed to the user about generation of the code.

Enter verification code message

Specify user instructions to validate the code.

  • The password reset can only continue after a successful validation.

Invalid verification code message

Specify the message that is displayed to the user if the provided code is incorrect.

Exceeding maximum number of attempts message

Specify the message that is displayed to users when they exceed the limit. This field is only available if you have selected the option Limit number of attempts.

Validating verification code message

Specify status information about validation of the code.

Security Questions tab

Field

Explanation and Tips

Security questions

Specify the number of questions in the wizard.

If this number exceeds the number of questions and answers stored in a user's Security Questions and Answers attribute (see below), the user will get an error and cannot complete the Password Reset service.

Questions attribute

This field shows the default people attribute Security Questions and Answers that stores the security questions and answers of the wizard. The attribute can be filled using the User Validation Service you specify on the Login Page Services page.

  • If you configure a custom service to define security questions and answers, make sure it fills this attribute with the security questions and the answers that were provided by the user.

Select organizational context

Specify the Organization(s) or Organizational attribute(s) conditions that determine if the Security Questions apply to a user.

  • If you specify multiple Organizations, these are treated as 'AND': all must be true for the Security Questions to apply.
  • If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Security Questions to apply.
  • If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Security Questions to apply.

Organizational context diagnostics

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.
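The following is an added example, not the product's own code, showing how the organizational-context conditions described on both the Verification Code tab and the Security Questions tab combine (all selected Organizations AND-ed, all selected Organizational attributes AND-ed, and OR between the two groups when both are configured), together with the diagnostics behaviour of listing the first 100 matching people and checking one named person. The person records, the representation of organizations as names and of attributes as name/value pairs, and the treatment of an empty context are assumptions of the model.

```javascript
// Added example (not Identity Director's own code): a model of how
// organizational context is evaluated for a person, as the guide describes it.
// Assumed data shape: person.organizations is a list of organization names and
// person.attributes is a map of organizational attribute name -> value.

// All selected Organizations must apply to the person (AND).
function organizationsMatch(required, person) {
  return required.every(org => person.organizations.includes(org));
}

// All selected Organizational attributes must have the required value (AND).
function attributesMatch(required, person) {
  return required.every(({ name, value }) => person.attributes[name] === value);
}

function contextApplies(context, person) {
  const orgs = context.organizations || [];
  const attrs = context.attributes || [];
  if (orgs.length > 0 && attrs.length > 0) {
    // Both groups configured: either complete group is enough (OR).
    return organizationsMatch(orgs, person) || attributesMatch(attrs, person);
  }
  if (orgs.length > 0) return organizationsMatch(orgs, person);
  if (attrs.length > 0) return attributesMatch(attrs, person);
  // Assumption for this model: with no context configured, nobody matches.
  // Confirm the product's actual default with the diagnostics panel.
  return false;
}

// Organizational context diagnostics: the first `limit` people that meet the
// conditions, in input order.
function diagnostics(context, people, limit = 100) {
  const matches = [];
  for (const person of people) {
    if (contextApplies(context, person)) {
      matches.push(person.name);
      if (matches.length === limit) break;
    }
  }
  return matches;
}

// Search for one specific person; null if that person does not exist.
function checkPerson(context, people, name) {
  const person = people.find(p => p.name === name);
  return person ? contextApplies(context, person) : null;
}

// Constructed sample people for trying the functions out.
const samplePeople = [
  { name: 'alice', organizations: ['Sales', 'EMEA'], attributes: { Country: 'NL', Department: 'Sales' } },
  { name: 'bob',   organizations: ['Sales'],         attributes: { Country: 'US', Department: 'Sales' } },
  { name: 'carol', organizations: ['IT', 'EMEA'],    attributes: { Country: 'NL', Department: 'IT' } },
];
```

Because the two groups are OR-ed, adding an Organizational attribute to a context that already lists Organizations widens, rather than narrows, the set of people it applies to; use the diagnostics listing to confirm the resulting population before relying on it for verification codes or security questions.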

If you allow users to reset their password through a wizard, do not configure Active Directory to require a password change on next logon. This may lead to situations in which users can no longer sign in.


Translations tab

If you have enabled translations at Setup > Translations, you can add translations for the labels and messages that appear to end users in the Web Portal for password reset.

To add translations:

  1. Alongside the default language, click Download resx service properties to export its RESX to use as the basis of translations for the other supported languages.
    The name of this file is passwordresetsettings.resx.
  2. Save a renamed copy of this file and translate it as required.
  3. Click Import resx file to import the RESX of the language.
    This ensures that custom labels are translated in the correct language.

Each supported language uses the default language if you do not upload a RESX file.
Click Reapply default language to reapply the default language.
Click Download resx service properties to export the RESX of the language to make adjustments to the translation.
