Configure Password Reset

Specify the availability of the password reset functionality.

• Select Windows logon screen to make the functionality available on the Windows logon screen. Password resets on the Windows logon screen is managed through the Windows Client. This requires that you install the Windows Client on each computer on which you want to offer the password reset functionality.

Windows 10 users will only be able to access the Password Reset button from the logon screen, and not from the lock screen.

• Select Web Portal logon screen to make the password reset functionality available in the Web Portal.
  • Select Include captcha validation to provide extra security. Captcha validation is only available for the Web Portal.
• Select Mobile clients to make the password reset functionality available in the mobile client.

• Select Allow users to set their preferred verification method to allow users to choose how to verify their identity - either via Verification Code or Security Questions.

  • The checkbox is active only when both options are enabled.

  • When not checked, both options are enforced, first Verification Code and then Security Questions.
    The default setting, when first installing the product is to be left unchecked.

Specify the text of the password reset link.

Specify the identification method of users when they request a password reset.

Specify the service that is delivered as part of the password reset (for example, the service Reset password based on user input that is provided with the Identity Director Password Reset Guide).

Specify instructions when users click the password rest link.

Specify status information.

Specify a URL of choice after a password reset, rather than the default Web Portal sign-in page.

In certain scenarios, for example when users access the Web Portal from a thin client, redirecting them to the default page may not be user-friendly. You can prevent this by specifying a different URL.

Specify if you want the Finish button to be displayed at the end of the process. By default, this button will take users to the Web Portal login screen.

If you do not display the Finish button, no redirection (to the Web Portal login page or the Redirection URL) will occur.

Specify if password input is provided through the wizard or through a service workflow.

If you allow users to reset their password through a wizard, do not configure Active Directory to require a password change on next logon. This may lead to situations in which users can no longer sign in.

Specify the service attribute that can store the password that the user provides.

• This field is only available if input is provided through the wizard.
• You can only select service attributes that are part of the service you selected in the Service field.

Enable verification code validation.

Specify the service that generates the code and sends it to the user, for example via SMS or e-mail.

• The delivery workflow of the specified service must contain a Provide Verification Code action. In this action, we recommend to specify a verification code of up to a maximum of 20 characters. Because the code is encrypted, longer codes may exceed the maximum value. This will result in an error and leave the transaction in a Pending state.
• If you use SMS for code validation, the mobile phone number of the user that requests the password reset must be registered in your environment.
• To generate a random PIN for this service, you can create a service attribute on the Attributes tab. It is best practice to leave the initial value blank, let its value be set by a Set Service Attribute action and use the function @[RANDOM(x,y)] in its Manual value field. This generates a random PIN every time the service is requested.
  
  You may also consider adding a Jump action to the workflow, so it jumps back to the Set Service Attribute action if the user provides an incorrect PIN. This generates a new random PIN.

Limit the number of attempts a user can make to provide a verification code during a password reset. This ensures that password resets occur as secure as possible.

Specify the maximum number of attempts a user can make to provide a verification code during a password reset. This field is only available if you have selected the option Limit number of attempts.

• You can configure a number from 1-999.
• The number of attempts left is shown in the Web Portal and the Mobile Client.
• If the user exceeds the limit, the workflow action in the service that validates the verification code, fails automatically.

Specify the Organization(s) or Organizational attribute(s) that determine if the Verification Code applies to a user.

• If you specify multiple Organizations, these are treated as 'AND': all must be true for the Verification Code to apply.
• If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Verification Code to apply.
• If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Verification Code to apply.

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.

Specify status information that is displayed to the user about generation of the code.

Specify user instructions to validate the code.

• The password reset can only continue after a successful validation.

Specify the message that is that is displayed to the user if the provided code is incorrect.

Specify the message that is that is displayed to the user when he exceeds the limit. This field is only available if you have selected the option Limit number of attempts.

Specify status information about validation of the code.

Enable the Security Questions method for user validation

Specify the number of questions in the wizard.

If this number exceeds the number of questions and answers stored in a user's Security Questions and Answers attribute (see below), the user will get an error and cannot complete the Password Reset service.

This field shows the default people attribute Security Questions and Answers that stores the security questions and answers of the wizard. The attribute can be filled using the User Validation Service you specify on the Login Page Services page.

• If you configure a custom service to define security questions and answers, make sure it fills this attribute with the security questions and the answers that were provided by the user.

The number of permitted attempts to answer the questions correctly before the account gets locked out. By default, this value will be 0 (=no limit) and the options Lockout time in minutes and Cool down time in minutes will be grayed out.
After each attempt, the user will be notified about the current status with the message “You have X attempts left to answer the security questions before account lockout.” This message is not configurable.
The number of attempts is counted for all questions globally.
Examples:

• 4 questions configured
• Attempts to answer before lockout is set to 3

The maximum number of attempts will be reached when the user:

• answers 1 out of 4 questions incorrectly in 3 runs of questions, or
• answers 3 out of 4 questions incorrectly in 1 run of questions.

(other combinations are possible)

Specify the times (in minutes) that the account will be locked out after reaching the configured number of Attempts to answer before lockout. During this time, the respective account will not be able to try again to reset the password.

If the Attempts to answer before lockout is set to 0, this field will be grayed out.

Specify the time (in minutes) after which the lockout counter is reset. After this cool down time has expired, the counter for Attempts to answer before lockout is reset and the next incorrect answer to a security question is considered to be the first attempt again.
If the Attempts to answer before lockout is set to 0, this field will be grayed out.

Specify the message that is displayed to the end user when the maximum number of attempts has been reached. You can use parameters to include the number of minutes the account lockout is in effect.

Example: You can start again in {0} minutes.

The message can be included in translations.

Specify the Organization(s) or Organizational attribute(s) conditions that determine if the Security Questions apply to a user.

• If you specify multiple Organizations, these are treated as 'AND': all must be true for the Security Questions to apply.
• If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Security Questions to apply.
• If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Security Questions to apply.

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.

Enable password history option.

Specify the number of passwords that will be stored in Identity Director, to check that users don’t reuse their old passwords.

The history is designed to be populated by the passwords set by users. If the password is changed manually from AD, or if the option Provided through service workflow is used as a reset method, Identity Director has no way of knowing about the values used as a part of those operations.
Identity Director is not integrated at a history level with AD or other provider nor does it enforce its history on any other software system.

Specify the message that will be displayed to the end user when an old password is reused. You can use parameters to include the number of old passwords that cannot be reused.
Example: Your new password cannot be same as any of your last {0} passwords. Please choose a new password.

The message can be included in translations.

Specify the Organization(s) or Organizational attribute(s) that determine if the Password History applies to a user.

• If you specify multiple Organizations, these are treated as 'AND': the user must be in all organizations for the Password History to apply.
• If you specify multiple Organizational attributes, these are treated as 'AND': all attributes must apply to the user for the Password History to apply.
• If you specify both Organizations and Organizational attributes, these are treated as 'OR': the user must either be in all organizations OR all organizational attributes must apply to the user for the Password History to apply.

When an Organization or Organizational attribute is specified here, all the users who match the conditions are subject to collecting their password and enforcing the history.
If an organization is removed from the conditions, the history of users who no longer match the conditions will be lost, because there is no way of knowing how many times the password has changed for those users while Identity Director was not aware of it.

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify if they meet the specified conditions.

This is the default profile that defines the password complexity policy. If no other profiles are defined or they are defined but a user is not added to them, the password rules defined here will apply to that user.

In the Regular expression field, configure the regular expression that determines the password complexity requirements. In the Web Portal, the password provided by the user is validated according to this regular expression.

• When you configure a regular expression, you can add flags (also known as modifiers) to the pattern.
• You can split complex rules into multiple rules, to make it easier to configure the desired policy.

Verify the regular expression in the Test field.

• Green and red coloring indicate if the text field is conforming the configured regular expression.

When designing a regular expression, keep in mind that iOS users might encounter errors if certain special characters are not escaped correctly using \, which quotes the following character. Characters that must be quoted to be treated as literals are * ? + [ ( ) { } ^ $ | \ . /

In the Password complexity hints field, provide users with information about the characteristics of the new password. In the Web Portal and Windows Client, if the provided password matches a regular expression, the related complexity hint will be marked.

Click this button to add a new profile with its own password complexity policy.
Every user added in a new profile will override the default and use the rules here for the password complexity. If more than one profile applies to that user, the cumulative complexity will apply.

Cumulative complexity explained

• Profile 'Engineering' has the organization Engineering defined, with a complexity of minimum 8 digits.
• Profile 'Management' has the organization Management defined, with a complexity of 12 digits and a special character.
• User John is in both.

In this case John, will have to specify a password that consists of 12 digits and a special character.

Same as above.

Same as above.

Specify the Organization(s) that determine if the Complexity Profile applies to a user. This is a mandatory field. However, a profile without rules can be added.

Logic of qualification explained

• Multiple organizations are interpreted as OR. If a person is in ANY of the organizations listed for the profile, then that person qualifies for the complexity policy of the profile.
• The operator NOT () can also be used for an organization, to increase flexibility.

Example:

A profile with the configuration as shown above:

• applies to users in the organization 'United Kingdom'.
• does not apply to users in the organization 'United Kingdom\LDN\London'.

By default, with this configuration, the Default Password Complexity Profile applies to that last group of users.
You can also specify a separate profile that applies to users in the organization 'United Kingdom\LDN\London'.