This is not the latest version of Identity Director documentation.
View available documentation.

Configure Password Reset

At Setup > Login Page Services > Password Reset, enable users to reset their Active Directory password. This reduces the number of help desk password tickets and enhances productivity of the user. Users can reset their Active Directory password from the Microsoft Windows logon screen, or from the Identity Director Web Portal or Mobile client logon page, either via a wizard or via service delivery.

  • You can add code validation to password resets. This adds an extra check to authenticate the identity of the user who requests a password reset: a verification code is sent to the user e.g. by SMS or e-mail. Users then need to provide this verification code before they can proceed with a password reset. This ensures that passwords are reset as secure as possible.
  • Using organizational context, you can define to whom the Verification Code and/or Security Questions apply.
  • You can configure password complexity policies based on regular expressions, to ensure that passwords provided by your users meet the complexity requirements of your organization.
  • You can add translations for the labels and messages that appear to end users in the Web Portal.

Configuration

Field

Explanation and Tips

Password reset settings

Specify the availability of the password reset functionality.

  • Select Windows logon screen to make the functionality available on the Windows logon screen. Password resets on the Windows logon screen is managed through the Windows Client. This requires that you install the Windows Client on each computer on which you want to offer the password reset functionality.

Windows 10 users will only be able to access the Password Reset button from the logon screen, and not from the lock screen.

  • Select Web Portal logon screen to make the password reset functionality available in the Web Portal.
    • Select Include captcha validation to provide extra security. Captcha validation is only available for the Web Portal.
  • Select Mobile clients to make the password reset functionality available in the mobile client.

  • Select Allow users to set their preferred verification method to allow users to choose how to verify their identity - either via Verification Code or Security Questions.

    • The checkbox is active only when both options are enabled.

    • When not checked, both options are enforced, first Verification Code and then Security Questions.
      The default setting, when first installing the product is to be left unchecked.

Reset link text

Specify the text of the password reset link.

People identifier

Specify the identification method of users when they request a password reset.

Service

Specify the service that is delivered as part of the password reset (for example, the service Reset password based on user input that is provided with the Identity Director Password Reset Guide).

User instructions

Specify instructions when users click the password rest link.

Status page message

Specify status information.

Redirection URL

Specify a URL of choice after a password reset, rather than the default Web Portal sign-in page.

In certain scenarios, for example when users access the Web Portal from a thin client, redirecting them to the default page may not be user-friendly. You can prevent this by specifying a different URL.

Display the Finish button

Specify if you want the Finish button to be displayed at the end of the process. By default, this button will take users to the Web Portal login screen.

If you do not display the Finish button, no redirection (to the Web Portal login page or the Redirection URL) will occur.

Password input

Specify if password input is provided through the wizard or through a service workflow.

If you allow users to reset their password through a wizard, do not configure Active Directory to require a password change on next logon. This may lead to situations in which users can no longer sign in.

Password attribute

Specify the service attribute that can store the password that the user provides.

  • This field is only available if input is provided through the wizard.
  • You can only select service attributes that are part of the service you selected in the Service field.

Field

Explanation and Tips

Enabled

Enable authenticator applications validation.

Enabling this option will allow users to select authenticator apps as their preferred verification method in the Web Portal.

  • The option to allow end users to choose their preferred verification method is enabled from the General tab.

Field

Explanation and Tips

Enabled

Enable verification code validation.

Service

Specify the service that generates the code and sends it to the user, for example via SMS or e-mail.

  • The delivery workflow of the specified service must contain a Provide Verification Code action. In this action, we recommend to specify a verification code of up to a maximum of 20 characters. Because the code is encrypted, longer codes may exceed the maximum value. This will result in an error and leave the transaction in a Pending state.
  • If you use SMS for code validation, the mobile phone number of the user that requests the password reset must be registered in your environment.
  • To generate a random PIN for this service, you can create a service attribute on the Attributes tab. It is best practice to leave the initial value blank, let its value be set by a Set Service Attribute action and use the function @[RANDOM(x,y)] in its Manual value field. This generates a random PIN every time the service is requested.

    You may also consider adding a Jump action to the workflow, so it jumps back to the Set Service Attribute action if the user provides an incorrect PIN. This generates a new random PIN.

Limit number of attempts

Limit the number of attempts a user can make to provide a verification code during a password reset. This ensures that password resets occur as secure as possible.

Maximum number of attempts

Specify the maximum number of attempts a user can make to provide a verification code during a password reset. This field is only available if you have selected the option Limit number of attempts.

  • You can configure a number from 1-999.
  • The number of attempts left is shown in the Web Portal and the Mobile Client.
  • If the user exceeds the limit, the workflow action in the service that validates the verification code, fails automatically.

Select organizational context

Specify the Organization(s) or Organizational attribute(s) that determine if the Verification Code applies to a user.

  • If you specify multiple Organizations, these are treated as 'AND': all must be true for the Verification Code to apply.
  • If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Verification Code to apply.
  • If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Verification Code to apply.

Organizational context diagnostics

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.

Generating verification code message

Specify status information that is displayed to the user about generation of the code.

Enter verification code message

Specify user instructions to validate the code.

  • The password reset can only continue after a successful validation.

Invalid verification code message

Specify the message that is that is displayed to the user if the provided code is incorrect.

Exceeding maximum number of attempts message

Specify the message that is that is displayed to the user when he exceeds the limit. This field is only available if you have selected the option Limit number of attempts.

Validating verification code message

Specify status information about validation of the code.

Field

Explanation and Tips

Enabled

Enable the Security Questions method for user validation

Number of security questions

Specify the number of questions in the wizard.

If this number exceeds the number of questions and answers stored in a user's Security Questions and Answers attribute (see below), the user will get an error and cannot complete the Password Reset service.

Questions attribute

This field shows the default people attribute Security Questions and Answers that stores the security questions and answers of the wizard. The attribute can be filled using the User Validation Service you specify on the Login Page Services page.

  • If you configure a custom service to define security questions and answers, make sure it fills this attribute with the security questions and the answers that were provided by the user.

Attempts to answer before lockout

The number of permitted attempts to answer the questions correctly before the account gets locked out. By default, this value will be 0 (=no limit) and the options Lockout time in minutes and Cool down time in minutes will be grayed out.
After each attempt, the user will be notified about the current status with the message “You have X attempts left to answer the security questions before account lockout.” This message is not configurable.
The number of attempts is counted for all questions globally.
Examples:

  • 4 questions configured
  • Attempts to answer before lockout is set to 3

The maximum number of attempts will be reached when the user:

  • answers 1 out of 4 questions incorrectly in 3 runs of questions, or
  • answers 3 out of 4 questions incorrectly in 1 run of questions.

(other combinations are possible)

Lockout time in minutes

Specify the times (in minutes) that the account will be locked out after reaching the configured number of Attempts to answer before lockout. During this time, the respective account will not be able to try again to reset the password.

If the Attempts to answer before lockout is set to 0, this field will be grayed out.

Cool down time in minutes

Specify the time (in minutes) after which the lockout counter is reset. After this cool down time has expired, the counter for Attempts to answer before lockout is reset and the next incorrect answer to a security question is considered to be the first attempt again.
If the Attempts to answer before lockout is set to 0, this field will be grayed out.

Exceeding the maximum number of attempts message

Specify the message that is displayed to the end user when the maximum number of attempts has been reached. You can use parameters to include the number of minutes the account lockout is in effect.

Example: You can start again in {0} minutes.

The message can be included in translations.

Select organizational context

Specify the Organization(s) or Organizational attribute(s) conditions that determine if the Security Questions apply to a user.

  • If you specify multiple Organizations, these are treated as 'AND': all must be true for the Security Questions to apply.
  • If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Security Questions to apply.
  • If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Security Questions to apply.

Organizational context diagnostics

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.

Identity Director can keep track of the password history, to manage password reuse. The history itself is contained within Identity Director and does not come from integrations with various providers, such as Microsoft AD, Okta, etc.

Field

Explanation and Tips

Enabled

Enable password history option.

Number of passwords remembered

Specify the number of passwords that will be stored in Identity Director, to check that users don’t reuse their old passwords.

The history is designed to be populated by the passwords set by users. If the password is changed manually from AD, or if the option Provided through service workflow is used as a reset method, Identity Director has no way of knowing about the values used as a part of those operations.
Identity Director is not integrated at a history level with AD or other provider nor does it enforce its history on any other software system.

Best practices dictate using only Identity Director & user input as a method for choosing the password for best results.
However, a failsafe has been implemented to capture external events:

In case the password has been reset by another method, this feature will look also at the login events.
Every time the user successfully logs in, Identity Director cross references the password used with the data already stored.
If no match is found, the new password is stored.

Password reused message

Specify the message that will be displayed to the end user when an old password is reused. You can use parameters to include the number of old passwords that cannot be reused.
Example: Your new password cannot be same as any of your last {0} passwords. Please choose a new password.

The message can be included in translations.

Select organizational context

Specify the Organization(s) or Organizational attribute(s) that determine if the Password History applies to a user.

  • If you specify multiple Organizations, these are treated as 'AND': the user must be in all organizations for the Password History to apply.
  • If you specify multiple Organizational attributes, these are treated as 'AND': all attributes must apply to the user for the Password History to apply.
  • If you specify both Organizations and Organizational attributes, these are treated as 'OR': the user must either be in all organizations OR all organizational attributes must apply to the user for the Password History to apply.

When an Organization or Organizational attribute is specified here, all the users who match the conditions are subject to collecting their password and enforcing the history.
If an organization is removed from the conditions, the history of users who no longer match the conditions will be lost, because there is no way of knowing how many times the password has changed for those users while Identity Director was not aware of it.

Organizational context diagnostics

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify if they meet the specified conditions.

Field

Explanation and Tips
Diagnostics
(Organizational picker) 		Add an organization to load its active profiles and to test the configured password complexity rules.
Active Profiles After the organization context has been set, this will display the profiles that apply for that organization.
Test Your Password Insert the desired password to test out the rules.
As each one of the rules is fulfilled, the check mark next to it will change color.
This allows you to test out in real time the validity of the password policy for a given organization inside you company before saving the configuration.

Default Password Complexity Profile

This is the default profile that defines the password complexity policy. If no other profiles are defined or they are defined but a user is not added to them, the password rules defined here will apply to that user.
Regular expression

In the Regular expression field, configure the regular expression that determines the password complexity requirements. In the Web Portal, the password provided by the user is validated according to this regular expression.

  • When you configure a regular expression, you can add flags (also known as modifiers) to the pattern.
  • You can split complex rules into multiple rules, to make it easier to configure the desired policy.

Verify the regular expression in the Test field.

  • Green and red coloring indicate if the text field is conforming the configured regular expression.

When designing a regular expression, keep in mind that iOS users might encounter errors if certain special characters are not escaped correctly using \, which quotes the following character. Characters that must be quoted to be treated as literals are * ? + [ ( ) { } ^ $ | \ . /
Password complexity hints

In the Password complexity hints field, provide users with information about the characteristics of the new password. In the Web Portal and Windows Client, if the provided password matches a regular expression, the related complexity hint will be marked.
Add complexity profile

Click this button to add a new profile with its own password complexity policy.
Every user added in a new profile will override the default and use the rules here for the password complexity. If more than one profile applies to that user, the cumulative complexity will apply.

  • Profile 'Engineering' has the organization Engineering defined, with a complexity of minimum 8 digits.
  • Profile 'Management' has the organization Management defined, with a complexity of 12 digits and a special character.
  • User John is in both.

In this case John, will have to specify a password that consists of 12 digits and a special character.

Regular expression

Same as above.

Password complexity hints

Same as above.

Add Organization

Specify the Organization(s) that determine if the Complexity Profile applies to a user. This is a mandatory field. However, a profile without rules can be added.

  • Multiple organizations are interpreted as OR. If a person is in ANY of the organizations listed for the profile, then that person qualifies for the complexity policy of the profile.
  • The operator NOT (NOT button) can also be used for an organization, to increase flexibility.

Example:

United Kingdom, NOT United Kingdom\LDN\London

A profile with the configuration as shown above:

  • applies to users in the organization 'United Kingdom'.
  • does not apply to users in the organization 'United Kingdom\LDN\London'.

By default, with this configuration, the Default Password Complexity Profile applies to that last group of users.
You can also specify a separate profile that applies to users in the organization 'United Kingdom\LDN\London'.

Behavior and details

  • You can add as many rules per complexity profile as you want, including for the Default Password Complexity Profile.
    The resulting rules make up the final policy and all of them must apply to the new password the user will set.
    Please note, that using too many complexity rules may affect the user experience.
  • You can add as many complexity profiles as you want.
  • No organizational context can be added for the Default Password Complexity Profile.
  • You can also use the regular expressions to define dictionaries of certain words that you do not allow for password usage such as “Password” or the user’s employee ID number.

If you have enabled translations at Setup > Translations, you can add translations for the labels and messages that appear to end users in the Web Portal for password reset.

To add translations:

  1. Alongside the default language, click Download resx service properties to export its RESX to use as the basis of translations for the other supported languages.
    The name of this file is passwordresetsettings.resx.
  2. Save a renamed copy of this file and translate it as required.
  3. Click Import resx file to import the RESX of the language.
    This ensures that custom labels are translated in the correct language.

Each supported language uses the default language if you do not upload a RESX file.
Click Reapply default language to reapply the default language.
Click Download resx service properties to export the RESX of the language to make adjustments to the translation.

 

See also