Configure Unlock Account

At Setup > Login Page Services > Unlock Account, you can enable users to unlock their Active Directory account. This reduces the number of help desk tickets for account unlocks and improves user productivity. Users can unlock their Active Directory account from the Microsoft Windows logon screen, or from the Identity Director Web Portal or Mobile client logon page, either via a wizard or via service delivery.

  • You can add code validation to unlock accounts. This adds an extra check to authenticate the identity of the user who requests to unlock their account: a verification code is sent to the user, e.g. by SMS or e-mail. Users then need to provide this verification code before they can proceed to unlock their account. This ensures that accounts are unlocked as securely as possible.
  • Using organizational context, you can define to whom the Verification Code and/or Security Questions apply.
  • You can add translations for the labels and messages that appear to end users in the Web Portal.

The availability of this functionality may be subject to the license type used in your environment.

Configuration

General tab

Field

Explanation and Tips

Unlock account settings

Specify the availability of the Unlock Account functionality.

  • Select Windows logon screen to make the functionality available on the Windows logon screen. Unlock Account on the Windows logon screen is managed through the Windows Client. This requires that you install the Windows Client on each computer on which you want to offer the Unlock Account functionality.
  • Select Web Portal logon screen to make the Unlock Account functionality available in the Web Portal.
    • Select Include captcha validation to provide extra security. Captcha validation is only available for the Web Portal.
  • Select Mobile clients to make the Unlock Account functionality available in the mobile client.

Unlock link text

Specify the text of the Unlock Account link.

People identifier

Specify the identification method of users when they request to unlock their account.

Service

Specify the service that is delivered as part of the Unlock Account.

User instructions

Specify the instructions that are shown when users click the Unlock Account link.

Status page message

Specify status information.

Redirection URL

Specify the URL to which users are redirected after an Unlock Account, instead of the default Web Portal sign-in page.

In certain scenarios, for example when users access the Web Portal from a thin client, redirecting them to the default page may not be user-friendly. You can prevent this by specifying a different URL.

Display the Finish button

Specify if you want the Finish button to be displayed at the end of the process. By default, this button will take users to the Web Portal login screen.

If you do not display the Finish button, no redirection (to the Web Portal login page or the Redirection URL) will occur.

User input

Specify if user input is provided through the wizard or through a service workflow.

Service attribute

Specify the service attribute that can store the input that the user provides.

  • This field is only available if input is provided through the wizard.
  • You can only select service attributes that are part of the service you selected in the Service field.

Authenticator Apps tab

Field

Explanation and Tips

Enabled

Enable authenticator applications validation.

Enabling this option will allow users to select authenticator apps as their preferred verification method in the Web Portal.

  • The option to allow end users to choose their preferred verification method is enabled from the General tab.

Verification Code tab

Field

Explanation and Tips

Enabled

Enable verification code validation.

Service

Specify the service that generates the code and sends it to the user, for example via SMS or e-mail.

  • The delivery workflow of the specified service must contain a Provide Verification Code action. In this action, we recommend specifying a verification code of at most 20 characters. Because the code is encrypted, longer codes may exceed the maximum value. This results in an error and leaves the transaction in a Pending state.
  • If you use SMS for code validation, the mobile phone number of the user that requests to unlock his account must be registered in your environment.
  • To generate a random PIN for this service, you can create a service attribute on the Attributes tab. It is best practice to leave the initial value blank, let its value be set by a Set Service Attribute action and use the function @[RANDOM(x,y)] in its Manual value field. This generates a random PIN every time the service is requested.

    You may also consider adding a Jump action to the workflow, so it jumps back to the Set Service Attribute action if the user provides an incorrect PIN. This generates a new random PIN.

Limit number of attempts

Limit the number of attempts a user can make to provide a verification code during an Unlock Account. This ensures that accounts are unlocked as securely as possible.

Maximum number of attempts

Configure the maximum number of attempts a user can make to provide a verification code during an Unlock Account. This field is only available if you have selected the option Limit number of attempts.

  • You can configure a number from 1-999.
  • The number of attempts left is shown in the Web Portal and the Mobile Client.
  • If the user exceeds the limit, the workflow action in the service that validates the verification code fails automatically.
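
Added example, not part of the product documentation: a Python model of the verification-code check, showing how the PIN range and the Maximum number of attempts setting together determine the odds that a blind guess passes validation. It assumes @[RANDOM(x,y)] returns a uniformly distributed integer from x to y inclusive; all function and class names are hypothetical.

```python
# Added example: models the verification-code check described on this page.
# Assumption: @[RANDOM(x,y)] yields a uniformly random integer in [x, y].
import hmac
import secrets
from fractions import Fraction

def guess_probability(low, high, max_attempts, regenerate_on_failure):
    """Chance that blind guessing passes validation within max_attempts."""
    space = high - low + 1
    if space < 1 or not 1 <= max_attempts <= 999:  # page allows 1-999
        raise ValueError("invalid PIN range or attempt limit")
    if regenerate_on_failure:
        # Jump back to Set Service Attribute: each try faces a fresh PIN.
        return 1 - (1 - Fraction(1, space)) ** max_attempts
    # Same PIN for the whole transaction: guesses never repeat.
    return Fraction(min(max_attempts, space), space)

def largest_limit_within(low, high, target, regenerate_on_failure):
    """Largest 'Maximum number of attempts' with guess odds <= target (0 if none)."""
    best = 0
    for attempts in range(1, 1000):
        if guess_probability(low, high, attempts, regenerate_on_failure) > target:
            break
        best = attempts
    return best

class VerificationStep:
    """Toy validation step: attempt limit plus PIN regeneration on a miss."""
    def __init__(self, low, high, max_attempts):
        self.low, self.high, self.left = low, high, max_attempts
        self.pin = self._new_pin()

    def _new_pin(self):
        return str(self.low + secrets.randbelow(self.high - self.low + 1))

    def submit(self, code):
        if self.left <= 0:
            return "failed"                      # limit exceeded: action fails
        self.left -= 1
        if hmac.compare_digest(code.encode(), self.pin.encode()):
            return "validated"
        self.pin = self._new_pin()               # incorrect PIN: issue a new one
        return "failed" if self.left == 0 else "retry"

if __name__ == "__main__":
    for limit in (3, 999):
        p = guess_probability(1000, 9999, limit, True)
        print(f"4-digit PIN, {limit} attempts: {float(p):.4%}")
```

Under this model, a four-digit PIN combined with the upper limit of 999 attempts leaves roughly a one-in-ten chance of a successful guess, so choose the limit with the PIN range in mind.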

Select organizational context

Specify the Organization(s) or Organizational attribute(s) that determine if the Verification Code applies to a user.

  • If you specify multiple Organizations, these are treated as 'AND': all must be true for the Verification Code to apply.
  • If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Verification Code to apply.
  • If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Verification Code to apply.

Organizational context Diagnostics

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.

Generating verification code message

Specify status information that is displayed to the user about generation of the code.

Enter verification code message

Specify user instructions to validate the code.

  • Unlock Account can only continue after a successful validation.

Invalid verification code message

Specify the message that is displayed to the user if the provided code is incorrect.

Exceeding maximum number of attempts message

Specify the message that is displayed to the user when he exceeds the limit. This field is only available if you have selected the option Limit number of attempts.

Validating verification code message

Specify status information that is displayed to the user about validation of the code.

Security Questions tab

Field

Explanation and Tips

Security questions

Specify the number of questions in the wizard.

If this number exceeds the number of questions and answers stored in a user's Security Questions and Answers attribute (see below), the user will get an error and cannot complete the Unlock Account service.

Questions attribute

This field shows the default people attribute Security Questions and Answers that stores the security questions and answers of the wizard. The attribute can be filled using the User Validation Service you specify on the Login Page Services page.

  • If you configure a custom service to define security questions and answers, make sure it fills this attribute with the security questions and the answers that were provided by the user.

Select organizational context

Specify the Organization(s) or Organizational attribute(s) conditions that determine if the Security Questions apply to a user.

  • If you specify multiple Organizations, these are treated as 'AND': all must be true for the Security Questions to apply.
  • If you specify multiple Organizational attributes, these are treated as 'AND': all must be true for the Security Questions to apply.
  • If you specify both Organizations and Organizational attributes, these are treated as 'OR': either all organizations OR all organizational attributes must be true for the Security Questions to apply.
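
Added example, not part of the product documentation: the AND/OR rule for organizational context, as it is described for both the Verification Code tab and the Security Questions tab, evaluated over a constructed set of people. The `Person` model and function names are hypothetical. Because the page does not say what happens when no context is specified, the example raises an error for that case instead of guessing.

```python
# Added example: the AND/OR rule for organizational context, on constructed data.
from dataclasses import dataclass, field

@dataclass
class Person:                      # hypothetical model, not a product object
    name: str
    organizations: set = field(default_factory=set)
    attributes: set = field(default_factory=set)

def context_applies(person, organizations=(), attributes=()):
    """True if the Verification Code / Security Questions apply to person."""
    groups = []
    if organizations:              # all selected Organizations must match (AND)
        groups.append(set(organizations) <= person.organizations)
    if attributes:                 # all selected attributes must match (AND)
        groups.append(set(attributes) <= person.attributes)
    if not groups:
        # The page does not describe an empty context; refuse to guess.
        # Note: all([]) is True in Python, so an unset group must be skipped,
        # not evaluated, or it would match everyone.
        raise ValueError("no organizational context specified")
    return any(groups)             # the two groups are combined with OR

def out_of_scope(people, organizations=(), attributes=()):
    """Names of people the configured context does not select."""
    return [p.name for p in people
            if not context_applies(p, organizations, attributes)]

# Constructed sample population.
PEOPLE = [
    Person("amy", {"Sales", "EMEA"}, {"Contractor"}),
    Person("bob", {"Sales"}, {"Contractor", "Remote"}),
    Person("cho", {"EMEA"}, set()),
]

if __name__ == "__main__":
    print(out_of_scope(PEOPLE, ["Sales", "EMEA"], ["Contractor", "Remote"]))
```

Compare the result with the Organizational context diagnostics list to confirm that the people you expect are covered.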

Organizational context diagnostics

After you specify organizational context, the first (max) 100 people that meet the conditions are listed here.
You can also search for a specific person, to verify they meet the conditions.

 

Translations tab

If you have enabled translations at Setup > Translations, you can add translations for the labels and messages that appear to end users in the Web Portal for Unlock Account.

To add translations:

  1. Alongside the default language, click Download resx service properties to export its RESX to use as the basis of translations for the other supported languages.
    The name of this file is unlockaccountsettings.resx.
  2. Save a renamed copy of this file and translate it as required.
  3. Click Import resx file to import the RESX for the language.
    This ensures that custom labels are translated in the correct language.

Each supported language uses the default language if you do not upload a RESX file.
Click Reapply default language to reapply the default language.
Click Download resx service properties to export the RESX of the language to make adjustments to the translation.

 
