CzechIdM password reset module [pwd-reset]
The module provides functionality of password reset or, in other words, recovery of forgotten password.
How does it work?
Process of restoring your forgotten password
Users can restore their forgotten password via password rest module. User can start the process on CzechIdM´s login page by clicking on "Forgotten password" link. In next step user is required to enter account identifier. For now, identity email or login are supported and admin can use configuration property to select which of theese (or both) can be used. User then confirms password reset request by clicking on submit button.
CzechIdM then generates validation token and stores it in password reset request along with time of creation. Validation token is then being sent to user via notification. Administrator can edit the notification using standard CzechIdM notification functionality. Notification is sent to topic "passwordResetRequestCreated" with SUCCESS level.
After clicking on link, which contains verification token in GET parameters, user is asked to fill in new password. If password change succeeds (password validation is OK and user can change their own password), then user can log in to CzechIdM with new password.
Reset password in user´s system accounts
Password reset module changes users passwords only in CzechIdM account. To reset passwords in end system accounts you need to have acc module enabled and do a little bit of configuration. Actually the only thing you need to configure is to set IdentityPasswordProvisioningProcessor to respond to PASSWORD_RESET event type. You can do it by setting
idm.sec.acc.processor.identity-password-provisioning-processor.eventTypes=PASSWORD,PASSWORD_RESET
Now IdM will also reset password on all user accounts which support it.
Installation
Download the openam distribution package. The package contains a backend folder. Your IdM Tomcat installation we call IDM in the following example.
- Copy content of the backend folder into your tomcat IdM installation - [IDM]/WEB-INF/lib
- Set correct access rights to the files if needed (
chown tomcat:tomcat [IDM]/WEB-INF/lib/*) - Restart the IdM application server (
service tomcat restart) - Log in to CzechIdM as an privileged user and go to Settings → Modules and enable the pwd-reset module.
- Go to the configuration and configure required properties (see below).
Configuration
The module provides following configuration properties:
| Property | Description |
|---|---|
| idm.sec.reset.password.allowed.attrs | REQUIRED. List of identity attributes (separated by comma) which can be used by user to identify their account when reseting password (username and email are available for now) |
| idm.sec.reset.password.token.ttl | How many minutes is verification token valid (default is 60 minutes) |