Differences

This shows you the differences between two versions of the page.

tutorial:adm:modules_pwdreset [2019/11/07 14:30]
doischert
tutorial:adm:modules_pwdreset [2023/11/09 11:57] (current)
polakb
Line 4: Line 4:
  
 ===== How does it work? ===== ===== How does it work? =====
-{{ :devel:adm:modules:pwd_reset_activity_diagam.png?800 |}} 
  
 +{{  :devel:adm:modules:pwd_reset_activity_diagam.png?800  }}
  
 ===== Process of restoring your forgotten password ===== ===== Process of restoring your forgotten password =====
-Users can restore their forgotten password via the password reset module. User can start the process on CzechIdM´s login page by clicking on "Forgotten password" link. In next step user it is required to enter an account identifier.  
  
-{{ :tutorial:adm:reset_form_eng.png }}+Users can restore their forgotten password via the password reset module. User can start the process on CzechIdM´s login page by clicking on "Forgotten password" link. In next step user it is required to enter an account identifier. 
 + 
 +{{  .:reset_form_eng.png  }}
  
 For now, the identity's email or login are supported and admin can use a configuration property to select which of these (or both) can be used. User then confirms password reset request by clicking on submit button. CzechIdM then generates validation token and stores it in the password reset request along with the time of creation. Validation token is then being sent to user via notification. Administrator can edit the notification using standard CzechIdM notification functionality. Notification is sent to topic "passwordResetRequestCreated" with SUCCESS level. For now, the identity's email or login are supported and admin can use a configuration property to select which of these (or both) can be used. User then confirms password reset request by clicking on submit button. CzechIdM then generates validation token and stores it in the password reset request along with the time of creation. Validation token is then being sent to user via notification. Administrator can edit the notification using standard CzechIdM notification functionality. Notification is sent to topic "passwordResetRequestCreated" with SUCCESS level.
  
-{{ :tutorial:adm:email_pwd_eng.png }}+{{  .:email_pwd_eng.png  }}
  
 After clicking on the link, which contains verification token in GET parameters, user is asked to fill in new password. If the password change succeeds (password validation is OK and user can change their own password), then the user can log in to CzechIdM with a new password. After clicking on the link, which contains verification token in GET parameters, user is asked to fill in new password. If the password change succeeds (password validation is OK and user can change their own password), then the user can log in to CzechIdM with a new password.
  
-{{ :tutorial:adm:set_pwd_eng.png }}+{{  .:set_pwd_eng.png  }} 
 ===== Password generating ===== ===== Password generating =====
-Password reset module has a process for generating new password by default based on a password policy for IdM. The form for password generating is a part of the password change component. To generate password to an end system it is necessary to enable the event type ''PASSWORD_GENERATE'' for processor in acc (processor.identity-password-provisioning-processor).  
  
-Password generating is available by permission ''IDENTITY PASSWORDRESET'' (and also APP_ADMIN).+Password reset module has a process for generating new password by default based on a password policy for IdM. The form for password generating is a part of the password change component. To generate password to an end system it is necessary to enable the event type ''PASSWORD_GENERATE'' for processor in acc (processor.identity-password-provisioning-processor).
  
-<note important> +Password generating is available by permission ''IDENTITY PASSWORDRESET'' (and also APP_ADMIN).
-By default, the "Password generate" form displays all end system accounts, but the password **will not** be provisioned to the end system accounts. So remember to add the event type ''PASSWORD\_GENERATE'' to the configuration property ''idm.sec.acc.processor.identity-password-provisioning-processor.eventTypes'' (as written aboveto avoid confusion. +
-</note>+
  
 +<note important> By default, the "Password generate" form displays all end system accounts, but the password **will not** be provisioned to the end system accounts. So remember to add the event type ''PASSWORD\_GENERATE'' to the configuration property ''idm.sec.acc.processor.identity-password-provisioning-processor.eventTypes'' (as written above) to avoid confusion. </note>
 ===== Reset password in user´s system accounts ===== ===== Reset password in user´s system accounts =====
 +
 Password reset module changes user's passwords only to their CzechIdM account. To reset passwords to end system accounts you need to have the acc module enabled and do a little bit of configuration. You need to set IdentityPasswordProvisioningProcessor and PasswordValidateProcessor to respond to PASSWORD_RESET event type. You can do it by setting Password reset module changes user's passwords only to their CzechIdM account. To reset passwords to end system accounts you need to have the acc module enabled and do a little bit of configuration. You need to set IdentityPasswordProvisioningProcessor and PasswordValidateProcessor to respond to PASSWORD_RESET event type. You can do it by setting
  
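Review bot: the relocated note fixes the unbalanced parenthesis ("(as written above) to avoid confusion"), but the process paragraph that is re-added in this hunk keeps the grammar slip "In next step user it is required to enter an account identifier"; suggest "In the next step the user is required to enter an account identifier". Since the same hunk states that the verification token travels in the link's GET parameters, it would help readers to cross-reference the idm.sec.pwdreset.token.ttl property at that point, so the validity window of a token that can end up in browser history or web server access logs is visible right next to the description of how the link is used.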
Line 34: Line 35:
 idm.sec.acc.processor.identity-password-provisioning-processor.eventTypes=PASSWORD,PASSWORD_RESET,PASSWORD_GENERATE idm.sec.acc.processor.identity-password-provisioning-processor.eventTypes=PASSWORD,PASSWORD_RESET,PASSWORD_GENERATE
 idm.sec.acc.processor.identity-password-validate-processor.eventTypes=PASSWORD,PASSWORD_RESET idm.sec.acc.processor.identity-password-validate-processor.eventTypes=PASSWORD,PASSWORD_RESET
 +
 </code> </code>
  
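Review bot: the only change here is a "+" empty line before </code>, which renders as a trailing blank line inside the snippet; either drop it or put the spacing after </code>. The prose above names the processors by class (IdentityPasswordProvisioningProcessor, PasswordValidateProcessor) while the snippet uses the configuration keys identity-password-provisioning-processor and identity-password-validate-processor; stating that mapping once would save readers from guessing which key belongs to which processor.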
Line 40: Line 42:
 <code> <code>
 idm.sec.core.processor.identity-password-change-notification.eventTypes=PASSWORD,PASSWORD_RESET idm.sec.core.processor.identity-password-change-notification.eventTypes=PASSWORD,PASSWORD_RESET
 +
 </code> </code>
  
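Review bot: same trailing "+" empty line inside <code> as in the previous hunk. The snippet keeps PASSWORD_RESET in identity-password-change-notification.eventTypes without the hunk saying why; a one-line reason (presumably so that the user still receives the password-changed notification when the change came through a reset rather than an ordinary PASSWORD event) would make it clearer to administrators why this value must not be trimmed back to PASSWORD alone.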
Line 45: Line 48:
  
 ===== Installation ===== ===== Installation =====
 +
 Download the module distribution package. The package contains a backend folder. Your IdM Tomcat installation we call IDM in the following example. Download the module distribution package. The package contains a backend folder. Your IdM Tomcat installation we call IDM in the following example.
 +
   - Copy the content of the backend folder into your tomcat IdM installation - [IDM]/WEB-INF/lib   - Copy the content of the backend folder into your tomcat IdM installation - [IDM]/WEB-INF/lib
   - Set correct access rights to the files if needed (''chown tomcat:tomcat [IDM]/WEB-INF/lib/*'')   - Set correct access rights to the files if needed (''chown tomcat:tomcat [IDM]/WEB-INF/lib/*'')
   - Restart the IdM application server (''service tomcat restart'')   - Restart the IdM application server (''service tomcat restart'')
-  - Log in to CzechIdM as a privileged user and go to Settings -> Modules and enable the pwd-reset module.+  - Log in to CzechIdM as a privileged user and go to Settings → Modules and enable the pwd-reset module.
   - Go to the configuration and configure required properties (see below).   - Go to the configuration and configure required properties (see below).
-  - Add the event types ''PASSWORD\_RESET'' and ''PASSWORD\_GENERATE'' for processors as [[tutorial:adm:modules_pwdreset#reset_password_in_user_s_system_accounts|described above]], if you want to reset and provision generated passwords for end system accounts (typically, you do).+  - Add the event types ''PASSWORD\_RESET''  and ''PASSWORD\_GENERATE''  for processors as [[.:modules_pwdreset#reset_password_in_user_s_system_accounts|described above]], if you want to reset and provision generated passwords for end system accounts (typically, you do).
  
 ===== Configuration ===== ===== Configuration =====
 +
 The module provides following configuration properties: The module provides following configuration properties:
-^ Property                                                    ^ Description                                                                                                                                                                                        ^ + 
-| idm.pub.pwdreset.allowed.attrs                              | REQUIRED. List of identity attributes (separated by comma) which can be used by user to identify their account when reseting password (username, email and personal number are available for now)  | +^Property  ^Description  | 
-| idm.sec.pwdreset.token.ttl                                  | How many minutes is verification token valid (default is 60 minutes)                                                                                                                               +|idm.pub.pwdreset.allowed.attrs  |REQUIRED. List of identity attributes (separated by comma) which can be used by user to identify their account when reseting password (username, email and personal number are available for now)  | 
-| idm.pub.pwdreset.identity.passwordReset.public.idm.enabled  | Boolean value to enable/disable password reset and password generate for CzechIdM system. Default value is true (password reset and password generate is enabled).                                                                             +|idm.sec.pwdreset.token.ttl  |How many minutes is verification token valid (default is 60 minutes)  
-| idm.sec.pwdreset.debug                                      | Debug password reset, if value is true token will be visible in notification in IdM.                                                                                                              |+|idm.pub.pwdreset.identity.passwordReset.public.idm.enabled  |Boolean value to enable/disable password reset and password generate for CzechIdM system. Default value is true (password reset and password generate is enabled).  
 +|idm.sec.pwdreset.debug  |Debug password reset, if value is true token will be visible in notification in IdM.  | 
 +|idm.sec.pwdreset.token.length  |Length of generated verification tokens - Default is 25  |
  
 ===== Video Guide ===== ===== Video Guide =====
 +
 [[https://www.youtube.com/watch?v=bxhVHXo-A-k&index=2&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb|How to reset password]] - czech language [[https://www.youtube.com/watch?v=bxhVHXo-A-k&index=2&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb|How to reset password]] - czech language
 +
 +===== FAQ =====
 +
 +==== How to allow password reset in CAS? ====
 +
 +For CAS docker set env variables:
 +<code>
 +
 +- CAS_CUSTOM_FRONTEND_PASSWORDRESET_DISPLAY=true
 +- CAS_CUSTOM_FRONTEND_PASSWORDRESET_LINK=<idm url>/#/password-reset
 +
 +</code>
 +
 +
 +
 +
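Review bot: the new idm.sec.pwdreset.token.length row says "Default is 25" without stating what the length counts (characters or bytes) or which character set the generated token draws from; since the token is what stands between the emailed link and a password change, the description should say both so administrators can judge how hard it is to guess. In the same table, "reseting" should read "resetting", and the idm.sec.pwdreset.debug row would benefit from saying it is meant for troubleshooting only, because it exposes the token in the IdM notification. If the extraction is faithful, the token.ttl and passwordReset.public.idm.enabled rows lack a closing "|" and the header row ends in "|" rather than "^"; DokuWiki rows should start and end with the same delimiter. The four added blank lines after the FAQ code block are superfluous.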
  • by doischert