Ubisecure Password application is included in the Ubisecure SSO installation package. During a standard installation the software is partially installed. The application is not ready for use without explicit activation and further configuration.
...
Info: Starting from SSO 8.9.0 the IDP metadata is automatically updated from the IDP metadata endpoint once every 60 seconds. The metadata file
Figure 1. Select SAML 2.0 to save IDP metadata file.
Then generate the SP identity and metadata. Use your publicly visible hostname as the URL parameter of the Generate command.
...
In Ubisecure Server Management, select System → Password. If there are no applications under Password, first select New Application, enter the name Password and select OK. Once Password is visible in the list, select it and click Activate. Upload the generated ubilogin-sso/password.xml file in the pop-up window. When everything is set, the window should look like the following:
Figure 2. Select Activate to upload SAML Metadata of the Password application
Configure Mail Settings
Ubisecure Password application sends email when performing the password reset. Mail settings are configured in the ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file. Uncomment the context-param elements whose param-names are mail.smtp.host and mail.smtp.from and edit the param-values to match your environment.

```xml
<context-param>
  <param-name>mail.smtp.host</param-name>
  <param-value>smtp-gw.example.com</param-value>
</context-param>
<context-param>
  <param-name>mail.smtp.from</param-name>
  <param-value>password@example.com</param-value>
</context-param>
```
OR
If the SMTP server requires further settings, such as authentication credentials, configure a Tomcat mail/Session resource in ubilogin-sso\ubilogin\config\tomcat\conf\context.xml as shown below. In this case the web.xml context-param configuration above is not needed.

```xml
<?xml version='1.0' encoding='utf-8'?>
<Context reloadable="false" useHttpOnly="true" swallowOutput="true">
  <Manager pathname="" />
  <!-- Container-managed JavaMail session. Note that the SMTP password is stored in
       cleartext in this file, so restrict read access to it. Port 465 with
       SSLSocketFactory is implicit TLS (SMTPS); STARTTLS is normally used on 587. -->
  <Resource name="mail/Session"
            auth="Container"
            type="javax.mail.Session"
            mail.smtp.host="host"
            mail.from="example@example.com"
            mail.user="example"
            mail.smtp.port="465"
            mail.smtp.auth="true"
            mail.smtp.user="example"
            password="password"
            mail.smtp.starttls.enable="true"
            mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory"/>
</Context>
```
...
```xml
<!-- web.xml: reference the container-managed mail/Session resource -->
<context-param>
  <param-name>mail-session</param-name>
  <param-value>mail/Session</param-value>
</context-param>
<resource-ref>
  <res-ref-name>mail/Session</res-ref-name>
  <res-type>javax.mail.Session</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
```
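The two mail configurations above are alternatives: either the mail.smtp.* context-params in web.xml, or a container-managed mail/Session in context.xml that web.xml references through the mail-session parameter. The following offline check applies that either/or rule to both files and flags the mistakes that bite in practice: params left inside the XML comment, a referenced Resource that does not exist, a session with no TLS, and a cleartext SMTP password in context.xml. This is an added example, not Ubisecure's code; the XML samples are constructed for it, and the element and attribute names follow the fragments shown on this page.

```python
"""Offline sanity check of the Ubisecure Password mail configuration (added example,
not Ubisecure code). Parses web.xml for mail.smtp.* context-params or a mail-session
reference, and Tomcat context.xml for the matching mail/Session Resource."""
import xml.etree.ElementTree as ET

# Constructed sample: the shipped web.xml state, mail params still inside an XML comment.
WEB_XML_COMMENTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!--
  <context-param>
    <param-name>mail.smtp.host</param-name>
    <param-value>smtp-gw.example.com</param-value>
  </context-param>
  <context-param>
    <param-name>mail.smtp.from</param-name>
    <param-value>password@example.com</param-value>
  </context-param>
  -->
</web-app>"""

# Constructed sample: the same file after uncommenting the params.
WEB_XML_ACTIVE = WEB_XML_COMMENTED.replace("<!--", "").replace("-->", "")

# Constructed sample: web.xml delegating to a container-managed mail session.
WEB_XML_SESSION = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <context-param>
    <param-name>mail-session</param-name>
    <param-value>mail/Session</param-value>
  </context-param>
  <resource-ref>
    <res-ref-name>mail/Session</res-ref-name>
    <res-type>javax.mail.Session</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>"""

# Constructed sample: context.xml mail session over implicit TLS (port 465).
CONTEXT_XML_TLS = """<Context reloadable="false" useHttpOnly="true" swallowOutput="true">
  <Manager pathname="" />
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"
            mail.smtp.host="smtp-gw.example.com" mail.from="password@example.com"
            mail.smtp.port="465" mail.smtp.auth="true"
            mail.smtp.user="example" password="password"
            mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory"/>
</Context>"""

# Constructed sample: same session with no TLS at all (the mistake to catch).
CONTEXT_XML_PLAIN = """<Context>
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"
            mail.smtp.host="smtp-gw.example.com" mail.smtp.port="25"
            mail.smtp.auth="true" mail.smtp.user="example" password="password"/>
</Context>"""


def _local(tag):
    """'{uri}name' -> 'name'; web.xml declares a default namespace, context.xml does not."""
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml):
    """Active context-params of a web.xml as {name: value}. The parser drops XML
    comments, so params that are still commented out simply do not appear."""
    params = {}
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "context-param":
            continue
        name = value = None
        for child in el:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def mail_session_resource(context_xml, name):
    """Attributes of the <Resource> called `name` in a Tomcat context.xml, or None."""
    for el in ET.fromstring(context_xml).iter("Resource"):
        if el.get("name") == name:
            return dict(el.attrib)
    return None


def audit_mail_config(web_xml, context_xml="<Context/>"):
    """Apply the either/or rule: a mail-session reference must resolve to a usable
    Resource, otherwise mail.smtp.host and mail.smtp.from must be set in web.xml.
    Returns a list of findings; an empty list means the configuration is complete."""
    findings = []
    params = context_params(web_xml)
    session_name = params.get("mail-session")
    if not session_name:
        for key in ("mail.smtp.host", "mail.smtp.from"):
            if not params.get(key):
                findings.append(f"{key} is missing or still commented out in web.xml")
        return findings
    res = mail_session_resource(context_xml, session_name)
    if res is None:
        return [f"web.xml references {session_name} but context.xml defines no such Resource"]
    if res.get("type") != "javax.mail.Session":
        findings.append(f"{session_name} has type {res.get('type')!r}, expected javax.mail.Session")
    if not res.get("mail.smtp.host"):
        findings.append(f"{session_name} has no mail.smtp.host")
    implicit_tls = res.get("mail.smtp.socketFactory.class") == "javax.net.ssl.SSLSocketFactory"
    starttls = res.get("mail.smtp.starttls.enable", "").lower() == "true"
    if not (implicit_tls or starttls):
        findings.append(f"{session_name} uses neither SSL socket factory nor STARTTLS: "
                        "SMTP traffic, including any login credentials, is sent in cleartext")
    elif starttls and not implicit_tls and res.get("mail.smtp.port") == "465":
        findings.append("port 465 is the implicit-TLS (SMTPS) port; STARTTLS normally goes to 587")
    if res.get("mail.smtp.auth", "").lower() == "true" and res.get("password") is not None:
        findings.append("SMTP password is stored in cleartext in context.xml; restrict the file's permissions")
    return findings


if __name__ == "__main__":
    for label, args in (("commented", (WEB_XML_COMMENTED,)),
                        ("active", (WEB_XML_ACTIVE,)),
                        ("session/tls", (WEB_XML_SESSION, CONTEXT_XML_TLS)),
                        ("session/plain", (WEB_XML_SESSION, CONTEXT_XML_PLAIN))):
        print(label, audit_mail_config(*args) or "ok")
```

Run it against the real files by reading them into the two arguments; the cleartext-password finding is deliberately reported even for a correct TLS setup, because it is a reminder about file permissions rather than a configuration error.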
...
As an optional step, you can enable debug logging by adding a value in the ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file.
...
debug logging following the instructions in Password application logging.
Let user define password during password reset
It is possible to let the user enter a password of their own choosing, subject to the password policy settings, by adding policy.password.resetWithUserDefinedPwd=true to the authentication method's configuration string.
Hide information about user account status
...
Select Groups → Password Users → Dynamic Members → Add → Service (Ubilogin Directory), Select Template (All users) → OK
Figure 3. Password Users group controls access to the Password application
Password reset with AD
The minimum length of the system-generated password must be set in the method's configuration string. The default length is 6 characters, which may be shorter than the minimum length defined by the AD group policy, in which case AD rejects the generated password.
Figure 4. Method configuration for policy.password.length=8
If the AD password length policy changes later, this value must be updated manually to match; it is not read from AD.
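A small check for the two configuration-string settings discussed above (policy.password.length and policy.password.resetWithUserDefinedPwd), computing the effective policy and comparing it with the AD minimum. The point it makes concrete is the default: when policy.password.length is absent the effective length is 6, not "unset", so an AD minimum of 8 fails silently until a reset is attempted. This is an added example, not Ubisecure code; it assumes one key=value setting per line, since the exact format of the configuration string is not shown on this page, and the AD minimum is supplied by the caller.

```python
"""Effective reset-password policy from an authentication method's configuration
string, checked against the AD group policy minimum (added example, not Ubisecure
code). Assumption: one key=value setting per line."""

DEFAULT_GENERATED_LENGTH = 6  # default stated on the page when policy.password.length is absent

# Constructed sample: a method configuration string that never set the length.
CONFIG_DEFAULT = """
# other method settings omitted
policy.password.resetWithUserDefinedPwd=false
"""

# Constructed sample: the Figure 4 setting, with user-defined passwords enabled.
CONFIG_LENGTH_8 = """
policy.password.length=8
policy.password.resetWithUserDefinedPwd=true
"""


def parse_config_string(text):
    """key=value lines -> dict; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def password_policy(settings):
    """Effective policy: the page's default of 6 applies when the length is not set.
    Raises ValueError if policy.password.length is not an integer."""
    raw = settings.get("policy.password.length")
    length = int(raw) if raw is not None else DEFAULT_GENERATED_LENGTH
    user_defined = settings.get("policy.password.resetWithUserDefinedPwd", "false").lower() == "true"
    return {"length": length, "user_defined": user_defined}


def check_against_ad(config_text, ad_min_length):
    """Findings for password resets against an AD whose group policy requires
    at least ad_min_length characters. Empty list means the settings are consistent."""
    settings = parse_config_string(config_text)
    try:
        policy = password_policy(settings)
    except ValueError:
        return [f"policy.password.length={settings['policy.password.length']!r} is not an integer"]
    findings = []
    if policy["length"] < ad_min_length:
        findings.append(f"policy.password.length is {policy['length']} "
                        f"(default {DEFAULT_GENERATED_LENGTH} when unset) but AD requires at least "
                        f"{ad_min_length}; AD will reject the generated password")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("length=8", CONFIG_LENGTH_8)):
        print(label, password_policy(parse_config_string(cfg)), check_against_ad(cfg, 8) or "ok")
```

Re-run the check whenever the AD group policy changes, since the page notes that the value in the method configuration is not updated automatically.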
...
The password change application is found at the address: https://idp.example.com/password/change
Figure 5. Password reset
Selecting the authentication method
...
Use the above links within user applications, or include links to these activities in the login UI. Instructions for adding links to the login UI are found in Login screens - SSO.
Figure 6. Example links added to login UI help box
Security consideration
LDAPS should always be used for the connection to the user repository in which the password reset is performed: the new password is written over that connection, so without TLS it crosses the network in cleartext.
See Configuring the connection for basic LDAP integration - SSO for LDAP connection configuration.