The Ubisecure Password Reset application is included in the Ubisecure SSO installation package. A standard installation only partially installs it: the application is not usable until it has been explicitly activated and configured as described below.

Add SSO Server Certificate to Java Trust Store

Password Reset connects to the TLS-secured SSO endpoints, so the SSO server certificate needs to be added to the trust store of the Java Runtime Environment that runs Tomcat (and thus the Password Reset web application).

See: How to add the SSO server certificate to the JRE trust store.
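The following script is an added example, not part of the Ubisecure package, showing how the certificate presented by the SSO endpoint can be fetched and imported with keytool on a Linux host. It assumes keytool and openssl are on the PATH, that JAVA_HOME points at the JRE Tomcat runs with, that the trust store password is the JDK default changeit, and uses a hypothetical alias ubisecure-sso; adjust these to the installation.

```shell
#!/bin/sh
# Added example (not part of the Ubisecure package): fetch the certificate that the
# SSO endpoint presents and put it in the trust store of the JRE that runs Tomcat.
# Assumptions: keytool and openssl are on PATH, JAVA_HOME points at that JRE, and the
# trust store password is the JDK default "changeit".
set -eu

# Write the leaf certificate presented by host:port as PEM to the file named in $3.
# openssl x509 reads only the first PEM block, i.e. the server (leaf) certificate.
fetch_server_cert() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Return 0 if the alias exists in the trust store, 1 otherwise.
cert_is_trusted() {
  store=$1; storepass=$2; alias=$3
  keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1
}

# Import a PEM certificate under the given alias, replacing any previous entry with
# that alias so a renewed certificate can be re-imported with the same command.
import_trusted_cert() {
  store=$1; storepass=$2; alias=$3; pem=$4
  if cert_is_trusted "$store" "$storepass" "$alias"; then
    keytool -delete -keystore "$store" -storepass "$storepass" -alias "$alias"
  fi
  keytool -importcert -noprompt -trustcacerts -keystore "$store" -storepass "$storepass" \
    -alias "$alias" -file "$pem"
}

# Locate the cacerts file under JAVA_HOME (Java 9+ layout first, then the Java 8 JDK
# layout). Which JRE Tomcat actually uses is an installation-specific assumption.
jre_cacerts() {
  base=${JAVA_HOME:?JAVA_HOME must point at the JRE that runs Tomcat}
  for p in "$base/lib/security/cacerts" "$base/jre/lib/security/cacerts"; do
    if [ -f "$p" ]; then echo "$p"; return 0; fi
  done
  echo "no cacerts found under $base" >&2
  return 1
}

# Usage: SSO_HOST=sso.example.com [SSO_PORT=443] [SSO_ALIAS=ubisecure-sso] sh add-sso-cert.sh
if [ -n "${SSO_HOST:-}" ]; then
  pem=$(mktemp)
  store=$(jre_cacerts)
  pass=${STOREPASS:-changeit}
  alias=${SSO_ALIAS:-ubisecure-sso}
  fetch_server_cert "$SSO_HOST" "${SSO_PORT:-443}" "$pem"
  import_trusted_cert "$store" "$pass" "$alias" "$pem"
  cert_is_trusted "$store" "$pass" "$alias" || { echo "import of $alias failed" >&2; exit 1; }
  echo "imported certificate of $SSO_HOST into $store as $alias"
  rm -f "$pem"
fi
```

Restart Tomcat after the import, since the JVM reads the trust store at startup. The import has to be repeated when the SSO certificate is renewed and after a JRE upgrade, which ships a fresh cacerts file; if the SSO certificate is issued by an internal CA, importing that CA certificate instead of the leaf removes the renewal dependency at the cost of trusting everything the CA issues.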

Enable Password Reset Web Application

The Password Reset application is disabled by default. To enable it:

  • Run ubilogin-sso/ubilogin/tools/activate-password-reset.[sh|cmd]
  • Update the Tomcat configuration by running ubilogin-sso/ubilogin/config/tomcat/update.[sh|cmd]

The activate-password-reset script creates a new file ubilogin-sso/ubilogin/custom/password-reset/conf/server-context.xml, which contains the server context description for the password-reset web application. This file is included in config/tomcat/conf/server.xml during Tomcat installation and update. Note that if config/tomcat/conf/server.xml has been replaced with a custom version, the inclusion of custom/password-reset/conf/server-context.xml during Tomcat install or update may not work, because it depends on certain XML comment tags being present in server.xml.

If a customized version of ubilogin-sso/ubilogin/config/tomcat/conf/server.xml is used, it is necessary to add the following line to the customized server.xml (inside the Host element that serves the SSO web applications, since Tomcat only accepts Context elements there):

<Context path="/password-reset" docBase="${catalina.base}/webapps/password-reset"/>
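Because the automatic inclusion can silently fail with a customized server.xml, it is worth checking after update.[sh|cmd] that the Context really reached the server.xml that Tomcat will load. The following check is an added example and not part of the Ubisecure package; the install root /opt/ubilogin-sso is an assumed default, and the two sample server.xml files it writes are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added check (not part of the Ubisecure package): confirm that the /password-reset
# Context ended up in the Tomcat server.xml that update.[sh|cmd] produced.
set -eu

SSO_HOME=${SSO_HOME:-/opt/ubilogin-sso}   # install root is an assumption
SERVER_XML=${SERVER_XML:-$SSO_HOME/ubilogin/config/tomcat/conf/server.xml}
CTX_XML=${CTX_XML:-$SSO_HOME/ubilogin/custom/password-reset/conf/server-context.xml}

# Return 0 if file $1 declares a Context with path="/password-reset", 1 otherwise.
# Tolerates other attributes before path= and any surrounding whitespace.
has_password_reset_context() {
  f=$1
  [ -r "$f" ] || return 1
  grep -Eq '<Context[^>]*path="/password-reset"' "$f"
}

# Print one line per finding. Exit status 0 only when the effective server.xml
# carries the Context; a missing server-context.xml is reported but not fatal,
# because a customized server.xml may declare the Context directly.
check_password_reset_deployment() {
  server_xml=$1; ctx_xml=$2
  status=0
  if [ -r "$ctx_xml" ]; then
    echo "ok: $ctx_xml exists (created by activate-password-reset)"
  else
    echo "warn: $ctx_xml missing; has activate-password-reset been run?"
  fi
  if has_password_reset_context "$server_xml"; then
    echo "ok: $server_xml declares the /password-reset Context"
  else
    echo "error: $server_xml has no /password-reset Context; add it to the customized server.xml"
    status=1
  fi
  return $status
}

# Constructed sample server.xml files (minimal Tomcat skeletons) for offline testing.
# $1 = directory to write into, $2 = "with" or "without" the password-reset Context.
make_sample() {
  mkdir -p "$1"
  if [ "$2" = with ]; then
    cat > "$1/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/password-reset" docBase="${catalina.base}/webapps/password-reset"/>
      </Host>
    </Engine>
  </Service>
</Server>
EOF
  else
    cat > "$1/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
EOF
  fi
}

# Usage: sh check-password-reset.sh --check   (optionally with SSO_HOME set)
if [ "${1:-}" = "--check" ]; then
  check_password_reset_deployment "$SERVER_XML" "$CTX_XML"
fi
```

A non-zero exit from the check means Tomcat will start without the /password-reset Context, so the application is not reachable even though the activation script ran.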

Running the activate-password-reset script also does the following:

  • Enables the password method password.1 for Password Reset
  • Creates a new OTP (One Time Password) method smtp-otp.unregistered.1 of type Unregistered SMTP method
    • By default the OTP method uses the "mail/Session" mail context for sending the SMTP message; this context can be defined in ubilogin/custom/tomcat/mail-resources.xml
  • Enables the OTP method smtp-otp.unregistered.1 for Password Reset

Enable a password method for Password Reset

To enable a password method password.x for resetting passwords with the Password Reset application, do the following in the SSO Management Console:

  • Navigate to the Password Reset site.
    • Select System → Password Reset
  • Add the password.x method to the Password Reset site.
    • Select Site Methods → Add Method… → password.x → OK
  • Add the password.x method to the allowed methods of Password Reset application.
    • Select Applications → Password Reset → Allowed Methods → password.x → Update

Enable an OTP method for Password Reset

Password Reset supports the Unregistered SMTP OTP and Unregistered SMS OTP methods for authenticating users who have initiated a password reset.

To enable an OTP method x-otp.unregistered.y for authenticating password reset users, do the following in the SSO Management Console:

  • Navigate to the Password Reset site.
    • Select System → Password Reset
  • Add the x-otp.unregistered.y method to the Password Reset site.
    • Select Site Methods → Add Method… → x-otp.unregistered.y → OK
  • Add the x-otp.unregistered.y method to the allowed methods of Password Reset application.
    • Select Applications → Password Reset → Allowed Methods → x-otp.unregistered.y → Update
  • Add the x-otp.unregistered.y method to the allowed methods of Password Reset Users group.
    • Select Groups → Password Reset Users → Allowed Methods → x-otp.unregistered.y → Update

(Optional) Define the OTP method used for authenticating Password Reset users

The OTP method used for authenticating users during password reset is set by the configuration parameter password.reset.otpGrantTypes of the password method, which contains the grant type(s) of the required OTP method. Each OTP method maps to a specific grant type (the value used as the grant_type parameter in OAuth 2.0 token requests). The grant types currently supported by Password Reset are:

  • http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp for Unregistered SMTP OTP
  • http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp for Unregistered SMS OTP

This parameter is optional. If omitted, the default value is http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp.

Note that the respective OTP method must also be enabled for Password Reset application and Password Reset Users group, as instructed above in Enable an OTP method for Password Reset.

Example 1: To use SMS OTP with password.x, set the following configuration string in password.x:

password.reset.otpGrantTypes = http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp

Require more than one OTP method before allowing password reset

It is also possible to define a comma-separated list of required grant types in password.reset.otpGrantTypes, in which case the user must authenticate with all of the listed OTP methods before the password reset is allowed. The OTP methods are executed in the order listed: the first method in the list is performed first, and the next one is started only after the previous one has completed successfully.

Example 2: To require first Unregistered SMTP OTP and then Unregistered SMS OTP with password.x, set the following configuration string in password.x:

password.reset.otpGrantTypes = http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp, http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp

(Optional) Force system generated passwords

In some environments it may be a requirement that users are not allowed to choose their new password themselves; instead the password must be generated by the system. Password Reset supports this when the following configuration string is set in the password method:

policy.password.resetWithUserDefinedPwd=false

This parameter is optional. If omitted, the default value is true (the user chooses the new password).

(Optional) Define the account attribute used for sending email with Unregistered SMTP OTP method

The name of the account attribute whose value is used as the recipient address when sending email with the Unregistered SMTP OTP method can be set for the password method or its directory service with the configuration string directory.attribute.mail.

This parameter is optional. If omitted the default value depends on the type of the directory service.

The parameter accepts multiple values as a white-space separated list. The first attribute in the list is the primary attribute and is used whenever it contains a value; the secondary attribute is used only if the primary attribute is empty. For example:

directory.attribute.mail=mail secondaryMail

(Optional) Define the account attribute used for sending SMS with Unregistered SMS OTP method

The name of the account attribute whose value is used as the recipient number when sending SMS with the Unregistered SMS OTP method can be set for the password method or its directory service with the configuration string directory.attribute.mobile.

This parameter is optional. If omitted the default value depends on the type of the directory service.

The parameter accepts multiple values as a white-space separated list. The first attribute in the list is the primary attribute and is used whenever it contains a value; the secondary attribute is used only if the primary attribute is empty. For example:

directory.attribute.mobile=mobile secondaryMobile