5.3 Password Management Configuration

This section describes how to configure password self-service and user authentication features to your Identity Manager User Application. Topics include:

5.3.1 About Password Management Features

The password management features supported by an Identity Manager User Application encompass user authentication and password self-service. When you put these features into use, they enable your application to:

  • Prompt for login information (username and password) to authenticate against Novell eDirectory™

  • Provide users with password change self-service

  • Provide users with forgotten password self-service (including prompting for challenge responses, displaying a password hint, or allowing a password change, as needed). You can configure forgotten password self-service to run inside the firewall (the default), or you can configure it to run outside the firewall.

  • Provide users with challenge question self-service

  • Provide users with password hint self-service

Required Setup in eDirectory

Before you can use most of the password self-service and user authentication features, you need to do the following in eDirectory:

  • Enable Universal Password

  • Create one or more password policies

  • Assign the appropriate password policies to users

A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing user passwords. Novell Identity Manager takes advantage of NMAS™ (Novell Modular Authentication Service) to enforce password policies that you assign to users in eDirectory.

You can use Novell iManager to perform the required setup steps. For example, here’s how someone defined the DocumentationPassword Policy in iManager.

Figure 5-2 Sample Password Policy

Illustration

This password policy specifies:

  • Universal Password settings

    Figure 5-3 Sample Universal Password Settings

    Illustration
  • Settings to deal with forgotten-password situations

    Figure 5-4 Sample Password Policy

    Illustration
  • Assignments that apply the policy to specific users

    Figure 5-5 Sample Policy Assignments

    Illustration

For more information on setting up Universal Password and password policies in eDirectory, see the Novell Identity Manager Administration Guide.

Case-Sensitive Passwords

By default passwords are not case-sensitive. You can create a password policy that allows case-sensitive passwords. You can specify the Allow the password to be case-sensitive in the Password Policies > Universal Password > Advanced Password Rules. If you enable case-sensitive password, you must also enable the Allow user to retrieve password setting. It is enabled by default, but you can verify it through the iManager Password Policies > Universal Password > Configuration Options tab.

Password Policy Compliance

If you enable Universal Password, it is recommended that you also configure the system to verify that existing passwords comply with the password policy. You can configure this through iManager. In iManager, go to Passwords > Password Policies > Universal Password > Configuration Options. Make sure the following option is selected: Verify whether existing passwords comply with password policy (verification occurs on login). This ensures that users created through the User Application are forwarded to the Change Password page to enter a password that complies with the Identity Manager password policy.

5.3.2 Configuring Challenge Response

The Challenge Response self-service page lets users:

  • Set up the valid responses to administrator-defined challenge questions, and set up user-defined challenge questions and responses

  • Change the valid responses to administrator-defined challenge questions, and change user-defined challenge questions and responses

HINT:If you have localized the Challenge Response questions in iManager set the Login Configuration setting Enable Locale Check to True.

Figure 5-6 Challenge Response Example

Requirements

The Challenge Response requirements are described Table 5-6.

Table 5-6 Challenge Response Requirements

Topic

Requirements

Password policy

A password policy with forgotten password enabled and a challenge set.

Universal Password

Does not require Universal Password to be enabled.

eDirectory configuration

Requires that you grant supervisor rights to the LDAP Administrator for the container in which the logged-in user resides. Granting these privileges allows the user to write a challenge response to the secret store.

For example, suppose the LDAP realm administrator is cn=admin, ou=sample, n=novell and you log in as cn=user1, ou=testou, o=novell. You need to assign cn=admin, ou=sample, n=novell as a trustee of testou, and grant supervisor rights on [All attribute rights].

Using the Challenge Response Feature

To use the Challenge Response feature, you need to know about the following:

How Challenge Response Is Used During Login

During the login process, the Login page automatically redirects to Challenge Response whenever the user needs to set up challenge questions and responses (for example, the first time a user attempts to log in to the application after an administrator assigns the user to a password policy in iManager. The password policy must have forgotten password enabled and include a challenge set).

How Challenge Response Is Used in the User Application

By default, the User Application provides users with self-service for changing challenge questions and responses.

Configuring Challenge Response

The Challenge Response Configuration settings (on the Administration tab) are described in the following table.

Table 5-7 Challenge Response Configuration Settings

Setting

Description

Mask Response Text

Choosing Yes means that user-entered response text is masked with asterisk (*) characters.

5.3.3 Configuring Forgotten Password

This feature uses challenge/response authentication to let users get information about their passwords. The result, which depends on the assigned password policy, can include:

  • Displaying the user’s password hint on the screen

  • E-mailing the hint to the user

  • E-mailing the password to the user

  • Prompting the user to reset (change) the password

Forgotten password self-service is typically available to users inside your corporate firewall through the deployed User Application WAR, but you can also configure your system so that the forgotten password management features are stored in a separate password management WAR. You can then deploy the password management WAR on a separate system that can be located inside or outside your corporate firewall. To learn how to setup Forgot Password outside the core User Application WAR, see Section 2.5, Configuring Forgotten Password Self-Service.

Requirements

The Forgot Password feature requirements are listed in Table 5-8.

Table 5-8 Forgotten Password Requirements

Topic

Requirements

Password policy

Requires a password policy with forgotten password enabled and with a challenge set.

When using password policies, you also need to configure the following settings on the Password Policy page in iManager to ensure that the User Application prompts the user to change the password on first login.

  • Force user to configure Challenge Questions and/or Hint upon authentication must be enabled. This setting is on the Forgotten Password panel, under Authentication.

  • Verify whether existing passwords comply with the password policy (verification occurs on login) must be enabled. This setting is on the Universal Password Policy panel, under Configuration Options>Authentication.

  • Limit the number of grace logins allowed (0-254) must be enabled. You can accept the default value of 6. This setting is on Universal Password panel, under Advanced Password Rules>Password Lifetime. This setting is required to support the Create User action. The Create User action expires the user’s password and sets the grace login value to 1, so that the user is forced to change the password on first login.

Universal Password

Does not require Universal Password to be enabled, unless you want to support resetting the password or e-mailing the password to the user.

Using the Forgot Password Feature

To use the Forgot Password feature, you need to know about the following:

How the Forgot Password feature Is Used During Login

During the login process, the Login page redirects to the Forgot Password page if the user clicks the Forgot Password link. When Forgot Password displays, it does the following:

  1. Prompts for username.

  2. Redirects to the Challenge/Response page to perform challenge/response authentication for that user.

  3. Performs the forgotten password action specified in the authenticated user’s assigned password policy. It does one of the following:

    • Redirects to the Change password page so the user can reset their password

    • E-mails the password or hint to the user

    • Displays the hint

Configuring Your Environment for E-mail Actions

If you want to support the Forgot Password e-mail actions, you need to make sure your e-mail notification server is set up properly:

  1. Use a Web browser to access iManager on your eDirectory server and log in as an administrator.

  2. Go to Roles and Tasks > Passwords and select Email Server Options.

  3. Specify the appropriate settings, then click OK.

Forgot Password uses two e-mail templates. In iManager, you find them in Roles and Tasks > Passwords > Edit Email Templates. They are named:

  • Password hint request

  • Your password request

You can change the content of these templates as needed for your application, but don’t change the structure. The Forgot Password page determines, based on the user’s preferred locale, whether to display a localized e-mail template.

Forgot Password Configuration Settings

You set the Forgot Password page configuration settings in the Administration tab. They are described in Table 5-9.

Table 5-9 Forgot Password Configuration Settings

Configuration Setting

Description

Login Sequence

The NMAS login sequence to use. In this version, only Challenge Response is supported.

LDAP secure port

The secure LDAP port to use. The default is 636.

Allow Wild Cards in Login

Select True if you want users to be able to type a wildcard character when entering the username. (The default is false.) If set to True, Display DN Information must also be True.

When True, the user is able to type a few characters of a username followed by a wild card character and the Forgot Password page returns a list of DNs that match the user-entered string.

Display DN Information

Select True when you want the Forgot Password page to display DN values. This can be used in conjunction with Allow Wild Cards in Login. If set to False, no DN context information is displayed.

Generic Password Policy User DN

Specify the DN of an existing Identity Vault user established to prevent unauthorized users from accessing your system by guessing valid usernames.

By default, if the user enters an invalid name, the User Application displays the message User not Found. Under some circumstances an unauthorized user might be able to guess a valid name and answer the challenge questions correctly. One way to prevent this is to specify this value. See Setting Up a Generic Password Policy User DN for additional required configuration steps.

Encoding

The character encoding to use. The default is utf-8.

Display Hint in Password Reset

Select True (the default) to display the user’s password hint on the Password Reset screen.

Select False to avoid displaying the user’s password hint on the Password Reset screen.

Setting Up a Generic Password Policy User DN

To support the Generic Password Policy User DN, you need to set up a user in the users container for this purpose. This user should:

  • Have a password that is difficult to guess.

  • Have his or her e-mail address assigned to a User Application Administrator.

You must set up:

  • A Challenge Set for this user and establish only Admin defined questions.

  • A Password Policy that uses this Challenge Set. The Password Policy should have ForgotPassword enabled

You must log in to the User Application as this user at least once to supply the answers to the Admin-defined questions.

Finally, log in to the User Application as the User Application administrator and go to the Forgot Password configuration page of the Administration tab. Specify false for Allow Wild Cards in Login and Display DN Information. Specify this newly established user as the Generic Password Policy User DN.

5.3.4 Configuring Login

The Login page performs a very robust user authentication supported by Identity Manager (through Universal Password, password policies, and NMAS). The Login page redirects to the other password pages as needed during the login process.

Illustration

Requirements

The Login page requirements are listed in Table 5-10 below.

Table 5-10 Login Requirements

Topic

Requirements

Password policy

This page does not require a password policy, unless you want to use advanced password rules or let users click the Forgot Password link.

Universal Password

This page does not require Universal Password to be enabled, unless you want to use a password policy with advanced password rules.

SSL

This page uses SSL, so make sure that your application server is properly configured to support SSL connections to your LDAP realm.

Use the Password Module Setup Login Action to configure the following settings:

Table 5-11 Login Configuration Settings

Configuration Setting

Description

Allow ID Wildcard

If True, users can specify the first few characters of a username and a list of usernames that include those characters is displayed so the use can select the user to login as.

Enable Forgot Password Link

If True, the User Application Login page displays the Forgot Password link.

Forgot Password Link

This value defines the name and path to the Forgot Password page. This initial value is established during installation. If you do not use an external password management WAR, you can leave the default value.

For more information, see Section 2.5, Configuring Forgotten Password Self-Service.

Forgot Password Return Link

Like the Forgot Password Link, this value is set during installation and you do not need to make any changes if you do not use an external password management WAR.

If you do use an external password WAR, use this setting to specify the URL that the Forgot Password page can use to return to the User Application when the user clicks Submit. The return link should take the form of:

protocol://servername:port/userappcontext

For example, https://idmhost:8080/IDMProv

For more information, see Section 2.5, Configuring Forgotten Password Self-Service.

Enable SSO

If True, the Username and password are stored in the session and can be accessed by other properly configured portlets. The username is stored in the SSO User ID Key and the password in the SSO Password Key

SSO User ID Key

If Enable SSO is True the username is stored in the session using this key.

SSO Password Key

if Enable SSO is True the password is stored in the session using this key.

Enable Hint Migration

If True, any existing hints are moved from the nsimHint to the nsimPasswordReminder.

Enable Locale Check

If True, and the user has not set their locale preferences, the User Application displays a page that allows them to set their preferred locale.

Enable Password Autocomplete

If True and supported by the browser, the user’s browser opens a window asking if the user wants to save the login credentials.

If False (the default), the user does not receive a browser prompt to save the login credentials.

Using the Login Page

To use the Login page, you need to know about the following:

How Login Redirects to Other Pages

At runtime, the Login page redirects to other password pages, depending on what’s needed to complete the login process. Table 5-12 directs you to descriptions.

Table 5-12 Login Directions to Other Pages

If the user

Login redirects to

Clicks the link Forgot Password

Forgot Password page

Needs to set up challenge questions and responses

Challenge response page

Needs to set up a password hint

Hint Definition page

Needs to reset an invalid password

Change password page

Using Grace Logins

If you use a grace login, the Login page displays a warning message that asks you to change your password and indicates the number of grace logins that remain. If you are on your last login, the Login page redirects you to the Change Password page.

5.3.5 Configuring Password Sync Status

Password Sync Status lets users check the progress of the password change process on connected systems. You can specify a different image to represent each connected system. To set up password sync status checking:

  • Define the connected applications whose status the user should be able to view during the synchronization process. You define the connected applications in the Password Sync Status Application Settings described in Table 5-14.

  • Define the settings for the password sync status page displayed to users. These settings are described in Table 5-13, Password Sync Status Client Settings.

By default, the User Application Administrator can view the password sync status of other users when the User Application Administrator accesses the Password Sync Status page, shown in Figure 5-7. The administrator can access the sync status for another user by specifying the other user’s DN, then clicking Check Sync Status.

Figure 5-7 Password Sync Status

In addition to the User Application Administrator, you can define a set of users to perform the Check Sync Status for other users (for troubleshooting or other purposes). The members of a group called PasswordManagement are also automatically allowed to view the password synchronization status of other users. This group does not exist by default. If you choose to create this group, it must be:

  • Named PasswordManagement.

  • Given privileges to the Identity Vault. The group must have rights to read the user’s eDirectory object attribute for users whose password synchronization status they need to view.

Table 5-13 Password Sync Status Client Settings

Configuration Setting

Description

Password Sync Buffer Time (milliseconds)

The password sync status checking compares time stamps across different Identity Vaults and connected systems. This buffer time is intended to account for differences between the system times on these different machines. This time is added to the time stamp on the user object’s password change attribute to determine if a change has occurred. It is used like this: The Password Sync Status process uses the buffer time as follows:

  • If the time stamp value (password sync time) in DirXML-PasswordSyncStatus for the connected system is older than the last password change time stamp (pwdChangedTime attribute of user object) + password sync buffer time, then the status is considered old and the system continues polling for an updated status for the connected system.

  • If the time stamp value in DirXML-PasswordSyncStatus for the connected system is newer than the last password change time stamp + password sync buffer time, then the password sync functionality returns the status code or message and displays the updated status of the connected system.

  • The last password change time stamp is populated to the user object after the user’s password change. This functionality is available in NMAS 3.1.3 and higher.

Image Per Row

The number of application images to display per row in the Identity Self-Service Password Sync Status page.

Individual Application Timeout (milliseconds)

The amount of time that the Password Sync Status process waits for a response for each connected application’s status before checking for the next one.

All Application Timeout (milliseconds)

This value indicates the amount of time allowed for the entire password sync status process (of all connected systems) to complete. Before this timeout is reached, the password sync process continues to poll until all status values are updated or this timeout is reached. When the timeout status is reached, the system displays an error message to the user that indicates that a timeout condition has been reached.

Process Count

The number of times each connected system is checked for the password sync status.

Pass Phrase

If the DirXML-PasswordSyncStatus contains a password hash, then the value entered in this field is compared to that value. If they are not equal, the User Application displays an invalid hash message.

Application Image Size Limit (bytes)

Lets you set the maximum size (in bytes) of the application image that can be uploaded. You specify this image in the Application Image setting described in Table 5-14.

The password Sync Status Application Settings are described in Table 5-14.

Table 5-14 Password Sync Status Application Settings

Configuration Setting

Description

Password Synchronization Application Name

The name used to describe the connected application. You can enter the application name in multiple locales.

To add a language (locale):

  1. Click Add Language (+).

  2. Type the Application Name for the desired localized languages in the appropriate field.

  3. Click Save.

If you do not specify localized application names, the value specified in the Password Synchronization Application Name is used.

Application DirXML-PasswordSyncStatus GUID

You can get the driver GUID by browsing the attributes on the driver object in one of two ways:

  • Click the browse button next to this field. This browse button obtains only GUIDs of drivers in the current driverset that the User Application driver resides in.

  • Use iManager to browse for the driver (use the General - Other tab, used when modifying the object) and manually copy and paste the GUID into this field.

Application Image

The name of the connected application Image to upload. The Application Image size can be configured from the Application Image Size Limit field in the Password Sync Status Client Settings section. Supported file types are .bmp, .jpeg, .jpg, .gif, and .png.

Application Filter

Optional. Specify an LDAP filter that allows or prohibits users’ viewing the application name on their Check Password Synchronization pages.

You can use any standard LDAP filter.

Dependent Driver

Optional. Specify any additional driver this application depends on.

If any driver in the dependent driver chain is not visible to the user, the driver specified by Application DirXML-PasswordSyncStatus GUID is also not visible to the user.

If any driver in the dependent driver chain fails to check password sync status, the driver specified by Application DirXML-PasswordSyncStatus GUID also fails to check password sync status.

You can get the driver GUID by browsing the attributes on the driver object in one of two ways:

  • Use the object selector button beside the Dependent Driver field.

    This method saves the application driver's fully distinguished name (FDN). When a user checks password sync status, this FDN is compared to the value of the FDN field in the DirXML-Associations attribute of the user object. If the two FDNs do not match, this application is not visible to the user. If there is a match, and if the DirXML-Associations attribute's driver status field is not 0 and the driver data field is not null, this application is visible to the user.

  • Manually enter the GUID for the dependent driver.

    Use this method when this application driver is not from the current driverset that the User Application driver resides in. This method does not save an FDN. When a user checks password sync status, FDNs are not compared, and this dependent driver is visible to the user unless you apply an Application Filter that excludes the user.

5.3.6 Configuring Password Hint Change

This self-service page lets users set up or change their password hints, which can be displayed or e-mailed as a clue in forgotten password situations.

Figure 5-8 Define Password Hint Sample

Requirements

The Password Hint Change requirements are listed in Table 5-15.

Table 5-15 Password Hint Change Requirements

Topic

Requirements

Universal Password

Does not require Universal Password to be enabled.

Using the Password Hint Change Page

To use the Password Hint Change page, you need to know about the following:

How Password Hint Change Is Used During Login

During the login process, the Login page automatically redirects to the Password Hint Change page whenever users need to set up their password hints. For example, the first time a user attempts to log in to the application after an administrator assigns the user to a password policy in iManager, the password policy has forgotten password enabled and has the action set to Email hint to user or Show hint on page.

Using Password Hint Change in the User Application

By default, the User Application provides users with self-service for changing a password hint.

5.3.7 Configuring Change Password

This self-service page lets users change (reset) their Universal Passwords, according to the assigned password policy. It uses that policy to display the rules that the new password must conform to.

If Universal Password is not enabled, this page changes the user’s eDirectory (simple) password, as permitted in the user's Password Restrictions.

Figure 5-9 Change Password

There are no Password Change configuration settings.

Requirements

The Change Password page requirements are listed in Table 5-16.

Table 5-16 Change Password Requirements

Topic

Requirements

Directory Abstraction Layer configuration

No directory abstraction layer configuration is required for this page.

Password policy

This page does not require a password policy, unless you want to use advanced password rules (with Universal Password enabled).

Universal Password

To use this page for a Universal Password, the setting Allow user to initiate password change must be enabled in the Advanced Password Rules of the user's assigned password policy.

To use this page for an eDirectory (simple) password, the setting Allow user to change password must be enabled in the user’s Password Restrictions.

Using the Change Password Page

To use the Change Password page, you need to know about the following:

How Change Password Is Used During Login

During the login process, the Login page automatically redirects to the Change Password page whenever the user needs to reset an invalid password. For example, the first time a user attempts to log in to an application after an administrator implements a password policy that requires users to reset their passwords.

The Forgot Password page also redirects to Change Password automatically if the user’s assigned password policy specifies reset password as the action for forgotten password situations.

Using Change Password in the User Application

By default, the User Application provides users with the password change self-service using the Change Password page.