The WSO2 Identity Server allows authorized administrators to trigger a password reset for a given user account. This may be required in the following situations:
    1. The user forgets the credentials and makes a request to the administrator for a password reset.
    2. The credentials may have been exposed to outsiders, so the user needs to reset the password and lock the account until then, so that no one else can log in.

In such situations, the user can contact the admin and, based on the validity of the request, the admin can force a password reset for the user account. Once it is initiated, at the point of login, the basic authenticator processes the login request and prompts the corresponding dialogs or error messages based on the account status.

The steps below describe how to configure WSO2 Identity Server for forced password reset:

  1. Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory. 
  2. Configure the property values for the email server that this service should send notifications through, under the <adapterConfig type="email"> tag.

    <adapterConfig type="email">
        <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
        based authentication rather than username/password authentication -->
        <property key="mail.smtp.from">abcd@gmail.com</property>
        <property key="mail.smtp.user">abcd</property>
        <property key="mail.smtp.password">xxxx</property>
        <property key="mail.smtp.host">smtp.gmail.com</property>
        <property key="mail.smtp.port">587</property>
        <property key="mail.smtp.starttls.enable">true</property>
        <property key="mail.smtp.auth">true</property>
        <!-- Thread Pool Related Properties -->
        <property key="minThread">8</property>
        <property key="maxThread">100</property>
        <property key="keepAliveTimeInMillis">20000</property>
        <property key="jobQueueSize">10000</property>
    </adapterConfig>

    Note that the SMTP password is stored in clear text in this file, so restrict the file's permissions to the user that runs the Identity Server.
    Tip: The email template used to send this notification is the AdminForcedPasswordReset template for password recovery via a recovery email, and the AdminForcedPasswordResetWithOTP template for password recovery via OTP (one-time password).

    You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.

  3. Start the Identity Server and log in to the management console with the admin/admin credentials.
  4. Create a new user with the username "tom" and update his user profile with a valid email address and other information. 
  5. Create a new role called "test role" with login permissions and assign it to the new user, "tom". 

    Tip: You can verify this by logging in to the dashboard as Tom. The login attempt should succeed. Log out and log back in with the admin credentials.

  6. Click on Resident under Identity Providers found in the Main tab.

  7. Expand the Account Management Policies tab. 

  8. Expand the Password Reset tab. You will see the following options for forced password reset: 


...

Enabling this option sends the user an email with a one-time password that the user can use to log in to the account once, after which the user is prompted to set a new password. The email template for this option can be configured in the email-admin-config.xml file found in the <IS_HOME>/repository/conf/email/ directory, under the AdminForcedPasswordResetWithOTP tag.

  1. Configure the properties mentioned above, start the IS server and navigate to the relevant interface.
  2. Select Enable Password Reset via OTP from the three options listed, and click Update.
  3. Once the option is selected, admin users can force a password reset flow by updating the http://wso2.org/claims/identity/adminForcedPasswordReset claim to true for the relevant users. To do this, follow the steps below:
    1. Discover the UserProfileMgtService admin service. For information on how to do this, see Calling Admin Services.
    2. Create a new SOAP-UI project by importing the WSDL: https://localhost:9443/services/UserProfileMgtService?wsdl.

    3. Use the setUserProfile method to send a SOAP request that updates the http://wso2.org/claims/identity/adminForcedPasswordReset claim of the user.

      Sample SOAP request:

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mgt="http://mgt.profile.user.identity.carbon.wso2.org" xmlns:xsd="http://mgt.profile.user.identity.carbon.wso2.org/xsd">
          <soapenv:Header/>
          <soapenv:Body>
              <mgt:setUserProfile>
                  <mgt:username>tom</mgt:username>
                  <mgt:profile>
                      <xsd:fieldValues>
                          <xsd:claimUri>http://wso2.org/claims/identity/adminForcedPasswordReset</xsd:claimUri>
                          <xsd:fieldValue>true</xsd:fieldValue>
                      </xsd:fieldValues>
                      <xsd:profileName>default</xsd:profileName>
                  </mgt:profile>
              </mgt:setUserProfile>
          </soapenv:Body>
      </soapenv:Envelope>
    4. Add a new Basic Authorization header from the SOAP-UI request window and enter valid admin credentials to authenticate with the Identity Server. Send the request over HTTPS only: Basic authentication Base64-encodes the admin credentials, it does not encrypt them.

  4. Log out of the dashboard and attempt to log in again as the user you created above, "tom". The login attempt fails, and the password reset is prompted in the form of an error message saying "Login failed! Please recheck the username and password and try again".
  5. Log in to the email account you provided in Tom's user profile. You will see a new email with an OTP (one-time password) provided to log in to the account.
  6. Use the OTP provided in the email to log in as Tom. You will be redirected to the password reset UI where you are prompted to set a new password. Enter the relevant details to set a new password.
  7. You can now log in to the dashboard successfully as Tom using the new password. 
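The same claim update can be scripted instead of sent by hand from SOAP-UI. The following is an added example, not code from the WSO2 documentation or product: it builds the setUserProfile envelope with an XML builder (so a username containing markup cannot break out of its element), posts it with Basic authentication over a verified TLS connection, and distinguishes a SOAP Fault from a successful response. The host, admin credentials, CA bundle path and the "urn:setUserProfile" SOAPAction value are assumptions; the two sample responses are constructed for offline use.

```python
"""Force a WSO2 IS password reset by setting the adminForcedPasswordReset
claim through the UserProfileMgtService SOAP admin service.

Added example, not part of the WSO2 documentation. Host, credentials,
CA file and the SOAPAction header value are placeholders/assumptions.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MGT_NS = "http://mgt.profile.user.identity.carbon.wso2.org"
XSD_NS = "http://mgt.profile.user.identity.carbon.wso2.org/xsd"
FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"


def build_set_user_profile_request(username: str, claim_uri: str, value: str,
                                   profile_name: str = "default") -> bytes:
    """Build the setUserProfile envelope with ElementTree rather than string
    formatting: a username such as 'tom</mgt:username><mgt:username>admin'
    is escaped as text instead of becoming markup in an admin call."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("mgt", MGT_NS)
    ET.register_namespace("xsd", XSD_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{MGT_NS}}}setUserProfile")
    ET.SubElement(call, f"{{{MGT_NS}}}username").text = username
    profile = ET.SubElement(call, f"{{{MGT_NS}}}profile")
    fields = ET.SubElement(profile, f"{{{XSD_NS}}}fieldValues")
    ET.SubElement(fields, f"{{{XSD_NS}}}claimUri").text = claim_uri
    ET.SubElement(fields, f"{{{XSD_NS}}}fieldValue").text = value
    ET.SubElement(profile, f"{{{XSD_NS}}}profileName").text = profile_name
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def extract_usernames(envelope: bytes) -> list:
    """Parse an envelope back and return every mgt:username text (used to
    check that exactly one username element survives escaping)."""
    root = ET.fromstring(envelope)
    return [e.text for e in root.iter(f"{{{MGT_NS}}}username")]


def is_soap_fault(response_xml: bytes) -> bool:
    """True if the service answered with a SOAP Fault (for example an unknown
    user) rather than a setUserProfileResponse. HTTP 401 for bad admin
    credentials surfaces as urllib.error.HTTPError before this is reached."""
    root = ET.fromstring(response_xml)
    return root.find(f".//{{{SOAP_NS}}}Fault") is not None


def force_password_reset(host: str, username: str, admin_user: str,
                         admin_pass: str, cafile: str) -> bool:
    """POST the claim update over TLS. cafile is the CA that signed the IS
    certificate; never disable verification, the admin password travels in
    the Basic header and Basic only Base64-encodes it. Returns True on a
    non-fault response."""
    ctx = ssl.create_default_context(cafile=cafile)  # assumed CA bundle path
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/services/UserProfileMgtService",
        data=build_set_user_profile_request(username, FORCED_RESET_CLAIM, "true"),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": "urn:setUserProfile",  # assumed action name
                 "Authorization": f"Basic {token}"},
        method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return not is_soap_fault(resp.read())


# Constructed sample responses for offline checks (not captured from a server).
SAMPLE_FAULT = (b'<?xml version="1.0"?>'
                b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                b'<soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>'
                b'<faultstring>UserProfileException</faultstring></soapenv:Fault>'
                b'</soapenv:Body></soapenv:Envelope>')
SAMPLE_OK = (b'<?xml version="1.0"?>'
             b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soapenv:Body><ns:setUserProfileResponse '
             b'xmlns:ns="http://mgt.profile.user.identity.carbon.wso2.org"/>'
             b'</soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    # Placeholder host and credentials; replace before running against a real server.
    print(force_password_reset("localhost:9443", "tom", "admin", "admin", "/path/to/ca.pem"))
```

The builder matters because the username comes from a help-desk request, not from the administrator: with string formatting, a crafted value could close the username element and inject additional claim updates into the same admin call.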

...