Skip to content

Configuring OpenIDM Password Reset

Bill Nelson Jun 1, 2015 7:38:41 PM
keyboard with password reset buttons

ForgeRock OpenIDM is a powerful account management and data synchronization tool that provides many robust features out of the box.  Some of these features must be enabled, however, before they can be used.  Once such feature allows a user to reset their password in the OpenIDM Web UI by responding to challenge questions.

The OpenIDM Web UI provides an out of the box experience for resetting an OpenIDM user’s password based on a user’s response to challenge questions. This functionality is disabled by default and must be enabled in the ui-configuration.json file before attempting to perform this operation in the WebUI.

The following instructions describe how to enable this functionality and test the password reset flow and have been tested with OpenIDM version 3.1.0.

Configure Password Reset

1.  In a terminal window, change to the OpenIDM configuration folder

$ cd openidm/conf

2.  Edit the ui-configuration.json file

3.  Modify the value of the “securityQuestions” attribute from “false” to “true” as follows:

{
 "configuration" : {
 "selfRegistration" : false,
 "securityQuestions" : true,
 "siteIdentification" : false,
 "lang" : "en",

4.  (OPTIONAL)  The minimum length for responses to security questions is 16 characters.  This is defined by the securityAnswer policy in the openidm/conf/policy.json file.  You can modify the minimum number of characters associated with this policy by editing the minLength parameter in the minimum-length policyID as follows:

"name" : "securityAnswer",
 "policies" : [
    {
              "policyId" : "required-if-configured",
              "params" : {
                     "configBase" : "ui/configuration",
                     "baseKey" : "configuration.securityQuestions",
                    "exceptRoles" : [
                             "system",
                             "openidm-admin"
                    ]
             }
 },
 {
              "policyId" : "minimum-length",
              "params" : {
                      "minLength" : 4
               }
 },

Note:  Modifications to files in the conf folder are hot swappable; this means that your changes are now in effect without the need to restart OpenIDM.  Assuming you have not made any errors in configuring either of these two files (you can confirm by looking for errors in the openidm/logs/openidm0.log.0 file), then you have now enabled password reset for the WebUI.  Before this feature can be used, however, a user must first enter responses to challenge questions.

Enter Responses to Challenge Questions

4.  Go to OpenIDM user interface (http://openidm.example.com:8080/openidmui/index.html#login/). You will now see a “Reset your password” link available in the login form.

PasswordResetLink

5.  Log in as an existing user (i.e. bill.nelson@example.com).

6.  Select the “Change Security Data” link.

7.  Enter your current password in the form provided and select the “Continue” button.

EnterPassword

8.  Enter and confirm your password in the fields provided.

9.  Select a security question and provide an answer in the space provided.

SecurityQuestions

10.  Select the “Update” button and then log out of the user interface.

Note:  You can now test the password reset functionality.

Test Password Reset Functionality

11.  Return to OpenIDM user interface (http://openidm.example.com:8080/openidmui/index.html#login/).

12.  Select the “Reset your password link”.

PasswordResetLink

13.  Enter your username (i.e. bill.nelson@example.com) and click the “Submit” button.

forgotPassword

14.  You should see the security question that you selected in step 9 appear.  Provide the response that you entered in step 9 and click the “Submit” button.

Note: Case matters!

15.  If you responded to your security question properly, then you will now see form elements appear allowing you to enter and confirm a new password.

ChallengeResponse

16.  When you click the “Update” button, the new password will be applied to your OpenIDM object and you will be automatically logged in to the end user interface.

 

Leave a Comment