---
title: Configuring user self-service
description: The PingFederate server provides end users with the ability to self-service their own profiles.
component: pingdirectory
version: 11.0
page_id: pingdirectory:delegated_admin_application_guide:pd_da_config_user_self_service
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/delegated_admin_application_guide/pd_da_config_user_self_service.html
revdate: March 14, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  result: Result:
  example-2: Example:
---

# Configuring user self-service

The PingFederate server lets end users manage their own profiles through self-service.

## About this task

To enable users created by delegated administrators to manage their own profiles through the PingFederate local identity profile-management feature, you need to perform additional configuration steps in both PingDirectory and PingFederate.

|   |   |
| - | - |
|   | Import the PingFederate LDAP Data Interchange Format (LDIF) first in PingDirectoryProxy and then in PingDirectory. Constructed attributes need to be created only in PingDirectoryProxy. Creating and rebuilding indexes (part of the self-service configuration) is done on PingDirectory. |

## Steps

1. Configure PingFederate for profile management.

   To allow users to change their passwords, enable **Allow Password Changes** in the HTML Form Adapter. You must make this change if you want to create passwords that the user must change on the first use. For example PingFederate configuration steps, see [Customer IAM configuration](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_customer_iam_config.html) in the PingFederate documentation.

   [Setting up PingDirectory for customer identities](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_setting_up_pd_for_customer_identit.html) in the PingFederate documentation includes some of the following required steps on the PingDirectory server.

2. To create passwords that the user must change on the first use after account creation or a password reset, configure a PingDirectory password policy to force users to change their passwords.

   ### Example:

   This policy requires that you enable **Allow Password Changes** as mentioned above.

   ```shell
   dsconfig set-password-policy-prop --policy-name "Default Password Policy" \
   --set force-change-on-add:true --set force-change-on-reset:true
   ```

   ### Result:

   With these changes, when a user signs on to the PingFederate self-service page, the page prompts the user to change their password.

3. Import the required additional Lightweight Directory Access Protocol (LDAP) schema provided by PingFederate into PingDirectory.

   1. On the PingFederate server, copy the LDIF file `local-identity-pingdirectory.ldif` from the following location: `<pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif`.

   2. Use the `scp` command to securely copy the LDIF file to your local machine.

4. Update the LDAP schema.

   1. Sign on to the PingDirectory admin console.

   2. Go to **LDAP Schema → Schema Utilities**.

   3. Click **Import Schema Element**.

   4. Copy the schema changes from the file `<pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif`.

   5. Paste the schema changes into the text area.

   6. Click **Import**.

5. Create an equality index for the `pf-connected-identity` attribute.

   ```shell
   $ bin/dsconfig create-local-db-index \
     --backend-name userRoot \
     --index-name pf-connected-identity \
     --set index-type:equality
   ```

6. After adding the index, use the `rebuild-index` utility to build the indexes.

   ### Example:

   The following sample builds the required index.

   ```shell
   $ bin/rebuild-index \
     --baseDN "dc=example,dc=com" \
     --index pf-connected-identity
   ```

7. Configure PingDirectory Server Composed Attributes.

   In previous versions of Delegated Admin, the remaining configuration was achieved by setting a constructed attribute on the user REST resource type. In the latest version, composed attribute plugins should be used instead as they provide the following advantages:

   * The `populate-composed-attribute-values` tool can be used to enable self-service for any existing users.

   * Self-service is enabled for any users not created through the Delegated Admin app.

     Configure two Composed Attribute Plugins as follows:

     |   |   |
     | - | - |
     |   | *\<users-base-dn>* and *\<users-object-class>* must be replaced with the search base distinguished name (DN) and structural object class of your REST Resource Type. |

     ```shell
     $ bin/dsconfig create-plugin \
       --plugin-name pf-connected-identities \
       --type composed-attribute \
       --set enabled:true \
       --set attribute-type:objectClass \
       --set value-pattern:pf-connected-identities \
       --set target-attribute-exists-during-initial-population-behavior:merge-existing-and-composed-values \
       --set "include-base-dn:<users-base-dn>" \
       --set "include-filter:(objectClass=<users-object-class>)"

     $ bin/dsconfig create-plugin \
       --plugin-name pf-connected-identity \
       --type composed-attribute \
       --set enabled:true \
       --set attribute-type:pf-connected-identity \
       --set "value-pattern:auth-source=pf-local-identity:user-id={entryUUID}" \
       --set "include-base-dn:<users-base-dn>" \
       --set "include-filter:(objectClass=<users-object-class>)"
     ```

     If you configure composed attribute plugins as described after upgrading an existing deployment, then you should remove the old constructed attribute configuration as follows.

     ```shell
     $ bin/dsconfig set-rest-resource-type-prop --type-name users \
       --remove auxiliary-ldap-objectclass:pf-connected-identities \
       --remove post-create-constructed-attribute:pf-connected-identity \
       --remove update-constructed-attribute:pf-connected-identity
     ```

8. (Optional) Enable self-service for any existing users not already linked to PingFederate.

   ```shell
   $ bin/populate-composed-attribute-values -h <host> -p <port> -D "cn=Directory Manager" -w <password>
   ```
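
A check to run after steps 7 and 8, as an added example that is not part of the product documentation: it reads LDIF for the user entries (for example, saved `ldapsearch` output with `objectClass`, `entryUUID` and `pf-connected-identity` requested; `entryUUID` is an operational attribute, so it must be requested by name) and lists every DN that is not linked according to the `value-pattern` configured in step 7. The function names and the sample entries are constructed for illustration.

```shell
# Added example. unlinked_users (hypothetical name) reads LDIF on stdin and
# prints each DN that lacks the pf-connected-identities object class or whose
# pf-connected-identity values omit the composed value for its own entryUUID.
# Assumes plain-text (not base64 "::") values; sample entries are constructed.
unlinked_users() {
  awk '
    function field(line) {                 # handle one unfolded LDIF line
      if (line == "") { report(); return } # blank line ends an entry
      sep = index(line, ": ")
      if (sep == 0) return
      name = tolower(substr(line, 1, sep - 1)); val = substr(line, sep + 2)
      if (name == "dn") dn = val
      else if (name == "entryuuid") uuid = val
      else if (name == "pf-connected-identity") links = links "\n" val "\n"
      else if (name == "objectclass" && tolower(val) == "pf-connected-identities") oc = 1
    }
    function report() {                    # compare with the value-pattern
      want = "\nauth-source=pf-local-identity:user-id=" uuid "\n"
      if (dn != "" && (!oc || uuid == "" || index(links, want) == 0)) print dn
      dn = uuid = links = ""; oc = 0
    }
    /^ / { buf = buf substr($0, 2); next } # folded continuation line
    { if (NR > 1) field(buf); buf = $0 }
    END { field(buf); report() }
  '
}

sample_ldif() {  # constructed sample entries, not real directory data
  cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: pf-connected-identities
entryUUID: 11111111-1111-4111-8111-111111111111
pf-connected-identity: auth-source=pf-local-identity:user-id=11111111-1111-41
 11-8111-111111111111

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
entryUUID: 22222222-2222-4222-8222-222222222222

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: pf-connected-identities
entryUUID: 33333333-3333-4333-8333-333333333333
pf-connected-identity: auth-source=pf-local-identity:user-id=11111111-1111-4111-8111-111111111111
EOF
}

sample_ldif | unlinked_users
```

In the sample, `bob` has no composed values yet and `carol` carries a link built from another entry's `entryUUID`, so both are reported while `alice` (whose value is folded across two LDIF lines) passes.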
