--- title: Configuring self-service password management description: In the IdP Adapters window, create or modify an instance of the HTML Form Adapter to enable a customized self-service password management capability. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_config_self_servic_password_management canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_self_servic_password_management.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: August 9, 2023 section_ids: about-this-task: About this task steps: Steps result: Result related-links: Related links --- # Configuring self-service password management In the **IdP Adapters** window, create or modify an instance of the HTML Form Adapter to enable a customized self-service password management capability. ## About this task PingFederate offers self-service username password management for users to change their network password. This optional capability is integrated into the HTML Form Adapter and the Lightweight Directory Access Protocol (LDAP) *(tooltip: \
\

An open, cross platform protocol used for interacting with directory services.\

\
)* Username password credential validator (PCV) *(tooltip: \
\

Configures a centralized location for user credential validation. The validator instances can then be referenced by PingFederate.\

\
)*. You can configure PingFederate to generate notification messages when users successfully change the password associated with their accounts through the HTML Form Adapter or when their passwords are about to expire. If you are validating credentials through the PingOne for Enterprise Directory PCV, you can also enable the change password capability. Notifications for change password and password expiry are not supported at this point. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For self-service password management to work correctly with PingDirectory, you must grant the service account the `password-reset` privilege. In PingDirectory use the `ldapmodify` command to apply the following change:``` dn: uid=pfadmin,ou=People,dc=example,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: password-reset ``` | ## Steps 1. In the PingFederate administrative console, go to **Authentication > Integration > IdP Adapters**. 2. To create a new HTML Form Adapter instance, click **Create New Instance**. To reuse one, select an existing HTML Form Adapter instance. If you are reusing an existing HTML Form Adapter instance, skip to [\[pf\_substep\_enableUsernameRecovery\]](#pf_substep_enableUsernameRecovery) to configure your adapter instance to enable self-service password management. 3. On the **Type** tab, configure your adapter instance settings. Click **Next**. 4. On the **IdP Adapter** tab: 1. In the **Password Credential Validator Instance** section, select the PCV instance as the credential validator. 2. (Optional) Update any default values or options. 3. Select the **Allow Password Changes** checkbox. ![Screen capture of the IdP Adapter tab and adapter instance configuration for self-service password management. The Allow Password Changes checkbox is selected.](_images/mgg1639698719149.png) 4. Configure your adapter instance options. For more information, see the following table. | Option | Effects | | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Change Password Notification** | Select if you want PingFederate to generate a notification message for the user who has successfully changed their password through the HTML Form Adapter. The message is sent to the user's email address, specifically the mail attribute value returned by the LDAP Username PCV instance. | | **Show Password Expiring Warning** | Select if you want the **Sign On** window to warn the user about an approaching password expiration. | | **Change Password Notification** | Select to choose a notification publisher instance. If you have not yet configured the desired notification publisher instance, click Manage Notification Publishers. | | **Show Advanced Fields** | Click to review or modify default values related to the change password capability. For example, update the **Change Password Template** field if you want to use a custom template to render the **Change Password** window. | 5. (Optional) Customize and localize the on-window messages and notification messages. ## Result You have created a new instance or modified an existing instance of the HTML Form Adapter with the self-service password management capability. When a user signs on through this adapter instance, the user has the option to change the password associated with the account using the **Change Password** link. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can also provide your users the per-adapter Change Password endpoint `/ext/pwdchange/Identify`, which allows them to change their password through this HTML Form Adapter instance without submitting single sign-on (SSO) *(tooltip: \
\

The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\

\
)* requests. | ## Related links * [Customizable user-facing pages](pf_custom_user_facing_pages.html) * [IdP endpoints](../developers_reference_guide/pf_idp_endpoints.html) * [Managing notification publisher instances](help_notificationsendertasklet_notificationsendermanagementstate.html) * [Configuring an LDAP connection](help_datasourcetasklet_ldapconfigstate.html) * [Configuring the LDAP Username Password Credential Validator](pf_configure_ldap_username_pcv.html) * [Configuring the PingOne for Enterprise Directory Password Credential Validator](pf_configure_p1_for_enterprise_directory_pcv.html) * [Configuring an HTML Form Adapter instance](pf_config_html_form_adapt_instance.html) * [Customizable email notifications](pf_customiz_email_notificat.html) * [Localizing messages for end users](pf_local_message_end_users.html)