PingFederate offers self-service password management so that users can change their network password. This optional capability is integrated into the HTML Form Adapter and the LDAP Username Password Credential Validator (PCV). You can configure PingFederate to generate notification messages when users have successfully changed the password associated with their accounts through the HTML Form Adapter, or when their passwords are about to expire.

If you are validating credentials through the PingOne® Directory PCV, you can also enable the change password capability. Note that notifications for change password and password expiry are not supported at this point.

  1. On the System > Data Stores screen, create a new LDAP datastore.

    You can also reuse an existing LDAP datastore connection.

    Important:

    When connecting to an Active Directory (AD) LDAP server, you must secure the datastore connection using LDAPS. AD requires this level of security to allow password changes.

    This step does not apply if you are validating credentials through the PingOne Directory PCV.

  2. On the System > Password Credential Validators screen, create a new instance of the LDAP Username PCV or the PingOne Directory PCV.
    You can also reuse an existing LDAP Username PCV or PingOne Directory PCV instance.

    If you are validating credentials through the LDAP Username PCV and if you want to enable notifications, skip to step 3b to configure the related advanced fields.

    1. Select a datastore, enter a search base, define a search filter, select the scope of search, and enable or disable case-sensitive matching.
    2. Click Show Advanced Fields to update fields related to notifications.
      Configuration items vary depending on your requirements and the directory setup. The notification-related fields are:

      Display Name Attribute: The LDAP attribute that PingFederate uses to personalize the notification message. The default value is displayName.

      Mail Attribute: The LDAP attribute containing the email address that PingFederate uses as the destination of the notification message. The default value is mail.

  3. On the Identity Provider > Adapters screen, create a new HTML Form Adapter instance.
    You can also reuse an existing HTML Form Adapter instance. If so, skip to step 4c to configure your adapter instance to enable self-service password management.
    1. Select the PCV instance defined in the previous step as the credential validator.
    2. Optional: Update any default values or options.
    3. Select the Allow Password Changes check box.
    4. Select the Change Password Notification check box if you want PingFederate to generate a notification message for the user who has successfully changed the password through the HTML Form Adapter.
      The destination is the user's email address, specifically the mail attribute value returned by the LDAP Username PCV instance.
    5. Select the Show Password Expiring Warning check box if you want the Sign On screen to warn the user about an approaching password expiration.
    6. Select a notification publisher instance from the list if you have selected the Change Password Notification check box.
      If you have not yet configured the desired notification publisher instance, click Manage Notification Publishers.
    7. Click Show Advanced Fields to review or modify default values related to the change password capability.

      For example, update the Change Password Template field if you want to use a custom template to render the Change Password screen.

  4. Optional: Customize and localize the on-screen messages and notification messages.
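As an added pre-flight check that is not part of the PingFederate documentation or product, the following Python script applies two of the requirements above to constructed sample data: an Active Directory datastore must be reached over LDAPS before password changes can succeed, and each user needs the Mail Attribute populated (and ideally the Display Name Attribute) for notifications to be deliverable and personalized. The datastore URL, user names and attribute values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample input: a datastore definition as an administrator would
# enter it on the System > Data Stores screen (host and port are placeholders).
DATASTORE = {"type": "Active Directory", "url": "ldap://ad.example.test:389"}

# Constructed sample directory entries, keyed by username, carrying the
# attributes the LDAP Username PCV advanced fields refer to (default names).
USERS = {
    "alice": {"displayName": "Alice Example", "mail": "alice@example.test"},
    "bob": {"displayName": "Bob Example"},            # no mail attribute
    "carol": {"mail": "carol@example.test"},          # no displayName
}


def check_datastore(ds, ad_types=("Active Directory",)):
    """Return findings for the datastore connection.

    Password changes against AD require LDAPS, so an AD datastore whose URL
    is plain ldap:// will fail at change-password time even if lookups work.
    """
    findings = []
    scheme = urlsplit(ds["url"]).scheme.lower()
    if ds["type"] in ad_types and scheme != "ldaps":
        findings.append(f"{ds['url']}: AD datastore must use LDAPS for password changes")
    return findings


def check_notification_attrs(users, display_attr="displayName", mail_attr="mail"):
    """Return (users with no mail attribute, users with no display name).

    The Mail Attribute is the notification destination: without it the
    change-password notification cannot be delivered. The Display Name
    Attribute only personalizes the message, so its absence is a lesser finding.
    """
    no_mail = sorted(u for u, attrs in users.items() if not attrs.get(mail_attr))
    no_name = sorted(u for u, attrs in users.items() if not attrs.get(display_attr))
    return no_mail, no_name


if __name__ == "__main__":
    for finding in check_datastore(DATASTORE):
        print("datastore:", finding)
    missing_mail, missing_name = check_notification_attrs(USERS)
    print("users with no mail attribute (notification undeliverable):", missing_mail)
    print("users with no displayName (message not personalized):", missing_name)
```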

You have now successfully created a new instance or modified an existing instance of the HTML Form Adapter with the self-service password management capability.

When a user signs on through this adapter instance, the user has the option to change the password associated with the account using the Change Password link, as illustrated in this screen capture.

A sample sign-on page

You can also give your users the per-adapter Change Password endpoint (/ext/pwdchange/Identify), which lets them change their password through this HTML Form Adapter instance without submitting SSO requests.