PingFederate offers self-service password reset (SSPR) so that users can recover their account in the event of a forgotten password. Because SSPR is integrated into the HTML Form Adapter and the Password Credential Validator (PCV) framework, users can reset their password through one of the following mechanisms:
- Authentication policy
- One-time link via email
- One-time password via email
- One-time password via text message
- PingID®
The SSPR capability relies on the HTML Form Adapter and the LDAP Username PCV to query the required attributes for the chosen reset mechanism. PingFederate supports PingDirectory, Microsoft Active Directory, Oracle Unified Directory, and Oracle Directory Server out-of-the-box. Custom PCV implementations may also be developed to offer the SSPR features for users stored in non-LDAP data sources. For more information, refer to the ResettablePasswordCredential interface in Javadoc. The Javadoc for PingFederate is located in the <pf_install>/pingfederate/sdk/doc directory.
PingFederate also provides the capability for users to unlock their account without submitting a ticket to the IT department. When enabled with SSPR, if an account is locked, a user can initiate an account unlock request at the Sign On screen or the per-adapter Password Reset endpoint. Through the HTML Form Adapter, PingFederate prompts the user to prove ownership of the account using the password reset flow.
Unlike password reset, when users succeed in proving account ownership, they are allowed to retain their current password or to reset their password as needed. Furthermore, self-service account unlock is only compatible with PingDirectory and Microsoft Active Directory. If the underlying datastore is connected to Oracle Unified Directory or Oracle Directory Server, users can only unlock their account by changing their current password through the password reset flow.
You have now successfully created a new instance or modified an existing instance of the HTML Form Adapter with the SSPR and account unlock capabilities.
When a user signs on through this adapter instance, the user has the option to reset the password or unlock the account using the Trouble Signing On link, as illustrated in this screen capture.
You can also provide your users with the per-adapter Account Recovery endpoint (/ext/pwdreset/Identify), which allows them to reset their password or unlock their account through this HTML Form Adapter instance without submitting SSO requests.