These steps include specific field configurations. For comprehensive instructions for configuring this adapter instance, see Configuring an HTML Form Adapter instance.

When connecting to an Active Directory server, you must secure the datastore connection using LDAPS because Active Directory requires this level of security to allow password changes.

To configure an HTML Form Adapter instance to enable account recovery and password change:

  1. Go to Authentication > Integration > IdP Adapters > Create New Instance and click the IdP Adapter tab.
  2. Select the Allow Password Changes check box.

    An LDAP service account is used for password changes.

  3. To allow a password expiring message, select the Show Password Expiring Warning check box.
  4. In the Password Reset Type field, click a method to use for self-service password reset.

    To enable account recovery, you must select a password reset type other than None.

    Password reset type and configuration requirements
    Self-service password reset option Configuration requirements

    Authentication Policy

    To enable this option, in the Password Reset Policy Contract list, select a policy.

    Email One-Time Link or Email One-Time Password

    1. In the Notification Publisher list, select an option or, to configure a new notification publisher, click Manage Notification Publishers
    2. In your LDAP password credential validator instance, on the Instance Configuration tab, enter values for the Display Name Attribute and Mail Attribute fields.


    1. Upload the PingID properties file for the PingID reset option.
    2. Configure the PingID Username Attribute field in the LDAP password credential validator.

    Text Message

    1. Click Manage SMS Provider Settings to add an SMS Provider and enter values for theAccount SID,Auth Token, and From Number fields. Click Save.

      Create a Twilio trial account to get an Account SID, Auth Token, and From Number.

    2. In your LDAP password credential validator instance, on the Instance Configuration tab, enter a value for the SMS Attribute field.

    When connecting to PingDirectory or Oracle Directory Server, administrators should configure proxied authorization for the service account on the directory server for account recovery. This allows PingFederate to request self-service password reset operations under the identity as the user. Otherwise, the service account's identity is used instead if a user's password is expired.

  5. To allow users with a locked account to unlock the account using the self-service password reset type, select the Account Unlock check box.

    Access to the access control instruction (ACI) is required for PingDirectory account unlock.

    To enable self-service account unlock for an HTML Form Adapter instance that uses a PingDirectory datastore, administrators must configure the account usability control or ACI for the service account on the directory server when connecting PingFederate to PingDirectory.

    For more information, see Configuring the account usability control ACI and Managing Access Control.

  6. To allow users to recover their username when using the HTML Form Adapter instance as they initiate single sign-on (SSO) requests and are prompted to enter their username and password, select the Enable Username Recovery check box.

    This setting requires:

    • A notification publisher instance
    • Configured mail search filter and username attribute fields in the LDAP password credential validator
  7. Complete the remaining configuration tab settings, and then click Next .
  8. On the Summary tab, click Save.