---
title: Setting up password reset in PingOne
description: Learn how to customize the user's sign-on experience by enabling self-service management, such as change password and password reset, in the PingFederate administrative console when using the company's HTML Form sign-on page.
component: solution-guides
page_id: solution-guides:customer_use_cases:htg_password_reset_setup_p1
canonical_url: https://docs.pingidentity.com/solution-guides/customer_use_cases/htg_password_reset_setup_p1.html
revdate: April 13, 2025
page_aliases: ["customer_use_cases:htg_password_reset_p1_pf_ldaps.adoc", "customer_use_cases:htg_password_reset_p1_pf_html_form.adoc", "customer_use_cases:htg_password_reset_p1_methods.adoc"]
section_ids:
  components: Components
  overview-of-changing-and-resetting-passwords: Overview of changing and resetting passwords
  before-you-begin: Before you begin
  set-up-ldaps-datastore-connection-pf: Setting up an LDAPS datastore connection in PingFederate
  about-this-task: About this task
  steps: Steps
  configuring-an-html-form-adapter-instance-for-password-reset: Configuring an HTML Form Adapter instance for password reset
  before-you-begin-2: Before you begin
  about-this-task-2: About this task
  steps-2: Steps
  choose-from: Choose from:
  result: Result
  resetting-a-password-using-various-methods: Resetting a password using various methods
---

# Setting up password reset in PingOne

Learn how to customize the user's sign-on experience by enabling self-service management, such as change password and password reset, in the PingFederate administrative console when using the company's HTML Form sign-on page.

## Components

* PingOne

* PingFederate 10.1

## Overview of changing and resetting passwords

The change password capability is helpful when a user knows their password and wants to change it. The password reset capability is helpful when a user forgets their password and wants to use another factor, such as PingDirectory, to authenticate and change their password. This guide covers how to successfully configure password reset and enable change password in the HTML Form Adapter and password credential validator (PCV) framework in PingFederate. PingFederate provides the following password reset methods for self-service password reset:

* Email one-time link

* Email one-time passcode

* Text message

* PingID

Each method requires additional configuration.

|   |                                                                                                                                                                                                                                                                                                                                                                                            |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | Self-service password reset using the authentication policy method in PingFederate isn't covered in this topic. Learn more about the authentication policy method and configuration steps in [Configuring self-service account recovery](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-101.pdf#pingfed=643) (page 643) in the PingFederate Server documentation. |

## Before you begin

1. Create an LDAP datastore source connection in PingFederate using LDAPS.

2. Create a service provider (SP) connection in PingFederate.

3. Add PingFederate as an identity provider (IdP) to PingOne and configure PingID.

4. Create an HTML Form Adapter and PingID IdP adapter in PingFederate.

5. Create a PCV in PingFederate.

## Setting up an LDAPS datastore connection in PingFederate

### About this task

The self-service password reset capability relies on the LDAP connection to your directory server and the Username PCV to query the required attributes for the chosen reset method.

PingFederate supports the following datastores:

* PingDirectory

* Microsoft Active Directory

* Oracle Unified Directory

* Oracle Directory Server out-of-the-box

|   |                                                                                                                                                                                                                          |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | This task covers specific configuration settings for this use case. Learn more in [Configuring an LDAP Connection](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-101.pdf#page=871) (page 871). |

### Steps

1. Go to **System > Data & Credential Stores > Data Stores**, and click **Add New Data Store**.

2. On the **Data Store Type** tab, in the **Data Store Name** field, enter a name for the datastore.

3. In the **Type** list, select **Directory (LDAP)**. Click **Next**.

   |   |                                                                                                                                                                                  |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | For an Active Directory (AD) datastore, you must issue a certificate from your internal certificate authority (CA) and import it. Follow these substeps to complete the process: |

   1. For an AD datastore, go to **Security > Trusted CAs**, and click **Import**.

   2. On the **Import Certificate** tab, click **Choose File** and upload the relevant file. Click **Next**.

   3. On the **Summary** tab, click **Save**.

4. Go to the **LDAP Configuration** tab:

   1. Select the **Use LDAPS** checkbox.

      |   |                                                                                                                                                                                                                                    |
      | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | PingFederate assumes port 389 when the **Use LDAPS** checkbox is cleared and assumes port 636 when this checkbox is selected. If you are using the default port of 636, you don't have to specify it in the **Hostname(s)** field. |

      ![Screen capture of the Data Store window and on the LDAP Configuration tab. There are configuration settings for Data Store Name which has AD entered, Hostname(s) which has EC2AMAZ-IV4ESP3.pingdemo.org entered, a Use LDAPS checkbox which is selected to enable, a Use DNS SRV Record checkbox to enable, Load Type which has Active Directory set, a Bind Anonymously checkbox to enable, User DN which has ADAdmin entered, Password which has a protected entry, and a Mask Values in Log checkbox to enable.](_images/fjk1605555084221.jpg)

   2. Enter the user attributes in the **User DN** and **Password** fields.

      |   |                                                                                                                                                                                                                                                                                                                                                                                 |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | If the **Password Reset Type** is **PingID**, the user attribute that passes to PingID during password reset must be the attribute that is associated with the PingID account in PingOne. For an AD datastore, the default user attribute is `sAMAccountName`. This does not have to be the attribute you enter into the username field on the account recovery page. |

   3. Enter the attributes you want to use to query in the **Search Filter** field.

      The **Search Filter** field, commonly used for Office 365 connections, allows you to enter `sAMAccountName` or `userPrincipalName`.

      For example, `(|(sAMAccountName=${username})(userPrincipalName=${username}))`.

      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | If the **Password Reset Type** is **PingID**, use a search filter that searches with multiple attributes. You can enter either attribute into the fields, and it passes the username attribute you set in your PCV. To view or modify this user attribute: 1) Go to **System > Data & Credential Stores > Password Credential Validators**, and select the relevant PCV instance. 2) On the **Instance Configuration** tab, edit the **PingID Username Attribute** field. This is the attribute used for a PingID password reset type. |

      ![Screen capture the LDAP configuration tab settings. There are settings for Search Filter which has (\\|(sAMAccountName=${username})(userPrincipalName=${username})) entered, Scope of Search which has two options of One Level and Subtree and Subtree is clicked, a Case-Sensitive Matching checkbox which is selected, Display Name Attribute which has displayName entered, Mail Attribute which has mail entered, SMS Attribute, PingID Username Attribute which has userPrincipalName entered, Mail Search Filter which has mail=$(mail) entered, and Username Attribute which has sAMAccountName entered.](_images/qud1605562002361.jpg)

5. Click **Next**.

6. Configure the remaining LDAP settings as needed.

   Learn more about the settings in [Configuring an LDAP connection](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-101.pdf#page=871) (page 871) and [Setting advanced LDAP options](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-101.pdf#page=874) (page 874).

7. On the **Summary** tab, click **Save**.
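Before relying on the datastore for password reset, you can check the same settings from a shell. The following is an added example, not part of the PingFederate documentation: it assumes the OpenSSL and OpenLDAP command-line clients, and the host, DNs, file paths and function names are placeholders. It verifies that the LDAPS listener on port 636 presents a chain that validates against the CA certificate you imported, and that the search filter from step 4 returns exactly one entry for each username form.

```shell
#!/bin/sh
# Added example: pre-flight checks for the LDAPS datastore settings above.
# LDAP_HOST, BASE_DN, BIND_DN, CA_FILE and PW_FILE are placeholders (assumptions).
LDAP_HOST="${LDAP_HOST:-dc01.example.com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
BIND_DN="${BIND_DN:-CN=svc-pf,OU=Service Accounts,DC=example,DC=com}"
CA_FILE="${CA_FILE:-./internal-ca.pem}"   # the CA certificate imported under Trusted CAs
PW_FILE="${PW_FILE:-./bind.pw}"           # bind password, no trailing newline, mode 0600

# Escape a typed value for use inside an LDAP filter (RFC 4515): \ * ( )
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Expand the Search Filter from step 4 for one typed username.
build_filter() {
  u=$(ldap_escape "$1")
  printf '(|(sAMAccountName=%s)(userPrincipalName=%s))' "$u" "$u"
}

# 1. The listener on 636 must present a chain and hostname that verify against CA_FILE.
check_tls() {
  openssl s_client -connect "$LDAP_HOST:636" -CAfile "$CA_FILE" \
    -verify_hostname "$LDAP_HOST" -verify_return_error </dev/null >/dev/null 2>&1
}

# 2. Count the entries the filter returns for a typed username.
count_matches() {
  LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -o ldif-wrap=no \
    -H "ldaps://$LDAP_HOST:636" -D "$BIND_DN" -y "$PW_FILE" -b "$BASE_DN" -s sub \
    "$(build_filter "$1")" sAMAccountName userPrincipalName mail |
    grep -c '^dn:'
}

# Run both checks; pass each username form of one test account.
preflight() {
  check_tls || { echo "TLS verification failed for $LDAP_HOST:636" >&2; return 1; }
  for name in "$@"; do
    n=$(count_matches "$name")
    [ "$n" -eq 1 ] || { echo "$name matched $n entries, expected 1" >&2; return 1; }
  done
  echo "LDAPS and search filter OK"
}

# Usage: preflight jdoe jdoe@example.com
```

A count other than 1 means the filter is either too narrow (0) or ambiguous (2 or more), and an ambiguous match makes it unclear which account a reset applies to.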

## Configuring an HTML Form Adapter instance for password reset

### Before you begin

Make sure you have configured an LDAP datastore connection in PingFederate to connect to your application to enable self-service password reset.

This task covers specific configuration steps. You can find comprehensive instructions in [Setting up an LDAP connection in PingFederate](#set-up-ldaps-datastore-connection-pf).

### About this task

An HTML Form Adapter instance is used to validate a user authentication session with a PCV and an LDAP datastore connection. This authentication mechanism allows you to customize a user's sign-on experience, such as:

* Enabling self-service password reset

* Account unlock

* Notifying users with password expiration information

* Localizable template files

To create or modify an HTML Form Adapter instance with a password credential validator (PCV) and an LDAP datastore connection for self-service password management:

### Steps

1. Go to **Identity Provider > IdP Adapters** and choose an HTML Form Adapter:

   #### Choose from:

   * In the **Instance Name** list, reuse an existing HTML Form Adapter.

   * Click **Create New Instance** to create one.

2. Go to the **IdP Adapter** tab:

   1. Click **Add New Row to 'Credential Validators'** and add the PCV that's linked to your LDAP connection. Click **Update**.

   2. Select the **Allow Password Changes** checkbox.

      |   |                                                                                                                                                  |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | You must select the **Allow Password Changes** checkbox to enable password reset. If you don't enable this setting, your changes can't be saved. |

   3. **Optional:** To send the user an email when their password is changed, select the **Change Password Email Notification** checkbox.

   4. **Optional:** To alert the user with an approaching password expiry message at sign on, select the **Show Password Expiring Warning** checkbox.

   5. In the **Password Reset Type** row, click the password reset method that you want to use.

      ![Screen capture of the IdP Adapter tab configuration. There are checkboxes for the Change Password Email Notification and Show Password Expiring Warning settings. Only the Show Password Expiring Warning checkbox is selected. In the Password Reset Type section, the user has the following method options to select for self-service password reset type: Authentication Policy, Email One-Time Link, Email One-Time Password, PingID, Text Message, or None as radio buttons. The PingID reset type is clicked.](_images/cuj1605217589715.jpg)

   6. To allow a user with a locked account to unlock the account using the password reset function, select the **Account Unlock** checkbox.

3. To edit the templates for the HTML pages for password reset:

   1. Click **Show Advanced Fields**.

   2. Edit the relevant template fields as needed with the appropriate HTML template.

      |   |                                                                                                       |
      | - | ----------------------------------------------------------------------------------------------------- |
      |   | If you modify and rename a template, make sure to update the template name of that specific template. |

      ![Screen capture of the IdP Adapter tab configuration. There are settings for the HTML templates that support the password reset function. The user can edit the Password Reset Username Template, Password Reset Code Template, Password Reset Template, Password Reset Error Template, Password Reset Success Template, and Account Unlock Template. The fields have the following entries: Password Reset Username Template has forgot-password.html entered, Password Reset Code Template has forgot-password-resume.html entered, Password Reset Template has forgot-password-change.html, Password Reset Error Template has forgot-password-error.html, Password Reset Success Template has forgot-password-success.html, and Account Unlock Template has account-unlock.html entered.](_images/buh1605218856943.jpg)

4. For the **PingID** password reset type, in the **PingID Properties** field, import your PingID properties file from PingOne.

   This is the same file you used to set up your PingID adapter in PingFederate.

5. Configure the remaining settings as needed. Click **Next**.

   You can find more information about the settings in [Configuring an HTML Form Adapter instance](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-101.pdf#page=288) (page 288) and [HTML Form Adapter advanced fields](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-101.pdf#page=298) (page 298).

6. On the **Summary** tab, click **Save**.

### Result

You have successfully created an instance of the HTML Form Adapter with the self-service password reset capability. When a user signs on through this adapter instance, the sign-on page displays the **Change Password?** and **Trouble Signing On?** options.

## Resetting a password using various methods

You can use several methods to configure password reset. Click the following tabs to see instructions for each method.
