Setting up password recovery in PingFederate
Learn how to set up PingFederate for self-service password reset and account recovery through an HTML Form Adapter.
Creating an LDAP datastore in PingFederate
About this task
These steps provide specific field configurations. For comprehensive instructions for configuring an LDAP datastore, see Configuring an LDAP connection.
To create an LDAP datastore in PingFederate:
Steps
-
Go to System → Data & Credential Stores → Data Stores.
-
Click Add New Data Store to open the Data Store configuration window.
-
On the Data Store Type tab, in the Type list, select Directory (LDAP).
-
Complete the remaining LDAP datastore configuration settings.
-
On the Summary tab, click Save.
Creating an LDAP PCV in PingFederate
About this task
These steps include specific field configurations. For comprehensive instructions for configuring an LDAP PCV instance, see Configuring the LDAP Username Password Credential Validator.
To create an LDAP password credential validator (PCV) in PingFederate:
Steps
-
Go to System → Data & Credential Stores → Password Credential Validators.
-
On the Type tab, in the Instance Name field, enter a name for the PCV instance.
-
In the Type list, select LDAP Username Password Credential Validator. Click Next.
-
On the Instance Configuration tab:
-
In the LDAP Datastore list, select the LDAP datastore you created in Creating an LDAP datastore in PingFederate.
-
Configure the Search Base field.
-
Configure the Search Filter field, for example, sAMAccountName=${username} for Active Directory and uid=${username} for Oracle Directory Server (ODS) and PingDirectory.
-
Click Show Advanced Fields.
-
Configure the Display Name Attribute, Mail Attribute, SMS Attribute, PingID Username Attribute, and Mail Verified Attribute fields.
-
Configure the Mail Search Filter, Username Attribute, and Mail Verified Attribute fields for username recovery.
-
To show users the detailed password requirements returned by PingDirectory, select the Enable PingDirectory Detailed Password Policy Requirement Messaging check box.
For more information about each field, see step 3 in Configuring the LDAP Username Password Credential Validator.
-
Click Next.
-
On the Summary tab, click Save.
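Before saving the PCV it is worth confirming, from a shell, that the Search Base, Search Filter and recovery attributes you entered actually resolve a user as the service account will see it. The script below is an added example and is not part of the PingFederate documentation or of Ping's tooling. The host, search base, service-account DN, password file and the mobile attribute name are assumptions; replace them with your own. It escapes the username according to RFC 4515 before substituting it into the filter, which PingFederate does for ${username} on its own but a hand-typed ldapsearch does not, and it connects over LDAPS so the test exercises the same connection type the password-change and recovery operations need.

```shell
#!/bin/sh
# Added example (not part of the PingFederate documentation): verify the
# Search Base, Search Filter and recovery attributes entered in the LDAP PCV
# with ldapsearch before clicking Save. Host, DNs, service account, password
# file and attribute names are assumptions; adjust them for your directory.

LDAP_HOST=${LDAP_HOST:-dc01.example.com}
SEARCH_BASE=${SEARCH_BASE:-ou=people,dc=example,dc=com}
SVC_DN=${SVC_DN:-cn=pingfederate,ou=service accounts,dc=example,dc=com}
SVC_PW_FILE=${SVC_PW_FILE:-/etc/pingfederate/ldap-svc.pw}   # read with -y; never pass -w on the command line
FILTER_TEMPLATE=${FILTER_TEMPLATE:-'sAMAccountName=${username}'}   # use 'uid=${username}' for PingDirectory/ODS

# Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
# backslash, '*', '(' and ')' become \5c, \2a, \28 and \29. PingFederate
# escapes what it substitutes for ${username}; a hand-typed test must do the
# same, otherwise a username such as '*)(objectClass=*' rewrites the filter
# instead of being matched as a literal.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Turn the PCV template (e.g. 'uid=${username}') into the concrete filter
# PingFederate will send for the given username, wrapped in parentheses.
pcv_filter() {
  template=$1 username=$2 token='${username}'
  case $template in
    *"$token"*) ;;
    *) echo "pcv_filter: template has no \${username} placeholder" >&2; return 1 ;;
  esac
  escaped=$(ldap_filter_escape "$username")
  printf '(%s%s%s)\n' "${template%%"$token"*}" "$escaped" "${template#*"$token"}"
}

# Run the search the PCV will run, bound as the service account, over LDAPS.
# Set LDAPTLS_CACERT to the CA that issued the directory's certificate so the
# TLS connection is actually verified. Only the attributes the PCV and the HTML
# Form Adapter rely on are requested: an entry with no mail or mobile value is
# a user for whom email or SMS recovery will not work.
verify_recovery_attrs() {
  ldapsearch -LLL -H "ldaps://${LDAP_HOST}:636" -D "$SVC_DN" -y "$SVC_PW_FILE" \
    -b "$SEARCH_BASE" -s sub "$(pcv_filter "$FILTER_TEMPLATE" "$1")" \
    displayName mail mobile
}

# Usage: verify_recovery_attrs jdoe
```

If the search returns nothing, the Search Base or the filter template is wrong for this directory; if it returns the entry without a mail or mobile value, the Mail Attribute or SMS Attribute you configure in the PCV will have nothing to send to for that user.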
Configuring an HTML Form Adapter instance in PingFederate for account recovery and password change
About this task
These steps include specific field configurations. For comprehensive instructions for configuring this adapter instance, see Configuring an HTML Form Adapter instance. When connecting to an Active Directory server, you must secure the datastore connection with LDAPS, because Active Directory only accepts password changes over an encrypted connection.
To configure an HTML Form Adapter instance to enable account recovery and password change:
Steps
-
Go to Authentication → Integration → IdP Adapters, click Create New Instance, and then click the IdP Adapter tab.
-
Select the Allow Password Changes check box.
Password changes are performed with the LDAP service account configured on the datastore, so that account must be able to write the password attribute of the users it serves; grant it no more than that.
-
To warn users whose password is about to expire, select the Show Password Expiring Warning check box.
-
In the Password Reset Type list, select a method for self-service password reset.
To enable account recovery, you must select a password reset type other than None.
Table 1. Password reset type and configuration requirements
Self-service password reset option | Configuration requirements
Authentication Policy | To enable this option, in the Password Reset Policy Contract list, select a policy.
Email One-Time Link or Email One-Time Password | (1) In the Notification Publisher list, select an option or, to configure a new notification publisher, click Manage Notification Publishers. (2) In your LDAP password credential validator instance, on the Instance Configuration tab, enter values for the Display Name Attribute and Mail Attribute fields.
PingID | (1) Upload the PingID properties file for the PingID reset option. (2) Configure the PingID Username Attribute field in the LDAP password credential validator.
Text Message | (1) Click Manage SMS Provider Settings to add an SMS provider and enter values for the Account SID, Auth Token, and From Number fields. Click Save. You can create a Twilio trial account to get an Account SID, Auth Token, and From Number. (2) In your LDAP password credential validator instance, on the Instance Configuration tab, enter a value for the SMS Attribute field.
When connecting to PingDirectory or Oracle Directory Server, configure proxied authorization for the PingFederate service account on the directory server. With it, PingFederate requests the self-service password reset as the user whose password is being reset; without it, the reset is performed under the service account's identity when the user's password has expired.
-
To allow users to unlock a locked account using the selected self-service password reset type, select the Account Unlock check box.
Self-service account unlock against a PingDirectory datastore requires an access control instruction (ACI) on the directory server: configure the account usability control ACI for the PingFederate service account before enabling this option.
For more information, see Configuring the account usability control ACI and Managing Access Control.
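The two directory-side prerequisites named above for PingDirectory, proxied authorization for password reset and the account usability control ACI for account unlock, are applied with ldapmodify in the following script. It is an added example, not part of the PingFederate documentation or of Ping's own configuration; the host, the service-account DN, the user container DN and the password file paths are assumptions, and the third ACI (self-write on userPassword) is only needed if your directory does not already let users change their own password. It grants the service account the proxied-auth privilege, allows it to proxy as entries under the user container, and allows it to send the Account Usable request control (OID 1.3.6.1.4.1.42.2.27.9.5.8), then checks the proxy right with OpenLDAP's ldapsearch.

```shell
#!/bin/sh
# Added example (not from the PingFederate documentation): grant the
# PingFederate service account what it needs in PingDirectory for account
# recovery (proxied authorization) and self-service account unlock (account
# usability control). DNs, host and file paths are assumptions.

PD_HOST=${PD_HOST:-pingdirectory.example.com}
PF_SVC_DN=${PF_SVC_DN:-cn=pingfederate,ou=service accounts,dc=example,dc=com}
USERS_BASE=${USERS_BASE:-ou=people,dc=example,dc=com}
DM_PW_FILE=${DM_PW_FILE:-/etc/pingdirectory/dm.pw}      # directory administrator password
PF_PW_FILE=${PF_PW_FILE:-/etc/pingfederate/ldap-svc.pw} # service account password

# LDIF that (1) gives the service account the proxied-auth privilege, without
# which the server rejects the Proxied Authorization control, and (2) adds ACIs
# on the user container so the service account may proxy as entries below it
# and may use the Account Usable request control that unlock relies on.
# Adding a privilege or ACI value that already exists fails; check first.
pd_recovery_ldif() {
  cat <<EOF
dn: $PF_SVC_DN
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

dn: $USERS_BASE
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "PingFederate may proxy as users"; allow (proxy) userdn="ldap:///$PF_SVC_DN";)
aci: (targetcontrol="1.3.6.1.4.1.42.2.27.9.5.8")(version 3.0; acl "PingFederate may use the account usable control"; allow (read) userdn="ldap:///$PF_SVC_DN";)
aci: (targetattr="userPassword")(version 3.0; acl "Users may change their own password"; allow (write) userdn="ldap:///self";)
EOF
}

# Apply the LDIF as a directory administrator, over LDAPS; the password is
# read from a file rather than passed on the command line.
pd_apply_recovery_acis() {
  pd_recovery_ldif | ldapmodify -H "ldaps://${PD_HOST}:636" \
    -D "cn=Directory Manager" -y "$DM_PW_FILE"
}

# Confirm the service account can proxy as a given user: a base search bound
# as the service account with the proxied-authorization control (OpenLDAP's
# "-e authzid=dn:<user dn>") must succeed. Argument: the user's DN.
pd_check_proxy() {
  ldapsearch -LLL -H "ldaps://${PD_HOST}:636" -D "$PF_SVC_DN" -y "$PF_PW_FILE" \
    -e "authzid=dn:$1" -b "$1" -s base 1.1
}

# Usage: pd_apply_recovery_acis && pd_check_proxy 'uid=jdoe,ou=people,dc=example,dc=com'
```

If pd_check_proxy fails with an authorization error after the LDIF was applied, the user entry is outside the container the proxy ACI targets or the privilege was not added to the DN PingFederate actually binds with; compare PF_SVC_DN with the credentials on the PingFederate datastore.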
-
To allow users to recover their username when the HTML Form Adapter instance prompts them for a username and password during single sign-on (SSO), select the Enable Username Recovery check box.
This setting requires:
-
A notification publisher instance
-
Configured Mail Search Filter and Username Attribute fields in the LDAP password credential validator
-
Complete the remaining configuration tab settings, and then click Next.
-
On the Summary tab, click Save.