---
title: Setting up password recovery in PingFederate
description: Learn how to set up PingFederate for self-service password reset and account recovery through an HTML Form Adapter.
component: solution-guides
page_id: solution-guides:workforce_use_cases:htg_pf_password_recovery_setup
canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_pf_password_recovery_setup.html
revdate: April 14, 2024
page_aliases: ["workforce_use_cases:htg_pf_password_recovery_setup_ldap.adoc", "workforce_use_cases:htg_pf_password_recovery_setup_ldap_pcv.adoc", "workforce_use_cases:htg_pf_password_recovery_setup_html_form_adapter.adoc"]
section_ids:
  component: Component
  create-ldap-datastore-pf: Creating an LDAP datastore in PingFederate
  about-this-task: About this task
  steps: Steps
  creating-an-ldap-pcv-in-pingfederate: Creating an LDAP PCV in PingFederate
  about-this-task-2: About this task
  steps-2: Steps
  example: Example:
  configuring-an-html-form-adapter-instance-in-pingfederate-for-account-recovery-and-password-change: Configuring an HTML Form Adapter instance in PingFederate for account recovery and password change
  about-this-task-3: About this task
  steps-3: Steps
---

# Setting up password recovery in PingFederate

Learn how to set up PingFederate for self-service password reset and account recovery through an HTML Form Adapter.

## Component

PingFederate 10.2

## Creating an LDAP datastore in PingFederate

### About this task

|   |                                                                                                                                                                                                                                                                                    |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | These steps provide specific field configurations. You can find comprehensive instructions for configuring an LDAP datastore in [Configuring an LDAP connection](https://cdn-docs.pingidentity.com/archive/pdf/pingfederatebridge/pingfederatebridge-102.pdf#page=124) (page 124). |

To create an LDAP datastore in PingFederate:

### Steps

1. Go to **System > Data & Credential Stores > Data Stores**.

2. Click **Add New Data Store** to open the **Data Store** configuration window.

3. On the **Data Store Type** tab, in the **Type** list, select **Directory (LDAP)**.

4. Complete the remaining LDAP datastore configuration settings.

5. On the **Summary** tab, click **Save**.

## Creating an LDAP PCV in PingFederate

### About this task

|   |                                                                                                                                                                                                                                                                                                                    |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | These steps include specific field configurations. You can find comprehensive instructions for configuring an LDAP PCV instance in [Configuring the LDAP Username Password Credential Validator](https://cdn-docs.pingidentity.com/archive/pdf/pingfederatebridge/pingfederatebridge-102.pdf#page=136) (page 136). |

To create an LDAP password credential validator (PCV) in PingFederate:

### Steps

1. Go to **System > Data & Credential Stores > Password Credential Validators**.

2. On the **Type** tab, in the **Instance Name** list, select the LDAP datastore you created in [Creating an LDAP datastore in PingFederate](#create-ldap-datastore-pf).

3. In the **Type** list, select **LDAP Username Password Credential Validator**. Click **Next**.

4. On the **Instance Configuration** tab:

   1. Configure the **Search Base** field.

   2. Configure the **Search Filter** field.

      #### Example:

      Use `sAMAccountName=${username}` for Active Directory, or `uid=${username}` for Oracle Directory Server (ODS) and PingDirectory.

   3. Click **Show Advanced Fields**.

   4. Configure the **Display Name Attribute**, **Mail Attribute**, **SMS Attribute**, **PingID Username Attribute**, and **Mail Verified Attribute** fields.

   5. Configure the **Mail Search Filter**, **Username Attribute**, and **Mail Verified Attribute** fields for username recovery.

   6. For detailed password requirements, select the **Enable PingDirectory Detailed Password Policy Requirement Messaging** checkbox.

      |   |                                                                                                                                                                                                                          |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | Learn more about each field in step 3 of [Configuring the LDAP Username Password Credential Validator](https://cdn-docs.pingidentity.com/archive/pdf/pingfederatebridge/pingfederatebridge-102.pdf#page=136) (page 136). |

5. Click **Next**.

6. On the **Summary** tab, click **Save**.
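The **Search Filter** step above uses a template in which `${username}` is replaced by the login name the user types into the form. PingFederate performs that substitution internally; the following Python is an added example (not the page's or the product's code) showing what such a template resolves to and why the substituted value must be escaped per RFC 4515, so that a login name containing filter metacharacters is matched literally instead of changing the structure of the search. The template syntax is the page's; the function names and the sample login names are constructed for the illustration.

```python
import re

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Placeholder syntax as used in the PingFederate search filter field: ${name}
_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a string so an LDAP server matches it literally (RFC 4515).

    Special characters become backslash-hex sequences; non-ASCII characters
    are emitted as escaped UTF-8 bytes, which every conforming server accepts.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, **values: str) -> str:
    """Replace ${name} placeholders in a filter template with escaped values.

    Raises KeyError for a placeholder with no supplied value, so a template
    typo fails closed instead of sending a filter containing a literal '${...}'.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder ${{{name}}}")
        return escape_filter_value(values[name])

    return _PLACEHOLDER.sub(substitute, template)


def wrap_filter(expression: str) -> str:
    """Parenthesise a bare expression as the LDAP search operation requires."""
    expression = expression.strip()
    return expression if expression.startswith("(") else f"({expression})"


def resolve_user_filter(template: str, username: str) -> str:
    """Full pipeline for one login: expand the template, then wrap it."""
    return wrap_filter(expand_filter(template, username=username))


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary login name and one carrying
    # filter metacharacters; the second resolves to a harmless literal match.
    for name in ("jdoe", "*)(objectClass=*"):
        print(resolve_user_filter("sAMAccountName=${username}", name))
```

The same expansion applies to the **Mail Search Filter** used for username recovery, where the substituted value is the address the user enters rather than a login name; the escaping is what keeps a search for one account from turning into a search that matches every entry under the search base.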

## Configuring an HTML Form Adapter instance in PingFederate for account recovery and password change

### About this task

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | These steps include specific field configurations. For comprehensive instructions for configuring this adapter instance, see [Configuring an HTML Form Adapter instance](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-102.pdf#page=286) (page 286). When connecting to an Active Directory server, you must secure the datastore connection using LDAPS, because Active Directory requires this level of security to allow password changes. |

To configure an HTML Form Adapter instance to enable account recovery and password change:

### Steps

1. Go to **Authentication > Integration > IdP Adapters > Create New Instance** and click the **IdP Adapter** tab.

2. Select the **Allow Password Changes** checkbox.

   |   |                                                       |
   | - | ----------------------------------------------------- |
   |   | An LDAP service account is used for password changes. |

3. To show users a warning when their password is about to expire, select the **Show Password Expiring Warning** checkbox.

4. In the **Password Reset Type** field, select the method to use for self-service password reset.

   |   |                                                                                        |
   | - | -------------------------------------------------------------------------------------- |
   |   | To enable account recovery, you must select a password reset type other than **None**. |

   **Table 1. Password reset type and configuration requirements**

   | Self-service password reset option                     | Configuration requirements |
   | ------------------------------------------------------ | -------------------------- |
   | **Authentication Policy**                              | To enable this option, in the **Password Reset Policy Contract** list, select a policy. |
   | **Email One-Time Link** or **Email One-Time Password** | 1. In the **Notification Publisher** list, select an option or, to configure a new notification publisher, click **Manage Notification Publishers**.<br>2. In your LDAP password credential validator instance, on the **Instance Configuration** tab, enter values for the **Display Name Attribute** and **Mail Attribute** fields. |
   | **PingID**                                             | 1. Upload the PingID properties file for the PingID reset option.<br>2. Configure the **PingID Username Attribute** field in the LDAP password credential validator. |
   | **Text Message**                                       | 1. Click **Manage SMS Provider Settings** to add an SMS provider and enter values for the **Account SID**, **Auth Token**, and **From Number** fields. Click **Save**. Create a Twilio trial account to get an Account SID, Auth Token, and From Number.<br>2. In your LDAP password credential validator instance, on the **Instance Configuration** tab, enter a value for the **SMS Attribute** field. |

   |   |                                                                                                                                                                                                                                                                                                                                                                                                |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | When connecting to PingDirectory or Oracle Directory Server, administrators should configure proxied authorization for the service account on the directory server for account recovery. This allows PingFederate to request self-service password reset operations under the identity of the user. Otherwise, when a user's password has expired, the operation runs under the service account's identity instead. |

5. To allow users with a locked account to unlock the account using the self-service password reset type, select the **Account Unlock** checkbox.

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Access to the access control instruction (ACI) is required for PingDirectory account unlock. To enable self-service account unlock for an HTML Form Adapter instance that uses a PingDirectory datastore, administrators must configure the account usability control or ACI for the service account on the directory server when connecting PingFederate to PingDirectory. Learn more in [Configuring the account usability control ACI](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-100.pdf#page=182) (page 182) and [Managing Access Control](https://cdn-docs.pingidentity.com/archive/pdf/pingdirectory/pingdirectory-81.pdf#page=782) (page 782). |

6. To let users recover their username when they initiate single sign-on (SSO) requests through the HTML Form Adapter instance and are prompted for their username and password, select the **Enable Username Recovery** checkbox.

   |   |   |
   | - | - |
   |   | This setting requires:<br>- A notification publisher instance<br>- Configured **Mail Search Filter** and **Username Attribute** fields in the LDAP password credential validator |

7. Complete the remaining configuration tab settings, and then click **Next**.

8. On the **Summary** tab, click **Save**.
