Reset Password using One Touch Password Reset

This document describes how to create a web page that lets a user reset their password by approving a One Touch request on another device.

You can also create a web page that lets the user choose between reset methods; see the document "PPSS Choice" for how to do that.

Requirements: an LDAP connection and One Touch must already be configured. Note the IDs of these connections; they are needed in later steps.

Perform the following steps in the ADVANCED tab of the Configuration GUI.

Step 1 - Authentication - HTTP

Add the following two objects to “Authentication - HTTP”. The first (changepwdotauth) runs the One Touch assignment and, on success, sends the user to /ppss/authenticate/changepwdot; the second (changepwdot) is the Registration flow that collects and sets the new password.

{
	"alias": "changepwdotauth",
	"name": "AssignmentAuthenticator",
	"displayName": "selector.display.onetouch",
	"configuration": {
		"assignment_template_name": "changepwd_ot_auth_template",
		"poll_template_name": "changepwd/changepwdot-poll.template",
		"successURL": "/ppss/authenticate/changepwdot",
		"allowLanguageChange": "true",
		"templateVariables": {
			"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice"
		},
		"translation": [
			"ppsspasot.start.title",
			"ppsspasot.start.header",
			"ppsspasot.start.paragraph",
			"ppsspas.common.helptext.username",
			"ppsspasot.start.labels.username",
			"ppsspasot.start.labels.openLocalOneTouch",
			"ppsspasot.start.buttons.continue",
			"ppsspasot.start.buttons.verify",
			"ppsspas.common.label.newpassword"
		],
		"poll_template_translation_keys": [
			"ppsspasot.poll.progress.labels.cancelled",
			"ppsspasot.poll.progress.labels.error",
			"ppsspasot.poll.progress.labels.timeout",
			"ppsspasot.poll.progress.labels.pending",
			"ppsspasot.poll.progress.labels.in_progress",
			"ppsspasot.poll.progress.labels.confirmed",
			"ppsspasot.poll.progress.labels.rejected",
			"ppsspasot.poll.header",
			"ppsspasot.poll.paragraph",
			"ppsspasot.poll.title",
			"ppsspasot.start.labels.username",
			"ppsspasot.start.labels.openLocalOneTouch",
			"ppsspasot.start.buttons.continue",
			"ppsspasot.start.buttons.verify",
			"ppsspas.common.label.newpassword"
		],
		"enableHoneypot": "true",
		"template": "changepwd/changepwdot-start"
	},
	"id": "changepwdotauth"
},
{
	"alias": "changepwdot",
	"name": "Registration",
	"configuration": {
		"stages": [
			{
				"pipeid": "changepwdot-setpwd",
				"template": "changepwd/changepwdot-setpwd",
				"templateVariables": {
					"password_validity": {
						"contains_lowercase": "true",
						"contains_uppercase": "true",
						"contains_special": "true",
						"contains_number": "true",
						"password_length": "8"
					},
					"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
				},
				"enableHoneypot": "true",
				"translation": [
					"common.messages.human",
					{
						"key": "header",
						"mapKeyTo": "ppsspasot.setpwd.header"
					},
					{
						"key": "paragraph",
						"mapKeyTo": "ppsspasot.setpwd.paragraph"
					},
					{
						"key": "title",
						"mapKeyTo": "ppsspasot.setpwd.title"
					},
					{
						"key": "helptext.otp",
						"mapKeyTo": "ppsspas.common.helptext.otp"
					},
					{
						"key": "validation.header",
						"mapKeyTo": "ppsspas.common.validation.header"
					},
					{
						"key": "validation.lowercase",
						"mapKeyTo": "ppsspas.common.validation.lowercase"
					},
					{
						"key": "validation.uppercase",
						"mapKeyTo": "ppsspas.common.validation.uppercase"
					},
					{
						"key": "validation.special",
						"mapKeyTo": "ppsspas.common.validation.special"
					},
					{
						"key": "validation.number",
						"mapKeyTo": "ppsspas.common.validation.number"
					},
					{
						"key": "validation.length",
						"mapKeyTo": "ppsspas.common.validation.length"
					},
					{
						"key": "label.username",
						"mapKeyTo": "ppsspas.common.label.username"
					},
					{
						"key": "label.newpassword",
						"mapKeyTo": "ppsspas.common.label.newpassword"
					},
					{
						"key": "button.continue",
						"mapKeyTo": "ppsspas.common.button.continue"
					},
					{
						"key": "error.user",
						"mapKeyTo": "ppsspas.common.error.user"
					},
					{
						"key": "error.otp",
						"mapKeyTo": "ppsspas.common.error.otp"
					},
					{
						"key": "error.lockout",
						"mapKeyTo": "ppsspas.common.error.lockout"
					},
					{
						"key": "error.ldappwd",
						"mapKeyTo": "ppsspas.common.error.ldappwd"
					},
					"ppsspasot.start.buttons.verify"
				],
				"sessionValues": []
			},
			{
				"pipeid": "changepwdot-complete",
				"template": "changepwd/changepwd-common-complete",
				"sessionValues": [],
				"templateVariables": {
					"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
				},
				"enableHoneypot": "true",
				"translation": [
					{
						"key": "header",
						"mapKeyTo": "ppsspasot.complete.header"
					},
					{
						"key": "paragraph",
						"mapKeyTo": "ppsspasot.complete.paragraph"
					},
					{
						"key": "title",
						"mapKeyTo": "ppsspasot.complete.title"
					},
					{
						"key": "button.done",
						"mapKeyTo": "ppsspas.common.button.done"
					}
				]
			}
		]
	},
	"id": "changepwdot"
}

Adjust the following settings to match your password policy. Note that "password_validity" is a template variable, so it only drives the validation shown in the browser form. In the changepwdot-setpwd pipe below, the only server-side check on the submitted password is InputParameterExistValidatorValve (the parameter must be present), so the real policy must be enforced by the directory (the AD or LDAP password policy) or by an additional server-side validation valve in the pipe.

Require a lower-case character: set to "true", otherwise "false" — "contains_lowercase": "true",

Require an upper-case character: set to "true", otherwise "false" — "contains_uppercase": "true",

Require a special character: set to "true", otherwise "false" — "contains_special": "true",

Require a digit: set to "true", otherwise "false" — "contains_number": "true",

Minimum password length; in this example at least 8 characters — "password_length": "8"

Verify that the "nextTarget" value in each “cancel_href” and “done_href” matches your requirements (note that the two cancel_href values above differ only by a trailing slash; make them consistent). nextTarget is where the browser is sent after logout, so use only a fixed path on this server or an absolute URL you control — never a value taken from user input. If needed, change the nextTarget value as in the following example:

"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
"done_href": "/ppss/authenticate/logout/?nextTarget=https://www.phenixid.se"

Step 2 - Pipes

Add the following two pipes to “Pipes”. Their "id" values must match the "pipeid" values used in the Registration stages above (changepwdot-setpwd and changepwdot-complete).

{
	"id": "changepwdot-setpwd",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}",
				"require_auth_session": "true"
			}
		},
		{
			"name": "InputParameterExistValidatorValve",
			"config": {
				"param_name": "password"
			}
		},
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"base_dn": "replace-base_dn",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "replace-ppss-filter",
				"attributes": ""
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"skip_if_expr": "flow.isSingle()"
			}
		},
		{
			"name": "replace-ppss-pwdvalve",
			"enabled": "true",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"value": "{{request.password}}"
			}
		},
		{
			"name": "EventValve",
			"config": {
				"event_key": "EVT_000054",
				"parameters": [
					{
						"parameter": "duser",
						"value": "{{session.user_id}}"
					}
				]
			}
		},
		{
			"name": "SessionPersistValve",
			"config": {}
		}
	]
},
{
	"id": "changepwdot-complete",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "SessionRemoveValve",
			"config": {}
		}
	]
}

Replace the following Pipe settings. Do not remove "require_auth_session": "true" from the SessionLoadValve in changepwdot-setpwd: it is the check that the session has completed the One Touch authentication before the password is written. The two FlowFailValves should also stay in place, since they stop the pipe when the LDAP search returns no user or more than one user.

“replace-ldap-ref” (in both places) with the ID of your LDAP connection, for example “731c93fb-f123-403a-9b4f-45720eeed474”

“replace-base_dn” with the base DN of your directory, for example “DC=phenixid,DC=local”

"replace-ppss-filter" with "sAMAccountName={{session.user_id}}" if you use Active Directory, or "uid={{session.user_id}}" for other LDAP directories. {{session.user_id}} is the user that was authenticated by One Touch in Step 1; the search must match exactly one entry, otherwise the FlowFailValves stop the pipe.

"replace-ppss-pwdvalve" with "ADPasswordChangeValve" if you use Active Directory. Active Directory only accepts password writes over an encrypted connection, so make sure the referenced LDAP connection uses LDAPS/TLS. For other LDAP directories replace it with "LDAPModifyValve" and add "modification_type": "REPLACE" to the config section of the valve.

Verify that “filter_template” and “attributes” match your environment; the service account used by the LDAP connection needs permission to search the base DN and to change user passwords.

Browse to https://<server address>:<port>/ppss/authenticate/changepwdot, for example https://www.phenixid.se:8443/ppss/authenticate/changepwdot