PhenixID Password self service

Start guide

PhenixID Password self service allows for a user to change password in a secure and controlled way.

Prerequisites: at least one SAML IDP is known to the system.

Start the guide by clicking the '+' sign next to Password self service.

Properties

Name - the display name

Description - description

URI - Path used to access the application. This must not be used by any other application in the system.

Service provider Identifier - Password self service uses SAML to authenticate users, and the SP entityID is what identifies the service provider. If you use an external IDP, import the Password self service SAML SP metadata into that IDP to establish trust. This id must be unique within the SAML federation.

Keystore - The keystore used to sign messages.

HTTP connection - The HTTP connection used to expose the application

Trusted Identity provider - The idp to use for authentication. Additional identity providers can be added later.

LDAP user store - The user store

Guide steps

Click Next.

User store settings

The settings for the previously selected user store

Click Next then Create.

Edit guide configuration

You can edit and delete your configuration by selecting it in the left-hand menu.

When you click save, the configuration will be updated and the server will instantly restart affected components to apply your changes.

Delete removes all configuration created by the guide, but not shared components (i.e. components that could be used by other configurations, such as connections and user stores).

Edit guide configuration

General

The General tab allows configuration of the same parameters that were set when creating the configuration.

Authentication flow

This is the PIPE that will receive the incoming SAML assertion from the IDP. Here it's possible to customise the authentication to fit any additional needs.

Password reset flow

This is the PIPE that will handle the password reset. Here it's possible to customise it to fit any additional needs.

Authentication methods

Identity providers (authentication methods) used to log into Password self service. Here it is possible to select additional identity providers, adding to the one previously configured.


Password policy

Password policies for the Password self service.

Adding control against global breach list

Even though a password meets the local policies, it may still have been part of a password leak.

It is possible to enable an online breach validation check. If the password has been found in a prior data breach, the user is notified and can choose another password.

To configure this, open Advanced and locate the pss module.

Configuring

Enable it by adding "pwdreset_hint":"true" to the config section. See image.

Note that a global breach service is used; it is not hosted or controlled by PhenixID.
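The following is an added example, not PhenixID code and not a description of the product's own implementation, showing how a breach check of this kind is typically layered on top of a local policy check. It assumes the common range-lookup (k-anonymity) pattern, in which only the first five hex characters of the password's SHA-1 hash leave the system and the matching suffix is compared locally; the page does not name the external service, so a small constructed in-memory breach list stands in for it, and the local policy rules are likewise assumed.

```python
import hashlib
from typing import Iterable

# Constructed stand-in for the external breach service's data set.
# The real service is external and is not named on the page.
_CONSTRUCTED_BREACH_LIST = ["password", "123456", "Winter2024!"]


def _build_range_index(leaked: Iterable[str]) -> dict[str, list[tuple[str, int]]]:
    """Index leaked passwords as: 5-char SHA-1 prefix -> [(hash suffix, count)]."""
    index: dict[str, list[tuple[str, int]]] = {}
    for pw in leaked:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], []).append((digest[5:], 1))
    return index


_RANGE_INDEX = _build_range_index(_CONSTRUCTED_BREACH_LIST)


def query_range(prefix: str) -> list[tuple[str, int]]:
    """Simulated range endpoint: given a 5-char hash prefix, return every
    known (suffix, count) pair. Only the prefix ever crosses the boundary
    to the (simulated) external service."""
    return _RANGE_INDEX.get(prefix.upper(), [])


def meets_local_policy(password: str, min_length: int = 10) -> bool:
    """Assumed local policy: minimum length plus three of four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_length and sum(classes) >= 3


def breach_count(password: str) -> int:
    """Return how many times the password appears in the breach data (0 if never).
    The full hash is never sent; suffixes are compared on this side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in query_range(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def validate_new_password(password: str) -> tuple[bool, str]:
    """Local policy first, then the breach check: a password can pass
    the local rules and still be rejected because it has leaked."""
    if not meets_local_policy(password):
        return False, "does not meet local password policy"
    hits = breach_count(password)
    if hits > 0:
        return False, f"found in {hits} prior data breach record(s); choose another password"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["password", "Winter2024!", "Qz7#mvLp2!wR"]:
        print(candidate, "->", validate_new_password(candidate))
```

"Winter2024!" satisfies the assumed local policy yet is rejected by the breach check, which is exactly the case the feature exists for; the user-facing message is what would drive the notification described above.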

Notifying user when password is changed

When a password has been changed by the application, it is good practice to notify the user. This can be done by sending a text message to the user's mobile phone, an e-mail, or both.

This is not done by the guide itself due to the large number of unknowns.