PhenixID Password self service
PhenixID Password self service allows for a user to change password in a secure and controlled way.
Prerequisites : At least one SAML IDP is known by the system.
Start the guide by clicking the '+' sign next to Password self service.
Name - the display name
Description - description
URI - Path used to access the application. This must not be used by any other application in the system.
Service provider Identifier - Password self service uses SAML authenticating users. The SP entityid is used identifying the SP. If using an external IDP make sure to import password self service SAML SP metadata to establish trust. This id must be unique in the SAML federation.
Keystore - The keystore used to sign messages.
HTTP connection - The HTTP connection used to expose the application
Trusted Identity provider - The idp to use for authentication. Additional identity providers can be added later.
LDAP user store - The user store
User store settings
The settings for the previously selected user store
Click Next then Create.
Edit guide configuration
You can edit and delete your configuration by selecting it in the left hand menu.
When you click save, the configuration will be updated and the server will instantly restart affected components to apply your changes.
Delete removes all configuration created by the guide but not shared components (i.e components that could be used by other configurations like connections and user stores).
General tab allows for configuration of the same parameters set when creating the configuration
This is the PIPE that will receive the incoming SAML assertion from the IDP. Here it's possible to customise authentication to fit any additional needs.
Password reset flow
This is the PIPE that will handle the password reset. Here it's possible to customise to fit any additional .
Identity providers (authentication methods) used to log into Password self service. Here it is possible to select additional identity providers, adding to the one previously configured.
Password policies for the Password self service.
Adding control against global breach list
Even though a password meets the local policies there is still the possibility of the password has been a part of a password leak .
It is possible to enable online control for breach validation checks. If password has been found in prior databreach the user will be notified and can choose an other password.
Configure by in Advanced locate the pss module.
Enable by adding "pwdreset_hint":"true" in the config section. See image.
Note that a global breach service is used. Not hosted or controlled by PhenixID.
Notifying user when password is changed
When a password has been changed by the application it is a good best practice to notify the user. This can be done through sending a text message to the user's mobile, an e-mail or both.
This is not done by the guide it self due to the large set of unknowns.