Reset Password using One Touch app
This section will show how to use PhenixID One Touch as a method to let users prove their identity before resetting their password.
Requirements:
- LDAP must be configured (in the config UI, SCENARIOS -> CONNECTIONS -> LDAP). Note the ID of the connection; it will be used in later steps.
- One Touch must be configured under SYSTEM.
Do the following steps in the ADVANCED tab in the Configuration GUI.
Step 1 - Authentication - HTTP
Add the following configuration to "Authentication - HTTP":
{
  "alias": "otpwdreset",
  "name": "Registration",
  "configuration": {
    "stages": [
      {
        "pipeid": "otresetpwd-start",
        "template": "changepwd/otresetpwd-start",
        "errorTemplate": "changepwd/changepwd-common-complete",
        "sessionValues": [
          "pki_user"
        ],
        "translation": [
          "otpwdreset.title",
          "otpwdreset.start.header",
          "otpwdreset.start.paragraph",
          "otpwdreset.start.continue",
          {
            "key": "header",
            "mapKeyTo": "ppsspassms.messages.completeheader"
          },
          {
            "key": "paragraph",
            "mapKeyTo": "ppsspasot.poll.progress.labels.error"
          },
          {
            "key": "title",
            "mapKeyTo": "ppsspassms.messages.title"
          },
          {
            "key": "button.done",
            "mapKeyTo": "otpwdreset.start.continue"
          }
        ]
      },
      {
        "pipeid": "otresetpwd-set-password",
        "template": "changepwd/otresetpwd-set-password",
        "templateVariables": {
          "password_validity": {
            "contains_lowercase": "true",
            "contains_uppercase": "true",
            "contains_special": "true",
            "contains_number": "true",
            "password_length": "8"
          },
          "cancel_href": "/otpwdreset/authenticate/logout/?replace-ppss-logout_url"
        },
        "translation": [
          "otpwdreset.title",
          "otpwdreset.setpwd.header",
          "otpwdreset.setpwd.paragraph",
          "otpwdreset.setpwd.givenname",
          "otpwdreset.setpwd.surname",
          "otpwdreset.setpwd.username",
          "otpwdreset.setpwd.mobile",
          "otpwdreset.setpwd.continue",
          "ppsspas.common.validation.header",
          "ppsspas.common.validation.lowercase",
          "ppsspas.common.validation.uppercase",
          "ppsspas.common.validation.number",
          "ppsspas.common.validation.special",
          "ppsspas.common.validation.length",
          "ppsspas.common.validation.",
          "ppsspas.common.error.lockout",
          "ppsspas.common.error.user",
          "ppsspas.common.error.otp",
          "ppsspas.common.error.ldappwd"
        ],
        "sessionValues": [
          "pki_user",
          "givenname",
          "sn",
          "mobile"
        ]
      },
      {
        "pipeid": "otresetpwd-complete",
        "template": "changepwd/otresetpwd-complete",
        "sessionValues": [],
        "templateVariables": {
          "done_href": "/otpwdreset/authenticate/logout/?replace-ppss-logout_url"
        },
        "translation": [
          "otpwdreset.title",
          "otpwdreset.complete.header",
          "otpwdreset.complete.paragraph",
          "otpwdreset.complete.done"
        ]
      }
    ]
  },
  "id": "otpwdreset"
}
Adjust the following settings to match your password policy:
- "contains_lowercase": "true" - set to true if a lower case character is required, else false
- "contains_uppercase": "true" - set to true if an upper case character is required, else false
- "contains_special": "true" - set to true if a special character is required, else false
- "contains_number": "true" - set to true if a number is required, else false
- "password_length": "8" - minimum length of the password; in this example, 8 characters
Change logout URL:
Replace "replace-ppss-logout_url" with the URL that you want the users to go to when they have completed or cancelled the password reset.
Example:
If you want the logout URL to be https://www.phenixid.se, it would look like:
..."/otpwdreset/authenticate/logout/?nextTarget=https://www.phenixid.se"
Step 2 - Pipes
Add the following configuration to "Pipes":
{
  "id": "otresetpwd-start",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "OTTokenVerifierValve",
      "enabled": "true",
      "config": {}
    },
    {
      "name": "FlowFailValve",
      "config": {
        "message": "Session too old",
        "exec_if_expr": "flow.items().isEmpty()"
      }
    },
    {
      "name": "SessionPropertyAddValve",
      "config": {
        "name": "pki_user",
        "value": "{{item.subject}}"
      }
    },
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "replace-ldap-ref",
        "base_dn": "replace-base_dn",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "replace-ppss-filter",
        "attributes": "givenname,sn,mobile"
      }
    },
    {
      "name": "ItemMergeValve",
      "enabled": "true",
      "config": {
        "dest_id": "{{session.pki_user}}"
      }
    },
    {
      "name": "SessionPropertyAddValve",
      "config": {
        "dest_id": "{{session.pki_user}}",
        "name": "givenname",
        "value": "{{item.givenName}}"
      }
    },
    {
      "name": "SessionPropertyAddValve",
      "config": {
        "name": "sn",
        "value": "{{item.sn}}"
      }
    },
    {
      "name": "SessionPropertyAddValve",
      "config": {
        "name": "mobile",
        "value": "{{item.mobile}}"
      }
    },
    {
      "name": "SessionPersistValve",
      "config": {}
    }
  ]
},
{
  "id": "otresetpwd-set-password",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "InputParameterExistValidatorValve",
      "config": {
        "param_name": "password"
      }
    },
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "replace-ldap-ref",
        "base_dn": "replace-base_dn",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "replace-ppss-filter",
        "attributes": ""
      }
    },
    {
      "name": "replace-ppss-pwdvalve",
      "enabled": "true",
      "config": {
        "connection_ref": "replace-ldap-ref",
        "value": "{{request.password}}"
      }
    },
    {
      "name": "SessionPersistValve",
      "config": {}
    }
  ]
},
{
  "id": "otresetpwd-complete",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "SessionRemoveValve",
      "config": {}
    }
  ]
}
Replace the following Pipe settings:
- "replace-ldap-ref" with your LDAP connection id, example "731c93fb-f123-403a-9b4f-45720eeed474"
- "replace-base_dn" with your base_dn, example "DC=phenixid,DC=local"
- "replace-ppss-filter" with "sAMAccountName={{session.pki_user}}" if you have Active Directory, or "uid={{session.pki_user}}" for other LDAP catalogs
- "replace-ppss-pwdvalve" with "ADPasswordChangeValve" if you have Active Directory; for other LDAP catalogs replace it with "LDAPModifyValve" and add "modification_type": "REPLACE" to the config section of the valve
Verify that "filter_template" and "attributes" match your environment.
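A small lint script for the Step 1 and Step 2 blocks above, added here as an example and not part of the PhenixID documentation or product. It applies the Step 2 replacement table to the JSON and reports placeholders left behind, stages without a matching pipe, valves pointing at different LDAP connection ids, and an LDAPModifyValve without "modification_type": "REPLACE". The abridged config, the all-zero UUID and the example.org URL are constructed values.

```python
import json
import re
PLACEHOLDER = re.compile(r"replace-[\w-]+")
# Constructed, abridged copy of the page's Step 1 and Step 2 config with the
# placeholders still in; only the fields the checks below look at are kept.
AUTH_HTTP = json.loads("""{"id": "otpwdreset", "configuration": {"stages": [
  {"pipeid": "otresetpwd-start"},
  {"pipeid": "otresetpwd-set-password", "templateVariables":
    {"cancel_href": "/otpwdreset/authenticate/logout/?replace-ppss-logout_url"}}]}}""")
PIPES = json.loads("""[
  {"id": "otresetpwd-start", "valves": [{"name": "LDAPSearchValve", "config":
    {"connection_ref": "replace-ldap-ref", "filter_template": "replace-ppss-filter"}}]},
  {"id": "otresetpwd-set-password", "valves": [{"name": "replace-ppss-pwdvalve", "config":
    {"connection_ref": "replace-ldap-ref", "value": "{{request.password}}"}}]}]""")
# Hypothetical values for a non-AD directory, following the Step 2 table.
NON_AD = {"replace-ldap-ref": "00000000-0000-0000-0000-000000000000",
          "replace-ppss-filter": "uid={{session.pki_user}}",
          "replace-ppss-pwdvalve": "LDAPModifyValve",
          "replace-ppss-logout_url": "nextTarget=https://www.example.org"}
def find_placeholders(obj, path=""):
    """Return 'path: token' for every replace-* placeholder still in the config."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in find_placeholders(v, f"{path}/{k}")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in find_placeholders(v, f"{path}[{i}]")]
    return [f"{path}: {m}" for m in PLACEHOLDER.findall(obj)] if isinstance(obj, str) else []

def fill(obj, mapping):
    """Apply a replacement table to a fresh copy of the config (plain text substitution)."""
    text = json.dumps(obj)
    for token, value in mapping.items():
        text = text.replace(token, value)
    return json.loads(text)

def lint(auth_http, pipes):
    """Return the problems a pre-deployment review should catch; [] means consistent."""
    problems = find_placeholders(auth_http, "auth") + find_placeholders(pipes, "pipes")
    pipe_ids = {p["id"] for p in pipes}
    for stage in auth_http["configuration"]["stages"]:  # every stage needs its pipe
        if stage["pipeid"] not in pipe_ids:
            problems.append(f"stage {stage['pipeid']} has no pipe with that id")
    valves = [v for p in pipes for v in p["valves"]]
    refs = {v["config"].get("connection_ref") for v in valves} - {None}
    if len(refs) > 1:  # all valves must point at the same LDAP connection id
        problems.append(f"mixed LDAP connection ids: {sorted(refs)}")
    for v in valves:  # the non-AD branch of Step 2 also needs modification_type
        if v["name"] == "LDAPModifyValve" and v["config"].get("modification_type") != "REPLACE":
            problems.append("LDAPModifyValve is missing modification_type REPLACE")
    return problems
```

Run lint() on the config as pasted to see every placeholder listed, then again after fill() to confirm only the manual edits that a text substitution cannot make (such as adding modification_type) remain.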
Step 3 - Add Module
Add the following module to "Modules":
{
  "name": "com.phenixidentity~phenix-replay-cache",
  "singleton": "true",
  "config": {},
  "id": "replay"
}
Step 4 - Add Actions to One Touch
In the "Modules" section, find the module with "name": "com.phenixidentity~phenix-pki" and add the following after "guide_id": "guides.onetouch",
"actions_url": "replace-otreset-actions_url",
"actions": [
  {
    "type": "open",
    "url": "replace-otreset-url",
    "authentication": "jwt",
    "title": "Change password",
    "text": "Click if you need a password reset"
  }
]
Replace the following:
- "replace-otreset-actions_url" with your actions_url address, example "https://www.phenixid.se:8443"
- "replace-otreset-url" with your url address, example "https://www.phenixid.se:8443/otpwdreset/authenticate/otpwdreset"
- Replace title and text to match your requirements
Example config:
{
  "name": "com.phenixidentity~phenix-pki",
  "enabled": "true",
  "config": {
    "issuer": "PhenixID",
    "ca_ref": "d1aac3e6-3ff7-4c0a-95cd-9e98ed111864",
    "ca_profile": "64b47de0-b60b-40ec-8a74-8a9201d6d17d",
    "client_key_algorithm": "RSA",
    "client_key_size": "2048",
    "url_prefix": "https://www.phenixid.se:8443",
    "http_configuration_ref": "25d1df89-9e0d-4c0a-b8ad-83bd71f7491f",
    "guide_ref": "d753bf53-43e3-424e-bc1b-39459254a39b",
    "guide_id": "guides.onetouch",
    "actions_url": "https://www.phenixid.se:8443",
    "actions": [
      {
        "type": "open",
        "url": "https://www.phenixid.se:8443/otpwdreset/authenticate/otpwdreset",
        "authentication": "jwt",
        "title": "Change password",
        "text": "Click if you need a password reset"
      }
    ]
  }
}
Step 5 - Add module Replay to Node_Group
In the Node_Group section add the module "replay" to the value "module_refs".
Example:
"module_refs": "replay,6c191eaa-b035-4641-ab1f-227c7d39b5da,67d0bc1c-8035-4d75-a3eb-652c72e59413"
Step 6 - Use One Touch app to reset password
Open the PhenixID One Touch app on your mobile device and select Change password.
Follow the instructions presented during the password reset.