1.2 Password Reset
Home
Integrity
Control
Solutions

Reset Password

Once the password policy is met the user can reset their password. The actual reset is done in a pipe.

Data available to pipe

  • user_name - NameID from the incoming assertion at login.

  • new_password - the password user entered

  • email - if present in the incoming assertion at login

  • display_name - used as avatar display name or in pipe

  • on_behalf_of_display_name - if present in the incoming assertion at login

  • on_behalf_of_user_name - if present in the incoming assertion at login

  • on_behalf_of_email - if present in the incoming assertion at login

Example configuration to reset password in Active Directory

In this example the NameID from the SAML response located in user_name (nameid) property contains the sAMAccountName of the user to reset a password for. With this value we can do an LDAP search to get the distinguished name (DN) of the user. In the ADPasswordReset valve the DN is used to locate and update the user in AD with the new password.

"id": "PIPE_Find_and_Reset_Active_Directory_Password",
	"config": {
		"valves": [{
		"name": "LDAPSearch",
		"enabled": true,
		"config": {
			"destination": "default",
			"base_dn": "${globals.ldap.base_dn}",
			"scope": "SUB",
			"filter": "sAMAccountName={{{request.user_name}}}",
			"attributes": {
				"name": "distinguishedName",
				"multivalue": false
			}
		}
	},
	{
		"name": "ADPasswordReset",
		"config": {
			"label": "**********   ADPasswordReset   **********" 
		} }

Resetting password on behalf of someone else

Achieving a reset "on behalf of" uses the same pipe logic as reset password as the user itself. In essence this means looking at the incoming request. If it contains "on_behalf_of_user_name", pipe should be configured to call second "on behalf-pipe" ignoring the regular valves used for reseting the logged in user.

"id": "PIPE_Find_and_Reset_Active_Directory_Password",
	"config": {
		"valves": [{
		"name": "LDAPSearch",
		"enabled": true,
		"config": {
			"destination": "default",
			"base_dn": "${globals.ldap.base_dn}",
			"scope": "SUB",
			"filter": "sAMAccountName={{{request.on_behalf_of_user_name}}}",
			"attributes": {
				"name": "distinguishedName",
				"multivalue": false
			}
		}
	},
	{
		"name": "ADPasswordReset",
		"config": {
			"label": "**********   ADPasswordReset   **********" 
		} }

Last updated