Reset Password

Once the password policy is met the user can reset their password. The actual reset is done in a pipe.

Data available to pipe

user_name - NameID from the incoming assertion at login.
new_password - the password user entered
email - if present in the incoming assertion at login
display_name - used as avatar display name or in pipe
on_behalf_of_display_name - if present in the incoming assertion at login
on_behalf_of_user_name - if present in the incoming assertion at login
on_behalf_of_email - if present in the incoming assertion at login

Example configuration to reset password in Active Directory

In this example the NameID from the SAML response located in user_name (nameid) property contains the sAMAccountName of the user to reset a password for. With this value we can do an LDAP search to get the distinguished name (DN) of the user. In the ADPasswordReset valve the DN is used to locate and update the user in AD with the new password.

"id": "PIPE_Find_and_Reset_Active_Directory_Password",
	"config": {
		"valves": [{
		"name": "LDAPSearch",
		"enabled": true,
		"config": {
			"destination": "default",
			"base_dn": "${globals.ldap.base_dn}",
			"scope": "SUB",
			"filter": "sAMAccountName={{{request.user_name}}}",
			"attributes": {
				"name": "distinguishedName",
				"multivalue": false
			}
		}
	},
	{
		"name": "ADPasswordReset",
		"config": {
			"label": "**********   ADPasswordReset   **********" 
		} }

Resetting password on behalf of someone else

Achieving a reset "on behalf of" uses the same pipe logic as reset password as the user itself. In essence this means looking at the incoming request. If it contains "on_behalf_of_user_name", pipe should be configured to call second "on behalf-pipe" ignoring the regular valves used for reseting the logged in user.

"id": "PIPE_Find_and_Reset_Active_Directory_Password",
	"config": {
		"valves": [{
		"name": "LDAPSearch",
		"enabled": true,
		"config": {
			"destination": "default",
			"base_dn": "${globals.ldap.base_dn}",
			"scope": "SUB",
			"filter": "sAMAccountName={{{request.on_behalf_of_user_name}}}",
			"attributes": {
				"name": "distinguishedName",
				"multivalue": false
			}
		}
	},
	{
		"name": "ADPasswordReset",
		"config": {
			"label": "**********   ADPasswordReset   **********" 
		} }

"id": "PIPE_Find_and_Reset_Active_Directory_Password", "config": { "valves": [{ "name": "LDAPSearch", "enabled": true, "config": { "destination": "default", "base_dn": "${globals.ldap.base_dn}", "scope": "SUB", "filter": "sAMAccountName={{{request.user_name}}}", "attributes": { "name": "distinguishedName", "multivalue": false } } }, { "name": "ADPasswordReset", "config": { "label": "********** ADPasswordReset **********" } }

"id": "PIPE_Find_and_Reset_Active_Directory_Password", "config": { "valves": [{ "name": "LDAPSearch", "enabled": true, "config": { "destination": "default", "base_dn": "${globals.ldap.base_dn}", "scope": "SUB", "filter": "sAMAccountName={{{request.on_behalf_of_user_name}}}", "attributes": { "name": "distinguishedName", "multivalue": false } } }, { "name": "ADPasswordReset", "config": { "label": "********** ADPasswordReset **********" } }