Configuration

How to activate

When an on-behalf parameter is added to the SAML assertion, Password reset uses it to determine whether the password should be reset for the user who authenticated or whether the authenticated user is resetting someone else's password.

Required data

To allow a password reset on behalf of someone else, the incoming assertion needs to include two attributes:

  • on_behalf_of_user_name

  • on_behalf_of_display_name

In addition, on_behalf_of_email is included for notification purposes.

Resetting password on behalf of someone else

To achieve a reset "on behalf of", use pipe logic. In essence, this means inspecting the incoming request: if it contains "on_behalf_of_user_name", the pipe should be configured to call a second "on behalf" pipe, skipping the regular valves used for resetting the logged-in user's password.
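
The routing decision described above, sketched in Python as an added example (not the product's own pipe configuration). The function names, the pipe labels "regular" and "on_behalf", the sample assertion, and the choice to reject a request that carries on_behalf_of_user_name without exactly one value for each required attribute are assumptions; the assertion's signature is assumed to have been verified already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; signature and conditions omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>helpdesk1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="on_behalf_of_user_name"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="on_behalf_of_display_name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="on_behalf_of_email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attributes(root):
    """Collect {name: [non-empty values]} from the AttributeStatement."""
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def single(attrs, name):
    """Return the only value of a required attribute, or raise."""
    values = attrs.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{name}: expected exactly one value, got {len(values)}")
    return values[0]

def select_pipe(assertion_xml):
    """Pick the pipe for this request and the account whose password is reset."""
    root = ET.fromstring(assertion_xml)
    actor = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not actor:
        raise ValueError("assertion has no authenticated subject")
    attrs = attributes(root)
    if "on_behalf_of_user_name" not in attrs:
        # No on-behalf parameter: regular valves, reset the logged-in user.
        return {"pipe": "regular", "actor": actor, "target": actor}
    # On-behalf request: fail closed unless both required attributes are unambiguous.
    return {
        "pipe": "on_behalf",
        "actor": actor,
        "target": single(attrs, "on_behalf_of_user_name"),
        "display_name": single(attrs, "on_behalf_of_display_name"),
        "notify": (attrs.get("on_behalf_of_email") or [None])[0],
    }
```

Keeping the authenticated user ("actor") separate from the reset target lets the on-behalf pipe log who performed the reset and for whom.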
