Password Reset using Self service.
In this scenario you will login as yourself using your BankID.
This scenario could easily be copied and modified to fulfill:
Using other eID methods to reset the password, such as SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi
Prerequisite
FortifiedID Integrity Web current version installed
Fortified Password Reset current version installed
BankID certificate. To be able to communicate with bankid backend.
Entra ID (Azure AD) administration rights. Azure P1 license, or higher.
Host (DNS) name of the Integrity service (external access)
Host (DNS) name of the Password reset service (external access)
Social security number (personnummer) stored on the Entra ID user object. The attribute name holding the value is also required.
Outgoing TCP/443 communication. To be able to communicate with BankID backend and Entra ID services.
Configuration
Download and add configuration
Remember that this use case does not describe installation of the products. Products are expected to be installed in advance.
Download ZIP containing configuration for Web and Password Reset
Add Integrity WEB configuration to your environment.
Rename the existing customer folder to customer_ORG and add the customer folder to your \..\fortifiedid\web\ folder. .
Add Password Reset configuration to your environment.
Add the customer-pwdreset folder to you \..\fortifiedid\pwdreset\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.
Update the Entra ID configuration
Create App Registration
Login to Entra ID as an administrator
Select App Registrations
Click New Registration
Enter a name of the app registration, Fortified ID Password reset
Select Accounts in this organizational directory only (<tenant_name> only - Single tenant)
Register
Click on the App Registration in the list
Select API permissions
Add a permission
Microsoft Graph->Application Permissions->User.Read.All
In the Overview section, copy these values (they will be used in later steps):
Application (client) ID
Object ID
Directory (tenant) ID
Select Certificates & secrets
Select Certificates
Click Upload certificate
Select the certificate file
Click Save
Select Microsoft Entra roles and administrators
Open the role User administrator
Select Add assignment
Enter Fortified ID Password Reset
Select and Add
Update the configuration to map your environment
The downloaded folders contains all information needed. For example, a test certificate and metadata files are included and configured to work with the example applications.
However, some data needs to be changed to map your environment. You need to update the Entra settings to map your environment. Also the http ports might need to be changed if they are not available in your environment.
Integrity Web
Globals
In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.
Open the file customer/config/globals.json. Change according to the instructions below.
base_dir
base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
For Windows the value should be:
"base_dir": "../customer"
For Docker, the value should be:
"base_dir": ".",
"base_dir": "../customer"
host
Set the host value to your Integrity Web DNS name entry, including https://.
Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service.
! The recommendation is to always use SSL to encrypt the communication to Integrity Web.
Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
For connecting against BankID test environment, you don't need to do anything.
For production connectivity, please use your BankID keystore and change the variables below to reflect that. Truststore changes will not be needed.
Find in section: keystore
keystore - entra
The keystore used for connecting to Entra ID, to perform a user lookup.
For test environments, you may use the test certificate provided by us, if so you do not need to change anything.
For production environments, you should use your own keystore and update the values below to point to that keystore. This must map to the certificate uploaded to Entra in previous step.
keystore - saml
The keystore used to sign SAML assertions.
For test environments, you may use the test certificate provided by us, if so you do not need to change anything.
For production environments, you should use your own keystore and update the values below to point to that keystore.
entra
Set client_id and tenant_id to the value fetched in previous step. Set mfa_identifier_attribute to the Entra ID user object attribute containing the eID identifier value (for BankID = social security number).
Start the Integrity web service and verify the start by looking through the server.log file.
Open a web browser and browse to https://<integrity_web_host>/saml/metadata/integrity_idp_entra_pwdreset
Save the downloaded file as \..\fortifiedid\pwdreset\config\resources_external\saml_meta\integrity_idp_entra_pwdreset.xml
Password reset
Globals
In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.
Open the file customer/config/config.json and locate the globals section. Change according to the instructions below.
base_dir
base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
For Windows the value should be:
"base_dir": "../customer"
For Docker, the value should be:
"base_dir": ".",
"file_path": {
"base_dir": "."
},
http
Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service.
! The recommendation is to always use SSL to encrypt the communication to Integrity Web.
Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
keystore - entra
The keystore used for connecting to Entra ID, to perform a password reset.
For test environments, you may use the test certificate provided by us, if so you do not need to change anything.
For production environments, you should use your own keystore and update the values below to point to that keystore. This must map to the certificate uploaded to Entra in previous step.
keystore - saml
The keystore used to sign SAML requests.
For test environments, you may use the test certificate provided by us, if so you do not need to change anything.
For production environments, you should use your own keystore and update the values below to point to that keystore.
Open the file /config/resources_internal/saml_sp_metadata_template/fortifiedid_pwdreset_saml_sp_template.xml.
Change PWDRESET-HOSTNAME to the DNS name of Password Reset.
Save the file.
Start the Password reset service and verify the start by looking through the server.log file.
Copy the file in the folder /config/resources_internal/saml_sp_metadata. Paste it into /fortifiedid/web/customer/config/resources_internal/saml_sp_metadata_files (replace existing file).
Restart Integrity Web.
Testing the use case
Self - Password Reset
Browse to https://PWDRESET-HOSTNAME/pwdreset
Authenticate with BankID
Enter a password (follow the on-screen instructions)
The password was updated.
Try to logon to Entra with the newly set password.
Check server.log files (both Integrity Web and Password Reset) to find errors. Fix accordingly.
Complete config.json file of Password Reset
The config.json of Password reset can be found in the associated zip-file in this use case.
Click to download customer folders for Web and PWDReset.
Extract the certificate chain from the keystore file referenced in the globals entra->ssl_keystore_path, . This should result in a certificate file that will be used in next step.
