Password Reset - OLD
Reset a password for yourself or help someone else.
Scenario
In this use case there are two scenarios:
Password Reset using Self service. In this scenario you will login as yourself using your userid (mail) and an one-time password (otp) sent using SMTP.
Password Reset as a delegated user. You reset someone else's password. In this scenario you can delegate the password reset ability to another person. In this use case the manager can perform the password reset. The application will look in the directReport attribute to figure out what users to display for the delegated user. Active Directory have a backlink attribute connection between directReports and manager for users. Note. This is just an example, you can figure out who should be able to reset another persons password using any LDAP query. Example: The Active Directory user Ruth Anderson is manager for user Frank Sinatra and user Dean Martin. When Ruth logs in she will have a list to choose from for all the user she is currently manager for.
Prerequisite
FortifiedID Integrity Web current version
Fortified Password Reset current version
LDAP directory The example code is configured to use an Active Directory. We are using mail attribute of the Active Directory user. Make sure you have a test users, Ruth Anderson, Frank Sinatra and Dean Martin created with following LDAP attribute:
Ruth Anderson
displayName: Ruth Anderson
mail: [email protected]
sAMAccountName: rutha
directReports: CN=Frank Sinatra,OU=...,DC=..,DC
directReports: CN=Dean Martin,OU=...,DC=..,DC
Frank Sinatra
displayName: Frank Sinatra
mail: [email protected]
sAMAccountName: franks
manager: CN=Ruth Anderson,OU=...,DC=..
Dean Martin
displayName: Dean Martin
mail: [email protected]
sAMAccountName: deanm
manager: CN=Ruth Anderson,OU=...,DC=..
Server platform. Docker, Windows or Linux. In this use case we have used a Windows server with an Active Directory.
FakeSMTP. This is used when a user reset its own password. When authenticating to the self service we will use UserID (mail) and a mail delivered one-time password (otp). Download and install FakeSMTP on the same host as the use cases and start the smtp service on port 25. Note. If you have an "real" SMTP server then use that instead.
Configuration
Download and add configuration
Remember that this use case does not describe installation of the products. Products are expected to be installed in advance.
Download ZIP containing configuration for Web and Password Reset
Click USE_CASE_LINK to download customer folders for Web and PWDReset.
Add Integrity WEB configuration to your environment.
Add the customer_WEB folder to you \..\fortifiedid\web\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.
Add Password Reset configuration to your environment.
Add the customer_PWDReset folder to you \..\fortifiedid\pwdreset\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.
Update the configuration to map your environment
The downloaded folders contains all information needed. For example, a test certificate and metadata files are included and configured to work with the example applications. However, some data needs to be changed to map your environment. You need to update the LDAP data to map your environment. Since this example was done on a Windows server you might need to update file paths if you run something else. Also the http ports might need to be changed if they are not available in your environment.
To make it easy both application folders have a file called globals.json that contains the data you need to change. Config.json uses the variables in globals.json.
Open globals.json for \..\fortifiedid\pwdreset\config and \..\fortifiedid\web\config folder and update:
LDAP data to map you environment
File paths if needed
HTTP if needed
When updated, start Integrity WEB and Password Reset in order described below.
Start Fortified ID Web service. Wait until service is started before moving on. Verify server.log file that service running without errors.
Start Fortified ID Password Reset service Verify server.log file that service running without errors.
Testing the use case
There are two authenticators in this use case. See explanation below:
Delegated - Password Reset
This will authenticate [email protected] with Active Directory and display a selector to reset someone else's password. This option also include the possibility for Ruth to reset here own password.
Open a browser
Browse to https://localhost:8446/pwdreset You should now be redirected to https://localhost:8443/saml/authn/selector/
On Integrity WEB SAML IdP, click Delegated - Password Reset option
In Username and Password, add [email protected] and password and then click Sign In.
In the Select user to reset password for, select Frank Sinatra. You should now be redirected back to Password reset.
You are logged in as Ruth Anderson performing a password reset for Frank Sinatra.
Self - Password Reset
This will authenticate [email protected] with Active Directory and verify a generated and sent OTP via smtp.
Start FakeSMTP is started
Open a CMD prompt
Go to the folder where you downloaded FakeSMTP
Run the following command: (change to fit downloaded version) "C:\Program Files\FortifiedID\web\jre\bin\java.exe" -jar fakeSMTP-2.0.jar
Click Start server
Click Last Message tab where you in the next section will find the otp
Login with self service to reset the password
Open a browser
Browse to https://localhost:8446/pwdreset You should now be redirected to https://localhost:8443/saml/authn/selector/
On Integrity WEB SAML IdP, click Self - Password Reset option
In UserID, add [email protected] and then click Verify userid
Check FakeSMTP and look for the otp. See example below:
Add the OTP to the Verify one-time password web page. Click Verify one-time password.
You should now been authenticated and redirected back to the SAML SP, Password Reset.
Note. If you type the username incorrectly you will still advance to OTP page. Authentication will fail. This is because someone a bad person should know if userid or OTP was incorrect.
Complete config.json file of Password Reset
The config.json of Web can be found in the associated zip-file in this use case.
{
"globals": "@include:globals.json",
"modules": [
{
"name": "CefEventModule",
"config": {}
},
{
"name": "HttpClient",
"config": {
"name": "default",
"ssl_trust_all": true,
"idle_timeout_ms": 5000,
"connect_timeout_ms": 5000
}
},
{
"name": "LdapClient",
"enabled": true,
"instances": 1,
"config": {
"name": "${globals.ldap.ldap1.name}",
"connection": {
"host": "${globals.ldap.ldap1.connection.host}",
"port": "${globals.ldap.ldap1.connection.port}",
"bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
"bind_password": "${globals.ldap.ldap1.connection.bind_password}",
"use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
"ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
}
}
},
{
"name": "PasswordReset",
"config": {
"http_port": "${globals.http.port}",
"webroot_dir": "resources/web",
"http_use_ssl": true,
"http_keystore_ref": {
"type": "${globals.keystore.https.ref.type}",
"path": "${globals.keystore.https.ref.path}",
"password": "${globals.keystore.https.ref.password}"
},
"http_keystore_type": "${globals.keystore.https.type}",
"http_key_alias": "${globals.keystore.https.http_key_alias}",
"http_key_password": "${globals.keystore.https.http_key_password}",
"http_context": "/pwdreset",
"http_auth_redirect_url": "/pwdreset/authn/login",
"overlay_dirs": [
"${globals.file_path.base_dir}/config/resources_external/overlays/1_pwdreset",
"${globals.file_path.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"pipe_id": "Reset_Active_Directory_Password",
"rules": "@include:rules.json"
}
},
{
"name": "ADResetClient",
"config": {
"name": "${globals.ldap.ldap1.name}",
"connection": {
"host": "${globals.ldap.ldap1.connection.host}",
"port": "${globals.ldap.ldap1.connection.port}",
"bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
"bind_password": "${globals.ldap.ldap1.connection.bind_password}",
"use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
"ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
}
}
},
{
"name": "AuthN",
"config": {
"http_context": "/authn",
"http_port": "${globals.http.port}",
"http_use_ssl": true,
"http_keystore_ref": {
"type": "${globals.keystore.https.ref.type}",
"path": "${globals.keystore.https.ref.path}",
"password": "${globals.keystore.https.ref.password}"
},
"http_keystore_type": "${globals.keystore.https.type}",
"http_key_alias": "${globals.keystore.https.http_key_alias}",
"http_key_password": "${globals.keystore.https.http_key_password}",
"authenticators": [
{
"id": "sp_pwdreset",
"type": "SAMLSP",
"config": {
"context_path": "/pwdreset/authn/login",
"success_location": "/pwdreset/",
"logout_location": "/pwdreset/logged_out",
"metadata_output_directory": "${globals.file_path.base_dir}/config/resources_internal/saml_sp_metadata",
"metadata": {
"url": "https://localhost:8443/saml/metadata/fortifiedid_web_saml_idp_1"
},
"entity_id": "FortifiedID_PWD_Reset",
"metadata_file_path": "${globals.file_path.base_dir}/config/resources_internal/saml_sp_metadata_template/fortifiedid_pwdreset_saml_sp_template.xml",
"sign_ref": [
{
"keystore": {
"alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
"key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
"password": "${globals.keystore.saml.sign_ref_keystore_password}",
"path": "${globals.keystore.saml.sign_ref_keystore_path}"
}
}
]
}
}
]
}
},
{
"name": "Pipes",
"config": {
"pipes": [
{
"id": "Reset_Active_Directory_Password",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "********** DumpRequest before PIPEEXEC **********"
}
},
{
"name": "PipeExec",
"exec_if_expr": "request.on_behalf_of_user_name == null",
"config": {
"pipe": "Find_User_and_Do_Password_Reset_of_Authenticated_User"
}
},
{
"name": "PipeExec",
"exec_if_expr": "request.on_behalf_of_user_name != null",
"config": {
"pipe": "Find_Selected_User_and_Do_Password_Reset_Authenticated_On_Behalf_of_User"
}
}
]
}
},
{
"id": "Find_User_and_Do_Password_Reset_of_Authenticated_User",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "********** DumpRequest **********"
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "mail={{{request.user_name}}}",
"attributes": [
{
"name": "displayName",
"multivalue": false
},
{
"name": "distinguishedName",
"multivalue": false
}
]
}
},
{
"name": "DumpState",
"config": {
"label": "********** DumpState **********"
}
},
{
"name": "ADPasswordReset",
"config": {
"destination": "${globals.ldap.ldap1.name}",
"label": "********** ADPasswordReset valve - Self service **********",
"unlock_user": true,
"change_password_next_logon": false,
"pwd_last_set_allowed_days": 1
}
}
]
}
},
{
"id": "Find_Selected_User_and_Do_Password_Reset_Authenticated_On_Behalf_of_User",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "********** DumpRequest **********"
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "sAMAccountName={{{request.on_behalf_of_user_name}}}",
"attributes": [
{
"name": "displayName",
"multivalue": false
},
{
"name": "distinguishedName",
"multivalue": false
}
]
}
},
{
"name": "DumpState",
"config": {
"label": "********** DumpState **********"
}
},
{
"name": "ADPasswordReset",
"config": {
"destination": "${globals.ldap.ldap1.name}",
"label": "********** ADPasswordReset valve - Impersonation **********",
"unlock_user": true,
"change_password_next_logon": false,
"pwd_last_set_allowed_days": 0
}
}
]
}
}
]
}
}
]
}
Last updated