Password Reset - OLD

Reset a password for yourself or help someone else.

Scenario

In this use case there are two scenarios:

  • Password Reset using self service. In this scenario you log in as yourself using your userid (mail) and a one-time password (OTP) sent over SMTP.

  • Password Reset as a delegated user. You reset someone else's password. In this scenario you can delegate the password reset ability to another person; in this use case the manager can perform the password reset. The application looks in the directReports attribute to work out which users to display for the delegated user. Active Directory maintains a backlink between the directReports attribute and the manager attribute of users. Note: this is just an example; you can decide who is allowed to reset another person's password using any LDAP query. Example: the Active Directory user Ruth Anderson is manager for user Frank Sinatra and user Dean Martin. When Ruth logs in she gets a list to choose from containing all the users she is currently manager for.

Prerequisite

  • FortifiedID Integrity Web current version

  • Fortified Password Reset current version

  • LDAP directory. The example code is configured to use an Active Directory. We are using the mail attribute of the Active Directory user. Make sure you have the test users Ruth Anderson, Frank Sinatra and Dean Martin created with the following LDAP attributes:

    • Ruth Anderson

      • displayName: Ruth Anderson

      • sAMAccountName: rutha

      • directReports: CN=Frank Sinatra,OU=...,DC=..,DC

      • directReports: CN=Dean Martin,OU=...,DC=..,DC

    • Frank Sinatra

      • displayName: Frank Sinatra

      • sAMAccountName: franks

      • manager: CN=Ruth Anderson,OU=...,DC=..

    • Dean Martin

      • displayName: Dean Martin

      • sAMAccountName: deanm

      • manager: CN=Ruth Anderson,OU=...,DC=..

  • Server platform. Docker, Windows or Linux. In this use case we have used a Windows server with an Active Directory.

  • FakeSMTP. This is used when a user resets their own password. When authenticating to the self service we use the UserID (mail) and a one-time password (OTP) delivered by mail. Download and install FakeSMTP on the same host as the use cases and start the SMTP service on port 25. Note: if you have a real SMTP server, use that instead.

Configuration

Download and add configuration

Remember that this use case does not describe installation of the products. The products are expected to be installed in advance.

  1. Download the ZIP containing the configuration for Web and Password Reset

    1. Click USE_CASE_LINK to download the customer folders for Web and PWDReset.

  2. Add the Integrity WEB configuration to your environment.

    1. Add the customer_WEB folder to your \..\fortifiedid\web\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.

  3. Add the Password Reset configuration to your environment.

    1. Add the customer_PWDReset folder to your \..\fortifiedid\pwdreset\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.

Update the configuration to map your environment

The downloaded folders contain all the information needed. For example, a test certificate and metadata files are included and configured to work with the example applications. However, some data needs to be changed to match your environment: you need to update the LDAP data. Since this example was done on a Windows server you might need to update file paths if you run something else. The HTTP ports might also need to be changed if they are not available in your environment.

To make this easy, both application folders have a file called globals.json that contains the data you need to change. config.json uses the variables in globals.json.
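As an added illustration of that mechanism (this is example code written for this page, not FortifiedID's loader; it assumes that a reference is a whole string of the form ${globals.a.b} and that @include: names a file next to config.json), the following Python resolves a constructed config.json excerpt against a constructed globals.json, lists references that globals.json does not define, and reports every ssl_trust_all that ends up true:

```python
import json
import re

# Constructed stand-ins for globals.json and rules.json (values are made up; only the
# structure mirrors the config.json on the page).
FILES = {
    "globals.json": json.dumps({
        "ldap": {"ldap1": {"name": "ad1", "connection": {
            "host": "dc01.example.test", "port": 636, "use_ssl": True,
            "ssl_trust_all": False, "base_dn": "DC=example,DC=test"}}},
        "http": {"port": 8444},
    }),
    "rules.json": json.dumps({"min_length": 12}),
}

# Constructed excerpt of a config.json in the same shape as the one on the page.
CONFIG_JSON = json.dumps({
    "globals": "@include:globals.json",
    "modules": [
        {"name": "HttpClient", "config": {"name": "default", "ssl_trust_all": True}},
        {"name": "LdapClient", "config": {
            "name": "${globals.ldap.ldap1.name}",
            "connection": {
                "host": "${globals.ldap.ldap1.connection.host}",
                "port": "${globals.ldap.ldap1.connection.port}",
                "use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
                "ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"}}},
        {"name": "PasswordReset", "config": {
            "http_port": "${globals.http.port}", "rules": "@include:rules.json"}},
    ],
})

INCLUDE = "@include:"
REF = re.compile(r"^\$\{globals\.([A-Za-z0-9_.]+)\}$")  # assumed: a reference is the whole string

def lookup(globals_, dotted):
    """Walk globals.json along the dotted path of a ${globals.…} reference."""
    node = globals_
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError("globals." + dotted)
        node = node[part]
    return node

def load_include(text, files):
    return json.loads(files[text[len(INCLUDE):]])

def resolve(node, globals_, files):
    """Recursively replace ${globals.…} references and @include: strings with their values,
    so a port stays a number and an included file becomes an object, not a string."""
    if isinstance(node, str):
        if node.startswith(INCLUDE):
            return resolve(load_include(node, files), globals_, files)
        m = REF.match(node)
        return lookup(globals_, m.group(1)) if m else node
    if isinstance(node, dict):
        return {k: resolve(v, globals_, files) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, globals_, files) for v in node]
    return node

def references(node):
    """Every ${globals.…} dotted path used anywhere in a raw (unresolved) config."""
    if isinstance(node, str):
        m = REF.match(node)
        return [m.group(1)] if m else []
    if isinstance(node, dict):
        return [r for v in node.values() for r in references(v)]
    if isinstance(node, list):
        return [r for v in node for r in references(v)]
    return []

def undefined_refs(config_text, files):
    """Run after editing globals.json: the references config.json makes that
    globals.json does not define, found before the service is started."""
    raw = json.loads(config_text)
    globals_ = load_include(raw["globals"], files)
    missing = []
    for ref in references(raw):
        try:
            lookup(globals_, ref)
        except KeyError:
            missing.append(ref)
    return missing

def load_config(config_text, files):
    raw = json.loads(config_text)
    return resolve(raw, load_include(raw["globals"], files), files)

def module(config, name):
    return next(m for m in config["modules"] if m["name"] == name)

def trust_all_settings(node, path="config"):
    """Dotted paths of every ssl_trust_all that resolves to true; each one disables
    certificate validation for that client and deserves a look before going live."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            here = path + "." + k
            if k == "ssl_trust_all" and v is True:
                hits.append(here)
            hits += trust_all_settings(v, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits += trust_all_settings(v, "%s[%d]" % (path, i))
    return hits
```

Pointing FILES at the real customer folder is the only change needed to run undefined_refs and trust_all_settings against your own globals.json and config.json after the edits in the steps below.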

  1. Open globals.json in the \..\fortifiedid\pwdreset\config and \..\fortifiedid\web\config folders and update:

    1. LDAP data to match your environment

    2. File paths if needed

    3. HTTP ports if needed

  2. When updated, start Integrity WEB and Password Reset in the order described below.

    1. Start the Fortified ID Web service. Wait until the service has started before moving on. Verify in server.log that the service is running without errors.

    2. Start the Fortified ID Password Reset service. Verify in server.log that the service is running without errors.

Testing the use case

There are two authenticators in this use case, explained below:

Delegated - Password Reset

This will authenticate [email protected] with Active Directory and display a selector to reset someone else's password. This option also includes the possibility for Ruth to reset her own password.

  1. Open a browser

  2. On Integrity WEB SAML IdP, click Delegated - Password Reset option

  3. In Username and Password, enter [email protected] and the password and then click Sign In.

  4. In Select user to reset password for, select Frank Sinatra. You should now be redirected back to Password Reset.

  5. You are now logged in as Ruth Anderson performing a password reset for Frank Sinatra.

Self - Password Reset

This will authenticate [email protected] with Active Directory and verify a generated OTP sent via SMTP.

Start FakeSMTP

  1. Open a CMD prompt

  2. Go to the folder where you downloaded FakeSMTP

  3. Run the following command (change it to fit the downloaded version): "C:\Program Files\FortifiedID\web\jre\bin\java.exe" -jar fakeSMTP-2.0.jar

  4. Click Start server

  5. Click the Last Message tab; this is where you will find the OTP in the next section

Login with self service to reset the password

  1. Open a browser

  2. On Integrity WEB SAML IdP, click Self - Password Reset option

  3. In UserID, enter [email protected] and then click Verify userid

  4. Check FakeSMTP and look for the OTP. See example below:

  5. Enter the OTP on the Verify one-time password web page. Click Verify one-time password.

  6. You should now be authenticated and redirected back to the SAML SP, Password Reset.

Note: if you type the username incorrectly you will still advance to the OTP page, and authentication will then fail. This is so that an attacker cannot tell whether the userid or the OTP was incorrect.
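The behaviour that note describes, as an added example (this is not the product's code): a self-service flow that always advances to the OTP page, mails an OTP only for a known userid, verifies it with a constant-time comparison, and returns the same failure text whether the userid was unknown or the OTP was wrong, expired or retried too often. The directory and the mail addresses are constructed; the OUTBOX list stands in for the SMTP server and FakeSMTP's Last Message tab.

```python
import hmac
import secrets
import time

# Constructed stand-in for the AD lookup of a user by the mail attribute (addresses made up).
DIRECTORY = {
    "ruth.anderson@example.test": "rutha",
    "frank.sinatra@example.test": "franks",
    "dean.martin@example.test": "deanm",
}

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
GENERIC_FAILURE = "Authentication failed"  # one text for unknown userid, wrong, expired or exhausted OTP

SESSIONS = {}   # session id -> state behind the "Verify one-time password" page
OUTBOX = []     # (recipient, otp) pairs; stands in for the mail server / FakeSMTP "Last Message"

def verify_userid(userid, now=None):
    """Step 3 of the self-service flow. Always hands back a session for the OTP page, so the
    response does not reveal whether the userid exists; an OTP is generated and "mailed"
    only for a known user."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)
    otp = None
    if userid in DIRECTORY:
        otp = "%0*d" % (OTP_DIGITS, secrets.randbelow(10 ** OTP_DIGITS))
        OUTBOX.append((userid, otp))
    SESSIONS[sid] = {"userid": userid, "otp": otp,
                     "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return sid

def last_message():
    """What the tester reads off the FakeSMTP Last Message tab (step 4)."""
    return OUTBOX[-1] if OUTBOX else None

def verify_otp(sid, submitted, now=None):
    """Step 5. Returns (True, account name) on success, (False, GENERIC_FAILURE) otherwise."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return False, GENERIC_FAILURE
    sess["attempts"] += 1
    # compare_digest needs ASCII str; a dummy of the right length keeps the work the same
    # for a session that never had an OTP (unknown userid).
    expected = sess["otp"] if sess["otp"] is not None else "0" * OTP_DIGITS
    submitted = submitted if submitted.isascii() else ""
    match = hmac.compare_digest(expected, submitted)
    ok = (match and sess["otp"] is not None
          and now <= sess["expires"] and sess["attempts"] <= MAX_ATTEMPTS)
    if ok or sess["attempts"] >= MAX_ATTEMPTS or now > sess["expires"]:
        del SESSIONS[sid]  # one-shot: a used, exhausted or expired OTP cannot be retried
    if ok:
        return True, DIRECTORY[sess["userid"]]
    return False, GENERIC_FAILURE
```

The lookup result only influences whether a mail goes out, never the page the user lands on or the error text, which is the property the note above relies on; the attempt limit and expiry are assumptions added here, since the page does not state the product's values.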

Complete config.json file of Password Reset

The config.json of Web can be found in the zip file associated with this use case.

{
    "globals": "@include:globals.json",
    "modules": [
        {
            "name": "CefEventModule",
            "config": {}
        },
        {
            "name": "HttpClient",
            "config": {
                "name": "default",
                "ssl_trust_all": true,
                "idle_timeout_ms": 5000,
                "connect_timeout_ms": 5000
            }
        },
        {
            "name": "LdapClient",
            "enabled": true,
            "instances": 1,
            "config": {
                "name": "${globals.ldap.ldap1.name}",
                "connection": {
                    "host": "${globals.ldap.ldap1.connection.host}",
                    "port": "${globals.ldap.ldap1.connection.port}",
                    "bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
                    "bind_password": "${globals.ldap.ldap1.connection.bind_password}",
                    "use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
                    "ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
                }
            }
        },
        {
            "name": "PasswordReset",
            "config": {
                "http_port": "${globals.http.port}",
                "webroot_dir": "resources/web",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "http_context": "/pwdreset",
                "http_auth_redirect_url": "/pwdreset/authn/login",
                "overlay_dirs": [
                    "${globals.file_path.base_dir}/config/resources_external/overlays/1_pwdreset",
                    "${globals.file_path.base_dir}/config/resources_external/overlays/0_look_and_feel"
                ],
                "pipe_id": "Reset_Active_Directory_Password",
                "rules": "@include:rules.json"
            }
        },
        {
            "name": "ADResetClient",
            "config": {
                "name": "${globals.ldap.ldap1.name}",
                "connection": {
                    "host": "${globals.ldap.ldap1.connection.host}",
                    "port": "${globals.ldap.ldap1.connection.port}",
                    "bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
                    "bind_password": "${globals.ldap.ldap1.connection.bind_password}",
                    "use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
                    "ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
                }
            }
        },
        {
            "name": "AuthN",
            "config": {
                "http_context": "/authn",
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "authenticators": [
                    {
                        "id": "sp_pwdreset",
                        "type": "SAMLSP",
                        "config": {
                            "context_path": "/pwdreset/authn/login",
                            "success_location": "/pwdreset/",
                            "logout_location": "/pwdreset/logged_out",
                            "metadata_output_directory": "${globals.file_path.base_dir}/config/resources_internal/saml_sp_metadata",
                            "metadata": {
                                "url": "https://localhost:8443/saml/metadata/fortifiedid_web_saml_idp_1"
                            },
                            "entity_id": "FortifiedID_PWD_Reset",
                            "metadata_file_path": "${globals.file_path.base_dir}/config/resources_internal/saml_sp_metadata_template/fortifiedid_pwdreset_saml_sp_template.xml",
                            "sign_ref": [
                                {
                                    "keystore": {
                                        "alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
                                        "key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
                                        "password": "${globals.keystore.saml.sign_ref_keystore_password}",
                                        "path": "${globals.keystore.saml.sign_ref_keystore_path}"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        },
        {
            "name": "Pipes",
            "config": {
                "pipes": [
                    {
                        "id": "Reset_Active_Directory_Password",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "**********   DumpRequest before PIPEEXEC   **********"
                                    }
                                },
                                {
                                    "name": "PipeExec",
                                    "exec_if_expr": "request.on_behalf_of_user_name == null",
                                    "config": {
                                        "pipe": "Find_User_and_Do_Password_Reset_of_Authenticated_User"
                                    }
                                },
                                {
                                    "name": "PipeExec",
                                    "exec_if_expr": "request.on_behalf_of_user_name != null",
                                    "config": {
                                        "pipe": "Find_Selected_User_and_Do_Password_Reset_Authenticated_On_Behalf_of_User"
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "Find_User_and_Do_Password_Reset_of_Authenticated_User",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "********** DumpRequest **********"
                                    }
                                },
                                {
                                    "name": "LDAPSearch",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "mail={{{request.user_name}}}",
                                        "attributes": [
                                            {
                                                "name": "displayName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "distinguishedName",
                                                "multivalue": false
                                            }
                                        ]
                                    }
                                },
                                {
                                    "name": "DumpState",
                                    "config": {
                                        "label": "********** DumpState **********"
                                    }
                                },
                                {
                                    "name": "ADPasswordReset",
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "label": "**********   ADPasswordReset valve - Self service **********",
                                        "unlock_user": true,
                                        "change_password_next_logon": false,
                                        "pwd_last_set_allowed_days": 1
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "Find_Selected_User_and_Do_Password_Reset_Authenticated_On_Behalf_of_User",
                        "config": {
                            "valves": [
                                {
                                    "name": "DumpRequest",
                                    "config": {
                                        "label": "********** DumpRequest **********"
                                    }
                                },
                                {
                                    "name": "LDAPSearch",
                                    "enabled": true,
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "base_dn": "${globals.ldap.ldap1.connection.base_dn}",
                                        "scope": "SUB",
                                        "filter": "sAMAccountName={{{request.on_behalf_of_user_name}}}",
                                        "attributes": [
                                            {
                                                "name": "displayName",
                                                "multivalue": false
                                            },
                                            {
                                                "name": "distinguishedName",
                                                "multivalue": false
                                            }
                                        ]
                                    }
                                },
                                {
                                    "name": "DumpState",
                                    "config": {
                                        "label": "********** DumpState **********"
                                    }
                                },
                                {
                                    "name": "ADPasswordReset",
                                    "config": {
                                        "destination": "${globals.ldap.ldap1.name}",
                                        "label": "**********   ADPasswordReset valve - Impersonation **********",
                                        "unlock_user": true,
                                        "change_password_next_logon": false,
                                        "pwd_last_set_allowed_days": 0
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ]
}
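The delegated scenario and the Pipes section of the configuration above, as an added Python example (this is not FortifiedID code): it makes the same choice as the two exec_if_expr conditions on Reset_Active_Directory_Password, builds each pipe's LDAPSearch filter with the request value escaped per RFC 4515, and, for the on-behalf path, accepts the selected account only if it is one of the authenticated manager's directReports and its manager attribute points back. The three entries are constructed from the Prerequisite section; the OU/DC parts of the DNs are placeholders and the mail addresses are made up.

```python
# Constructed stand-in for the three Active Directory users listed under Prerequisite.
BASE = "OU=PLACEHOLDER,DC=PLACEHOLDER"   # the page elides the real OU/DC components
RUTH = "CN=Ruth Anderson," + BASE
FRANK = "CN=Frank Sinatra," + BASE
DEAN = "CN=Dean Martin," + BASE

DIRECTORY = [
    {"distinguishedName": RUTH, "displayName": "Ruth Anderson", "sAMAccountName": "rutha",
     "mail": "ruth.anderson@example.test", "directReports": [FRANK, DEAN]},
    {"distinguishedName": FRANK, "displayName": "Frank Sinatra", "sAMAccountName": "franks",
     "mail": "frank.sinatra@example.test", "manager": RUTH},
    {"distinguishedName": DEAN, "displayName": "Dean Martin", "sAMAccountName": "deanm",
     "mail": "dean.martin@example.test", "manager": RUTH},
]

SELF_PIPE = "Find_User_and_Do_Password_Reset_of_Authenticated_User"
ON_BEHALF_PIPE = "Find_Selected_User_and_Do_Password_Reset_Authenticated_On_Behalf_of_User"

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter: ( ) * \\ NUL,
    other control bytes and every non-ASCII UTF-8 byte become \\XX hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x20 or byte > 0x7e or ch in "()*\\":
            out.append("\\%02x" % byte)
        else:
            out.append(ch)
    return "".join(out)

def select_pipe(request):
    """Same decision as the two exec_if_expr conditions: on_behalf_of_user_name unset
    means the user resets their own password, set means reset for the selected user."""
    return SELF_PIPE if request.get("on_behalf_of_user_name") is None else ON_BEHALF_PIPE

def build_filter(request):
    """The filter each pipe's LDAPSearch valve ends up with, with the request value escaped."""
    if select_pipe(request) == SELF_PIPE:
        return "(mail=%s)" % escape_filter_value(request["user_name"])
    return "(sAMAccountName=%s)" % escape_filter_value(request["on_behalf_of_user_name"])

def search(attribute, value):
    """Exact-match search over DIRECTORY standing in for the LDAPSearch valve. Returns the
    entry only when exactly one matches, since a reset must target a single account."""
    hits = [e for e in DIRECTORY if e.get(attribute) == value]
    return hits[0] if len(hits) == 1 else None

def delegate_choices(user_name):
    """The list the delegated user is offered: the displayName of each direct report."""
    manager = search("mail", user_name)
    if manager is None:
        return []
    return [e["displayName"] for dn in manager.get("directReports", [])
            for e in DIRECTORY if e["distinguishedName"] == dn]

def authorize_on_behalf(request):
    """Return the selected user's entry only if the authenticated user (found by mail)
    lists it in directReports and its manager backlink points back; otherwise None.
    Checking this server-side means a selection the browser did not offer is refused too."""
    manager = search("mail", request["user_name"])
    target = search("sAMAccountName", request.get("on_behalf_of_user_name"))
    if manager is None or target is None:
        return None
    if target["distinguishedName"] not in manager.get("directReports", []):
        return None
    if target.get("manager") != manager["distinguishedName"]:
        return None
    return target
```

The escaping is shown explicitly because both filters on the page take their value from the request and the page does not say how the {{{…}}} template treats filter metacharacters; the page's own pipes do not include the authorization step either, it is added here as the check a delegated reset should make before the ADPasswordReset valve runs.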
