Password Reset for Google Workspace

Reset a password for yourself in Google Workspace, using Swedish BankID as the verification method.

Scenario

In this use case there is one scenario:

  • Password Reset using Self service. In this scenario you will login as yourself using your BankID, and reset your Google Workspace password.

Google Workspace is a set of tools for organizations provided by Google, such as mail, drive, classroom, education and more.

This scenario could easily be copied and modified to fulfill:

  • Using other eID methods to reset the password, such as SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS), eduID, Suomi.fi.

Prerequisite

  • FortifiedID Integrity Web current version installed

  • Fortified Password Reset current version installed

  • BankID certificate. To be able to communicate with bankid backend.

  • Google Workspace administration rights.

  • Host (DNS) name of the Integrity service (external access)

  • Host (DNS) name of the Password reset service (external access)

  • Social security number (personnummer) stored on a custom Google Workspace user object. The schema and attribute name holding the value is also required.

  • Outgoing TCP/443 communication. To be able to communicate with BankID backend and Google Workspace services.

Configuration

Download and add configuration

Remember that this use case does not describe installation of the products. Products are expected to be installed in advance.

  1. Download ZIP containing configuration for Web and Password Reset

    1. Click USE_CASE_LINK to download customer folders for Web and PWDReset.

  2. Add Integrity WEB configuration to your environment.

    1. Rename the existing customer folder to customer_ORG. Add the customer-WEB folder to your \..\fortifiedid\web\ folder. Rename it to customer

  3. Add Password Reset configuration to your environment.

    1. Add the customer-pwdreset folder to you \..\fortifiedid\pwdreset\ folder. Rename the existing customer folder to customer_ORG and rename the added one to \customer.

Update the Google Workspace configuration

Setup the Google Workspace configuration using this guide.

Update the configuration to map your environment

The downloaded folders contains all information needed. For example, a test certificate and metadata files are included and configured to work with the example applications. However, some data needs to be changed to map your environment. Also the http ports might need to be changed if they are not available in your environment.

Integrity Web

In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.

Open the file customer/config/globals.json. Change according to the instructions below.

  1. base_dir

    1. base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.

      1. For Windows the value should be: "base_dir": "../customer"

      2. For Docker, the value should be: "base_dir": ".",

    "base_dir": "../customer"
  2. host Set the host value to your Integrity Web DNS name entry, including https://.

    "host": "https://be4f-194-68-171-97.ngrok-free.app",
  3. http

    Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.

     "http": {
                "http_port": 443,
                "http_use_ssl": true
            }
  4. keystore - https

    Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.

    1. Find in section: keystore

      "https": {
                      "ref": {
                          "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12",
                          "password": "password"
                      },
                      "http_key_alias": "1",
                      "http_key_password": "password"
                  },
  5. keystore - bankid

    For connecting against BankID test environment, you don't need to do anything. For production connectivity, please use your BankID keystore and change the variables below to reflect that. Truststore changes will not be needed. Find in section: keystore

               "bid": {
                    "ssl_keystore_path": "${globals.base_dir}/config/resources_internal/certificates/BankID/bankid_test_rp.p12",
                    "ssl_keystore_password": "qwerty123",
                    "ssl_key_alias": "1",
                    "ssl_key_password": "qwerty123",
                    "ssl_truststore_path": "${globals.base_dir}/config//resources_internal/certificates/trust_jks/bankidtrust.jks",
                    "ssl_truststore_password": "password"
                },
  6. keystore - saml The keystore used to sign SAML assertions. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.

                "saml": {
            	    "alias": "1",
             	    "key_password": "password",
             	    "password": "password",
           		    "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12"
                }

Save the globals.json file.

Start the Integrity web service and verify the start by looking through the server.log file.

Open a web browser and browse to https://<integrity_web_host>/saml/metadata/integrity_idp_google_pwdreset

Save the downloaded file as \..\fortifiedid\pwdreset\config\resources_external\saml_meta\integrity_idp_google_pwdreset.xml

Password reset

In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.

Open the file customer/config/globals.json. Change according to the instructions below.

  1. base_dir

    1. base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.

      1. For Windows the value should be: "base_dir": "../customer"

      2. For Docker, the value should be: "base_dir": ".",

    "file_path": {
                "base_dir": "."
                 },
  2. http

    Update the http information to map your environment. This is the port that Integrity Web will use to host the SAML IdP service. ! The recommendation is to always use SSL to encrypt the communication to Integrity Web.

     "http": {
                "http_port": 8446,
                "http_use_ssl": true
            }
  3. keystore - https

    Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.

    1. Find in section: keystore

      "https": {
                      "ref": {
                          "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12",
                          "password": "password"
                      },
                      "http_key_alias": "1",
                      "http_key_password": "password"
                  },
  4. keystore - saml The keystore used to sign SAML requests. For test environments, you may use the test certificate provided by us, if so you do not need to change anything. For production environments, you should use your own keystore and update the values below to point to that keystore.

                "saml": {
            	    "alias": "1",
             	    "key_password": "password",
             	    "password": "password",
           		    "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12"
                }

Save the globals.json file.

Open the file /config/resources_internal/saml_sp_metadata_template/fortifiedid_pwdreset_saml_sp_template.xml.

Change PWDRESET-HOSTNAME to the DNS name of Password Reset.

Save the file.

Start the Password reset service and verify the start by looking through the server.log file.

Copy the file in the folder /config/resources_internal/saml_sp_metadata. Paste it into /fortifiedid/web/customer/config/resources_internal/saml_sp_metadata_files (replace existing file).

Restart Integrity Web.

Testing the use case

Self - Password Reset

  1. Browse to https://PWDRESET-HOSTNAME/pwdreset

  2. Authenticate with BankID

  3. Enter a password (follow the on-screen instructions)

  4. The password was updated.

  5. Try to logon to Google Workspace with the newly set password.

Check server.log files (both Integrity Web and Password Reset) to find errors. Fix accordingly.

Complete config.json file of Password Reset

The config.json of Password reset can be found in the associated zip-file in this use case.

{
    "globals": "@include:globals.json",
    "modules": [
        {
            "name": "CefEventModule",
            "config": {}
        },
        {
            "name": "HttpClient",
            "config": {
                "name": "default",
                "ssl_trust_all": true,
                "idle_timeout_ms": 5000,
                "connect_timeout_ms": 5000
            }
        },
        {
            "name": "PasswordReset",
            "config": {
                "http_port": "${globals.http.port}",
                "webroot_dir": "resources/web",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "http_context": "/pwdreset",
                "http_auth_redirect_url": "/pwdreset/authn/login",
                "overlay_dirs": [
                    "${globals.file_path.base_dir}/config/resources_external/overlays/1_pwdreset",
                    "${globals.file_path.base_dir}/config/resources_external/overlays/0_look_and_feel"
                ],
                "pipe_id": "Reset_Password",
                "rules": "@include:rules.json"
            }
        },
        {
            "name": "AuthN",
            "config": {
                "http_context": "/authn",
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "type": "${globals.keystore.https.ref.type}",
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_keystore_type": "${globals.keystore.https.type}",
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "authenticators": [
                    {
                        "id": "sp_pwdreset",
                        "type": "SAMLSP",
                        "config": {
                            "context_path": "/pwdreset/authn/login",
                            "success_location": "/pwdreset/",
                            "logout_location": "/pwdreset/logged_out",
                            "metadata_output_directory": "${globals.file_path.base_dir}/config/resources_internal/saml_sp_metadata",
                            "metadata": {
                                "path": "${globals.file_path.base_dir}/config/resources_external/saml_meta/integrity_idp_google_pwdreset.xml"
                            },
                            "entity_id": "FortifiedID_PWD_Reset",
                            "metadata_file_path": "${globals.file_path.base_dir}/config/resources_internal/saml_sp_metadata_template/fortifiedid_pwdreset_saml_sp_template.xml",
                            "sign_ref": [
                                {
                                    "keystore": {
                                        "alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
                                        "key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
                                        "password": "${globals.keystore.saml.sign_ref_keystore_password}",
                                        "path": "${globals.keystore.saml.sign_ref_keystore_path}"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        },
        {
            "name": "Pipes",
            "config": {
                "pipes": [
                    {
                        "id": "Reset_Password",
                        "config": {
                            "valves": [
                                {
                                    "name": "PipeExec",
                                    "exec_if_expr": "request.on_behalf_of_user_name == null",
                                    "config": {
                                        "pipe": "Find_User_and_Do_Password_Reset_of_Authenticated_User"
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "id": "Find_User_and_Do_Password_Reset_of_Authenticated_User",
                        "config": {
                            "valves": [
                                {
                                    "name": "CreateJwt",
                                    "config": {
                                        "jwt_ttl": 5,
                                        "jwt_claims": {
                                            "iss": "${globals.google.serviceaccount}",
                                            "scope": "https://www.googleapis.com/auth/admin.directory.user",
                                            "aud": "https://oauth2.googleapis.com/token"
                                        },
                                        "keystore": {
                                            "path": "${globals.keystore.google.ssl_keystore_path}",
                                            "password": "${globals.keystore.google.ssl_keystore_password}",
                                            "type": "PKCS12"
                                        },
                                        "keystore_password": "${globals.keystore.google.ssl_key_password}",
                                        "keystore_alias": "${globals.keystore.google.ssl_key_alias}"
                                    }
                                },
                                {
                                    "name": "HttpPost",
                                    "config": {
                                        "url": "https://oauth2.googleapis.com/token",
                                        "destination": "default",
                                        "parameters": {
                                            "assertion": "{{{item.jwt}}}",
                                            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer"
                                        },
                                        "content_type": "application/x-www-form-urlencoded"
                                    }
                                },
                                {
                                    "name": "HttpPut",
                                    "config": {
                                        "url": "https://admin.googleapis.com/admin/directory/v1/users/{{{request.user_name}}}",
                                        "destination": "default",
                                        "headers": {
                                            "Authorization": "Bearer {{{state.body.access_token}}}"
                                        },
                                        "content": {
                                            "changePasswordAtNextLogin": false,
                                            "password": "{{{request.new_password}}}"
                                        },
                                        "content_type": "application/json"
                                    }
                                },
                                {
                                    "name": "FlowFail",
                                    "exec_if_expr": "state.status_code>299",
                                    "config": {
                                        "message": "Failed to reset password!"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ]
}

Complete config.json file of Integrity Web

The config.json of Web can be found in the associated zip-file in this use case.

{
   "globals": "@include:globals.json",
    "modules": [
        {
            "name": "SAML",
            "config": {
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "enable_http": true,
                "metadata_cache": "${globals.base_dir}/config/resources_internal/saml_cache/",
                "metadata_template": [
                    {
                        "id": "integrity_idp_google_pwdreset",
            			"metadata_file_path": "${globals.base_dir}/config/resources_internal/saml_templates/integrity_google_idp_pwdreset_template.xml",  
            			"sign_ref": [
                            {
                                "keystore": {
                                    "path": "${globals.keystore.saml.ssl_keystore_path}",
                                    "password": "${globals.keystore.saml.ssl_keystore_password}",
                                    "alias": "${globals.keystore.saml.ssl_key_alias}",
                                    "key_password": "${globals.keystore.saml.ssl_key_password}"
                                }
                            }
                        ]
                    }
                ],
                "metadata": [
                    {
                     "path": "${globals.base_dir}/config/resources_internal/saml_sp_metadata_files/sp_pwdreset.xml"
                    } 
                ]
            }
        },
        {
            "name": "CefEventModule",
            "config": {}
        },
        {
            "name": "HttpClient",
            "config": {
                "name": "default",
                "idle_timeout_ms": 5000,
                "connect_timeout_ms": 5000,
                "ssl_trust_all": true
            }
        },
        {
            "name": "HttpClient",
            "config": {
                "name": "bankid_http_outgoing",
                "idle_timeout_ms": 5000,
                "connect_timeout_ms": 5000,
                "ssl_keystore_path": "${globals.keystore.bid.ssl_keystore_path}",
                "ssl_keystore_password": "${globals.keystore.bid.ssl_keystore_password}",
                "ssl_key_alias": "${globals.keystore.bid.ssl_key_alias}",
                "ssl_key_password": "${globals.keystore.bid.ssl_key_password}",
                "ssl_truststore_path": "${globals.keystore.bid.ssl_truststore_path}",
                "ssl_truststore_password": "${globals.keystore.bid.ssl_truststore_password}",
                "request_timeout_ms": 3500
            }
        },
        {
            "name": "AuthN",
            "enabled": true,
            "config": {
                "webroot_dir": "web",
                "http_port": "${globals.http.port}",
                "http_use_ssl": true,
                "http_keystore_ref": {
                    "path": "${globals.keystore.https.ref.path}",
                    "password": "${globals.keystore.https.ref.password}"
                },
                "http_key_alias": "${globals.keystore.https.http_key_alias}",
                "http_key_password": "${globals.keystore.https.http_key_password}",
                "authenticators": [
                	 {
            "id": "auth00",
            "type": "SAMLIDP",
            "config": {
              "force_re_auth": true,
              "context_path": "/saml/authn/idp",
              "base_path": "/saml/authn",
              "idp": "${globals.host}/idp",
              "chain": [
                {
                  "id": "bidomd",
                  "required": true
                },
                {
                  "id": "google_lookup",
                  "required": true
                }
              ],
              "assertion_config": [
                {
                                    "target_sp": [
                                        "FortifiedID_PWD_Reset"
                                    ],
                                    "nameid_parameter": "primaryEmail",
                                    "additional_attribute_parameter": [
                                        "on_behalf_of_display_name",
                                        "on_behalf_of_user_name",
                                        "display_name"
                                    ]
                                }
              ]
            }
          },
                    {
                        "id": "bidomd",
                        "type": "BidOnMobileDevice",
                        "config": {
                            "mode": "test",
                            "base_path": "/saml/authn",
                            "internal_http_destination": "bankid_http_outgoing",
                            "webroot_dir": "web/authenticator/bankid/omd"
                        }
                    },
                    {
                        "id": "google_lookup",
                        "type": "AuthController",
                        "config": {
                            "base_path": "/saml/authn",
                            "pipe_id": "pipe_google_lookup",
                            "fail_location": "/error",
                            "failed_redirect": [
                                {
                                    "pattern": ".*404 Not Found.*",
                                    "target": "/notfound"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        {
            "name": "Pipes",
            "config": {
                "pipes": [
                    {
                        "id": "pipe_google_lookup",
                        "config": {
                            "valves": [
                                {
                                    "name": "CreateJwt",
                                    "config": {
                                        "jwt_ttl": 5,
                                        "jwt_claims": {
                                            "iss": "${globals.google.serviceaccount}",
                                            "scope": "https://www.googleapis.com/auth/admin.directory.user.readonly",
                                            "aud": "https://oauth2.googleapis.com/token"
                                        },
                                        "keystore": {
                                            "path": "${globals.keystore.google.ssl_keystore_path}",
                                            "password": "${globals.keystore.google.ssl_keystore_password}",
                                            "type": "PKCS12"
                                        },
                                        "keystore_password": "${globals.keystore.google.ssl_key_password}",
                                        "keystore_alias": "${globals.keystore.google.ssl_key_alias}"
                                    }
                                },
                                {
                                    "name": "HttpPost",
                                    "config": {
                                        "url": "https://oauth2.googleapis.com/token",
                                        "destination": "default",
                                        "parameters": {
                                            "assertion": "{{{item.jwt}}}",
                                            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer"
                                        },
                                        "content_type": "application/x-www-form-urlencoded"
                                    }
                                },
                                {
                                    "name": "HttpGet",
                                    "config": {
                                        "url": "https://admin.googleapis.com/admin/directory/v1/users/?domain=${globals.google.domain}&query=${globals.google.custom_attribute}%3D{{{request.personalNumber}}}",
                                        "destination": "default",
                                        "headers": {
                                            "Authorization": "Bearer {{{state.body.access_token}}}"
                                        },
                                        "content_type": "application/json"
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "config": {
                                        "name": "primaryEmail",
                                        "value": "{{{state.body.users.0.value.primaryEmail}}}"
                                    }
                                },
                                {
                                    "name": "ExportsPut",
                                    "config": {
                                        "name": "display_name",
                                        "value": "{{{state.body.users.0.value.primaryEmail}}}"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ]
}

Last updated