000034351 - Enable password reset in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Nov 29, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034351
Applies To: RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 6.9.1+
Platform: SUSE Linux Enterprise Server 11 SP3/Microsoft Windows Server 2008 R2

Issue: Sometimes a customer wants users to be able to reset their own password using the Forgot My Password link on the login screen. This guide describes how to configure that with Active Directory as the external authentication source.
Resolution: Enabling password reset on an external authentication source requires several components to be configured. This KB describes the configuration required for Active Directory.
Log in as a user with administrator privileges.
Navigate to Admin -> System -> Settings and ensure Password Management is enabled. Turning Password Management on activates the Password Management interface in the Requests menu.
Configure the Password Management settings. It is not necessary to explicitly define the port number for the external URL; it defaults to port 80 if not defined. Do not try to use any other port number. The IP address is the RSA Identity Governance and Lifecycle server address, and appropriate firewall rules must exist to allow access to it from client computers.
Under the Password Policies tab select Basic Password Policy.
On the Basic Password Policy screen select Choose Business Sources and select the appropriate Business Sources.
Under the Challenge Questions tab select the Edit button and choose how many challenge questions to define and, from these, how many will be randomly selected during the password reset process. Once the username is known, the challenge responses are the only thing protecting the reset path, so require more than a single question and treat the answers as secrets.
Under the Identity Confirmation tab choose whether to use the user name or the account name as the main identifier for the password reset. This example uses the user name.
The next step is to create the account. This guide uses Active Directory as the external authentication source, so the new account is created in Active Directory. The user is created with ADSI, which makes it possible to specify the Common Name attribute directly, and is then enabled and given a password in Server Manager.
The new user appears in Server Manager.
Right click the user and select Enable Account.
Right click the user and select Reset Password.
Provide first and last names.
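The same three steps (create the object with an explicit CN, set a password, enable the account) can be done from PowerShell on the domain controller instead of clicking through ADSI and Server Manager. The following is an added example and is not part of the RSA KB; the domain example.local, the OU "Test Users", the user Jane Doe and the sAMAccountName jdoe are assumed placeholder values, and the ActiveDirectory module (RSAT / AD DS role on Windows Server 2008 R2) is assumed to be installed.

```powershell
# Added example (not part of the RSA KB): create the test account in Active Directory
# with the ActiveDirectory module, mirroring the KB's ADSI + Server Manager steps.
# Assumed (hypothetical) values: domain example.local, OU "Test Users", user jdoe.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'      # assumed domain
$ouDn     = "OU=Test Users,$domainDn"  # assumed OU; must already exist
$sam      = 'jdoe'                     # assumed sAMAccountName
$upn      = "$sam@example.local"       # assumed UPN suffix

# Step 1 (KB: create the user in ADSI). -Name becomes the CN, which is the
# attribute the KB sets directly. Without -AccountPassword the object is
# created disabled, exactly like the freshly created ADSI object.
New-ADUser -Name 'Jane Doe' `
           -SamAccountName $sam `
           -UserPrincipalName $upn `
           -GivenName 'Jane' -Surname 'Doe' -DisplayName 'Jane Doe' `
           -Path $ouDn

# Step 2 (KB: Reset Password in Server Manager). Prompt for the password rather
# than embedding it in the script or the shell history.
$initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $initialPassword

# Step 3 (KB: Enable Account). Leave "must change password at next logon" off so
# that the self-service reset in RSA IG&L is what changes the password later.
Set-ADUser -Identity $sam -ChangePasswordAtLogon $false
Enable-ADAccount -Identity $sam

# Confirm the state the collectors will pick up: enabled, not locked out,
# password set (PasswordLastSet populated) and not flagged as expired.
Get-ADUser -Identity $sam -Properties Enabled, LockedOut, PasswordLastSet, PasswordExpired |
    Select-Object Name, SamAccountName, UserPrincipalName, Enabled, LockedOut, PasswordLastSet, PasswordExpired
```

Run it in an elevated PowerShell session on the domain controller (or any host with RSAT) as an account allowed to create users in the target OU. The final Get-ADUser is worth keeping: an account that shows PasswordExpired as True or LockedOut as True will be collected but will not be able to log in, which is easy to confuse with a reset that did not provision.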
Now that the user account has been created in Active Directory it needs to be collected into RSA Identity Governance and Lifecycle. This requires identity and account collectors configured appropriately for the Active Directory server used.
Under Resources -> Directory set up a directory to use for the collectors. Configure the directory to use default AFX fulfilment.
Configure the Identity Collector.
Configure the Account Collector.
Either the identity collector or the account collector needs to be associated with an authentication source under Admin -> System -> Authentication tab.
Collect the new user account by running the Active Directory collectors, then check the result.
Set up an AFX connector for automatic provisioning of the changed password.
Now that the connector is configured, associate it with the collector as a connector binding.
Now that all the required system configuration is in place, the user can log in and configure their challenge responses.
Log out to get back to the login screen and select Forgot My Password.
Enter the username (the identifier chosen under Identity Confirmation) and select the relevant external authentication source.
Enter the correct responses to the challenge questions.
Enter and confirm the new password.
A change request is raised for the reset password operation.
It may take a short time for the change request to be automatically provisioned on the authentication source endpoint. To check the progress/success of this operation, log in as a user with administrator privileges again and check that the change request completed. The change request's workflow should show the provisioning step completed.
The user may now log in using the new password.
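The change request status only shows that RSA IG&L handed the new password to the AFX connector; the check a practitioner wants is on the Active Directory side. The following added example (not part of the RSA KB) compares the account's PasswordLastSet before and after the Forgot My Password flow and then performs a real bind with the new password. It assumes the same hypothetical account (jdoe in example.local) and a domain-joined Windows host with the ActiveDirectory module installed.

```powershell
# Added example (not part of the RSA KB): verify from Active Directory that the
# self-service reset was actually provisioned, then prove the new credential works.
# Assumed (hypothetical) values: account jdoe in domain example.local.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$sam    = 'jdoe'           # assumed sAMAccountName
$domain = 'example.local'  # assumed domain

# Snapshot PasswordLastSet before the user runs Forgot My Password. After the
# change request completes, a later timestamp proves the password reached AD.
$before = (Get-ADUser -Identity $sam -Properties PasswordLastSet).PasswordLastSet
Read-Host -Prompt 'Run the Forgot My Password flow now, then press Enter' | Out-Null
$after = Get-ADUser -Identity $sam -Properties PasswordLastSet, LockedOut, PasswordExpired, Enabled

if ($after.PasswordLastSet -le $before) {
    Write-Warning "PasswordLastSet unchanged ($before): the change request is not provisioned yet, or the AFX connector binding is wrong."
}

# Account states that make the bind below fail even when provisioning succeeded.
if (-not $after.Enabled)    { Write-Warning 'Account is disabled.' }
if ($after.LockedOut)       { Write-Warning 'Account is locked out (bad binds or repeated failed attempts).' }
if ($after.PasswordExpired) { Write-Warning 'Password is expired or flagged "must change at next logon"; a simple bind will be refused.' }

# Validate the new credential with an actual bind rather than trusting the request status.
$newPassword = Read-Host -Prompt "New password for $sam (as entered in the reset form)" -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
           [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
try {
    if ($ctx.ValidateCredentials($sam, $plain)) {
        "Bind succeeded: $sam authenticates with the new password (PasswordLastSet=$($after.PasswordLastSet))."
    } else {
        "Bind FAILED for $sam: the reset did not reach AD, or one of the account states warned about above is blocking logon."
    }
} finally {
    $plain = $null
    $ctx.Dispose()
}
```

A failed bind with an updated PasswordLastSet points at account state (lockout, expiry) rather than at the RSA configuration; an unchanged PasswordLastSet points at the AFX connector or its binding to the collector. Repeated failed binds count against the domain lockout threshold, so run the validation once per reset rather than in a loop.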
