Applies To
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 6.9.1+
Platform: SUSE Linux Enterprise Server 11 SP3 / Microsoft Windows Server 2008 R2
Issue
A customer may want users to be able to reset their own password using the Forgot My Password link on the login screen. This guide describes how to configure this using Active Directory as the external authentication source.

Resolution
To enable password reset against an external authentication source, a number of components must be configured. This KB describes the configuration required for Active Directory.
Log in as a user with administrator privileges.
Navigate to Admin -> System -> Settings and ensure Password Management is enabled; this activates the Password Management interface in the Requests menu.
Configure the Password Management settings as follows:
It is not necessary to explicitly define the port number for the external URL; it defaults to port 80 if not defined. Do not try to use any other port number. The IP address is the RSA Lifecycle and Governance server address, and appropriate firewall rules must exist to allow access to it from client computers.
Under the Password Policies tab select Basic Password Policy.
On the Basic Password Policy screen select Choose Business Sources.
Select appropriate Business Sources.
Under the Challenge Questions tab, select Edit and choose how many challenge questions to define and how many of these will be randomly selected during the password reset process.
Under the Identity Confirmation tab choose whether you want to use the user name or account name as the main identifier for the password reset. In this example I am using user name.
The next step is to create the account. In this guide I am using Active Directory as the external authentication source, so I will create a new account in Active Directory. I use ADSI to create the user, then enable it and assign a password in Server Manager. With this technique it is possible to specify the Common Name attribute directly.
The new user appears in Server Manager.
Right click on the user and select Enable Account.
Right click on the user and select Reset Password.
Provide first and last names.
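The same account creation steps, done from PowerShell against ADSI rather than Server Manager, as an added example that is not part of the original KB; the domain (DC=example,DC=com), the Users container, the account name pwreset.user and the initial password are placeholders.

```powershell
# Added example (not from the KB): create the user with an explicit Common Name via ADSI,
# then perform the Reset Password and Enable Account steps, and verify the result.
$domainDn = "DC=example,DC=com"               # placeholder domain
$cn       = "pwreset.user"                    # CN is chosen directly, as ADSI allows
$password = "Initial-P@ssw0rd-Placeholder"    # placeholder initial password

$container = [ADSI]"LDAP://CN=Users,$domainDn"
$new = $container.Create("user", "CN=$cn")
$new.Put("sAMAccountName", $cn)
$new.Put("userPrincipalName", "$cn@example.com")
$new.Put("givenName", "Reset")                # "Provide first and last names" step
$new.Put("sn", "Tester")
$new.SetInfo()                                # commit; the object is created disabled

# Re-bind so the property cache reflects the committed object.
$user = [ADSI]"LDAP://CN=$cn,CN=Users,$domainDn"

# Reset Password step: set the password before enabling the account.
$user.Invoke("SetPassword", $password)

# Enable Account step: clear ACCOUNTDISABLE (0x2) and PASSWD_NOTREQD (0x20). A freshly
# created ADSI user carries both flags; leaving PASSWD_NOTREQD set would allow a blank password.
$uac = [int]$user.Get("userAccountControl")
$user.Put("userAccountControl", ($uac -band (-bnot 0x22)))
$user.SetInfo()

# Check the account state before the collectors pick it up.
function Test-ResetAccount {
    param([string]$DistinguishedName)
    $u   = [ADSI]"LDAP://$DistinguishedName"
    $uac = [int]$u.Get("userAccountControl")
    New-Object PSObject -Property @{
        Enabled          = (($uac -band 0x2)  -eq 0)
        PasswordRequired = (($uac -band 0x20) -eq 0)
        PasswordSet      = ($u.ConvertLargeIntegerToInt64($u.Get("pwdLastSet")) -ne 0)
    }
}
Test-ResetAccount "CN=$cn,CN=Users,$domainDn"
```

All three properties returned by Test-ResetAccount should be True before the account is collected into RSA Identity Governance and Lifecycle.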
Now that the user account has been created in Active Directory it needs to be collected into RSA Identity Governance and Lifecycle. This requires identity and account collectors configured appropriately for the Active Directory server used.
Under Resources -> Directory set up a directory to use for the collectors.
Configure the directory to use default AFX fulfilment.
Configure the Identity Collector
Either the identity or account collector needs to be associated with an authentication source in Admin -> System -> Authentication tab.
Collect the new user account by running the Active Directory collectors.
Set up AFX connector for automatic provisioning of changed password.
Now that the connector is configured associate it with the collector as a connector binding.
Now that all the required system configuration is in place, the user can log in and configure their challenge responses.
Log out to get back to the login screen and select Forgot My Password.
Enter the user name and select the relevant external authentication source.
Enter the correct responses to challenge questions.
Enter and confirm new password.
A change request is raised for the reset password operation.
It may take a short time for the change request to be automatically provisioned on the authentication source endpoint. To check the progress and outcome of this operation, log in again as a user with administrator privileges.
Check that the change request completed.
The workflow should be similar to the below.
The user may now log in using the new password.