Password recovery
Password Recovery Addon
- Introduction to Password recovery addon
- How to install Password recovery addon in Soffid
- Password recovery configuration page
- How to configure questions?
Introduction to Password recovery addon
What is password recovery addon?
The Password recovery addon allows end users to recover their passwords.
Soffid lets you configure password recovery according to your business needs, using different technical solutions. The currently available options are the following:
- Email recovery
- Questions and answers recovery
- OTP recovery
- SMS recovery
In addition, you can enable and use this option in several Soffid components.
- In the Console login
- In the Federation add-on login
- In the ESSO login
Let's look at some use cases.
Use cases
Email recovery
When an end user wants to recover his password with the email recovery method, Soffid will send an email with a PIN code to the end user to recover his password.
The end user must enter the PIN code and, if it is right, Soffid will display a window to write and confirm the new password.
Please note that for this feature to work correctly, users' email addresses must be registered in Soffid.
Questions and answers recovery
When an end user wants to recover his password with the Questions and Answers recovery method, Soffid will display a window to answer the questions configured previously by the end user in the self service portal.
If the answers are right, Soffid will display a window to write and confirm the new password.
Please note that for this feature to work correctly, the administrator must configure the questions in the Console and the end user must first complete the answers in the Identity Self Service portal. Otherwise, an error will be displayed and the end user will need to contact an administrator user.
For more information, see the page How to configure questions and answers?
OTP recovery
When an end user wants to recover his password with the OTP recovery method, Soffid will display a window to enter the PIN code. The user will need to get the PIN code with an OTP application (FreeOTP+, Google Authenticator and Microsoft Authenticator are the most used).
The end user must enter the PIN code and, if it is right, Soffid will display a window to write and confirm the new password.
Please note that in order to use this feature, the end user must first configure an OTP device in Soffid by registering the OTP in one of the available OTP applications. Otherwise, an error will be displayed and the end user will have to contact an administrator user.
For more information about the OTP method, you can visit the Two factor authentication (2FA) book.
SMS recovery
When an end user wants to recover his password with the SMS recovery method, Soffid sends an SMS to the end user with a PIN code to recover his password.
The end user must enter the PIN code and, if it is right, Soffid will display a window to write and confirm the new password.
Please note that the administrator must have previously configured an SMS gateway. Soffid does not have any preconfigured SMS services by default; the customer must configure their own service.
ESSO
Users who have the ESSO component installed on their devices will also be able to use the password recovery feature.
Remember that in order to use this feature, the user must have ESSO installed and the administrator must have enabled this feature beforehand.
For more information about the ESSO you can visit the ESSO documentation.
How to install Password recovery addon in Soffid
Installation
Introduction
To use an addon in Soffid, you must download and install it in the Console. There are two ways to do this.
1. The first option is to use the Soffid 4 marketplace. You can download and upload it directly from the License and plugin page.
2. The second option is to download the file from the Soffid download page and then upload it to the Console.
Soffid 4 marketplace
Soffid 4 allows you to install and update plugins through the new Addons marketplace feature.
To access the marketplace, you must have a valid token to use Soffid and have configured the Console via HTTPS. Please check the License and plugin page.
1. Please log in to IAM Console.
You need to be an administrator user of the Soffid console or a user with permission to upload addons.
It is recommended to upload the addons to the master; this keeps everything updated, both the master and the tenants, if there are any.
2. In the Soffid console, please go to the License and plugin page.
3. Then, click the "Add new" button, open the "Soffid Addons" section and select the "Install addon" option. Soffid will upload the addon file.
4. Finally, when the addon is installed, the Console has to be restarted. A popup will be displayed to perform this action; you can choose to do it now or later.
5. Once the Soffid console has restarted, you can check if the plugin was correctly uploaded on the "License and plugins" page.
6. Now, you can configure the addon.
Download and upload
1. You can download the addon from http://www.soffid.com/download/enterprise/ if you have a Soffid user with authorization, or from http://download.soffid.com/download/ by registering.
The addons are in the Addon section.
2. Once the addon is downloaded, please log in to IAM Console.
You need to be an administrator user of the Soffid console or a user with permission to upload addons.
It is recommended to upload the addons to the master; this keeps everything updated, both the master and the tenants, if there are any.
3. In the Soffid console, please go to the License and plugin page.
4. Then, click the "Upload" button, pick the file and click the "Select" button. Soffid will upload the addon file.
5. Finally, when the addon is installed, the Console has to be restarted. A popup will be displayed to perform this action; you can choose to do it now or later.
6. Once the Soffid console has restarted, you can check if the plugin was correctly uploaded on the "License and plugins" page.
7. Now, you can configure the addon.
Password recovery configuration page
Description
Soffid provides the functionality that allows users to recover their passwords.
To do this, the administrator user, or a user with the proper roles/authorizations, must first configure the password recovery settings.
This setting can be used in the Console login and in the Federation login if enabled in the Identity Provider.
There are several configuration options for the sending method; use the one that best suits your organization.
Screen Overview
Related objects
- Soffid parameters: a mail server must be configured in order to send emails
- Identity providers: to enable this option in federation
Standard attributes
Password recovery questions tab
Enabled methods
- Enable email recovery: if Yes is selected, it will allow password recovery through an e-mail sent to an authorized mailbox.
- Enable question&answer recovery: if Yes is selected, a question and control response will be requested.
- Enable OTP: if Yes is selected, an OTP will be required to recover the password. That OTP depends on the OTP settings configured in the Soffid Console and the OTP devices configured for the end user.
- Enable SMS: if Yes is selected, an SMS will be sent to recover the password.
- Preferred method: if you select two or more of the previous options, this drop-down allows you to prioritize one option over the others.
  - Questions
  - SMS
  - OTP
- Allow to unlock account and keep the same password: Allows the user to unlock his account using the last stored password.
Recovery questions
- Minimum number of filled-in questions: indicates the minimum number of questions that must have been answered in the end user's profile before this password recovery method can be used.
- Questions to answer to unlock: indicates the number of questions that must be asked of the end user to reset his password.
- Number to answer to unlock: indicates the number of questions that the end user must answer to reset his password.
- Enforce fill-in questions: on each access, Soffid checks whether the questions have been answered. If they have not, Soffid will display a window with the questions for the end user to answer or configure, depending on the selected value.
  - Disabled: allows you to disable that functionality.
  - Required: if this option is selected, the system will check whether the user questions are answered correctly. If the user does not have the required number of questions defined, or has not answered all his questions, the system will show the retrieve password questions page.
  - Optional: when this option is selected, the system will check the user questions, but it will not show the retrieve password questions page if the user questions do not meet the configuration parameters.
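How the three "Recovery questions" values interact, as an added sketch that is not Soffid's own code: the constant names, the answer normalization and the salted PBKDF2 storage are assumptions made for illustration, and the sample questions and answers are constructed.

```python
import hashlib, hmac, secrets, unicodedata

# Hypothetical settings mirroring the three "Recovery questions" fields.
MIN_FILLED = 3        # Minimum number of filled-in questions
QUESTIONS_TO_ASK = 2  # Questions to answer to unlock
ANSWERS_REQUIRED = 2  # Number to answer to unlock

def _norm(answer):
    # Case, Unicode form and spacing differences should not fail a user.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def enroll(answers):
    """Store salted PBKDF2 digests instead of the plain answers (assumption)."""
    store = {}
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", _norm(answer).encode(), salt, 100_000)
        store[question] = (salt, digest)
    return store

def pick_challenge(store):
    """Return the questions to ask, or None when too few are filled in."""
    if len(store) < max(MIN_FILLED, QUESTIONS_TO_ASK):
        return None  # the error case: the user must contact an administrator
    return secrets.SystemRandom().sample(sorted(store), QUESTIONS_TO_ASK)

def verify(store, challenge, responses):
    """True when at least ANSWERS_REQUIRED of the asked questions match."""
    correct = 0
    for question in challenge:
        salt, digest = store[question]
        given = _norm(responses.get(question, "")).encode()
        candidate = hashlib.pbkdf2_hmac("sha256", given, salt, 100_000)
        correct += hmac.compare_digest(candidate, digest)  # constant-time compare
    return correct >= ANSWERS_REQUIRED

# Constructed sample data.
SAMPLE = {"First school?": "Sant Jordi", "First pet?": "Rex", "Birth city?": "Palma"}
```

Setting "Number to answer to unlock" lower than "Questions to answer to unlock" tolerates a forgotten answer, at the cost of making guessing easier.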
Recovery email
- Email subject: the text of the subject sent in the email; you can use variables
- Email body: the text of the body sent in the email; this can be HTML, and you can use variables
Tip: Use the ${variable} syntax to customize SMS and e-mails. Use ${PIN} for the secret pin, or ${attributeName} for any user attributes like ${fullName}.
Recovery SMS
- URL for SMS service: the URL of the SMS service
- HTTP method for SMS: the HTTP method used for the SMS request, for example GET
- HTTP body for SMS: the text of the body sent in the SMS; you can use variables
- HTTP headers for SMS: headers used in the HTTP request
- Response must contain: a text in the response to confirm the successful sending
- User attribute to store phone number: user object attribute defined on the Metadata page to save the phone number.
Tip: Use the ${variable} syntax to customize SMS and e-mails. Use ${PIN} for the secret pin, or ${attributeName} for any user attributes like ${fullName}.
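How the "Recovery SMS" fields and the ${variable} syntax fit together, as an added sketch that is not Soffid's own code: the gateway host, parameter names, token and success marker are constructed placeholders, and percent-encoding the substituted values is an assumption about safe handling rather than documented Soffid behaviour.

```python
import re, secrets
from urllib.parse import quote

# Constructed gateway settings; host, parameters and token are placeholders.
SMS_CONFIG = {
    "url": "https://sms.example.invalid/send",
    "method": "POST",
    "headers": "Authorization: Bearer PLACEHOLDER_TOKEN",
    "body": "to=${phone}&text=Hello+${fullName}%2C+your+PIN+is+${PIN}",
    "response_must_contain": "status=OK",
}
_VAR = re.compile(r"\$\{(\w+)\}")

def render(template, values, encode=False):
    """Replace ${name}; raise on unknown names instead of sending a blank."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template variable not defined: {name}")
        value = str(values[name])
        # Percent-encode in URL/form context so an attribute such as
        # "Ann&to=..." cannot add or override gateway parameters.
        return quote(value, safe="") if encode else value
    return _VAR.sub(sub, template)

def new_pin(digits=6):
    # PIN from the OS CSPRNG, zero-padded to a fixed length.
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"

def build_request(config, user, pin):
    """Assemble the HTTP request the gateway would receive."""
    values = dict(user, PIN=pin)
    headers = dict(h.split(": ", 1) for h in config["headers"].splitlines() if h)
    return {
        "method": config["method"],
        "url": render(config["url"], values, encode=True),
        "headers": headers,
        "body": render(config["body"], values, encode=True),
    }

def sent_ok(config, response_text):
    # "Response must contain": treat anything else as a failed delivery.
    return config["response_must_contain"] in response_text

# Constructed user whose fullName contains form metacharacters.
USER = {"fullName": "Ann&to=+34600000001", "phone": "+34600000000"}
```

Because the request carries the PIN, the gateway URL should use HTTPS and the request should be kept out of proxy and application logs.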
Default questions tab
This Default questions tab is where you enter the questions that the end user will have to answer in order to recover their password.
Table:
- Question: questions for the end user
Actions:
| Add new | Add a new row to the table to allow the administrator to write the question. |
| Delete | After selecting one or more questions, the "Delete" button will be displayed and you can delete the selected question or questions. |
For more information on how to activate and configure the question and answer feature, please review the page How to configure questions?
Actions
Password recovery questions tab
| Confirm changes | Allows you to save the password recovery configuration data. The required fields must be filled in before the data can be saved. |
Default questions tab
| Add new | Allows you to add a new question to the questions list. |
Others
Login in console
First, activate one of the available methods, in this case email.
Second, when you log in to the console, you will see the option "Recover password".
Login in federation
First, enable "Allow user to recover password" in the "Advanced authentication" section.
Second, when you log in to the federation, after entering the user, you will see the option "Forgot your password?".
How to configure questions?
Introduction
Soffid allows the administrator user, or a user with the proper roles, to configure the default questions that will be displayed to the end users.
These are the default questions; end users can change them and configure other questions.
To enable the question functionality, the user needs to configure some parameters.
Next, end users must fill in the answers in the Soffid console in order to be able to recover the password on the login page.
Let's take a closer look at these steps.
1. Enable the question functionality
First, go to Password recovery configuration page.
Now enable this feature and select it as preferred.
For more information, check the Enabled methods attributes.
2. Configure the question engine
On the same page, configure the question and answer mechanism as required.
For more information, check the Recovery questions attributes.
3. Add the default questions
Now go to the Default questions tab and add the questions that the end user will have to answer.
For more information, check the Default questions attributes.
4. Add the answers
End users will now have to fill in their answers.
In the Console go to the My profile page.
You will see the "Password recovery questions" button.
Next, we will have to answer at least the number of questions that have been configured.
5. Use password recovery
Now that we have everything configured, we can use the "Password recovery" option on the login page.
Enter the end user name.
If you get this error, it is because there are no answers.