Reset Password using Pocket Pass and OTP
This section will show how to use one-time password (OTP) generated with PhenixID Pocket Pass as a method to let users prove their identity before resetting their password.
Requirements :
- LDAP must be configured, note the ID of the connection it will be used in later steps.
(in config UI, SCENARIOS -> CONNECTIONS -> LDAP)
Do the following steps in the ADVANCED tab in the Configuration GUI
Step 1 - Authentication - HTTP
Add the following configuration to “Authentication - HTTP”
{
"alias": "changepwdpp",
"name": "Registration",
"configuration": {
"stages": [
{
"pipeid": "changepwdpp-start",
"template": "changepwd/changepwdpp-start
",
"allowLanguageChange": "true",
"templateVariables": {
"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
},
"enableHoneypot": "true",
"translation": [
"common.messages.human",
{
"key": "header",
"mapKeyTo": "ppsspaspp.messages.header"
},
{
"key": "subheader",
"mapKeyTo": "ppsspaspp.messages.subheader"
},
{
"key": "helptext.username",
"mapKeyTo": "ppsspas.common.helptext.username"
},
{
"key": "helptext.otp",
"mapKeyTo": "ppsspas.common.helptext.otp"
},
{
"key": "paragraph",
"mapKeyTo": "ppsspaspp.messages.paragraph"
},
{
"key": "validation.header",
"mapKeyTo": "ppsspas.common.validation.header"
},
{
"key": "validation.lowercase",
"mapKeyTo": "ppsspas.common.validation.lowercase"
},
{
"key": "validation.uppercase",
"mapKeyTo": "ppsspas.common.validation.uppercase"
},
{
"key": "validation.number",
"mapKeyTo": "ppsspas.common.validation.number"
},
{
"key": "validation.length",
"mapKeyTo": "ppsspas.common.validation.length"
},
{
"key": "label.username",
"mapKeyTo": "ppsspas.common.label.username"
},
{
"key": "label.newpassword",
"mapKeyTo": "ppsspas.common.label.newpassword"
},
{
"key": "label.otpcode",
"mapKeyTo": "ppsspas.common.label.otpcode"
},
{
"key": "button.verifyotp",
"mapKeyTo": "ppsspas.common.button.verifyotp"
},
{
"key": "button.continue",
"mapKeyTo": "ppsspas.common.button.continue"
},
{
"key": "title",
"mapKeyTo": "ppsspas.common.title"
},
{
"key": "error.user",
"mapKeyTo": "ppsspas.common.error.user"
},
{
"key": "error.otp",
"mapKeyTo": "ppsspas.common.error.otp"
},
{
"key": "error.lockout",
"mapKeyTo": "ppsspas.common.error.lockout"
},
{
"key": "error.ldappwd",
"mapKeyTo": "ppsspas.common.error.ldappwd"
}
],
"sessionValues": []
},
{
"pipeid": "changepwdpp-setpwd",
"template": "changepwd/changepwdpp-start
",
"templateVariables": {
"password_validity": {
"contains_lowercase": "true",
"contains_uppercase": "true",
"contains_special": "true",
"contains_number": "true",
"password_length": "8"
},
"cancel_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
},
"enableHoneypot": "true",
"translation": [
"common.messages.human",
{
"key": "header",
"mapKeyTo": "ppsspaspp.messages.header"
},
{
"key": "subheader",
"mapKeyTo": "ppsspaspp.messages.subheader"
},
{
"key": "helptext.username",
"mapKeyTo": "ppsspas.common.helptext.username"
},
{
"key": "helptext.otp",
"mapKeyTo": "ppsspas.common.helptext.otp"
},
{
"key": "paragraph",
"mapKeyTo": "ppsspaspp.messages.paragraph"
},
{
"key": "validation.header",
"mapKeyTo": "ppsspas.common.validation.header"
},
{
"key": "validation.lowercase",
"mapKeyTo": "ppsspas.common.validation.lowercase"
},
{
"key": "validation.uppercase",
"mapKeyTo": "ppsspas.common.validation.uppercase"
},
{
"key": "validation.special",
"mapKeyTo": "ppsspas.common.validation.special"
},
{
"key": "validation.number",
"mapKeyTo": "ppsspas.common.validation.number"
},
{
"key": "validation.length",
"mapKeyTo": "ppsspas.common.validation.length"
},
{
"key": "label.username",
"mapKeyTo": "ppsspas.common.label.username"
},
{
"key": "label.newpassword",
"mapKeyTo": "ppsspas.common.label.newpassword"
},
{
"key": "label.otpcode",
"mapKeyTo": "ppsspas.common.label.otpcode"
},
{
"key": "button.verifyotp",
"mapKeyTo": "ppsspas.common.button.verifyotp"
},
{
"key": "button.continue",
"mapKeyTo": "ppsspas.common.button.continue"
},
{
"key": "title",
"mapKeyTo": "ppsspas.common.title"
},
{
"key": "error.user",
"mapKeyTo": "ppsspas.common.error.user"
},
{
"key": "error.otp",
"mapKeyTo": "ppsspas.common.error.otp"
},
{
"key": "error.lockout",
"mapKeyTo": "ppsspas.common.error.lockout"
},
{
"key": "error.ldappwd",
"mapKeyTo": "ppsspas.common.error.ldappwd"
}
],
"sessionValues": [
"otpverified",
"username"
]
},
{
"pipeid": "changepwdpp-complete",
"template": "changepwd/changepwd-common-complete",
"sessionValues": [],
"templateVariables": {
"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
},
"translation": [
{
"key": "header",
"mapKeyTo": "ppsspaspp.messages.completeheader"
},
{
"key": "paragraph",
"mapKeyTo": "ppsspaspp.messages.completetext"
},
{
"key": "title",
"mapKeyTo": "ppsspas.common.title"
},
{
"key": "button.done",
"mapKeyTo": "ppsspas.common.button.done"
}
]
}
]
},
"id": "changepwdpp"
}
Adjust the following settings to match your password policy:
Requires lower case character set this value to true else false- "contains_lowercase": "true",
Requires upper case character set this value to true else false- "contains_uppercase": "true",
Requires special character set this value to true else false - "contains_special": "true",
Requires a number set this value to true else false - "contains_number": "true",
Minimum length of the password , in this example minimum 8 characters- "password_length": "8"
Verify that "nextTarget" on both “cancel_href” and “done_href” values match your requirements.
If needed change nextTarget value see the following example:
"done_href": "/ppss/authenticate/logout/?nextTarget=/ppss/authenticate/changepwdchoice/"
"done_href": "/ppss/authenticate/logout/?nextTarget=https://www.phenixid.se"
Step 2 - Pipes
Add the following configuration to “Pipes"
{
"id": "changepwdpp-start",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "LockoutCheckValve",
"config": {
"userid_param_name": "{{request.username}}",
"lockout_enabled": "true",
"lockout_login_attempts": "3",
"lockout_time": "30",
"lockout_login_window": "5"
}
},
{
"name": "LDAPSearchValve",
"config": {
"connection_ref": "replace-ldap-ref",
"base_dn": "replace-base_dn",
"scope": "SUB",
"size_limit": "0",
"filter_template": "replace-ppss-filter_request",
"attributes": ""
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist",
"exec_if_expr": "flow.items().isEmpty()"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist",
"skip_if_expr": "flow.isSingle()"
}
},
{
"name": "SessionBindToUidValve",
"config": {
"userid": "{{request.username}}"
}
},
{
"name": "GetTokenExistsValve",
"config": {
"username_attribute": "username",
"token_type": "OATH",
"get_value_attribute_key": "OATH"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "You don't have any Pocket Pass",
"exec_if_expr": "flow.property('OATH').equals('false')"
}
},
{
"name": "TokenValidationValve",
"config": {
"provided_otp_param_name": "{{request.otp}}",
"otp_length": "6",
"userid_param_name": "username",
"lockout_enabled": "true",
"lockout_login_attempts": "3",
"lockout_time": "30",
"lockout_login_window": "5"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "Wrong verification code",
"exec_if_expr": "attributes.user_authenticated === false"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "username",
"value": "{{request.username}}",
"skip_if_expr": ""
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "otpverified",
"value": "true",
"skip_if_expr": ""
}
},
{
"name": "SessionPersistValve",
"config": {}
}
]
},
{
"id": "changepwdpp-setpwd",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "InputParameterExistValidatorValve",
"config": {
"param_name": "password"
}
},
{
"name": "LDAPSearchValve",
"config": {
"connection_ref": "replace-ldap-ref",
"base_dn": "replace-base_dn",
"scope": "SUB",
"size_limit": "0",
"filter_template": "replace-ppss-filter_session",
"attributes": ""
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist",
"exec_if_expr": "flow.items().isEmpty()"
}
},
{
"name": "replace-ppss-pwdvalve",
"enabled": "true",
"config": {
"connection_ref": "replace-ldap-ref",
"value": "{{request.password}}"
}
},
{
"name": "EventValve",
"config": {
"event_key": "EVT_000054",
"parameters": [
{
"parameter": "duser",
"value": "{{session.username}}"
}
]
}
},
{
"name": "SessionPersistValve",
"config": {}
}
]
},
{
"id": "changepwdpp-complete",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "SessionRemoveValve",
"config": {}
}
]
}
Replace the following Pipe settings:
“replace-ldap-ref” with your LDAP connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-base_dn” with your “base_dn”, example “DC=phenixid,DC=local”
"replace-ppss-filter_request" with either "sAMAccountName={{request.username}}" if you have Active Directory or "uid={{request.username}}" for other LDAP catalogs
"replace-ppss-filter_session" with either "sAMAccountName={{session.username}}" if you have Active Directory or "uid={{session.username}}" for other LDAP catalogs
"replace-ppss-pwdvalve" with "ADPasswordChangeValve" if you have Active Directory,
for other LDAP catalogs replace with "LDAPModifyValve" and add "modification_type": "REPLACE",
to the config section of the valve
Verify that “filter_template” and “attributes” match your environment.
Make sure that "lockout_login_attempts", "lockout_time" and "lockout_login_window" follows your security policy.
Step - 3 Link to the web page
Browse to https://"Server address":"port"/ppss/authenticate/changepwdpp,
example https://www.phenixid.se:8443/ppss/authenticate/changepwdpp