[midPoint] Example for Security Question Password Reset
Pavol Mederly
mederly at evolveum.com
Mon Aug 6 15:14:08 CEST 2018
Hello Brad,
> Thanks for all who contribute such helpful information on this list.
> I've tried to answer when I know something, but most people's
> questions are more advanced than I am. :-)
that's the right approach, thank you for it. Our (developers') resources
are really limited - for various reasons - so community members are the
ones who can really help here a lot.
The code handling security questions is a contributed one, and in the
current midPoint version it does not seem to be working quite well. Recently
I had to make some fixes to make it work better. They are on the
current master, please see
https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9.
So, when testing, please use the master, or at least the above commit.
Now the configuration. I suggest the following:
Default Security Policy:

<securityPolicy
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
        xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
        oid="00000000-0000-0000-0000-000000000120"
        version="6">
    <name>Default Security Policy</name>
    <credentials>
        <password>
            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
            <lockoutDuration>PT15M</lockoutDuration>
            <valuePolicyRef
                    xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                    oid="00000000-0000-0000-0000-000000000003"
                    relation="org:default"
                    type="tns:ValuePolicyType"><!-- Default Password Policy --></valuePolicyRef>
        </password>
        <securityQuestions>
            <questionNumber>2</questionNumber>
            <question id="2">
                <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
                <enabled>true</enabled>
                <questionText>How much wood would a woodchuck chuck if woodchuck could chuck wood?</questionText>
            </question>
            <question id="3">
                <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
                <questionText>What is your mother's best friend's uncle's grandaughter's dog's mother maiden name?</questionText>
            </question>
        </securityQuestions>
    </credentials>
    <credentialsReset>
        <securityQuestionReset/>
    </credentialsReset>
</securityPolicy>
When you test that, please make sure that the user has an e-mail
address filled in in midPoint. And when resetting the password, you have to
enter that e-mail address. It will *not* be used to send anything to it
(in this setting); it serves here just as an additional verification of
the identity.
> Another related question: Is it possible to have both email reset and
> security question reset active at the same time and allow users to
> select which method to use?
As far as I know this is currently not possible.
Best regards,
Pavol Mederly
Software developer
evolveum.com
On 03.08.2018 1:07, Brad Firestone wrote:
> Hi All,
>
> Thanks for all who contribute such helpful information on this list.
> I've tried to answer when I know something, but most people's
> questions are more advanced than I am. :-)
>
> Forgive me for repeating. Peter has asked a similar question in 2017
> with no answers:
> http://lists.evolveum.com/pipermail/midpoint/2017-April/003624.html
>
> And I asked this question a month or so ago when using 3.6.1 but
> didn't receive any answers. I know this is a community resource and
> nothing is guaranteed, but I thought I'd ask again. I've tried
> working through this again with version 3.7.2 and still can't figure
> out how to configure the system for Security Question password reset.
> Reset via email is working fine but we plan to control our email
> accounts through midPoint, so really need Security Questions to work.
>
> I've tried looking through all the Wiki articles and Sample files and
> haven't found a complete example that shows password reset via
> Security Questions that I can get to work. It's possible I'm just
> missing it, but the more recent examples I've found which include
> information for Security Questions still show the credentialsReset
> method as passwordMailReset:
>
> https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration
> https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/security-policy.xml
>
> https://wiki.evolveum.com/display/midPoint/Security+Policy+Configuration
>
> <credentialsReset>
> <mailReset>
> <name>passwordMailReset</name>
> <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
>
> </mailReset>
> </credentialsReset>
>
> I have the Security Questions defined, and my Users can enter answers
> to the questions. But I can't find an example of how to activate
> password reset via the questions instead of email.
>
> I also tried applying the Security Policy Sample that was bundled.
> This policy only lists Security Questions and includes the following
> which seems to be a different syntax compared to above:
> <resetMethod>
> <resetType>securityQuestions</resetType>
> </resetMethod>
>
> But when I activate this security policy and click on "Forgot
> Password" on the login screen, I get a blank space with a Back button
> and a Reset Password button. Clicking on Reset Password gives an
> error of "Unsupported password reset type".
>
> Can anybody share or point me to an example of how to set this up? I
> know there are plans to rebuild the password reset system, but
> hopefully I can get this working for now.
>
> Another related question: Is it possible to have both email reset and
> security question reset active at the same time and allow users to
> select which method to use?
>
> Thank you!
> Brad
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
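A small pre-flight check for the policy suggested in the reply above, added here as an example; it is not code from the post or from midPoint. It parses a policy file and reports the things the reply calls out: the reset method has to be <securityQuestionReset/> (not mailReset alongside it), there must be at least <questionNumber> questions to ask, and the user must have an e-mail address because the reset form asks for it as an extra identity check. The sample policy is a shortened, constructed copy of the one posted; the user-object element names (emailAddress, questionAnswer, questionIdentifier) are assumed from midPoint's user schema and should be checked against your version.

```python
"""Pre-flight check for midPoint security-question password reset.

Added example, not code from the post or from midPoint. Element names used
for the user object are assumptions about midPoint's user schema.
"""
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample: the suggested policy, shortened to what the check reads.
POLICY_XML = """\
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                oid="00000000-0000-0000-0000-000000000120" version="6">
  <name>Default Security Policy</name>
  <credentials>
    <password>
      <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
      <lockoutDuration>PT15M</lockoutDuration>
    </password>
    <securityQuestions>
      <questionNumber>2</questionNumber>
      <question id="2">
        <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
        <enabled>true</enabled>
        <questionText>How much wood would a woodchuck chuck?</questionText>
      </question>
      <question id="3">
        <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
        <questionText>What was the name of your first pet?</questionText>
      </question>
    </securityQuestions>
  </credentials>
  <credentialsReset>
    <securityQuestionReset/>
  </credentialsReset>
</securityPolicy>
"""

# Constructed sample user; emailAddress / questionAnswer / questionIdentifier
# are assumed element names from midPoint's user schema.
USER_XML = """\
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>brad</name>
  <emailAddress>brad@example.invalid</emailAddress>
  <credentials>
    <securityQuestions>
      <questionAnswer>
        <questionIdentifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</questionIdentifier>
      </questionAnswer>
      <questionAnswer>
        <questionIdentifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</questionIdentifier>
      </questionAnswer>
    </securityQuestions>
  </credentials>
</user>
"""


def policy_question_ids(root):
    """Identifiers of policy questions that are not explicitly disabled."""
    ids = []
    for q in root.findall("c:credentials/c:securityQuestions/c:question", NS):
        if q.findtext("c:enabled", default="true", namespaces=NS).strip().lower() != "false":
            ids.append(q.findtext("c:identifier", default="", namespaces=NS))
    return ids


def question_number(root):
    return int(root.findtext("c:credentials/c:securityQuestions/c:questionNumber",
                             default="0", namespaces=NS))


def lint_policy(xml_text):
    """Return findings for the policy; an empty list means it looks usable."""
    root = ET.fromstring(xml_text)
    findings = []
    reset = root.find("c:credentialsReset", NS)
    if reset is None or reset.find("c:securityQuestionReset", NS) is None:
        findings.append("credentialsReset lacks <securityQuestionReset/>")
    elif reset.find("c:mailReset", NS) is not None:
        findings.append("mailReset and securityQuestionReset both present; only one can be active")
    wanted, ids = question_number(root), policy_question_ids(root)
    if wanted < 1:
        findings.append("questionNumber must be at least 1")
    if len(ids) < wanted:
        findings.append(f"questionNumber={wanted} but only {len(ids)} enabled question(s)")
    if "" in ids or len(set(ids)) != len(ids):
        findings.append("every question needs a unique identifier")
    if root.find("c:credentials/c:password/c:lockoutMaxFailedAttempts", NS) is None:
        findings.append("password lockout is not configured")
    return findings


def user_can_reset(user_xml, policy_xml):
    """Return findings that would stop this user from completing the reset form."""
    user, policy = ET.fromstring(user_xml), ET.fromstring(policy_xml)
    findings = []
    if not user.findtext("c:emailAddress", default="", namespaces=NS).strip():
        findings.append("user has no emailAddress; the reset form requires it")
    known = set(policy_question_ids(policy))
    answered = {a.findtext("c:questionIdentifier", default="", namespaces=NS)
                for a in user.findall("c:credentials/c:securityQuestions/c:questionAnswer", NS)}
    wanted = question_number(policy)
    if len(answered & known) < wanted:
        findings.append(f"user answered {len(answered & known)} of {wanted} required question(s)")
    return findings


if __name__ == "__main__":
    print(lint_policy(POLICY_XML) or "policy OK")
    print(user_can_reset(USER_XML, POLICY_XML) or "user OK")
```

Run it against an exported policy and a user object before turning the feature on; the user check is the one that catches the "no e-mail address" case the reply warns about, which otherwise only shows up as a failed reset at the login screen.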