[midPoint] Example for Security Question Password Reset
Brad Firestone
bhotrock at gmail.com
Tue Aug 7 19:31:48 CEST 2018
Hello Pavol,
Thank you so much for your reply and your great explanation. I will try
to apply the recent commit and test that. Also thank you for the
example security policy. This is very helpful!!
It may be a week or more before I can test, but will follow up and let
you know how it works for me.
Thanks again!
Brad
On 8/6/18, 8:14 AM, Pavol Mederly wrote:
>
> Hello Brad,
>
>> Thanks for all who contribute such helpful information on this list.
>> I've tried to answer when I know something, but most people's
>> questions are more advanced than I am. :-)
> that's the right approach, thank you for it. Our (developers')
> resources are really limited - for various reasons - so community
> members are the ones who can really help here a lot.
>
> The code handling security questions is a contributed one, and in the
> current midPoint version it does not seem to be working quite well.
> Recently I had to make some fixes to make it work better. They are
> on the current master, please see
> https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9.
>
> So, when testing, please use the master, or at least the above commit.
>
> Now the configuration. I suggest the following:
>
> Default Security Policy
>
> <securityPolicy
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> oid="00000000-0000-0000-0000-000000000120"
> version="6">
> <name>Default Security Policy</name>
> <credentials>
> <password>
> <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
> <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
> <lockoutDuration>PT15M</lockoutDuration>
> <valuePolicyRef
> xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> oid="00000000-0000-0000-0000-000000000003"
> relation="org:default"
> type="tns:ValuePolicyType"><!-- Default
> Password Policy --></valuePolicyRef>
> </password>
> <securityQuestions>
> <questionNumber>2</questionNumber>
> <question id="2">
> <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
> <enabled>true</enabled>
> <questionText>How much wood would a woodchuck chuck if woodchuck could
> chuck wood?</questionText>
> </question>
> <question id="3">
> <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
> <questionText>What is your mother's best friend's uncle's
> granddaughter's dog's mother's maiden name?</questionText>
> </question>
> </securityQuestions>
> </credentials>
> <credentialsReset>
> <securityQuestionReset/>
> </credentialsReset>
> </securityPolicy>
>
> When you test that, please make sure that the user has an e-mail
> address filled in in midPoint. And when resetting the password, you have
> to enter that e-mail address. It will *not* be used to send anything
> to it (in this setting); it serves here just as an additional
> verification of identity.
>
>> Another related question: Is it possible to have both email reset
>> and security question reset active at the same time and allow users
>> to select which method to use?
> As far as I know this is currently not possible.
>
> Best regards,
>
> Pavol Mederly
> Software developer
> evolveum.com
> On 03.08.2018 1:07, Brad Firestone wrote:
>> Hi All,
>>
>> Thanks for all who contribute such helpful information on this list.
>> I've tried to answer when I know something, but most people's
>> questions are more advanced than I am. :-)
>>
>> Forgive me for repeating. Peter has asked a similar question in 2017
>> with no answers:
>> http://lists.evolveum.com/pipermail/midpoint/2017-April/003624.html
>>
>> And I asked this question a month or so ago when using 3.6.1 but
>> didn't receive any answers. I know this is a community resource and
>> nothing is guaranteed, but I thought I'd ask again. I've tried
>> working through this again with version 3.7.2 and still can't figure
>> out how to configure the system for Security Question password
>> reset. Reset via email is working fine but we plan to control our
>> email accounts through midPoint, so really need Security Questions to
>> work.
>>
>> I've tried looking through all the Wiki articles and Sample files and
>> haven't found a complete example that shows password reset via
>> Security Questions that I can get to work. It's possible I'm just
>> missing it, but the more recent examples I've found which include
>> information for Security Questions still show the credentialsReset
>> method as passwordMailReset:
>>
>> https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration
>> https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/security-policy.xml
>>
>> https://wiki.evolveum.com/display/midPoint/Security+Policy+Configuration
>>
>> <credentialsReset>
>> <mailReset>
>> <name>passwordMailReset</name>
>> <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
>>
>> </mailReset>
>> </credentialsReset>
>>
>> I have the Security Questions defined, and my Users can enter answers
>> to the questions. But I can't find an example of how to activate
>> password reset via the questions instead of email.
>>
>> I also tried applying the Security Policy Sample that was bundled.
>> This policy only lists Security Questions and includes the following
>> which seems to be a different syntax compared to above:
>> <resetMethod>
>> <resetType>securityQuestions</resetType>
>> </resetMethod>
>>
>> But when I activate this security policy and click on "Forgot
>> Password" on the login screen, I get a blank space with a Back button
>> and a Reset Password button. Clicking on Reset Password gives an
>> error of "Unsupported password reset type".
>>
>> Can anybody share or point me to an example of how to set this up? I
>> know there are plans to rebuild the password reset system, but
>> hopefully I can get this working for now.
>>
>> Another related question: Is it possible to have both email reset
>> and security question reset active at the same time and allow users
>> to select which method to use?
>>
>> Thank you!
>> Brad
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
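A small consistency check for the securityPolicy quoted above, added here as an example; it is not midPoint code and not part of the thread. It parses the policy with Python's ElementTree and flags the things that tend to go wrong when switching from mailReset to securityQuestionReset: no reset method under credentialsReset, more than one method (the reply above says offering both at once is not supported), questionNumber larger than the number of defined questions, questions missing an identifier or text, duplicate identifiers, and a question with no explicit enabled element (the quoted policy's question id="3" has none; whether midPoint treats that as enabled is an assumption not settled in the thread, so it is reported as something to confirm rather than as an error). The element layout (securityQuestions under credentials, credentialsReset at the top level) follows the quoted policy; the sample policy string is constructed for the example.

```python
"""Consistency checks for the securityQuestions/credentialsReset parts of a
midPoint securityPolicy XML. Added example, not midPoint's own validation."""
import xml.etree.ElementTree as ET

# Namespace prefix used for XPath lookups; the URI is the one in the thread.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample, modelled on the policy quoted in the thread.
SAMPLE_POLICY = """<securityPolicy
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    oid="00000000-0000-0000-0000-000000000120" version="6">
  <name>Default Security Policy</name>
  <credentials>
    <password>
      <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
      <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
      <lockoutDuration>PT15M</lockoutDuration>
    </password>
    <securityQuestions>
      <questionNumber>2</questionNumber>
      <question id="2">
        <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
        <enabled>true</enabled>
        <questionText>How much wood would a woodchuck chuck?</questionText>
      </question>
      <question id="3">
        <identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
        <questionText>What was the name of your first pet?</questionText>
      </question>
    </securityQuestions>
  </credentials>
  <credentialsReset>
    <securityQuestionReset/>
  </credentialsReset>
</securityPolicy>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_policy(xml_text):
    """Return a list of findings; an empty list means nothing looked off."""
    root = ET.fromstring(xml_text)
    findings = []

    # Which reset method(s) are switched on?
    reset = root.find("c:credentialsReset", NS)
    methods = [] if reset is None else [local_name(child.tag) for child in reset]
    if not methods:
        findings.append("no reset method configured under credentialsReset")
    if len(methods) > 1:
        findings.append("more than one reset method configured: " + ", ".join(methods))

    sq = root.find("c:credentials/c:securityQuestions", NS)
    if "securityQuestionReset" in methods and sq is None:
        findings.append("securityQuestionReset enabled but no securityQuestions defined")
    if sq is None:
        return findings

    questions = sq.findall("c:question", NS)
    required = int(sq.findtext("c:questionNumber", default="0", namespaces=NS))
    if required > len(questions):
        findings.append(
            f"questionNumber={required} but only {len(questions)} questions defined")

    seen = set()
    for q in questions:
        qid = q.get("id", "?")
        ident = q.findtext("c:identifier", namespaces=NS)
        text = q.findtext("c:questionText", namespaces=NS)
        if not ident:
            findings.append(f"question id={qid} has no identifier")
        elif ident in seen:
            findings.append(f"question id={qid} repeats identifier {ident}")
        seen.add(ident)
        if not text or not text.strip():
            findings.append(f"question id={qid} has no questionText")
        # Assumption: the thread does not say what a missing <enabled> means,
        # so it is reported for confirmation rather than treated as an error.
        if q.find("c:enabled", NS) is None:
            findings.append(
                f"question id={qid} has no <enabled> element; confirm it is meant to be active")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

Run it against a policy exported from midPoint (replace `SAMPLE_POLICY` with the file contents) before importing the object; on the constructed sample it reports only the missing enabled element on question id="3".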