<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Brad,</p>
<p>
<blockquote type="cite">Thanks for all who contribute such helpful
information on this list. I've tried to answer when I know
something, but most people's questions are more advanced than I
am. :-)
</blockquote>
that's the right approach, thank you for it. Our (developers')
resources are really limited - for various reasons - so community
members are the ones who can really help here a lot.</p>
<p>The code handling security questions is a contributed one, and in
current midPoint version it seems to be not working quite well.
Recently I had to make some fixes to make it better working. They
are on the current master, please see <a moz-do-not-send="true"
href="https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9">https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9</a>.</p>
<p>So, when testing, please use the master, or at least the above
commit.</p>
<p>Now the configuration. I suggest the following:</p>
<p><u><b>Default Security Policy</b></u></p>
<p><font size="-1"><tt><securityPolicy xmlns=<a
class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a></tt><tt><br>
</tt><tt> xmlns:q=<a
class="moz-txt-link-rfc2396E"
href="http://prism.evolveum.com/xml/ns/public/query-3">"http://prism.evolveum.com/xml/ns/public/query-3"</a></tt><tt><br>
</tt><tt> xmlns:c=<a
class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a></tt><tt><br>
</tt><tt> xmlns:t=<a
class="moz-txt-link-rfc2396E"
href="http://prism.evolveum.com/xml/ns/public/types-3">"http://prism.evolveum.com/xml/ns/public/types-3"</a></tt><tt><br>
</tt><tt> xmlns:org=<a
class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/common/org-3">"http://midpoint.evolveum.com/xml/ns/public/common/org-3"</a></tt><tt><br>
</tt><tt>
xmlns:icfs=<a class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a></tt><tt><br>
</tt><tt>
xmlns:ri=<a class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a></tt><tt><br>
</tt><tt>
oid="00000000-0000-0000-0000-000000000120"</tt><tt><br>
</tt><tt> version="6"></tt><tt><br>
</tt><tt> <name>Default Security Policy</name></tt><tt><br>
</tt><tt> <credentials></tt><tt><br>
</tt><tt> <password></tt><tt><br>
</tt><tt>
<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts></tt><tt><br>
</tt><tt>
<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration></tt><tt><br>
</tt><tt>
<lockoutDuration>PT15M</lockoutDuration></tt><tt><br>
</tt><tt> <valuePolicyRef xmlns:tns=<a
class="moz-txt-link-rfc2396E"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a></tt><tt><br>
</tt><tt>
oid="00000000-0000-0000-0000-000000000003"</tt><tt><br>
</tt><tt> relation="org:default"</tt><tt><br>
</tt><tt>
type="tns:ValuePolicyType"><!-- Default Password Policy
--></valuePolicyRef></tt><tt><br>
</tt><tt> </password></tt><tt><br>
</tt><tt> <securityQuestions></tt><tt><br>
</tt><tt> <questionNumber>2</questionNumber></tt><tt><br>
</tt><tt> <question id="2"></tt><tt><br>
</tt><tt>
<identifier><a class="moz-txt-link-freetext"
href="http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001">http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</a></identifier></tt><tt><br>
</tt><tt> <enabled>true</enabled></tt><tt><br>
</tt><tt> <questionText>How much wood would a
woodchuck chuck if woodchuck could chuck
wood?</questionText></tt><tt><br>
</tt><tt> </question></tt><tt><br>
</tt><tt> <question id="3"></tt><tt><br>
</tt><tt>
<identifier><a class="moz-txt-link-freetext"
href="http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002">http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</a></identifier></tt><tt><br>
</tt><tt> <questionText>What is your mother's
best friend's uncle's grandaughter's dog's mother maiden
name?</questionText></tt><tt><br>
</tt><tt> </question></tt><tt><br>
</tt><tt> </securityQuestions></tt><tt><br>
</tt><tt> </credentials></tt><tt><br>
</tt><font color="#3333ff"><b><tt> <credentialsReset></tt></b><b><tt><br>
</tt></b><b><tt> <securityQuestionReset/></tt></b><b><tt><br>
</tt></b><b><tt> </credentialsReset></tt></b><b><tt><br>
</tt></b></font><tt></securityPolicy></tt></font></p>
<p>When you will test that, please make sure that the user has an
e-mail address filled-in in midPoint. And when resetting password,
you have to enter that e-mail address. It will <b>not</b> be used
to send anything to it (in this setting); it serves here just as
an additional verification of the identity.</p>
<p>
<blockquote type="cite">Another related question: Is it possible
to have both email reset and security question reset active at
the same time and allow users to select which method to use?
</blockquote>
As far as I know this is currently not possible.</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 03.08.2018 1:07, Brad Firestone
wrote:<br>
</div>
<blockquote type="cite" cite="mid:5B638EC8.4010800@gmail.com">Hi
All,
<br>
<br>
Thanks for all who contribute such helpful information on this
list. I've tried to answer when I know something, but most
people's questions are more advanced than I am. :-)
<br>
<br>
Forgive me for repeating. Peter has asked a similar question in
2017 with no answers:
<br>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/pipermail/midpoint/2017-April/003624.html">http://lists.evolveum.com/pipermail/midpoint/2017-April/003624.html</a>
<br>
<br>
And I asked this question a month or so ago when using 3.6.1 but
didn't receive any answers. I know this is a community resource
and nothing is guaranteed, but I thought I'd ask again. I've
tried working through this again with version 3.7.2 and still
can't figure out how to configure the system for Security Question
password reset. Reset via email is working fine but we plan to
control our email accounts through midPoint, so really need
Security Questions to work.
<br>
<br>
I've tried looking through all the Wiki articles and Sample files
and haven't found a complete example that shows password reset via
Security Questions that I can get to work. It's possible I'm just
missing it, but the more recent examples I've found which include
information for Security Questions still show the credentialsReset
method as passwordMailReset:
<br>
<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration">https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration</a>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/security-policy.xml">https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/security-policy.xml</a>
<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Security+Policy+Configuration">https://wiki.evolveum.com/display/midPoint/Security+Policy+Configuration</a>
<br>
<br>
<credentialsReset>
<br>
<mailReset>
<br>
<name>passwordMailReset</name>
<br>
<additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
<br>
</mailReset>
<br>
</credentialsReset>
<br>
<br>
I have the Security Questions defined, and my Users can enter
answers to the questions. But I can't find an example of how to
activate password reset via the questions instead of email.
<br>
<br>
I also tried applying the Security Policy Sample that was
bundled. This policy only lists Security Questions and includes
the following which seems to be a different syntax compared to
above:
<br>
<resetMethod>
<br>
<resetType>securityQuestions</resetType>
<br>
</resetMethod>
<br>
<br>
But when I activate this security policy and click on "Forgot
Password" on the login screen, I get a blank space with a Back
button and a Reset Password button. Clicking on Reset Password
gives an error of "Unsupported password reset type".
<br>
<br>
Can anybody share or point me to an example of how to set this
up? I know there are plans to rebuild the password reset system,
but hopefully I can get this working for now.
<br>
<br>
Another related question: Is it possible to have both email reset
and security question reset active at the same time and allow
users to select which method to use?
<br>
<br>
Thank you!
<br>
Brad
<br>
<br>
<br>
_______________________________________________
<br>
midPoint mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
<br>
</blockquote>
<br>
</body>
</html>