<html><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head><body text="#000000" bgcolor="#FFFFFF">Hello Pavol,<br>
<br>
Thank you so much for your reply and your great explanation.  I will try
 to apply the recent commit and test that.  Also thank you for the 
example security policy.  This is very helpful!!<br>
<br>
It may be a week or more before I can test, but will follow up and let 
you know how it works for me.<br>
Thanks again!<br>
Brad<br>
<br>
<span>On 8/6/18, 8:14 AM, Pavol Mederly wrote:</span><br>
<blockquote cite="mid:2b939b56-ec1c-8a15-427c-3f2b6930b118@evolveum.com"
 type="cite">
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

  
  
    
  <p>Hello Brad,</p>

    
  <p>
      </p>
  <blockquote type="cite">Thanks for all who contribute such helpful
        information on this list.  I've tried to answer when I know
        something, but most people's questions are more advanced than I
        am.  :-)
      </blockquote>

      that's the right approach, thank you for it. Our (developers')
      resources are really limited - for various reasons - so community
      members are the ones who can really help here a lot.
    
  <p>The code handling security questions is a contributed one, and in
      current midPoint version it seems to be not working quite well.
      Recently I had to make some fixes to make it better working. They
      are on the current master, please see <a moz-do-not-send="true" 
href="https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9">https://github.com/Evolveum/midpoint/commit/658e09cbd0ba906f6eb9f12e27f4ac64829c3df9</a>.</p>

    
  <p>So, when testing, please use the master, or at least the above
      commit.</p>

    
  <p>Now the configuration. I suggest the following:</p>

    
  <p><u><b>Default Security Policy</b></u></p>

    
  <p><font size="-1"><tt><securityPolicy xmlns=<a 
moz-do-not-send="true" class="moz-txt-link-rfc2396E" 
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a></tt><tt><br>
        </tt><tt>                xmlns:q=<a moz-do-not-send="true" 
class="moz-txt-link-rfc2396E" 
href="http://prism.evolveum.com/xml/ns/public/query-3">"http://prism.evolveum.com/xml/ns/public/query-3"</a></tt><tt><br>
        </tt><tt>                xmlns:c=<a moz-do-not-send="true" 
class="moz-txt-link-rfc2396E" 
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a></tt><tt><br>
        </tt><tt>                xmlns:t=<a moz-do-not-send="true" 
class="moz-txt-link-rfc2396E" 
href="http://prism.evolveum.com/xml/ns/public/types-3">"http://prism.evolveum.com/xml/ns/public/types-3"</a></tt><tt><br>
        </tt><tt>                xmlns:org=<a moz-do-not-send="true" 
class="moz-txt-link-rfc2396E" 
href="http://midpoint.evolveum.com/xml/ns/public/common/org-3">"http://midpoint.evolveum.com/xml/ns/public/common/org-3"</a></tt><tt><br>
        </tt><tt>               
          xmlns:icfs=<a moz-do-not-send="true" 
class="moz-txt-link-rfc2396E" 
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a></tt><tt><br>
        </tt><tt>               
          xmlns:ri=<a moz-do-not-send="true" 
class="moz-txt-link-rfc2396E" 
href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a></tt><tt><br>
        </tt><tt>               
          oid="00000000-0000-0000-0000-000000000120"</tt><tt><br>
        </tt><tt>                version="6"></tt><tt><br>
        </tt><tt>   <name>Default Security Policy</name></tt><tt><br>
        </tt><tt>   <credentials></tt><tt><br>
        </tt><tt>      <password></tt><tt><br>
        </tt><tt>        
          
<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts></tt><tt><br>
        </tt><tt>        
<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration></tt><tt><br>
        </tt><tt>        
          <lockoutDuration>PT15M</lockoutDuration></tt><tt><br>
        </tt><tt>         <valuePolicyRef xmlns:tns=<a 
moz-do-not-send="true" class="moz-txt-link-rfc2396E" 
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a></tt><tt><br>
        </tt><tt>                        
          oid="00000000-0000-0000-0000-000000000003"</tt><tt><br>
        </tt><tt>                         relation="org:default"</tt><tt><br>
        </tt><tt>                        
          type="tns:ValuePolicyType"><!-- Default Password Policy
          --></valuePolicyRef></tt><tt><br>
        </tt><tt>      </password></tt><tt><br>
        </tt><tt>      <securityQuestions></tt><tt><br>
        </tt><tt>         <questionNumber>2</questionNumber></tt><tt><br>
        </tt><tt>         <question id="2"></tt><tt><br>
        </tt><tt>           
          <identifier><a moz-do-not-send="true" 
class="moz-txt-link-freetext" 
href="http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001">http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</a></identifier></tt><tt><br>
        </tt><tt>            <enabled>true</enabled></tt><tt><br>
        </tt><tt>            <questionText>How much wood would a
          woodchuck chuck if woodchuck could chuck
          wood?</questionText></tt><tt><br>
        </tt><tt>         </question></tt><tt><br>
        </tt><tt>         <question id="3"></tt><tt><br>
        </tt><tt>           
          <identifier><a moz-do-not-send="true" 
class="moz-txt-link-freetext" 
href="http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002">http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</a></identifier></tt><tt><br>
        </tt><tt>            <questionText>What is your mother's
          best friend's uncle's grandaughter's dog's mother maiden
          name?</questionText></tt><tt><br>
        </tt><tt>         </question></tt><tt><br>
        </tt><tt>      </securityQuestions></tt><tt><br>
        </tt><tt>   </credentials></tt><tt><br>
        </tt><font color="#3333ff"><b><tt>   <credentialsReset></tt></b><b><tt><br>
            </tt></b><b><tt>      <securityQuestionReset/></tt></b><b><tt><br>
            </tt></b><b><tt>   </credentialsReset></tt></b><b><tt><br>
            </tt></b></font><tt></securityPolicy></tt></font></p>

    
  <p>When you will test that, please make sure that the user has an
      e-mail address filled-in in midPoint. And when resetting password,
      you have to enter that e-mail address. It will <b>not</b> be used
      to send anything to it (in this setting); it serves here just as
      an additional verification of the identity.</p>

    
  <p>
      </p>
  <blockquote type="cite">Another related question:  Is it possible
        to have both email reset and security question reset active at
        the same time and allow users to select which method to use?
      </blockquote>

      As far as I know this is currently not possible.
    
  <p>Best regards,<br>
    </p>

    
  <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>

    
  <div class="moz-cite-prefix">On 03.08.2018 1:07, Brad Firestone
      wrote:<br>
    </div>

    
  <blockquote type="cite" cite="mid:5B638EC8.4010800@gmail.com">Hi
      All,
      <br>
      <br>
      Thanks for all who contribute such helpful information on this
      list.  I've tried to answer when I know something, but most
      people's questions are more advanced than I am.  :-)
      <br>
      <br>
      Forgive me for repeating.  Peter has asked a similar question in
      2017 with no answers:
      <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext" 
href="http://lists.evolveum.com/pipermail/midpoint/2017-April/003624.html">http://lists.evolveum.com/pipermail/midpoint/2017-April/003624.html</a>
      <br>
      <br>
      And I asked this question a month or so ago when using 3.6.1 but
      didn't receive any answers.   I know this is a community resource
      and nothing is guaranteed, but I thought I'd ask again.  I've
      tried working through this again with version 3.7.2 and still
      can't figure out how to configure the system for Security Question
      password reset.  Reset via email is working fine but we plan to
      control our email accounts through midPoint, so really need
      Security Questions to work.
      <br>
      <br>
      I've tried looking through all the Wiki articles and Sample files
      and haven't found a complete example that shows password reset via
      Security Questions that I can get to work.  It's possible I'm just
      missing it, but the more recent examples I've found which include
      information for Security Questions still show the credentialsReset
      method as passwordMailReset:
      <br>
      <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext" 
href="https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration">https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration</a>
      <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext" 
href="https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/security-policy.xml">https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/security-policy.xml</a>
      <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext" 
href="https://wiki.evolveum.com/display/midPoint/Security+Policy+Configuration">https://wiki.evolveum.com/display/midPoint/Security+Policy+Configuration</a>
      <br>
      <br>
      <credentialsReset>
      <br>
      <mailReset>
      <br>
      <name>passwordMailReset</name>
      <br>
<additionalAuthenticationName>confirmationLink</additionalAuthenticationName>

      <br>
      </mailReset>
      <br>
      </credentialsReset>
      <br>
      <br>
      I have the Security Questions defined, and my Users can enter
      answers to the questions.  But I can't find an example of how to
      activate password reset via the questions instead of email.
      <br>
      <br>
      I also tried applying the Security Policy Sample that was
      bundled.  This policy only lists Security Questions and includes
      the following which seems to be a different syntax compared to
      above:
      <br>
      <resetMethod>
      <br>
      <resetType>securityQuestions</resetType>
      <br>
      </resetMethod>
      <br>
      <br>
      But when I activate this security policy and click on "Forgot
      Password" on the login screen, I get a blank space with a Back
      button and a Reset Password button.  Clicking on Reset Password
      gives an error of "Unsupported password reset type".
      <br>
      <br>
      Can anybody share or point me to an example of how to set this
      up?  I know there are plans to rebuild the password reset system,
      but hopefully I can get this working for now.
      <br>
      <br>
      Another related question:  Is it possible to have both email reset
      and security question reset active at the same time and allow
      users to select which method to use?
      <br>
      <br>
      Thank you!
      <br>
      Brad
      <br>
      <br>
      <br>
      _______________________________________________
      <br>
      midPoint mailing list
      <br>
      <a moz-do-not-send="true" class="moz-txt-link-abbreviated" 
href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
      <br>
      <a moz-do-not-send="true" class="moz-txt-link-freetext" 
href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
      <br></blockquote>

    <br>

  


  <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body></html>