Configure password self-service
Adaxes enables users to reset their own passwords and unlock their accounts without any assistance from the Help Desk or IT staff. The user's identity can be verified by answering security questions and/or entering a verification code received via SMS or email, or generated by an authenticator app such as Google Authenticator or Authy.
In this tutorial, you will learn how to configure and assign policies for password self-service, and how to customize the options for resetting passwords from the Windows/macOS logon screen and the Adaxes Web interface.
Policies
All aspects of the self-service password reset process are determined by password self-service policies. A policy defines the methods used to prove the user identity (security questions and/or verification codes), the number of questions to be answered, mandatory and optional questions, whether user-defined questions are allowed, account blocking and unlocking options, e-mail notification settings, etc.
The policy-based approach allows you to apply different levels of security to different users. For example, you can apply stricter policies to privileged users, such as administrators and Help Desk operators, and less strict policies to other users. A policy can be assigned to all users within a domain, users located in an organizational unit, members of groups and business units, individual users, etc. If necessary, you can exclude specific users, groups, OUs, and business units from the scope of a policy.
If users have no assigned policies, the Password self-service feature is not available for them. By default, there are no password self-service policies defined in Adaxes. To allow users to reset their forgotten passwords, you need to create and assign policies.
To create a policy for password self-service:
- Launch Adaxes Administration console.
  How:
  - On the computer where Adaxes Administration console is installed, open the Windows Start menu.
  - Click Adaxes Administration Console.
- Expand Adaxes service \ Configuration \ Password Self-Service and select Policies.
- In Password Self-Service Policies on the right, click New.
  Follow the instructions in the Create Policy for Password Self-Service wizard.
  - On the Activity Scope step, click Add and select from the following items:
    - All Objects – select to apply the policy to all users in all domains managed by Adaxes.
    - Domain – select to apply the policy to all users within a specific domain.
    - OU or Container – select to apply the policy to the users located in an organizational unit or container.
    - Group – select to apply the policy to members of a group.
    - Business unit – select to apply the policy to members of a business unit. To select a business unit, open the Look in drop-down and select the Business Units item.
    You can exclude specific users, groups, organizational units and business units from the policy scope. For example, if you applied the policy to all users in a domain but do not want to apply it to members of a certain group, you can exclude the group from the scope. To exclude an object, select the Exclude the selection checkbox in the Assignment Options dialog box.
    Step by step:
    - Click the object you want to exclude.
    - In the Assignment Options dialog, select the Exclude the selection checkbox.
    - Click OK.
    When done, click OK and then Finish.
If a user falls within the scope of two or more policies, the policy with the higher precedence is applied. To change the precedence of a policy, select it and use the buttons.
To view all users a policy applies to, select the policy and click Show all affected users. To view the policy applied to a specific user, click Lookup policy for user.
Web interface
By default, the Password Self-Service component is enabled for the Self-Service Web interface only. This means that, by default, only this Web interface can be used to reset forgotten passwords, unlock accounts and enroll for password self-service.
Follow the steps below to enable or disable the Password Self-Service component for a Web interface and to configure the options related to enrolling for password self-service.
- Open Adaxes Web interface configurator.
  How:
  - On the computer where Web interface configurator is installed, open the Windows Start menu.
  - Click Adaxes Web Interface Configurator.
  To configure the Web interface, you need to have the appropriate permissions.
  Permissions:
  The permissions to configure the Web interface are delegated via security roles. By default, only service administrators have the appropriate permissions. To enable other users to configure the Web interface, grant them the corresponding permissions.
  To create a security role that grants the permissions to configure the Web interface:
  - In Adaxes Administration console, right-click your Adaxes service, point to New and click Security Role.
  - Enter a name for the new security role and click Next.
  - On the Permissions step, click the down arrow embedded in the Add button and click Configure Web Interface.
  - Click Next and follow the steps in the wizard.
- In the top left corner, select the Web interface you want to customize.
- In the left navigation menu, click Components.
- Use the Password self-service checkbox to enable or disable the Password self-service component.
- To periodically prompt users to enroll for password reset, select the Prompt users to enroll for password self-service checkbox and select how often the prompt should be displayed.
- To configure the password self-service form, click Customize the password reset form.
  Settings you can configure:
  Available actions
  - Generate – allows generating a random password that meets the complexity requirements of the password policy assigned to the user.
  - Spell out – allows viewing the new password spelled out using the phonetic alphabet. For information on how to configure password spell out, see Configure password spell out.
  - View password policy – allows viewing the password policy assigned to the user.
  Custom message
  You can place a custom message on the password reset form.
- To configure the password self-service options available in the My menu drop-down, use the corresponding checkboxes under the My menu checkbox.
  My menu is located in the top-right corner of the Web interface.
- To allow users to enroll, re-enroll, and cancel enrollment for password self-service right from the Home page of the Web interface, enable the Password self-service card. The card is not visible when there are no password self-service policies assigned to the user. For details, see Customize the Home page.
For information on how to configure Adaxes to automatically enroll users, see Autoenroll users for self-password reset.
OS login screen
To enable users to reset their passwords right from the Windows/macOS login and unlock screens, you need to install the Adaxes self-service client on each computer where you want the feature to be available.
To install and configure the Adaxes self-service client:
- Launch Adaxes Administration console.
  How:
  - On the computer where Adaxes Administration console is installed, open the Windows Start menu.
  - Click Adaxes Administration Console.
- Expand Adaxes service \ Configuration \ Password Self-Service and select OS Integration.
- In the Client Setup section on the right, download the self-service client for the required operating system. To view detailed information on how to deploy the client, click Installation Guide.
Publish link
You can integrate the password self-service feature into your web sites and applications by adding a link to the Reset Password page of Adaxes Web interface.
Example:
  <a href="http://example.com/Adaxes/SelfService/#/SelfPasswordReset?ReturnUrl=http%3A%2F%2Fwebsite.com">Forgot password?</a>
Use the ReturnUrl parameter to specify the URL to open when the user completes or cancels the password reset.
For details on how to limit the hosts allowed in the parameter, see Limit hosts allowed in ReturnURL for password self-service.
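As an added example (not part of the Adaxes documentation or product), the following JavaScript shows how a site can build this link with the ReturnUrl value percent-encoded, and check the return URL's host against an allowlist on the site's own side before placing it in the link, complementing the server-side host limit referenced above. The base URL http://example.com/Adaxes/SelfService/ is the page's own placeholder; the allowlist entries, helper names and sample return URLs are assumptions made for this example.

```javascript
// Added example, not Adaxes code. Builds a "Forgot password?" link to the
// Adaxes Self-Service password reset page and validates the ReturnUrl host
// against an allowlist. The base URL is the page's placeholder; the allowlist
// entries and sample return URLs below are constructed for this example.
const ADAXES_SELF_SERVICE = "http://example.com/Adaxes/SelfService/";
const ALLOWED_RETURN_HOSTS = new Set(["website.com", "intranet.website.com"]);

// Returns true only if returnUrl parses as an absolute http(s) URL whose
// hostname is exactly on the allowlist. Relative paths, non-http(s) schemes
// and hostnames that merely contain an allowed name are all rejected.
function isAllowedReturnUrl(returnUrl) {
  let parsed;
  try {
    parsed = new URL(returnUrl); // throws for relative or malformed input
  } catch {
    return false;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  return ALLOWED_RETURN_HOSTS.has(parsed.hostname.toLowerCase());
}

// Builds the reset-password link. The ReturnUrl value is percent-encoded with
// encodeURIComponent so characters such as "/", ":", "?" and "&" inside it are
// carried as data rather than being read as part of the Adaxes URL itself.
function buildResetPasswordLink(returnUrl) {
  if (!isAllowedReturnUrl(returnUrl)) {
    throw new Error(`ReturnUrl host not allowed: ${returnUrl}`);
  }
  return ADAXES_SELF_SERVICE + "#/SelfPasswordReset?ReturnUrl=" + encodeURIComponent(returnUrl);
}

// Renders the anchor as HTML text, escaping the href attribute value so the
// link can be embedded in a page template without breaking the markup.
function renderForgotPasswordAnchor(returnUrl) {
  const href = buildResetPasswordLink(returnUrl)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;");
  return `<a href="${href}">Forgot password?</a>`;
}

// Demonstration: reproduces the link shown in the text above.
console.log(renderForgotPasswordAnchor("http://website.com"));
```

The allowlist check compares the parsed hostname exactly rather than testing whether the string starts with or contains an allowed name, and it refuses anything that is not an absolute http(s) URL; a return URL that fails the check never reaches the link.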
Reset authenticator app
If a mobile authenticator app (Google Authenticator, Okta Verify, Authy, etc.) is used as a verification method for self-service password reset, and a user loses their mobile device or gets a new one, they need to re-activate the app on the new device. This can be done in one of the following ways:
- Transfer the activation to the new device by means of the authenticator app.
- Use the Change device option.
- Reset the app activation using the Reset multifactor authentication operation.
Change device
The Change device option is available via the Multifactor authentication card that is enabled by default in the Self-Service Web interface.
How to enable the card:
- Open Adaxes Web interface configurator.
- In the top left corner, select the Web interface you want to customize.
- In the left navigation menu, click Home Page.
- In the Cards section, select the Multifactor Authentication checkbox.
- Save the changes.
The card is only visible if the logged-in user has already activated an authenticator app, and the app is used for self-service password reset or is required to sign in to a Web interface.
Reset multifactor authentication
Activation of a mobile authenticator app can also be reset using the Reset multifactor authentication operation, which is available both in the Administration console and in the Web interface.
The operation is available in the Web interface only if the logged-in user has the permission to execute it, and verification via an authenticator app is enabled for password self-service or Web interface sign-in. If necessary, you can disable the Reset multifactor authentication operation in a Web interface. For details, see Disable operations on directory objects.
To perform the operation, the user must have the Allow reset multifactor authentication permission assigned to them via security roles.
How to add the permission:
- Launch Adaxes Administration console.
- Expand Adaxes service \ Configuration \ Security Roles.
- Select the security role you want to modify.
- In the Permissions section on the right, click Add.
- In the list of object types, select User.
- In the General permissions list, select the Reset Multifactor Authentication permission in the Allow column.
- Click OK and then click Save changes.