jlrodriguez Super Contributor.

SSPR Create a valid token from outside the application

Hi,

When a new user is created, we want IDM to send an email with a link that allows the user to set his initial password. Authentication must be with a token.
Is there any way we can set a forgotten-password token for a user from outside SSPR?
I'm thinking of creating a token using an IDM rule and storing it in pwmToken, but I see that SSPR stores the token hashed in this attribute.
Another option would be to use the REST API, but I can't see any method to have SSPR define and send the token.

Any idea?

Regards
Jose Luis
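To illustrate the point behind the question (the directory attribute holds only a hash of the token, so a token minted by an external rule is usable only if it is written in exactly the stored format), here is an added example, not code from SSPR or from this thread, of a hashed, expiring, one-time token record; the salted SHA-256 scheme and the one-hour lifetime are assumptions for illustration, not SSPR's real format.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration of the pattern the thread describes: the stored
# record (pwmToken on the page) holds a hash of the token, never the token.
# The hash scheme (SHA-256 over random salt + token) and the TTL are assumed
# for this example and are not SSPR's actual storage format.

TOKEN_TTL_SECONDS = 3600  # assumed token lifetime


def mint_token(now=None):
    """Return (token to e-mail, record to store). Only the record is persisted."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    salt = secrets.token_hex(8)
    digest = hashlib.sha256((salt + token).encode()).hexdigest()
    record = {"salt": salt, "hash": digest,
              "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token, record


def verify_token(presented, record, now=None):
    """Check a presented token against the stored record; consume it on success."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False  # replayed link or expired token
    digest = hashlib.sha256((record["salt"] + presented).encode()).hexdigest()
    if not hmac.compare_digest(digest, record["hash"]):
        return False  # wrong token, compared in constant time
    record["used"] = True  # one-time use: the same link must not work twice
    return True
```

A record written with the clear-text token in the hash field (what an external rule writing pwmToken directly would produce) never verifies, which is the obstacle the question describes.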
7 Replies
Knowledge Partner

Re: SSPR Create a valid token from outside the application

Just as a silly question, is there some reason you do not have IDM just
set a password on the user, expire it, and then have the user set it to a
new value upon login, sending the original password in the e-mail? I
suppose it's a little easier to just have a link to login directly, but it
would not be any more secure.

Which SSPR version, specifically, are you using?


--
Good luck.

jlrodriguez Super Contributor.

Re: SSPR Create a valid token from outside the application

This is a customer's requirement. This is for the process to register their new customers, and they want to make it as easy as possible. We're replacing an application that actually does it this way.
We're actually working with SSPR v3.3.1.5, but I did some tests with SSPR 4.0.1 and it does not seem to solve the problem.
Regards
tschloesser Outstanding Contributor.

Re: SSPR Create a valid token from outside the application

jlrodriguez;2455192 wrote:
This is a customer's requirement. This is for the process to register their new customers, and they want to make it as easy as possible. We're replacing an application that actually does it this way.
We're actually working with SSPR v3.3.1.5, but I did some tests with SSPR 4.0.1 and it does not seem to solve the problem.
Regards


Hi,

You can configure SSPR to let the user provide a value of a custom attribute along with his username to verify that he/she is the correct user. After providing the correct value(s) the user can set his own password. This attribute can be automatically set by an IDM rule or something else!

To make the whole process even more secure, you can combine it with the random token generated by SSPR and sent to the user via SMS or mail.

Kind regards,

Thorsten
jlrodriguez Super Contributor.

Re: SSPR Create a valid token from outside the application

tschloesser;2455227 wrote:
Hi,

You can configure SSPR to let the user provide a value of a custom attribute along with his username to verify that he/she is the correct user. After providing the correct value(s) the user can set his own password. This attribute can be automatically set by an IDM rule or something else!

To make the whole process even more secure, you can combine it with the random token generated by SSPR and sent to the user via SMS or mail.

Kind regards,

Thorsten


Can we simulate the behavior of password recovery with a token using a custom attribute? I mean, can we send an email with a link that includes, for example, the user and that attribute, so that SSPR authenticates it and lets the user directly change his password?

Regards
Jose Luis
tschloesser Outstanding Contributor.

Re: SSPR Create a valid token from outside the application

My idea was that in the IDM directory a custom attribute is used to store a value (only) the user knows. For sure you could set up an IDM process to send out an email to the user containing that value and the URL of the SSPR module to reset the password.

To actually reset the password, a user must log in to the SSPR module's forgotten password service by providing the username + the value of the custom attribute. In the simple configuration the user is able to set his password afterwards.

For one or the other customer we defined that a user has to provide the last digits of his passport number or something similar during this process.

To make the process even more secure, SSPR allows you to generate a random token sent by SMS or a one-time password. Those setups need some conceptual thinking and the setup is maybe a little more complex - but it is possible 😉

To make it work you might ensure that the users have an expired password in advance - I would suggest generating a random password during user creation and setting the password expiration time.
jlrodriguez Super Contributor.

Re: SSPR Create a valid token from outside the application

I will try to convince them to use the expired password for the first authentication.

Anyway, I think that offering a REST option for generating the mail with the token is a good idea to incorporate into SSPR.

Regards
Jose Luis
Micro Focus Contributor

Re: SSPR Create a valid token from outside the application

jlrodriguez;2455308 wrote:
I will try to convince them to use the expired password for the first authentication.

Anyway, I think that offering a REST option for generating the mail with the token is a good idea to incorporate into SSPR.

Regards
Jose Luis


I think you're actually trying to do what the User Activation feature is for. This module allows users to set an initial password on a newly created account using values in LDAP attributes. When properly configured, it only allows this for new users, and not for existing users.