
Excerpt
The Password Authenticator plugin manages passwords for CO People. (experimental)


Warning: This plugin is considered Experimental.

...

  • Autogenerate: The Password is autogenerated on demand, and displayed once.
  • External: The Password is managed by an external component via the REST API.
  • Self Select: The Password is self selected by the individual. This is the mode for all PasswordAuthenticators instantiated prior to v3.3.0.

...

External Passwords are expected to be entirely managed by another component via the REST API. The use of Unprivileged API Users may be supported in a future release (CO-1874).

...

The LDAP Provisioning Plugin supports writing the hashed password to the userPassword attribute. As of Registry v3.2.0, the plugin will only write SSHA hashed values to the LDAP record.
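The following is an added example, not code from the plugin or from Registry. It assumes the standard OpenLDAP salted SHA-1 layout for `{SSHA}`, which is base64(SHA1(password + salt) + salt), and shows how to check that a provisioned userPassword value is well-formed SSHA and verify a password against it. All function names and the sample records are hypothetical.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in bytes

def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build a userPassword value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_userpassword(value: str) -> tuple[str, bytes, bytes]:
    """Split a userPassword value into (scheme, digest, salt)."""
    if not value.startswith("{") or "}" not in value:
        return ("CLEARTEXT", b"", b"")  # no scheme prefix at all
    scheme, _, encoded = value[1:].partition("}")
    if scheme.upper() != "SSHA":
        return (scheme.upper(), b"", b"")  # another scheme; not decoded here
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("SSHA value has no salt after the 20-byte digest")
    return ("SSHA", raw[:SHA1_LEN], raw[SHA1_LEN:])

def verify_ssha(password: str, value: str) -> bool:
    """Check a candidate password against an {SSHA} value in constant time."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme != "SSHA":
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def audit(entries: dict[str, str]) -> list[str]:
    """Return the DNs whose userPassword is not a well-formed SSHA value."""
    flagged = []
    for dn, value in entries.items():
        try:
            if parse_userpassword(value)[0] != "SSHA":
                flagged.append(dn)
        except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
            flagged.append(dn)
    return flagged

if __name__ == "__main__":
    # Constructed sample records, not taken from any real directory.
    sample = {"uid=a": make_ssha("example-pw"), "uid=b": "{MD5}AAAA", "uid=c": "cleartext"}
    print(audit(sample))
```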

Self Service Reset (Registry v4.1.0 and later)

Self Service Credential Reset is managed by the Recovery Dashboard Widget, working with the Password Authenticator Plugin. The Recovery Widget handles user identity lookup before handing off the reset operation to the Password Authenticator.

Info

Self Service Reset currently only supports Self Select Password Source Mode.

Self Service Reset (Registry v4.0.x)

Registry v4.0.0 introduces the ability for users to reset their own password. This feature is disabled by default.

Self Service Reset works by exposing an unauthenticated page where users may enter an Identifier or verified Email Address. If the value matches an active CO Person record, a reset notification message will be sent to all verified Email Addresses associated with the record. The message notification will include a single use token (embedded in a URL) that will allow the bearer to select a new password.

To enable Self Service Reset, first define a Message Template with a context of Authenticator. This is the message that will be sent to the verified email address(es), and should minimally include the (@RESET_URL) substitution. Next, enable Self Service Reset for the desired Password Authenticator configuration. Configure it with the appropriate Reset Message Template.

A Redirect URL may be specified on successful reset to send the user to an appropriate page, such as documentation, an application, or an account management page. Otherwise, the user will be sent to the Password Authenticator's password management page. 

Once enabled, the Password Authenticator configuration will render the Self Service Reset Initiation URL, which is the path to the unauthenticated page used to start the reset process.

Info

Self Service Reset currently only supports Self Select Password Source Mode.


Info

Locked Authenticators cannot be reset. Similarly, Authenticators cannot be reset for CO People not in Active or Grace Period status.

The search interface may still send a reset token in these circumstances; however, on validation the request will be rejected.

See Also