Configuring Password Policy Authenticator¶
The Password Policy authenticator lets you enforce a password reset during the authentication flow: if the user's password has expired, the user is prompted to reset it before authentication completes.
If you are using Password Policy Authenticator version 1.0.8, go to the WSO2 identity-outbound-auth-passwordPolicy GitHub repository to view the latest documentation.
Deploying Password Policy artifacts¶
Download the Password Policy Authenticator and artifacts from the WSO2 connector store.
Add the following lines to the deployment.toml file in the <IS_HOME>/repository/conf directory:

```toml
[[event_handler]]
name = "passwordExpiry"
subscriptions = ["POST_UPDATE_CREDENTIAL", "POST_UPDATE_CREDENTIAL_BY_ADMIN", "POST_ADD_USER"]

[event_handler.properties]
passwordExpiryInDays = "30"
enableDataPublishing = false
priorReminderTimeInDays = "0"
```
Place the authentication pwd-reset.jsp file into the
Before copying the pwd-reset.jsp file, start the server at least once so that the folder exists and the web app can be deployed.
Place the authenticator .jar file (org.wso2.carbon.extension.identity.authenticator.passwordpolicy.connector-1.0.3.jar) into the <IS_HOME>/repository/components/dropins directory. (To download the authenticator, go to https://store.wso2.com/store/assets/isconnector/passwordpolicy.)
If you want to upgrade the Password Policy Authenticator in an existing IS pack, refer to the upgrade instructions.
Open the identity-mgt.properties file found in the <IS_HOME>/repository/conf/identity directory and add the following property. The value must be an integer.
If the property is not added to the file, the password expiry period defaults to 30 days.
Add claim mapping¶
A claim is a piece of information about a particular subject. It can be anything the subject owns or is associated with, such as a name, group or preferences. In this instance, the claim in question is lastPasswordChangedTimestamp, and it must be linked to a claim that is local to WSO2 Identity Server. This claim is required because WSO2 Identity Server needs to know whether the password has expired for this flow to work.
For more information about claim mappings, see Adding a claim mapping.
- Navigate to the Identity section under the Main tab of the management console.
- Click Add under Claims and then click Add Local Claim.
- Add a new claim with http://wso2.org/claims/lastPasswordChangedTimestamp as the Claim Uri.
When adding the new claim, choose the mapped attribute according to the secondary user store: for an LDAP user store, use an attribute that is mapped to an existing unused claim; for a JDBC user store, any attribute name can be used as the mapped attribute.
Deploying travelocity sample application¶
Follow this guide to deploy and configure the travelocity.com sample app in order to use it in this scenario.
Configuring the Service Provider¶
The next step is to configure the service provider.
In the previous section you configured a service provider in WSO2 Identity Server. Now edit that service provider to configure password reset.
Go to Local and Outbound Authentication Configuration section.
Select the Advanced configuration radio button option.
Add the basic authentication as first step and password-reset-enforcer authentication as second step.
Leave the Use attributes from this step option unchecked for the second step once it has been added and selected.
You have now added and configured the service provider.
Testing the sample¶
To test the sample, the password needs to be expired. Select the "Supported by Default" checkbox in the lastPasswordChangedTimestamp claim mapping that has the http://wso2.org/claims/lastPasswordChangedTimestamp claim URI.
In a production setup, you need to deselect the "Supported by Default" checkbox in the lastPasswordChangedTimestamp claim mapping configuration.
Enter a date and time in the past for the Password Changed Time field. Make sure to provide the value in the Epoch format.
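To see how the passwordExpiryInDays and priorReminderTimeInDays settings above turn a lastPasswordChangedTimestamp value into an "expired" decision, and to produce a past Epoch value for the Password Changed Time field, here is a small added example (not code from WSO2 Identity Server or the connector). It assumes the claim is stored as epoch milliseconds and that a missing claim is simply reported as "unknown"; the page does not describe the authenticator's behaviour in that case.

```python
"""Password-expiry evaluation mirroring the [event_handler] settings on this page."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values taken from the deployment.toml snippet above.
PASSWORD_EXPIRY_IN_DAYS = 30
PRIOR_REMINDER_TIME_IN_DAYS = 0


def changed_timestamp(days_ago: int, now: Optional[datetime] = None) -> int:
    """Return an Epoch value (assumed: milliseconds) for a password that was
    changed `days_ago` days before `now`; paste it into Password Changed Time."""
    now = now or datetime.now(timezone.utc)
    return int((now - timedelta(days=days_ago)).timestamp() * 1000)


def password_status(last_changed_ms: Optional[int],
                    now: Optional[datetime] = None,
                    expiry_days: int = PASSWORD_EXPIRY_IN_DAYS,
                    reminder_days: int = PRIOR_REMINDER_TIME_IN_DAYS) -> str:
    """Classify a user's password as 'valid', 'reminder', 'expired' or 'unknown'.

    'expired'  -> the authenticator would force a reset at login.
    'reminder' -> inside the priorReminderTimeInDays window before expiry.
    'unknown'  -> the claim is not set for this user (assumed handling).
    """
    if last_changed_ms is None:
        return "unknown"
    now = now or datetime.now(timezone.utc)
    changed = datetime.fromtimestamp(last_changed_ms / 1000, tz=timezone.utc)
    expires_at = changed + timedelta(days=expiry_days)
    if now >= expires_at:
        return "expired"
    if reminder_days > 0 and now >= expires_at - timedelta(days=reminder_days):
        return "reminder"
    return "valid"


if __name__ == "__main__":
    # Constructed reference time so the output is reproducible.
    ref = datetime(2024, 1, 31, tzinfo=timezone.utc)
    for days in (10, 30, 45):
        value = changed_timestamp(days, ref)
        print(days, value, password_status(value, ref))
```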
- Go to the following URL: http://localhost:8080/travelocity.com
- Click the link to log in with SAML from WSO2 Identity Server.
- The basic authentication page appears. Use your WSO2 Identity Server credentials.
- During the authentication flow, if the password is expired, you will be prompted to reset the password.
- Enter the current password, new password and repeat password. If the authentication is successful, you are taken to the home page of the travelocity.com app.