Configuring Password Policy Authenticator¶
The Password Policy authenticator lets you enforce a password reset during the authentication flow: if the user's password has expired, the user is prompted to reset it before authentication completes.
Note
If you are using Password Policy Authenticator version 1.0.8, go to the WSO2 identity-outbound-auth-passwordPolicy GitHub repository to view the latest documentation.
Deploying Password Policy artifacts¶
- Download the Password Policy Authenticator and artifacts from the WSO2 connector store.
- Add the following lines to the deployment.toml file in the <IS_HOME>/repository/conf/identity/ directory.

  ```toml
  [[event_handler]]
  name = "passwordExpiry"
  subscriptions = ["POST_UPDATE_CREDENTIAL", "POST_UPDATE_CREDENTIAL_BY_ADMIN", "POST_ADD_USER"]

  [event_handler.properties]
  passwordExpiryInDays = "30"
  enableDataPublishing = false
  priorReminderTimeInDays = "0"
  ```
- Place the authentication page pwd-reset.jsp into the <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint directory.

  Note
  Before pasting the pwd-reset.jsp file, start the server at least once so that the web app is deployed and the folder exists.
- Place the authenticator .jar file (org.wso2.carbon.extension.identity.authenticator.passwordpolicy.connector-1.0.3.jar) into the <IS_HOME>/repository/components/dropins directory. (To download the authenticator, go to https://store.wso2.com/store/assets/isconnector/passwordpolicy)

  Note
  If you want to upgrade the Password Policy Authenticator in an existing IS pack, refer to the upgrade instructions.
- Edit the identity-mgt.properties file found in the <IS_HOME>/repository/conf/identity directory and add the following property. The value must be an integer.

  ```properties
  Authentication.Policy.Password.Reset.Time.In.Days=20
  ```

  Info
  If the property is not added to the file, the password reset time defaults to 30 days.
Add claim mapping¶
A claim is a piece of information about a particular subject. It can be anything that the subject owns or is associated with, such as name, group, preferences, etc. In this instance, the claim in question is lastPasswordChangedTimestamp, and it needs to be linked to a claim that is local to WSO2 Identity Server. This claim is required because WSO2 Identity Server needs to know whether the password has expired for this flow to work.
Info
For more information about claim mappings, see Adding a claim mapping.
- Navigate to the Identity section under the Main tab of the management console.
- Click Add under Claims and then click Add Local Claim.
- Add a new claim for lastPasswordChangedTimestamp with http://wso2.org/claims/lastPasswordChangedTimestamp as the Claim Uri.

  Info
  When adding a new claim, if the secondary user store is an LDAP, use an attribute that is mapped to an existing unused claim; if it is a JDBC user store, any attribute name can be used as the mapped attribute.
Deploying travelocity sample application¶
Follow this guide to deploy and configure the travelocity.com sample app in order to use it in this scenario.
Configuring the Service Provider¶
The next step is to configure the service provider.
- In the previous section you configured a service provider in WSO2 Identity Server. Now edit the service provider to configure password reset.
- Go to the Local and Outbound Authentication Configuration section.
- Select the Advanced configuration radio button option.
- Add basic authentication as the first step and password-reset-enforcer authentication as the second step.

  Tip
  The Use attributes from this step option is unchecked when the second step is added and selected.
You have now added and configured the service provider.
Testing the sample¶
- To test the sample, the password needs to be expired. Select the "Supported by Default" checkbox in the lastPasswordChangedTimestamp claim that has the http://wso2.org/claims/lastPasswordChangedTimestamp claim URI.

  Note
  In a production setup, you need to deselect the "Supported by Default" checkbox in the lastPasswordChangedTimestamp claim mapping configuration.
- Enter a date and time in the past for the Password Changed Time field. Make sure to provide the value in the Epoch format.
- Go to the following URL: http://localhost:8080/travelocity.com
- Click the link to log in with SAML from WSO2 Identity Server.
- The basic authentication page appears. Use your WSO2 Identity Server credentials.
- During the authentication flow, if the password is expired, you will be prompted to reset the password.
- Enter the current password, new password and repeat password. If the authentication is successful, you are taken to the home page of the travelocity.com app.
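The test steps above hinge on two values: the past Epoch timestamp you enter for Password Changed Time and the passwordExpiryInDays setting from deployment.toml. The following Python is an added illustration written for this page, not WSO2's authenticator code, of how such an expiry check evaluates the lastPasswordChangedTimestamp claim against that setting. It assumes the claim holds epoch seconds (a value far too large to be seconds is treated as milliseconds, a heuristic of this example), that a password counts as expired once at least passwordExpiryInDays whole days have elapsed, and that priorReminderTimeInDays works as a pre-expiry reminder window. All function names are this example's own.

```python
import time
from datetime import datetime, timezone
from typing import Optional, Union

SECONDS_PER_DAY = 86_400
# An epoch-seconds value above this would lie thousands of years in the future,
# so anything this large is treated as milliseconds (heuristic of this example).
_MILLIS_THRESHOLD = 100_000_000_000


def normalize_epoch_seconds(value: Union[int, str, None]) -> int:
    """Coerce a lastPasswordChangedTimestamp claim value to epoch seconds.

    Rejects a missing, blank, non-integer or negative value, which is what you
    get when the claim was never populated or was entered in a non-epoch format.
    """
    if value is None or str(value).strip() == "":
        raise ValueError("lastPasswordChangedTimestamp claim is missing or blank")
    try:
        ts = int(str(value).strip())
    except ValueError:
        raise ValueError(f"expected an integer epoch value, got {value!r}") from None
    if ts < 0:
        raise ValueError("epoch value must not be negative")
    return ts // 1000 if ts > _MILLIS_THRESHOLD else ts


def past_epoch(days_ago: int, now_epoch: Optional[int] = None) -> int:
    """Epoch seconds for a point `days_ago` days before `now_epoch` (default: now).
    This produces the kind of past value the test step asks you to enter."""
    if now_epoch is None:
        now_epoch = int(time.time())
    return now_epoch - days_ago * SECONDS_PER_DAY


def days_since_change(last_changed, now_epoch: int) -> int:
    """Whole days elapsed since the password was last changed."""
    return (now_epoch - normalize_epoch_seconds(last_changed)) // SECONDS_PER_DAY


def is_password_expired(last_changed, now_epoch: int, expiry_days: int = 30) -> bool:
    """Expired once at least `expiry_days` whole days have elapsed (assumption)."""
    return days_since_change(last_changed, now_epoch) >= expiry_days


def days_until_expiry(last_changed, now_epoch: int, expiry_days: int = 30) -> int:
    """Days left before expiry; never negative."""
    return max(0, expiry_days - days_since_change(last_changed, now_epoch))


def reminder_due(last_changed, now_epoch: int, expiry_days: int = 30,
                 prior_reminder_days: int = 0) -> bool:
    """Pre-expiry reminder check. A window of 0 (the page's sample config)
    disables reminders, and an already expired password gets no reminder."""
    if prior_reminder_days <= 0 or is_password_expired(last_changed, now_epoch, expiry_days):
        return False
    return days_until_expiry(last_changed, now_epoch, expiry_days) <= prior_reminder_days


def evaluate(last_changed, now_epoch: int, expiry_days: int = 30,
             prior_reminder_days: int = 0) -> str:
    """Summarise the outcome the flow acts on: 'expired', 'reminder' or 'ok'."""
    if is_password_expired(last_changed, now_epoch, expiry_days):
        return "expired"
    if reminder_due(last_changed, now_epoch, expiry_days, prior_reminder_days):
        return "reminder"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values: the page's passwordExpiryInDays="30" setting,
    # a 5-day reminder window, and a few claim values relative to a fixed "now".
    now = 1_700_000_000
    samples = [
        ("31 days ago", past_epoch(31, now)),
        ("29 days ago", past_epoch(29, now)),
        ("40 days ago, in milliseconds", past_epoch(40, now) * 1000),
        ("blank claim", ""),
    ]
    for label, claim in samples:
        try:
            print(f"{label:30} -> {evaluate(claim, now, 30, 5)}")
        except ValueError as exc:
            print(f"{label:30} -> rejected: {exc}")
    print("example past value to enter:", past_epoch(31, now),
          "=", datetime.fromtimestamp(past_epoch(31, now), tz=timezone.utc).isoformat())
```

Run it to see which claim values trip the expiry branch; the blank-claim case shows why the claim must actually be populated (and "Supported by Default" selected during the test) before the flow can decide anything.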