Authentication Manager Self Service Password Request Administrator's Guide


Authentication Manager Self Service Password Request 9.0.2

Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of One Identity LLC. The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:

One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site (http://www.oneidentity.com) for regional and international office information.

Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.oneidentity.com/legal/patents.aspx.

Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.oneidentity.com/legal. All other trademarks are the property of their respective owners.

Legend
- WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
- CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
- IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Authentication Manager Self Service Password Request
Updated - December 2017
Version - 9.0.2

Contents

- Preface
- 1 Overview
  - Password and PIN reset through Authentication Manager
    - Reset with Q&A
    - Reset with OTP
  - Password reset through EAM Portal
  - QRentry emergency access
  - Questions and Answers emergency access
  - Temporary Password Access authentication method
  - Compatibility between SSPR features and supported authentication methods
- 2 Configuring Self Service Password Request
  - Allowing users to reset their password or PIN
  - Allowing users to log on with a mobile device
  - Enabling the questions and answers emergency access
  - Configuring the questions proposed to the user
    - Creating a list of questions
    - Importing a list of questions
  - Setting the Self Service Password Request policy
  - Enabling the temporary password access authentication method
    - Enabling the Q&A Method
    - Enabling the Help desk Method
- Administering Self Service Password Request
  - Resetting the number of SSPR attempts made by a user
  - Resetting the answers recorded by a user
  - Checking a User Challenge
  - Generating a challenge to allow a user to reset his/her password or PIN
- About us
  - Contacting us
  - Technical support resources

Preface

Subject
This guide describes how to configure and administer the features offered by Self Service Password Request (SSPR).

Audience
This guide is intended for Authentication Manager administrators.

Required Software
EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.

Typographical Conventions
- Bold: Indicates interface objects, such as menu names, buttons, icons and labels; file, folder and path names; keywords to which particular attention must be paid.
- Italics: Indicates references to other guides.
- Code: Indicates portions of program code, command lines or messages displayed in command windows.
- CAPITALIZATION: Indicates specific objects within the application (in addition to standard capitalization rules).
- < >: Identifies parameters to be supplied by the user.

Documentation support
The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.

1 Overview

The One Identity Self Service Password Request (SSPR) feature reduces usage costs by allowing users to reset their primary password or PIN by themselves. When this feature is enabled, users can:
- Select personal questions and answers; then, if they forget their means of access, they answer the questions either to reset their primary password or PIN, or to open their Windows session directly. This feature works even if the user is not connected to the corporate network.
- Request an OTP sent to their mobile device or email address to reset their primary password. This feature works only if the user is connected to the corporate network.

One Identity SSPR offers the following benefits:
- It relieves the support service from having to reset the user's password or PIN.
- It offers an emergency access solution, based on questions and answers or on an OTP.
- It provides an alternative authentication method for users of strong authentication methods (tokens, biometric devices), by allowing them to open a Windows session temporarily using a password.

Password and PIN reset through Authentication Manager

Reset with Q&A

The following figure illustrates the password/PIN reset mechanism when Authentication Manager is installed on the workstation. In this mode, mobile users can reset their access even if they are not connected.

(Figure: password/PIN reset mechanism with Q&A when Authentication Manager is installed on the workstation)

| Phase | Description |
|---|---|
| Configuration phase | The administrator configures security profiles to enable the password/PIN reset from Authentication Manager. |
| Initialization phase | The first time the user opens his Windows session, Authentication Manager prompts him to record answers and questions according to the configuration set by the administrator. |
| Password/PIN reset phase | To reset his password or PIN, the user answers the series of personal questions asked by Authentication Manager. |

The administrator can make the help desk verify the identity of users when they reset their passwords. For PIN reset, this is mandatory.

Reset with OTP

One Identity SSPR allows you to use the OTP mechanism as an emergency access solution. In this mode, the password authentication method must be enabled. When a user forgets his password or PIN and is connected to the network, he can still open his Windows session by receiving and entering an OTP. He can then reset his forgotten password or PIN and access applications for which authentication is needed.


| Phase | Description |
|---|---|
| Configuration phase | The administrator configures security profiles to enable OTP emergency access. |
| Password/PIN reset phase | The user requests an OTP sent to his email address and/or mobile device. To reset his password or PIN, the user enters the OTP and then enters a new password/PIN. |

Password reset through EAM Portal

If Authentication Manager is not installed on the workstation, users can reset their passwords through EAM Portal, as shown below. There are two ways to reset their passwords:
- By answering questions.
- By retrieving an OTP received by e-mail or SMS.

This mode requires a network connection. It does not support PIN reset, and you cannot make the help desk verify the identity of users when they reset their passwords.

(Figure: password reset through EAM Portal)

| Phase | Description |
|---|---|
| Configuration phase | The administrator configures security profiles to enable password reset from EAM Portal. |
| Initialization phase | The user records his answers and questions through the portal, according to the configuration set by the administrator. |
| Password reset phase | To reset his password, the user connects to EAM Portal and answers the series of personal questions asked by the system. |

QRentry emergency access

One Identity QRentry allows you to use your mobile device as an emergency access solution. In this mode, the mobile device authentication method must be enabled. When a user forgets his password or PIN, he can still open his Windows session by flashing a QR code. Depending on his rights, he can also reset his forgotten password or PIN.

The following figure illustrates the emergency access mechanism when Authentication Manager is installed on the workstation. In this mode, mobile users can reset their access even if they are not connected.

(Figure: QRentry emergency access mechanism when Authentication Manager is installed on the workstation)

| Phase | Description |
|---|---|
| Configuration phase | The administrator configures security profiles to enable authentication with QRentry. |
| Initialization phase | The user enrolls his mobile device with Authentication Manager, according to the configuration set by the administrator. |
| Authentication phase | To authenticate, the user enters the OTP. |

Questions and Answers emergency access

One Identity SSPR allows you to use the questions/answers mechanism as an emergency access solution. In this mode, the password authentication method must be enabled. When a user forgets his password or PIN, he can still open his Windows session by answering questions, but he cannot reset his forgotten password or PIN and he cannot access applications for which authentication is needed.


| Phase | Description |
|---|---|
| Configuration phase | The administrator configures security profiles to enable questions and answers emergency access. |
| Initialization phase | The first time the user opens his Windows session, Authentication Manager prompts him to record answers and questions according to the configuration set by the administrator. |
| Authentication phase | To authenticate, the user answers the series of personal questions asked by Authentication Manager. |

Temporary Password Access authentication method

This temporary authentication method is useful within a company using strong multi-factor authentication. When tokens or biometric devices are used, you may need to provide temporary password access in the following cases:
- A user who has a faulty device (smart card reader or biometric device) can use the temporary password authentication method while waiting for a new device.
- To force the use of tokens or biometric devices during the deployment of strong authentication within the company: you disable the password authentication method for all users and activate the temporary password access, so that users who do not have their smart card or biometric device can still authenticate.

Compatibility between SSPR features and supported authentication methods

The Self Service Password Request feature is delivered with the SSPR option license.

| Authentication method | Reset password | Reset PIN | Q&A-based authentication |
|---|---|---|---|
| Authentication Manager | ✓ | ✓ | ✓ |
| Windows | ✓ (with web portal) | Not available | Not available |
| Session | Not available | Not available | Not available |
| QRentry | ✓ | Not available | Not available |
| Public Access | ✓ (with web portal) | Not available | Not available |

2 Configuring Self Service Password Request

Allowing users to reset their password or PIN

Subject
This section describes how to allow users to reset their password or PIN by themselves. You can enable this feature on any workstation secured by the One Identity EAM (Enterprise Access Management) solution. If Authentication Manager is installed on these workstations, mobile users can reset their access even if they are not connected.

IMPORTANT: To enable PIN reset, One Identity Authentication Manager is required.

Restriction
This feature runs only with the LDAP configuration storage mode.

Before Starting
- Make sure that the Self Service Password Request feature is enabled, as detailed in One Identity EAM Installation Guide.
- You have the following administration role:
  - In classic administration mode: Security object administrator.
  - In advanced administration mode, your role must contain the following rights: User security profile: Creation/Modification and Temporary password access: Change duration.

Procedure
1. In EAM Console, create or select the user security profile that contains the users for whom you want to activate the self-service password and/or PIN reset feature.

2. Click the Self Service Password Request tab and complete the tabbed panel as detailed below:
   a. The user can reset his password through the EAM portal or with Authentication Manager with an OTP. For more information on the OTP configuration, see One Identity EAM Console - Guide de l'administrateur.
   b. Availability drop-down list:
      - To enable PIN reset, select Always available.
      - To enable password reset only, you are advised to select Always available, so that users can reset their password even if they are not connected to the network. If Authentication Manager is not installed on the workstations, select With Self Service Password Request server only.
      NOTE: For a complete description of the Always available option, see the technical details given at the end of the procedure.
   c. If you have selected Always available, you can make the help desk verify the identity of users when they reset their access by selecting the User must contact the help desk to gain password access check box.

   d. Complete the Questions area. For more details, see Configuring the questions proposed to the user.
   e. Complete the During authentication area. For more details, see Setting the Self Service Password Request policy.
3. Click the Authentication tab, and make sure that the following options are selected:
   - Password and/or smart card authentication methods.
   - Use cache (if you have selected Always available in step 2). For details on the Use cache option, please refer to One Identity EAM Console - Guide de l'administrateur.
   If you have selected the User must contact the help desk to gain password access check box in step 2, you can select Allow temporary password access for and set a value in the <X> days when generating challenge drop-down list. This value applies when the user resets his/her password in disconnected mode. In this case, when the option is selected, the user can authenticate using the password authentication method for a given period, and you specify the default validity duration of the temporary password access when a challenge is given to a user (see Generating a challenge to allow a user to reset his/her password or PIN).
   NOTE: <X> days when resetting user's password: this option applies only when you force the user's primary password (for details, see Enabling the temporary password access authentication method).

4. Click Apply.
5. Create or select the access point security profile that contains the user workstations for which you want to activate the self-service password/PIN reset feature, and make sure that the following options are selected in the Security Services tab:
   - Password and/or smart card authentication methods.
   - Activate cache (if you have selected Always available). For details on the Activate cache option, please refer to One Identity EAM Console - Guide de l'administrateur.

6. In the Self Service Password Request tab, type the address of an SSPR server in the bottom field and click Add to add it to the server list.
   IMPORTANT: The position of servers in the list corresponds to the working order (if the first server does not respond, the second one is used, and so on).
7. Click Apply.

The "Always available" option: technical details

To allow users to reset their password even if they are not connected to the network, they must have authenticated at least once on their workstation. This way, the password is stored in the user cache and used for session opening. When the user resets his password, EAM manages the new password as follows:
- If the user is connected to the network, the new password is directly updated in the directory.
- If the user is not connected to the network, the password is temporarily stored in the user cache. When the directory is available again, the user is prompted to reauthenticate and to change his/her password (which is then changed in the directory).

Allowing users to log on with a mobile device

Subject
This section explains how to configure a User Security profile to allow users to use QRentry for emergency access to their computers.

Before starting
- You have the following administration role:
  - In classic administration mode: Security object administrator.
  - In advanced administration mode, your role must contain the following rights: User Security Profile: creation/modification; Mobile devices: Display mobile details; Mobile devices: Management.
- You have allowed users to enroll a mobile device: see QRentry - Guide de l'utilisateur.

Procedure
1. In the EAM console, click the User Security Profile that contains the users for whom you want to allow the use of QRentry for computer access.
2. Click the Mobile Device tab.
3. Select and complete the Authentication Manager tabbed panel and click Apply.

   Example:
   a. The users associated with the selected User Security Profile can authenticate only when they are connected to the network.
   b. The users associated with the selected User Security Profile can use the QRentry remote control to manage (open, lock and close) their Windows session.
   NOTE: For a complete description of this tabbed panel, please refer to QRentry - Guide de l'utilisateur.

Enabling the questions and answers emergency access

Subject
If Authentication Manager is installed on the workstations, you can configure an emergency access based on questions and answers, which gives access only to the Windows session; users cannot access applications for which authentication is needed. This feature and the Password/PIN reset function cannot be enabled at the same time.

Before Starting
- Make sure that the Self Service Password Request feature is enabled, as detailed in One Identity EAM Installation Guide.
- You have the following administration role:
  - In classic administration mode: Security object administrator.
  - In advanced administration mode, your role must contain the following rights: User security profile: Creation/Modification and Temporary password access: Change duration.

Procedure
1. In EAM Console, create or select the user security profile that contains the users for whom you want to enable the questions and answers emergency access.
2. In the Authentication tab, make sure that the Password authentication method and the Use cache check box are selected (for details on this check box, please refer to One Identity EAM Console - Guide de l'administrateur).

3. Click the Self Service Password Request tab and complete the tabbed panel as detailed below:
   a. In the Availability drop-down list, select Always available.
   b. Select the Self Service Password Request opens Windows session check box. The User must contact the help desk to gain password access option becomes unavailable.
   c. Complete the Questions area. For more details, see Configuring the questions proposed to the user.
   d. Complete the During authentication area. For more details, see Setting the Self Service Password Request policy.
4. Click Apply.
5. Create or select the access point security profile that contains the user workstations for which you want to activate questions and answers emergency access, and make sure that the Password authentication method and the Activate cache check box are selected (for details on this option, please refer to One Identity EAM Console - Guide de l'administrateur).

IMPORTANT: To enable this feature, the user must first authenticate at least once in connected mode.

Configuring the questions proposed to the user

Subject
This section describes how to complete the Questions area, located in the Self Service Password Request tab of a user security profile. It complements the procedures described in Allowing users to reset their password or PIN and Enabling the questions and answers emergency access.

The following illustration is an overview of this task: you set the number of questions you want to configure and the properties associated with each question that will be asked to the user.

NOTE: You can customize the way the questions appear in the authentication screen. For more details, see One Identity EAM Customization Guide. This feature is not supported on Windows XP.

Creating a list of questions

1. In the Questions area, set the number of questions you want to configure.
2. Click the Select button. The question selection window appears.

   Each line corresponds to one question that can be asked to the user. In this example, question number 1 contains only one question, to which the user must answer.
3. Click Manage questions. The question management window appears. The Existing Questions area displays the list of questions that have already been configured and that can be added to the questions asked to users.

   IMPORTANT: The question texts defined in this area are valid for all user profiles; they are not associated only with the selected user profile.
4. To add a question, do the following:
   a. Click the New button. The Question Properties area is activated.
   b. Set the Question Type: select either Predefined Question, to specify a question that cannot be modified by the end user, or User-supplied question, to allow the end user to define his/her own question.
   c. For predefined questions only, type the question text and, if required, translate it into another language:
      - Click Translations.
      - Select the language in the drop-down list and translate the question.
      - Click Add. The translation appears in the Translations area.
      - Click OK.
   d. For user-supplied questions, set constraints on the question length.
   e. Set the Answer constraints:
      - Set the minimal and maximal character length of the answer.
      - To set restrictions on the string entered by the end user as the answer, fill in the Must match regular expression field. For details on the syntax of regular expressions, see One Identity EAM Console - Guide de l'administrateur.
   f. Click Apply. The question appears in the Existing Questions area.

5. Repeat "Click Manage questions" as many times as necessary and click Close to finish. The question selection window is available again.
6. In the drop-down list, select a Question number and click the Add button.
7. Select a question text in the Select a Question window and click OK. The selected question appears in the available question area.
8. Repeat Creating a list of questions as many times as necessary and click OK.

Importing a list of questions

Before starting
To import a set of questions, a CSV file containing the questions must have been generated with the Export button.

Procedure
1. In the Questions area, click the Select button, and in the displayed window, click Manage questions. The Self Service Password Request question management window appears.
2. Click the Import button.
3. Browse your directory and select the CSV file containing the set of questions.
4. Click Open. The set of questions is added to the Existing Questions area.
   IMPORTANT: The imported questions are merged with the Existing Questions as follows:
   - If there are more questions in the CSV file than in the Existing Questions, the additional questions are added to the Existing Questions.
   - If there are fewer questions in the Existing Questions than in the CSV file, the Existing Questions are kept.
   - If both the CSV file and the Existing Questions contain the same questions with a few discrepancies, the Existing Questions are replaced by the questions of the CSV file.
   - If there are answer constraints in the CSV file, these constraints replace the ones in the EAM Console.
5. Click Close to finish. The Self Service Password Request Question Selection window appears.

6. Set a question number to an available question, to define a list of available questions for each Question field of the Self Service Password Request wizard (available through Authentication Manager):
   a. In the list of questions drop-down list, select the Question number and click the Add button. The question selection window appears.
   b. Select a question in the Select a Question window and click OK. The selected question appears in the available question area.
   c. Click OK.

Setting the Self Service Password Request policy

Subject
This section describes how to complete the Security area, located in the Self Service Password Request tab of a user security profile. It complements the procedures described in Allowing users to reset their password or PIN and Enabling the questions and answers emergency access.

Procedure
1. In the Security area, set the following fields:
   - Number of questions to ask: the number of questions to which the end users must answer to reset their password or PIN. This number cannot be greater than the number of questions configured in Configuring the questions proposed to the user.
   - Minimum number of correct answers: the minimum number of correct answers that the end user must enter to be able to reset his/her password or PIN.
2. Click the Advanced button to define other security parameters, as detailed in the following "Self Service Password Request Policy" Window Description section.
3. Click OK.

"Self Service Password Request Policy" Window Description

Option descriptions:
- Forces the user to set his/her questions and answers before he/she can use Enterprise SSO on his/her workstation.
- Forces the user to change his/her answers to questions at a defined frequency.
- Prevents the user from giving the same answer to different questions.
- Prevents the user from using the words used in the questions in his/her answers.
- Sets a maximum number of attempts to answer questions.

- Option only available if you have selected the Always available mode and the Limit Self Service Password attempts option. This check box sets a timeout before allowing the user to attempt to answer SSPR questions again on his/her workstation. Note: in enterprises with no SSPR server, the timeout is set only on the workstation concerned: the user can log on to another workstation before the end of the timeout to answer the questions.
- Sets the answers to questions as case-insensitive and ignores white spaces (other characters such as accents, hyphens or apostrophes are taken into account).
- Allows the user to authenticate using the password authentication method for a given period when he/she resets his/her password.
- Option only available if you have selected the User must contact the help desk to gain password access option. This check box allows the help desk to modify the validity duration of the password authentication method when providing an unblocking code to a user.
- Option only available if the Always available mode is selected. This check box forces the use of the reset password server (SSPR server) when available before using the disconnected mode. NOTE: you must set the list of the password reset servers: see One Identity EAM Console - Administrator's Guide.
- Option only available if the Always available mode is selected. If this check box is selected, the temporary password is never resynchronized with the directory. This allows you to force the user to use his/her own password and not his/her temporary password when he/she reconnects to the network.
- Option only available if the Always available mode is selected. Sets the maximum number of attempts to use the Self Service Password Request feature in disconnected mode.

Enabling the temporary password access authentication method

Subject
The Temporary Password Access authentication method can be used within EAM configurations using strong multi-factor authentication.
It allows you to authorize a user who authenticates using a token or a biometric device to temporarily use the password authentication method either by:
- Replying to a set of questions and entering his/her password: see Enabling the Q&A Method.
- Calling the help desk for a temporary password: see Enabling the Help desk Method.

Enabling the Q&A Method

Before starting
You have the following administration role:
- In classic administration mode:
  - SSO Data Recoverer.
  - The SSO data recoverer right on your administration smart card.
- In advanced administration mode, your role must contain the following rights:
  - User: Password modification.
  - Temporary password access: Deletion.
  - Temporary password access: Creation.
The user security profile associated with the user for whom you want to enable the temporary password access authentication method is configured as follows:
- The password authentication method is cleared.
- The Allow temporary password access check box is cleared.

Procedure
1. In the tree structure of the Directory panel, select the wanted user and go to his/her User Security Profile.
2. Click the Self Service Password Request tab.
3. In the Properties area > Availability drop-down list, select Always available.
4. In the Questions area, click the Select button.
5. Create a list of questions as described in Creating a list of questions. If the questions have already been created, go to the next step.
6. In the During authentication area, click the Advanced button. The Self Service Password Request Policy window appears.
7. Select the Allow password access for check box and enter the number of days.
8. Click OK and Apply to save the new settings.
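The rules set out above, the import merge rules in the IMPORTANT note of Importing a list of questions and the answer-policy options (number of questions to ask, minimum number of correct answers, attempt limit, no identical answers to different questions, no question words in answers, case-insensitive and white-space-blind matching) that the Q&A method relies on, are modelled below in Python. This is an added example, not One Identity's code: the class and function names, the use of the question number as the key matching a CSV row to an existing question, the representation of stored answers as normalized strings, and the sample questions and answers are all assumptions made for the illustration.

```python
"""Constructed model of the SSPR question-list and answer-policy rules.

Added illustration, not One Identity's code. Names, dict layouts, the choice
of `number` as the CSV-to-console matching key and all sample data are
assumptions; only the rules themselves come from the guide text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    number: int                       # assumed matching key between CSV and console
    text: str
    constraint: Optional[str] = None  # answer constraint, kept as free text here


def merge_question_lists(existing: List[Question],
                         imported: List[Question]) -> List[Question]:
    """IMPORTANT note of 'Importing a list of questions': CSV-only questions are
    added, console-only questions are kept, a question in both takes the CSV
    wording, and a CSV answer constraint replaces the console one. A CSV row
    with no constraint leaves the existing one in place (assumption)."""
    merged: Dict[int, Question] = {q.number: q for q in existing}
    for row in imported:
        previous = merged.get(row.number)
        constraint = row.constraint if row.constraint is not None else (
            previous.constraint if previous else None)
        merged[row.number] = Question(row.number, row.text, constraint)
    return [merged[n] for n in sorted(merged)]


@dataclass(frozen=True)
class SsprPolicy:
    questions_to_ask: int                # "Number of questions to ask"
    min_correct_answers: int             # "Minimum number of correct answers"
    max_attempts: int                    # "Sets a maximum number of attempts"
    forbid_same_answer: bool = True      # no identical answer to different questions
    forbid_question_words: bool = True   # no question words inside an answer
    lenient_matching: bool = True        # case-insensitive, white space ignored


def policy_errors(policy: SsprPolicy, questions: List[Question]) -> List[str]:
    """Security-area constraint from the guide: you cannot ask more questions
    than are configured. Requiring more correct answers than are asked would
    make the feature unusable, so that is flagged too."""
    errors = []
    if policy.questions_to_ask > len(questions):
        errors.append("questions_to_ask exceeds the number of configured questions")
    if policy.min_correct_answers > policy.questions_to_ask:
        errors.append("min_correct_answers exceeds questions_to_ask")
    return errors


def normalize(answer: str, lenient: bool) -> str:
    """Comparison form: case-insensitive and white space removed. Accents,
    hyphens and apostrophes are kept on purpose, as the policy option states."""
    return re.sub(r"\s+", "", answer).casefold() if lenient else answer


def _words(text: str) -> set:
    return {w.casefold() for w in re.findall(r"\w+", text)}


def enrollment_errors(questions: List[Question], answers: Dict[int, str],
                      policy: SsprPolicy) -> List[Tuple[int, str]]:
    """Checks applied when the user sets his/her answers."""
    errors: List[Tuple[int, str]] = []
    seen: Dict[str, int] = {}
    for q in questions:
        raw = answers.get(q.number, "")
        norm = normalize(raw, policy.lenient_matching)
        if not norm:
            errors.append((q.number, "empty answer"))
            continue
        if policy.forbid_same_answer:
            if norm in seen:
                errors.append((q.number, f"same answer as question {seen[norm]}"))
            seen.setdefault(norm, q.number)
        if policy.forbid_question_words:
            reused = sorted(_words(q.text) & _words(raw))
            if reused:
                errors.append((q.number, "answer reuses question word(s): " + ", ".join(reused)))
    return errors


def verify_answers(stored: Dict[int, str], given: Dict[int, str],
                   policy: SsprPolicy, attempts_used: int) -> str:
    """Reset-time check: 'locked' once the attempt limit is reached, otherwise
    'accepted' when at least min_correct_answers of the asked questions match.
    `stored` holds normalized answers (how the product stores them is not in the guide)."""
    if attempts_used >= policy.max_attempts:
        return "locked"
    asked = sorted(stored)[:policy.questions_to_ask]
    correct = sum(1 for n in asked
                  if normalize(given.get(n, ""), policy.lenient_matching) == stored[n])
    return "accepted" if correct >= policy.min_correct_answers else "rejected"


# Constructed sample data for the illustration.
EXISTING_QUESTIONS = [Question(1, "What is your mother's maiden name?"),
                      Question(2, "Name of your first school?", "min 3 chars")]
IMPORTED_ROWS = [Question(2, "What is the name of your first school?"),
                 Question(3, "What is your favourite colour?", "min 4 chars")]
POLICY = SsprPolicy(questions_to_ask=3, min_correct_answers=2, max_attempts=3)

if __name__ == "__main__":
    catalogue = merge_question_lists(EXISTING_QUESTIONS, IMPORTED_ROWS)
    print(policy_errors(POLICY, catalogue))
    print(enrollment_errors(catalogue, {1: "Dupont", 2: "dupont", 3: "the colour blue"}, POLICY))
```

The hyphen check in the sample shows the edge the policy text calls out: "Saint Exupéry" does not match a stored "Saint-Exupéry" even in lenient mode, because only case and white space are ignored.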

Enabling the Help desk Method

IMPORTANT: You will have to force a new primary password. Remember that:
- The user's private accounts are lost in this process.
- Performing this action automatically unlocks the user account (if the unlocking operation fails, you are not warned).

Before starting
You have the following administration role:
- In classic administration mode:
  - SSO Data Recoverer.
  - The SSO data recoverer right on your administration smart card.
- In advanced administration mode, your role must contain the following rights:
  - User: Password modification.
  - Temporary password access: Creation.
  - Temporary password access: Deletion.
The user security profile associated with the user for whom you want to enable the temporary password access authentication method is configured as follows:
- The password authentication method is cleared.
- The Allow temporary password access check box is selected and configured.

Procedure
1. In the tree structure of the Directory panel, right-click the wanted user and select Force Password. The Password tab appears.
2. Fill in the New password and Confirmation fields.
3. (Optional) Select User must change password at next login.
4. Select the User can connect using password authentication check box.
5. If necessary, modify the value of the Authorization expires in field.
   NOTE: The proposed value is read from the user security profile associated with the selected user.

6. To avoid site replication problems if you use Active Directory: in the User is logged on computer field, type the name of the user's computer so that the password reset operation is done on a domain controller located on the same site as the computer (and not on the domain controller to which you are connected).
   NOTE: For more information on domain controller selection, see One Identity EAM Console - Administrator's Guide.
7. Click Apply and send the password to the selected user. The tab shows the TPA expiration date. If the user connects with a token, the TPA is automatically deleted.
   NOTE: To extend the TPA duration, clear the User can connect using password authentication check box and repeat the whole procedure.

3 Administering Self Service Password Request

Subject
SSPR administration is performed at the user object level. A dedicated tab allows you to manage the SSPR information for a user. You can perform the following operations:
- Reset the password attempts for the user if he/she has reached the maximum number.
- Reset the answers entered by a user.
- Generate challenges to allow the user to reset his/her password or PIN.

Before Starting
To perform the tasks described in this section, you must have at least the following administration role:
- In classic administration mode: Security object administrator, Rights administrator or SSO Data Recoverer.
- In advanced administration mode, your role must contain the following rights: Self Service Password Request: Answer deletion, Self Service Password Request: Challenge generation and Self Service Password Request: Reset attempt counter.

Resetting the number of SSPR attempts made by a user
1. In the tree structure of the Directory panel, select the wanted user.
2. In the Connection tab, click Self Service Password Request. The Self Service Password Request tab appears.
3. Click Reset (works only in connected mode).

Resetting the answers recorded by a user
1. In the tree structure of the Directory panel, select the wanted user.
2. In the Connection tab, click Self Service Password Request. The Self Service Password Request tab appears.
3. Click Reset Answers.

Checking a User Challenge
You might want to check a user challenge to confirm his/her identity first.

Procedure
1. In the tree structure of the Directory panel, select the wanted user.
2. In the Connection tab, click Self Service Password Request. The Self Service Password Request tab appears.
3. Click the Check User Challenge button.
4. Type the challenge the user gives you and click the Check button. The user challenge is either accepted or rejected.

Generating a challenge to allow a user to reset his/her password or PIN
1. In the tree structure of the Directory panel, select the wanted user.
2. In the Connection tab, click Self Service Password Request. The Self Service Password Request tab appears.
3. Click the Generate Unblocking Code button.
4. Follow the instructions displayed on screen and, in User challenge, type the challenge the user gave you.
   NOTE: If a temporary password access has been given to the user, the Temporary password access duration field displays the number of days left during which the user will be able to use a password to connect. Depending on your configuration, this value can be modified (for more information, see Setting the Self Service Password Request policy).
5. Click Generate. The result appears; you can then give it to the user so that he/she resets his/her password or PIN code.

NOTE: The user SSPR attempts are automatically reset to 0 once the password has been reset (if the operation fails, you are not warned).

About us

Contacting us
For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.

Technical support resources
Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
- Submit and manage a Service Request
- View Knowledge Base articles
- Sign up for product notifications
- Download software and technical documentation
- View how-to videos
- Engage in community discussions
- Chat with support engineers online
- View services to assist you with your product