Archive for the ‘Auth’ Category

How to enable the Password Reset service

Posted in Auth, password reset, service on September 5th, 2010 by aldaris

What’s the password reset service exactly?

The password reset service lets users change their own password when the current one is forgotten or lost. First the user has to submit a username, then answer a pre-defined or user-defined question. If the answer is correct, a mail will be sent to the user with the new password. It’s pretty easy, right?
So let’s see how we could configure this easily in a subrealm:

1. Go to Access Control -> -> Services
2. Click on Add, and choose Password Reset
3. Configure the LDAP settings, and enable personal questions
4. Press Finish

This will enable the password reset functionality. Let’s see how you can try this out:

1. Log in with a simple user and go to /openam/console
2. There will be a new edit link for the password reset options; click on it
3. Create a new question/answer and Save (don’t forget to check the checkbox in the first column!)
4. Now log out, and go to /openam/password?realm=/
5. Supply your username, and there is your custom question, which will only accept your custom answer ;)

And that’s it. :) Hopefully OPENAM-192 will be merged into trunk soon, which will allow you to use realm aliases instead of ugly GET parameters for realm identification. ;)

How to develop custom auth module

Posted in Auth, auth module, jaas, tutorial on June 2nd, 2010 by aldaris

NOTE: if you’re looking for a quick way to learn how to develop auth modules, then you may want to read this or this instead.

In the OpenAM world an authentication module is responsible for authenticating a user, but sometimes the method of authentication is not as simple as we think. For example, OpenAM gives out-of-the-box support for LDAP, Cert, SPNEGO token, etc. based authentication, but what happens if you need to authenticate (for some reason) from a WebService? This is when you’re probably going to end up developing a custom authentication module.

OpenAM uses JAAS, so if you don’t know what JAAS is, you probably need to read this; it is going to help you understand the basic concepts of the Auth API.
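The JAAS concepts mentioned above, as an added example that is not from the original post or from OpenAM: a plain JDK `LoginModule` that collects a username and password through callbacks and attaches the identity only in `commit()`. `WsLoginModule` and `remoteCheck` are hypothetical names, and `remoteCheck` is a local stand-in with constructed credentials in place of a real web-service call.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

public class WsLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private UserPrincipal pending, committed;
    // Hypothetical stand-in for the web-service call; the credentials are constructed.
    static boolean remoteCheck(String user, char[] pw) {
        return "demo".equals(user) && Arrays.equals(pw, "constructed-secret".toCharArray());
    }
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("User: ");
        PasswordCallback pass = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { name, pass }); // the login UI fills these in
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        char[] pw = pass.getPassword(); // a copy; wiped in the finally block
        pass.clearPassword();
        try {
            if (name.getName() == null || pw == null || !remoteCheck(name.getName(), pw))
                throw new FailedLoginException("invalid credentials"); // one message for every failure
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');
        }
        pending = new UserPrincipal(name.getName());
        return true;
    }
    public boolean commit() { // called once the overall login has succeeded
        if (pending == null) return false;
        committed = pending;
        pending = null;
        subject.getPrincipals().add(committed);
        return true;
    }
    public boolean abort() { pending = null; return logout(); } // overall login failed: drop state
    public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null;
        return true;
    }
}
```

To run it, name the class in a JAAS `Configuration` entry and call `LoginContext.login()` with a `CallbackHandler` that supplies the name and password.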

To create an authentication module, you’re going to need the following:

- Configuration-UI descriptor XML with localization
- Callback-descriptor XML for login page UI
- Some Java code for authentication logic
- maybe some JSP
- and lots and lots of OpenAM container restarts :)

So based on these needs I’m going to write a few more posts in this area, probably in the following structure:

- Configuration basics
- Config UI elements
- Validation of configuration
- Login UI basics
- Callbacks
- Dynamic Callback-handling
- How to write the Java code
- Gotchas, best practices
- How to install auth module

I hope you will find these articles useful. Some of them are new stuff for me too, so it may take some time to write them, but they’re going to (Forge)ROCK! :D
