Forgot password management using Oracle Access Manager

Hi all,

Today I have implemented Lost Password Management using Oracle Access Manager 10.1.4.3.  The infrastructure I have is OAM 10.1.4.3, Sun DS 5.2 as User store and Policy Store.

There is a web application deployed in OHS 11g protected with Form based authentication. When we install the OHS 11g webgate, a folder /oamsso gets created under the WebGate/oblix location. This folder contains login.html, which already includes a Forgot Password button. If you don't have such a login file, add the following code to your custom login file.

<script type="text/javascript">

// Returns true when the field is blank. The login page calls isEmpty()
// without defining it anywhere, so a definition is supplied here.
function isEmpty(value)
{
    return value == null || value.replace(/^\s+|\s+$/g, "") == "";
}

function lostPassword()
{
    var elements = document.forms[0].elements;
    var name = "";
    for (var i = 0; i < elements.length; i++)
    {
        name = "" + elements[i].name;
        if (name == "userid")
        {
            if (isEmpty(document.forms[0].elements[i].value) == true)
            {
                alert("Please enter a valid User Name");
                return false; // returning false from onclick stops the form from submitting
            }
            // Pass the entered user name to Lost Password Management as the "login" parameter
            var newFormInput = document.createElement("input");
            newFormInput.setAttribute("name", "login");
            newFormInput.setAttribute("type", "hidden");
            newFormInput.setAttribute("value", document.forms[0].elements[i].value);
            document.loginForm.appendChild(newFormInput);
            break;
        }
    }

    // REPLACE host:port with host & port of Webserver where WEBPASS is installed
    document.forms[0].action = "http://host:port/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?backUrl=" + document.URL;
    return true;
}
</script>

<input type="submit" onclick="return lostPassword()" name="button" value="Lost Password">

The basic requirements for Lost Password Management are a custom challenge phrase attribute, a custom challenge response attribute, and an auxiliary object class that carries them.

Save the following lines to an LDIF file (the ldapmodify command further down uses D:\Sun\LPM.ldif).

# adding attributes (attribute names are LDAP keystrings: no spaces allowed)
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.206 NAME 'ChallengePhrase1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.207 NAME 'ChallengeResponse1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# adding aux object class
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.9999.1.1094.208 NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( ChallengePhrase1 $ ChallengeResponse1 ) )

Here, we are adding two attributes, ChallengePhrase1 and ChallengeResponse1, to the LDAP schema, along with an auxiliary object class that lists both attributes as optional (MAY).

These attributes are used when a user is created either by administrator using Create User Identity or through User Self Registration (using Identity XML).
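Before handing the file to ldapmodify it is worth checking it for the mistakes Sun DS rejects: an attribute NAME that is not an RFC 4512 keystring (a name such as 'Challenge Phrase1' with a space fails), a SYNTAX OID wrapped onto a line without the LDIF continuation space, or a MAY list that names an attribute the file never defines. The checker below is an added example in Python, not code from the post or from Oracle; the sample LDIF it carries is constructed from the post's schema.

```python
# Added example (not from the post): sanity-check the LPM schema LDIF before
# handing it to ldapmodify, catching the mistakes Sun DS would reject.
import re

# Constructed sample: the post's schema, with the SYNTAX OID on a folded continuation line.
SAMPLE_LDIF = """\
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.206 NAME 'ChallengePhrase1' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.207 NAME 'ChallengeResponse1' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.9999.1.1094.208 NAME 'oblixAuxPerson4LPM' SUP top AUXILIARY MAY ( ChallengePhrase1 $ ChallengeResponse1 ) )
"""

KEYSTRING = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # RFC 4512 keystring: letters, digits, hyphen
DEFINITION = re.compile(r"^(attributetypes|objectclasses):\s*\(\s*(\S+)\s+NAME\s+'([^']*)'(.*)\)\s*$")

def unfold(ldif):
    # LDIF folds a long line by inserting newline + one space; undo that before parsing
    return re.sub(r"\n ", "", ldif).splitlines()

def check_schema_ldif(ldif):
    """Return the problems found; an empty list means the schema change looks sane."""
    problems, attrs, may_refs = [], set(), []
    for line in unfold(ldif):
        if not line.startswith(("attributetypes:", "objectclasses:")):
            continue
        m = DEFINITION.match(line)
        if not m:  # typically the SYNTAX OID was wrapped onto a line with no leading space
            problems.append("malformed definition: " + line)
            continue
        kind, _oid, name, rest = m.groups()
        if not KEYSTRING.match(name):
            problems.append(f"{kind} NAME '{name}' is not a valid keystring")
        if kind == "attributetypes":
            attrs.add(name.lower())
        elif (may := re.search(r"MAY\s*\(([^)]*)\)", rest)):
            may_refs += [a.strip() for a in may.group(1).split("$")]
    problems += [f"MAY refers to undefined attribute '{r}'" for r in may_refs if r.lower() not in attrs]
    return problems
```

Run `check_schema_ldif(open("LPM.ldif").read())` against your own file; an empty list means ldapmodify should accept it.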

You can use the following command to add those attributes and the object class to the schema.

D:\Sun\MPS\shared\bin>ldapmodify.exe -h kbmahendra.india.hcleai.com -p 30127 -D "cn=Directory Manager" -w admin123 -f D:\Sun\LPM.ldif
modifying entry cn=schema

Upon executing the ldapmodify command, you should see the success message "modifying entry cn=schema".

Restart the OC4J_SECURITY service so that the oblixAuxPerson4LPM object class is picked up in the OAM schema.

Now, you should add the object class oblixAuxPerson4LPM in the OAM object classes.

For this, go to the Identity System Console -> Common Configuration -> Object Classes.

Click Add and select oblixAuxPerson4LPM from the dropdown. Select Object Class Type as Person. Click Modify Attributes and configure the attribute ChallengePhrase1 by selecting Challenge and DN Prefix as Semantic Type. Leave the Display Type as Single Line Text and Attribute Values as Single. Similarly configure the attribute ChallengeResponse1 by selecting Response as Semantic Type.

Save these configurations and click Done.

Go to the Authentication scheme. Here, I am using Form Based Login.

Go to the Validation Plugin and add the following text, so that the plugin parameters read:

obCredentialPassword="password",obReadPasswdMode="LDAP", obWritePasswdMode="LDAP"

Please be careful with the quotes: use the straight double quote (") and not the curly one (”), which the plugin does not parse.

With this, the configuration part is complete. Now let's test the lost password functionality.

Access the test URL protected by OAM; it should present the login page.

Enter the userid and click Lost Password.

You will be prompted with the challenge phrase that the user registered earlier. Answer the challenge phrase and click Submit.

Now, you will be prompted to enter the new Password and click Save.

A message is displayed saying the password has been changed; click Back.

Now, you will be prompted with the login page again. Enter the credentials with the new password and you will be shown the requested resource.

About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com
