Forgot password management using Oracle Access Manager

Hi all,

Today I have implemented Lost Password Management using Oracle Access Manager 10.1.4.3.  The infrastructure I have is OAM 10.1.4.3, Sun DS 5.2 as User store and Policy Store.

There is a web application deployed in OHS 11g protected with Form based authentication.  When we install OHS 11g webgate, a folder /oamsso gets created under WebGate/oblix location. This folder has login.html with Forgot Password button given. If you dont have such login file, then you can add the below code in your custom login file.

<script content=”text/javascript” language=”JavaScript” >

function lostPassword()
{
var elements = document.forms[0].elements;
name = “”;
for (i=0; i<elements.length; i++)
{
name = “”+ elements[i].name;
if (name == “userid”)
{
if (isEmpty(document.forms[0].elements[i].value) == true)
{
alert(“Please enter a valid User Name”);
return;
}
var newFormInput = document.createElement(‘input’);
newFormInput.setAttribute(“name”,”login”);
newFormInput.setAttribute(“type”,”hidden”);
newFormInput.setAttribute(“value”,document.forms[0].elements[i].value);
document.loginForm.appendChild(newFormInput);
break;
}
}

// REPLACE host:port with host & port of Webserver where WEBPASS is installed

document.forms[0].action = “http://host:port/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?backUrl=” + document.URL;
}
<input type=”submit” onclick=”lostPassword()” name=”button” value=”Lost Password”>

The basic needs to achieve Lost Password management functionality are some custom challenge phrase and response attributes with auxiliary object class.

Use the below lines and add it to a LDIF file.

# adding attributes
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.206 NAME ‘Challenge Phrase1’ SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.9999.1.1094.207 NAME ‘Challenge Response1’ SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
#adding aux object class
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.9999.1.1094.208 NAME ‘oblixAuxPerson4LPM’ DESC ‘User defined objectclass’ SUP top AUXILIARY MAY ( ChallengePhrase1 $ ChallengeResponse1 ) )

Here, we are adding two attributes  Challenge Phrase1 and Challenge Response1 to the LDAP schema along with Auxiliary Object class which uses two two attributes as optional.

These attributes are used when a user is created either by administrator using Create User Identity or through User Self Registration (using Identity XML).

You can use the below command to add those attributes and  object class to schema.

D:\Sun\MPS\shared\bin>ldapmodify.exe -h kbmahendra.india.hcleai.com -p 30127 -D
“cn=Directory Manager” -w admin123 -f D:\Sun\LPM.ldif
modifying entry cn=schema

Upon executing the ldapmodify command, you should see a success message “modifying entry cn=schema”.

Restart the OC4J_SECURITY service to reflect the oblixAuxPerson4LPM objectclass to OAM schema.

Now, you should add the object class oblixAuxPerson4LPM in the OAM object classes.

For this, goto the Identity System Console ->  Common Configuration -> Object Classes.

Click Add and select  oblixAuxPerson4LPM from dropdown. Select Object Class Type as Person. Click Modify Attributes, configure the attribute ChallengePhrase1 by selecting Challenge and DN Prefix as Semantic Type. Let the Display Type be Single Line Text and Attribute Values be Single. Similarly configure the object class ChallengeResponse1 by selecting Response as Semantic Type.

Save these configurations and Click Done.

Goto the Authentication scheme. Here, I am using Form Based Login.

Goto the Validation Plugin and add the text and it should appear as shown below.

obCredentialPassword=”password”,obReadPasswdMode=”LDAP”, obWritePasswdMode=”LDAP”

Please be careful with quotes (use ” and not ”).

With this, the configuration part is completed. Now lets test the lost password functionality.

Access the test URL protected by OAM and it should throw the login page as shown below.

Enter the userid and click Lost Password.

You will be prompted with Challenge Phrase that is already registered by the user. Answer the challenge phrase and click Submit.

Now, you will be prompted to enter the new Password and click Save.

It will display a message saying the password has been changed and click Back.

Now, you will be prompted with login page again. Enter the credentials with new password and you will be shown the requested resource.

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

16 comments
Ferry says August 10, 2010

Hello Mahendra,
Do we have a feature in OAM, where after password reset using “forgot password” an email should be sent to the user with his new password.
Regards,
Ferry

Reply
Atul Kumar says August 10, 2010

@ Ferry,
Yes this is possible. For lost password, OAM uses challenge phrase

From the Identity System Console, click the System Configuration sub-tab, then click Lost Password Policy.

Select the Send Email After Password Change box if you want email to be sent to
the user after the password has been reset.

http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12489/idconfig.htm#BABDFCGI

===========

Or you can customize OAM that change password simply send updated password via email (not safe solution) using API – http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12491/idapi.htm#sthref478

Reply
Ferry says August 10, 2010

Hello Atul,

Thank You for the quick response. Appreciated !!!!!

Regards,
Ferry

Reply
Rahul says August 14, 2010

Hello Mahendra,
I am unable to update the object class. I am getting the following error:
modifying entry cn=schema
ldap_modify: Undefined attribute type
ldap_modify: additional info: Attribute dn is not supported in schema.

I suspect that it’s unable to find the dn for schema. I am using OID 11g with OAM 10.1.4.3
Thanks,
Rahul

Reply
Atul Kumar says August 14, 2010

@ Rahul,

What command you are using ?

Above post is to extend object class in Sun LDAP server. For OID command could be different .

Reply
Rahul says August 14, 2010

Hi Atul,
I am using ldapmodify command and tried the DN: cn=subschemasubentry as well.. still fails with same error. Is there any specific command for OID
Thanks,
Rahul

Reply
Rahul says August 16, 2010

Hello
I finally added the attributes & objectclasses and confirmed their existence in OID schema. However, I am unable to see them in Identity System Console.
Thanks,

Reply
Mahendra says August 16, 2010

Rahul,

You have to add those objectclasses and attributes explicitly in the OAM Identity Console.

-M

Reply
Rahul says August 17, 2010

Hello Mahendra,
When I click on Add under Common configuration, I don’t see them. Is there any other way to add them explicitly. Could you please elaborate…
Thank You….

Reply
Mahendra says August 17, 2010

Rahul,

Please check whether the objectclass is added in your LDAP. I remember seeing this behavior before and re-adding the objectclass and attributes have done the trick OR it should be added as auxiliary object class.

-M

Reply
Rahul says August 29, 2010

Hello,
we are using a different tool for self registration. I am able to update the user & pwd directly to my ldap and able to login via OAM. however, I am not able to find a clue on how to update the challenge phrase & response. As, response value is encrpted by oam in ldap?? Any ideas ??
Regards,
Rahul…

Reply
Mahendra says August 30, 2010

Rahul,

May I know the tool that you are using for self registration?

To my knowledge, either we should provide the self registration link of OAM identity console or use Identity XML API to do so.

If you are using Identity XML API for self registration, then there are specific attributes to update the challenge phrase and response. Please check some sample identity xml samples in the identity server installation directory. It must be under Unsupported folder (cannot remember the exact location though).

Hope this helps.

Mahendra.

Reply
Ravi says February 24, 2011

Hi Mahendra,

What is the attribute used to send the email after user resetting their password?

thanks
Ravi

Reply
Jisha Roy says March 10, 2011

Hi Atul,

Thanks for your updates. The article was very helpful in setting up the LPM. I noticed that the challenge is prompted to the user as many times until he enters the correct response. How can we secure this functionality for eg: Prompt the challenge to the user only 3 times or so.

regards,
Jisha

Reply
Mahendra says March 10, 2011

Jisha,

I don’t think it is possible OOTB. Even if you try to customize it, it is very difficult to fetch the challenge response attributes and play with it.

Anyhow, this is a good question.

Hope this helps.

-Mahendra.

Reply
jaga says August 11, 2014

Hi Atul/Mahendra,

Iam using OAM 11gr2 PS2. I have an application protected by OAM. I had dump all the users of application to OID. OID is my user Identity.
I changed all users password to default password.
Now, when user tries to login i need to forcely redirect user to change password. How can i achieve. I don’t have OIM.

Any suggestions

Thanks

Reply
Add Your Reply