17.4.1.1.2. Password reset-configuration (JSP-Loginapp)
  • Go to MAIN SETTINGS >> Password Settings >> Reset Self-Service (alternatively, the Password Settings are reached via Loginapp >> Password Settings).
  • Choose one of the three verification types (email, SMS or secret questions) for the property User Verification Type.
  • Refer to the documentation in the Config Editor for further information.

Details about email Verification in the JSP-Loginapp

There are two types of email verification:

  1. Stored Context Token (recommended)

     All context information required for the password reset is stored in the database and a random token referencing the data is used in the email's URL.

     This type is used if a "Token Persister" is configured in the plugin "Email Verification (Password Reset)".

     It has the following properties:

     1. Data is persisted, i.e., a password-reset-token database table or LDAP schema extension is required.
     2. No sensitive information is sent via email - not even encrypted information.
     3. The usage of multiple tokens is not possible.
     4. The link sent in the email can only be used in IAM instances connected to the same database/directory as where it was produced.

  2. Encrypted Context Token

     All context information required for the password reset is encrypted and directly used in the email's URL.

     This type is used if no "Token Persister" is configured in the plugin "Email Verification (Password Reset)".

     It has the following properties:

     1. No data needs to be persisted. Slightly simpler setup.
     2. Sensitive information is encrypted (and made authentic) and transported via email.
     3. The "token" can be used multiple times within the validity period.
     4. The link sent in the email can be used in any IAM instance knowing the shared secret (token encryption passphrase).
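The two token types differ in where the reset context lives and what the emailed link is bound to. The Go program below is an added illustration written for this page, not the IAM product's own code: it models a stored context token as a random reference into a store that is deleted on first use (and is unknown to any other store), and an encrypted context token as an AES-GCM sealed payload that any instance holding the shared passphrase can open repeatedly until it expires, while a wrong passphrase or a modified link fails the tag check. The ResetContext fields, the SHA-256 derivation of the key from the passphrase and the single-use reading of property 3 of the stored variant are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ResetContext is what the second reset step needs (fields constructed for this example).
type ResetContext struct {
	UserID    string    `json:"uid"`
	ExpiresAt time.Time `json:"exp"`
}

// randomBytes returns n bytes from crypto/rand; a failing CSPRNG is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Variant 1: stored context token. TokenStore stands in for the reset-token table/LDAP extension.
type TokenStore map[string]ResetContext

// Issue persists the context and returns only an opaque random reference for the URL.
func (s TokenStore) Issue(ctx ResetContext) string {
	tok := base64.RawURLEncoding.EncodeToString(randomBytes(32))
	s[tok] = ctx
	return tok
}

// Redeem resolves the reference and deletes it, so a second use fails. A token
// issued by another store (another database/directory) is simply unknown here.
func (s TokenStore) Redeem(tok string) (ResetContext, error) {
	ctx, ok := s[tok]
	if !ok {
		return ResetContext{}, errors.New("unknown or already used token")
	}
	delete(s, tok)
	return ctx, nil
}

// Variant 2: encrypted context token. aeadFromPassphrase derives AES-256-GCM from the shared
// passphrase; plain SHA-256 keeps the example short (the product's key derivation is not on the page).
func aeadFromPassphrase(passphrase string) cipher.AEAD {
	key := sha256.Sum256([]byte(passphrase))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block: cannot fail
	return aead
}

// Seal encrypts and authenticates the whole context into the URL token (nonce prepended
// so Open can recover it); nothing is persisted.
func Seal(passphrase string, ctx ResetContext) string {
	aead := aeadFromPassphrase(passphrase)
	plain, _ := json.Marshal(ctx) // string + time.Time: cannot fail
	nonce := randomBytes(aead.NonceSize())
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil))
}

// Open checks the GCM tag, decrypts and enforces expiry. Nothing is deleted, so the same
// token opens again until ExpiresAt, on any instance that holds the passphrase.
func Open(passphrase, tok string, now time.Time) (ResetContext, error) {
	aead := aeadFromPassphrase(passphrase)
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	ns := aead.NonceSize()
	if err != nil || len(raw) < ns {
		return ResetContext{}, errors.New("malformed token")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return ResetContext{}, errors.New("authentication failed: wrong secret or tampered token")
	}
	var ctx ResetContext
	if err := json.Unmarshal(plain, &ctx); err != nil {
		return ResetContext{}, err
	}
	if now.After(ctx.ExpiresAt) {
		return ResetContext{}, errors.New("token expired")
	}
	return ctx, nil
}

func main() {
	ctx := ResetContext{UserID: "alice", ExpiresAt: time.Now().Add(15 * time.Minute)}
	store := TokenStore{}
	tok := store.Issue(ctx)
	_, err1 := store.Redeem(tok)
	_, err2 := store.Redeem(tok) // row already deleted
	fmt.Println("stored token, 1st/2nd use:", err1, "/", err2)
	_, err3 := Open("other-passphrase", Seal("shared-passphrase", ctx), time.Now())
	fmt.Println("encrypted token without the shared secret:", err3)
}
```

The stored variant never puts user data in the link, which is why the page recommends it; its cost is the persisted table and the binding to one database. The encrypted variant carries the data in the link, so the passphrase and the validity period are the only things limiting reuse, and every IAM instance that must accept such links needs the same passphrase.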

Storage of forward location, configuration context, and language

The forward location, configuration context, and display language can be stored in the first step of the password reset self-service and reused in the second step.

To do so, configure the corresponding settings in the Advanced Settings of the Password Reset Self-Service plugin. By default, the information is not stored.

Using Secret Questions

Secret questions have to be enabled for each user (using Adminapp or REST API).

Limitations of User Verification using SMS

Note that verifying the user using SMS is not compatible with the token data model storage model (i.e. supporting multiple phone numbers per user).

It does work when using the credential persister storage model (only one phone number per user).