PhenixID

PSD1072 – Manage Password Custom Control

Fact

  • PhenixID Identity Manager 4.8.9 or later

Situation

Use the custom control se.nordicedge.controls.password.ManagePasswordCC to use a password control in an IM form.

Solution

The password control can be used in three different modes: Change, Reset and Selfservice.

The mode Change is used when the user changes their own password by entering their existing password and their new password. A connection to the directory is then made using the user’s credentials, and the password is set over the user’s connection. In this mode, the directory’s password policy, including password history, the allowed number of password changes per day, etc., will be applied to the password change.

The mode Reset is used when the user’s password should be changed using the service account’s credentials. This could be used by, for example, a service desk.

The mode Selfservice is used when the user changes their own password, but you do not want them to enter their existing password. If the user has logged in to IM using their username and password, those credentials will be used to create a connection to the directory. If the user has logged in using another authentication method, a temporary password will be generated and saved to the directory. After that, IM can create a connection to the directory using this newly generated password. The chosen new password will then be set using the user’s connection.

Configuration

Type (change/reset/selfservice). Default is change.
Select the mode for the custom control. How the different modes work is described above.

Enable show password (true/false). Default is true.
If this option is set to true, an icon in the form of an eye is shown next to the password text fields. When clicking on the icon, the password text field will toggle between showing the password in clear text and only showing dots for the password.

Password policy (Ex: A-Z:x|a-z:x|0-9:x|!.():x)
Enter the password policy to use. The policy can contain one or more groups of characters, and the characters can be given as an interval (a-z) or as specific characters. The groups are separated with | and the number of required characters in each group is given after the colon.

Example of a policy where the password must contain three upper-case letters and three lower-case letters:
A-Z:3|a-z:3

Example of a policy where the password must contain two lower-case letters, two digits and two special characters:
a-z:2|0-9:2|!€().?,:2

The password policy is used both for checking if the password meets the requirements before setting the password in the directory and for generating passwords.

To use a custom password validator, set the policy PASSWORD_VALIDATOR to the classname of the validator class. The validator class must extend the class se.nordicedge.controls.password.ConfigurablePasswordValidatorImpl.

Password policy – Number of groups in policy used
Set how many of the character groups in the password policy must be matched. By default, all groups in the policy must match.

For example, you may have configured four different groups of characters in the password policy but the policy is met if you match three of those groups.

Password policy – Max length. Default is 20.
The maximum length of the password.

Password policy – Min length. Default is 6.
The minimum length of the password.
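The policy syntax and the checks described above (character groups, number of groups required, min and max length, characters outside every group), as an added example that is not PhenixID code. It assumes that an interval is a three-character x-y with alphanumeric ends, that every other character in a group is a literal, and that the required count follows the group’s last colon; the problem names are modelled on the Prompt_* labels listed later on this page.

```python
"""Checker for the ManagePasswordCC password-policy syntax described above.
Constructed example, not PhenixID code. Assumption: an interval is a
three-character 'x-y' with alphanumeric ends, every other character in a
group is a literal, and the group's required count follows its last colon."""
import re
from collections import namedtuple

INTERVAL = re.compile(r"([A-Za-z0-9])-([A-Za-z0-9])")
# spec: text before the colon ("A-Z", "!€().?,"); chars: expanded set; required: count
Group = namedtuple("Group", "spec chars required")


def expand(spec: str) -> frozenset:
    """Expand 'a-z' style intervals; anything else is a literal character."""
    chars, pos = set(), 0
    while pos < len(spec):
        m = INTERVAL.match(spec, pos)
        if m:
            lo, hi = m.groups()
            chars.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
            pos = m.end()
        else:
            chars.add(spec[pos])
            pos += 1
    return frozenset(chars)


def parse_policy(policy: str) -> list:
    """Split 'A-Z:3|a-z:3' on '|' into Group tuples."""
    groups = []
    for part in policy.split("|"):
        spec, _, count = part.rpartition(":")   # rpartition: ':' may be a literal
        groups.append(Group(spec, expand(spec), int(count)))
    return groups


def check_password(pw, policy, groups_required=None, min_len=6, max_len=20):
    """Return the problems found (named after the Prompt_* labels); [] means OK."""
    groups = parse_policy(policy)
    need = len(groups) if groups_required is None else groups_required
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append("BadPasswordLength")
    allowed = frozenset().union(*(g.chars for g in groups))
    if set(pw) - allowed:   # characters outside every group are not valid
        problems.append("TheFollowingCharactersAreNotValid:" + "".join(sorted(set(pw) - allowed)))
    unmet = [g for g in groups if sum(c in g.chars for c in pw) < g.required]
    if len(groups) - len(unmet) < need:
        if need == len(groups):   # all groups required: name each missing one
            problems += [f"PasswordMustContain:{g.required}:{g.spec}" for g in unmet]
        else:
            problems.append(f"MorePasswordPolicyGroupsRequired:{len(groups) - len(unmet)}/{need}")
    return problems
```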

Password policy – Check password policy before saving (true/false). Default is true.
If this option is set to true, the custom control will check in the pre-save step whether the new password matches the password policy. If the password doesn’t match the password policy, a veto will be raised.

Password policy – Check password policy at typing (true/false). Default is true.
If this option is set to true, the password will be checked during typing to see if it matches the password policy. The result of the check will be displayed at the bottom of the custom control.

Check password strength at typing (true/false) Default is false.
If this option is set to true, the password strength will be checked during typing. If the password is to be checked against the password policy, the password strength will only be checked after the password has passed the password policy.

To use a custom password strength checker, set the policy PWD_STRENGTH_CLASS to the classname of the checker. The checker class must implement the interface se.nordicedge.controls.password.PasswordStrengthCheck.

The built-in password strength checker makes 6 different tests, and the strength is based on the number of passed tests:
Very weak password: 0-1 tests
Weak password: 2-3 tests
Average password: 4 tests
Strong password: 5-6 tests

The tests made by the built-in password strength checker are:
1. Contains lower case letters
2. Contains upper case letters
3. Contains digits
4. Contains some of the chars .-_
5. The password length is greater than 6
6. The password length is greater than 8
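The six tests and the strength classification above, as an added example that is not PhenixID’s PasswordStrengthCheck implementation. It illustrates a consequence of the scheme: length alone never lifts a password past Weak, since a nine-character all-lowercase password passes only three tests.

```python
"""The six tests of the built-in strength checker, re-implemented as a
constructed example (not PhenixID's PasswordStrengthCheck implementation)."""


def strength_tests(pw: str) -> list:
    """One boolean per test, in the order the page lists them."""
    return [
        any(c.islower() for c in pw),   # 1. contains lower case letters
        any(c.isupper() for c in pw),   # 2. contains upper case letters
        any(c.isdigit() for c in pw),   # 3. contains digits
        any(c in ".-_" for c in pw),    # 4. contains some of . - _
        len(pw) > 6,                    # 5. length greater than 6
        len(pw) > 8,                    # 6. length greater than 8
    ]


def strength(pw: str) -> str:
    """Map the number of passed tests to the Prompt_* label that is shown."""
    passed = sum(strength_tests(pw))
    if passed <= 1:
        return "VeryWeakPassword"
    if passed <= 3:
        return "WeakPassword"
    if passed == 4:
        return "AveragePassword"
    return "StrongPassword"
```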

Enable generate password (true/false). Default is true.
If this option is set to true, a Generate Password link will be displayed. The password generation will use the configured password policy to generate the password.

Generate – Excluded characters from password policy. (Ex: IO|l|01|!)
When generating a password, there may be characters that look like each other and that you don’t want to use in the generated password. Specify those characters for each group in the password policy, separated by a |.

Generate – Length. Default is 10.
The length of the generated password.

Reset – Enable change password at next login (true/false). Default is false.
When using the Reset mode and an Active Directory, you can set this option to true to show a checkbox for ‘Change password at next logon’. If the checkbox is set, the attribute pwdLastSet will be set to 0 after the password has been set, forcing the user to change their password at next logon.

Jsp file to use. Default is /jsp/CustomControls/ManagePasswordCC.jsp
The default jsp-file to use for this custom control is /jsp/CustomControls/ManagePasswordCC.jsp but you may use another jsp-file of your choice. In this option the file path is the URL, starting at the IM web app directory.

XML file with text labels. Default is lib/ManagePasswordCC.xml in NEIDMgmt folder.
The XML file to use, containing all the texts that are displayed to the user. In this option the file path is the URL, starting at the NEIDMgmt directory.

Width of text input fields. Default is 200.
Set the width of the password text fields in pixels.

Space between textbox and its title, in pixels. Default is 3.
Set the number of pixels between each textbox and its title.

Space between textbox and next textbox title, in pixels. Default is 6.
Set the number of pixels between each textbox and the following textbox title.

Space over ‘Generate Password’ text, in pixels. Default is 6.
Set the number of pixels between the ‘Generate Password’ text and the textbox above.

Space over password strength text, in pixels. Default is 6.
Set the number of pixels between the password strength text and the component above.

Reset AD lockout time in selfservice mode (true/false). Default is false.
As described above, the user will be given a temporary password before setting the chosen password. Setting this option to true will set the Active Directory attribute lockoutTime to ‘0’ after the temporary password has been set.

Label text left or above (default above)
Should the label text (New password and Confirm password) sit above the input box or to the left of the input box?
This parameter was added in IM 5.5.0.

XML-file

The XML-file contains all the texts presented to the user.
The default XML file with the default values is located in \..\PhenixID\IM\application\WEB-INF\xml. If you want to change any value you should NOT update this file, since an upgrade will overwrite it.
Take a copy of the file and put it somewhere appropriate inside the customer folder, use the parameter above to point to the correct file path and file name, and make your changes there.

Label_OldPassword
The title for the textbox for the current password in Change mode

Label_NewPassword
The title for the textbox for the new password

Label_ConfirmPassword
The title for the textbox for the confirmation of the new password

Label_GeneratePassword
The text to use in ‘Generate Password’-link

Label_ChangePasswordAtNextLogon
The title for the checkbox that forces the user to change password at next logon

Prompt_BadPasswordLength
The message to the user if the password length is below the minimum length or above the maximum length

Prompt_PasswordsDoNotMatch
The message to the user if the new password and the confirmation password do not match

Prompt_PasswordMustContain
The start of the message to the user if the password doesn’t contain all the expected characters. The message will end with the part from the password policy that is missing.

To change the whole sentence, use $1 where the number of characters should be added and $2 where the list of available characters should be added.

Prompt_TheFollowingCharactersAreNotValid
The start of the message to the user if the password contains characters that are not allowed. The message will end with the characters that are not valid.

Prompt_OldPasswordIsIncorrect
The message to the user if the current password in Change mode is not correct.

Prompt_PasswordDoNotMatchADPolicy
The message to the user if Active Directory does not allow the new password.

Prompt_PasswordDoNotFollowPasswordPolicy
The message to the user if the new password does not match the configured password policy.

Prompt_MorePasswordPolicyGroupsRequired
The message to the user if the new password does not contain characters from all configured groups in the password policy.

Prompt_PasswordChanged
The message to the user if the password change was successful. This will only be used in Change and Selfservice mode. Leave this tag empty to not show a confirmation message.

Prompt_PasswordNotChanged
The message to the user if the password change was unsuccessful in Change or Selfservice mode.

Prompt_VeryWeakPassword
The message to the user if the new password is considered as a very weak password.

Prompt_WeakPassword
The message to the user if the new password is considered as a weak password.

Prompt_AveragePassword
The message to the user if the new password is considered as a password with average strength.

Prompt_StrongPassword
The message to the user if the new password is considered as a strong password.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se