Symantec IGA


SelfService with no questions

  • 1.  SelfService with no questions

    Posted Jul 30, 2016 07:58 PM

    Hi community.  Do you know if it is possible to configure CA Identity Manager to provide Password SelfService based on a link redirection to a primary or alternate email?

     

    For example: the user forgot the password and selects a "Forgot Password" link.  CA Identity Manager sends an email to the user's email address with a link.  That link redirects the user to a screen to change his password.  The verification is not based on questions.  In this case we need to verify based on the email of the customer, similar to a lot of forgot-password behavior in web applications.

    Any idea? Is that possible?



  • 2.  Re: SelfService with no questions

    Posted Aug 01, 2016 04:15 PM

    Hello,

     

    This might be possible using a form of Policy Xpress. Have you tried looking in there?  Let me make sure on the process of how you want the password policy to work.

     

    1) User clicks "Forget Password"

    2) Enters email address

    3) Email gets sent based on matching email address on system to change password

     

    Let me know if this is the procedure you are looking for.

    Thanks,

    Andrew Nguyen



  • 3.  Re: SelfService with no questions

    Posted Aug 01, 2016 05:57 PM

    Hi Andrew,

     

    Yes, but the email sent must contain a link to change password directly with no questions to verify user.  How to provide a public task like "change password" without a verification?



  • 4.  Re: SelfService with no questions

    Posted Aug 02, 2016 03:55 AM

    Probably not a good idea not to get any kind of verification apart from username. However, if you really wanted to, you can edit the Search Screen of the Forgotten Password Task. It currently has a default of 3 questions. If you set it to 0, it won't ask any questions. But then this opens up your users to things like - 
    I know x's username, I am going to prank them by asking to change their password or worse.



  • 5.  Re: SelfService with no questions

    Posted Aug 02, 2016 01:25 PM

    Hi Marline, I need to provide a Forgot Password similar to ca.com Access: https://www.ca.com/us/register/forgotpassword.aspx

     

    User will receive an email (verification is made with the email access). Only the user will access the email App with his account.

    Is that possible?



  • 6.  Re: SelfService with no questions

    Posted Aug 02, 2016 06:27 PM

    Hi Mauricio,

     

    Yes, it is possible. My point is just that anyone can know the user's email and decide to submit a password reset for them. It may not be malicious, but it is still not as secure as having to answer questions.

     

    To change to email instead of user id, what you need to do is edit the forgotten password task (Maybe take a copy and change the link to your own task)

    1. Change from using USER_ID to email

    In the User Console, choose Roles and Tasks, Admin Tasks, Modify Admin Task. 

    Select the Forgotten Password task. 

    Click on the Search tab.

    In the search screen for the Forgotten Password task, it also refers to a screen called the Forgotten Password Identify. You can edit this screen so that you replace the user id attribute with email instead.

     

    2. Email the password

    By default, the Forgotten Password task displays the temporary password in the User Console. 

    To configure the Forgotten Password task to email the temporary password: 

    In the Management Console, configure email notifications for the CA IdentityMinder environment.

    In the User Console, choose Roles and Tasks, Admin Tasks, Modify Admin Task. 

    Select the Forgotten Password task. 

    On the Profile tab, click Business Logic Task Handlers. 

    The Business Logic Task Handlers screen opens. The BLTHGenerateTemporaryPassword handler should appear in the list of handlers. 

    Click the right arrow icon to edit the properties for the handler. 

    In the Property field, click the minus icon to delete the ShowPwdOnScreen property. 

    In the Property field, type in ShowPwdOnScreen again. 

    In the Value field, enter: 

    false 

    Click Add. 

     

    Regards,

    Marline



  • 7.  Re: SelfService with no questions

    Posted Aug 02, 2016 06:34 PM

    Hi Marline, thank you for the detail in the answer.  But, is it possible to offer a Forgotten Password Reset instead of Forgotten Password?

    I mean the possibility for the user to change the password, not to be provided a temporary password.



  • 8.  Re: SelfService with no questions

    Posted Aug 02, 2016 06:45 PM

    With the forgotten password reset, you can't email the password.



  • 9.  Re: SelfService with no questions

    Posted Aug 02, 2016 07:18 PM

    OK, so you want to first direct the user to a screen to verify their email. You can create a screen based on the Forgotten Password Identity but with email.

    Then you need to actually create your own Forgotten password handler to verify the email. The current one is actually hard coded to verify user id.

    Once the validation is done and the task is submitted, you can then send an email, either via system emails or PX, with a link to the user to change their password. This can be based on the forgotten password reset screen.

    So this solution would require some customization. It can be done, just not OOTB.
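
An added example, not part of the original thread and not CA Identity Manager code: the e-mailed reset link discussed above depends on a token that is unguessable, expires, works once, and is issued without revealing whether an address exists. The names `USERS`, `PENDING`, `request_reset` and `redeem`, the 15-minute lifetime and the sample address are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60                      # assumed link lifetime in seconds
USERS = {"alice@example.com": "alice"}   # constructed sample directory
PENDING = {}                             # sha256(token) -> (user_id, expires_at)


def _digest(token):
    # Store only a hash so a leaked table cannot be replayed as reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Return the token to put in the e-mailed link, or None if unknown.

    The web page must show the same message in both cases, so a caller
    cannot use the form to test which addresses are registered.
    """
    now = time.time() if now is None else now
    user_id = USERS.get(email.strip().lower())
    if user_id is None:
        return None
    # A new request replaces any earlier outstanding link for this user.
    for key in [k for k, v in PENDING.items() if v[0] == user_id]:
        del PENDING[key]
    token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    PENDING[_digest(token)] = (user_id, now + TOKEN_TTL)
    return token


def redeem(token, now=None):
    """Return the user_id allowed to set a new password, or None."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_digest(token), None)   # pop makes the link single-use
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None
```

Requesting a reset for someone else's address only sends that person an e-mail; the password changes only when the token from the mailbox is redeemed.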



  • 10.  Re: SelfService with no questions

    Posted Aug 02, 2016 07:36 PM

    Hi Marline, But I do not want to email "the password".

    I want this:

     

     

     

     



  • 11.  Re: SelfService with no questions

    Broadcom Employee
    Posted Aug 10, 2016 02:54 PM

    Hi Mauricio,

     

    Please also consider checking whether CA Single Sign-On is not the better option for the Advanced Password Services that you need. Please check this link about Advanced Password Services.



  • 12.  Re: SelfService with no questions

    Posted May 08, 2019 03:18 PM

    Hi Mauricio,

     

    Were you able to find a solution to your use case? We are trying to implement the exact same thing in our environment.

     

    Thanks

    Garima