I am working with a customer who wants to utilize SSO's Advanced Password Services for users to change their passwords. I have the APS documentation, but it is unclear if I am able to achieve the following flow...
1. User clicks forgot password - (configured)
2. User verifies account using Q&A (configured)
3. Random password is generated and emailed to user (IN QUESTION)
4. User logs in with new password
5. User is forced to change password after login with new password (IN QUESTION)
Does anyone have a clear answer on whether this flow can be achieved out of the box or not? If so, does anyone have any detailed configuration docs for APS (outside of the APSAdmin and FPS techguides on communities)?
Any help is appreciated.
There are several different strategies to finishing the FPS process, all configured using the Confirm section of the APS configuration file.
1. Give static information to tell the user how to proceed (sending the information via email).
2. Give the user the information on a custom page, email, or a combination of the two.
3. Let FPS display a message box displaying the information or part of the information (the rest being transmitted via email).
4. Log the user in automatically.
One way to do confirmation at the end of the FPS process is to send the information to the user via email. If this is to be done, the confirm page should say something like "The information that you requested has been sent to the email firstname.lastname@example.org".
Another option is to display HalfPassword1 on the custom page and send HalfPassword2 via email. These macros return, in clear text, either the first half or the second half of the user's password. Of course, either the mail or the custom page will have to instruct the user that the two halves must be put together before using.
Instead of using the "real" password, use the OneShotPassword. FPS creates a single-use password when the macro "OneShotPassword" is referenced in a mail file or in an initial setting for the confirmation page. The OneShotPassword requires special setup to use (see Authentication Scheme), but it is more secure than using a multiple-use password, even if you allow the user to select their own password (since you will never show the selected password).
Change Pages - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Tech Tip : CA Single Sign-On :Policy Server::How to configure APS Forgot Password (FPS) Interface
Value: mail file(s)
Recommended: yes, if required
Complexity Level: Advanced
At the completion of the FPS process, one or more files can be sent, via email, using this setting.
If the user will be redirected to the No Data URL above, the file(s) specified by this setting can also be sent via email.
If both a password and user id are to be recovered, only one should be sent via mail (the other should be displayed on a page), since both together open a larger security hole.
There are several special macros available to this mail.
- Clear-text password that was randomly generated or that the user selected.
- HalfPassword1: the first half of the new password, in clear text. Useful for mailing half and displaying half.
- HalfPassword2: the second half of the new password, in clear text. Useful for mailing half and displaying half.
- OneShotPassword: only generated if the macro is requested, this is a random, 32-character password that can be used within 5 minutes (not configurable) of generation to log this user in ONCE. Useful to automatically log in the user. Requires the APS Authentication Scheme to be installed.
Consider the use case. It is very specific. It is not meant to generate a password that the end user has to enter; it is for automatic logins. So you never actually interact with the one-shot password; it is all under the covers.
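To make the OneShotPassword semantics described above concrete (a random 32-character value, valid for 5 minutes, honoured exactly once, and never stored in the clear), here is an added Python model of such a single-use credential store. It is illustrative code written for this thread, not CA's implementation; the `OneShotStore` class, its clock injection and the SHA-256 digest storage are assumptions of the example.

```python
import hashlib
import secrets
import string
import time

# Constructed example, not APS code: models the OneShotPassword behaviour
# described above (32-character random value, 5-minute validity, single use).
ONE_SHOT_LENGTH = 32
ONE_SHOT_TTL_SECONDS = 5 * 60
_ALPHABET = string.ascii_letters + string.digits


def _digest(token: str) -> str:
    # Only a hash is kept server-side, so a leaked store yields no usable credential.
    return hashlib.sha256(token.encode()).hexdigest()


class OneShotStore:
    """In-memory issuer/redeemer for short-lived, single-use login tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable for deterministic tests
        self._pending = {}               # digest -> (user_id, expiry timestamp)

    def issue(self, user_id: str) -> str:
        # CSPRNG-backed token; this is the value that would be placed in the mail/page.
        token = "".join(secrets.choice(_ALPHABET) for _ in range(ONE_SHOT_LENGTH))
        self._pending[_digest(token)] = (user_id, self._clock() + ONE_SHOT_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id on the first valid use; None if unknown, expired or reused."""
        entry = self._pending.pop(_digest(token), None)   # pop enforces single use
        if entry is None:
            return None
        user_id, expiry = entry
        if self._clock() > expiry:
            return None                                    # expired: discarded, not honoured
        return user_id


if __name__ == "__main__":
    store = OneShotStore()
    tok = store.issue("jdoe")
    print("first redeem:", store.redeem(tok))   # jdoe
    print("second redeem:", store.redeem(tok))  # None
```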