Permalink: https://doc.oneportal.fi/x/FoEW
Table of Contents |
---|
This chapter covers few tasks which are not part of daily routine, but which are important and deserve to be covered.
Using only the LDAP Server in
...
Trivore Identity Service (WebUI is only used to change/recover password)
This is a special use case. These organisations only use
...
Trivore Identity Service as their primary master data for user accounts, and no other
...
Trivore Identity Service functionality. They have also normally integrated several external services and applications to authenticate user accounts from
...
Trivore Identity Service LDAP Server.
As the master data is in
...
Trivore Identity Service and LDAP is read-only, the user account password must be changed in
...
Trivore Identity Service WebUI. To make this task easy, the
...
Trivore Identity Service sign in view has a special link in it to do just this password change.
Please note, not all external applications and services check for password expiration when
...
performing LDAP authentication. This might cause some surprises and service or support cases.
...
Therefore, it is
...
important to instruct users to go to
...
Trivore Identity Service WebUI in those cases and verify they can sign in to there. If the password
...
has expired, they will be asked for new password and this will resolve the sign in issue.
A good mitigation to password expiration is not to expire passwords at all.
...
This is actually the current best practise and
...
recommendation.
Change password without signing in to
...
Trivore Identity Service
This is a special task most often related to LDAP-only use case described above, but can be used for other circumstances, too.
This process only
...
works for changing passwords. If your 2FA is currently not functioning (TOTP or SMS), please contact you organisation Account Admin for further assistance.
Password change is launched by replacing “/ui” with “/changePassword” on the normal Sign in address. There are also other options which can be embedded to the address: “?ns=namespacename” and “?username=email@address”. Here “namespacename” refers to the actual name of the namespace in question.The table below should help with all of the options related to this task.
#
Task in details | Example address |
---|---|
1 | General direct address to |
start password change process. Username, current password, and namespace code are asked to change the password. | https://oneportal.trivore.com/changePassword | |
2 | Direct address to start password change process. Username and current password are asked to change the password. The example address is for organisation “namespacename”. | https://oneportal.trivore.com/changePassword?ns=namespacename |
3 | Direct address to start password change process. Current password only is asked to change the password. The example address is for organisation “namespacename ” with sign in username “email@address”. | https://oneportal.trivore.com/changePassword?ns=namespacename&username=email@address |
4 | Direct address to start password change process. Current password, and namespace code are asked to change the password. The example address is for sign in username “email@address”. | https://oneportal.trivore.com/changePassword?username=email@address |
5 | Direct address to start password change process. Current password only is asked to change the password. The example address is for namespace code “company1” with sign in username “administrator”. Locale and UI language is also enforced to be English. | https://oneportal.trivore.com/changePassword?ns=company1&username=administrator&locale=en |
Table 7.1: Assistive table with different options for password change task.
This method of password changing is designed and implemented to be unbranded and compatible with iframes, so it is possible to embed it to other websites rather easily.
...
Below is shown the password change process in few pictures. This process is for the general direct address use case described in table above as first example.
To be able to change password, you are required to enter all current credentials.
An error message is shown if the credentials are entered wrong.
After certain number of wrong passwords, the user account will be locked. Details on this vary between organisations, so please consult your administrator for those details.
Note: even if the name of the namespace is required when changing the password, that information does not need to come from the user wanting to change the password. Defining the value of the namespace in the URL is a handy method for showing the user a view that does not ask for namespace information.
Example URL: <https://oneportal.trivore.com/changePassword?ns=
...
namespacename>
...
Tip: See the URL examples in the table above.
...
It is strongly recommended, and even mandatory in some organisations to have second factor for stronger authentication. The second factor might be either proper strong TOTP, or a weaker SMS (text message) OTP PIN. The SMS 2FA is shown here as an example.
Enter the code you received to the mobile number defined in your user account data. The code might be numbers, text, or both.
After proper authentication, you may enter the new password. You only need to enter it once. For convenience, you may reveal it to verify you entered it right.
It is recommended to use password manager program such as Keepass with very long random passwords. Those will protect your account well.
If the password you enter does not obey the defined rules, you may see an error message in a red box
...
. These rules may vary depending on the password requirement set by the organisation.
Password recovery, a.k.a. forgotten password
Password self-recovery is normally enabled for a namespace, but it is possible for Namespace Admin to disable it. It is also possible to disable it for only some user accounts. Self-recovery is normally disabled for special service-like user accounts, and enabled for all others.
This recovery process only works for forgotten passwords. If your 2FA is currently not functioning (TOTP or SMS), please contact your organisation Account Admin for further assistance.
This method of password recovery is designed and implemented to be unbranded and compatible with iframes, so it is possible to embed it to other websites rather easily.
There are two ways to launch password recovery:
...
From Sign in screen by selecting the link “
PasswordPassword forgotten?”. This is the normal interactive way. User is expected to enter sign in username and namespace code to continue with the process.
By directly going to the recovery address. This recovery address is the
onePortal™Trivore Identity Service Appliance address with “/resetPassword” added to the end. For example if
onePortal™Trivore Identity Service Appliance address is “https://oneportal.trivore.com”, the Password recovery address is “https://oneportal.trivore.com/resetPassword”. At the end of “/resetPassword”, it is possible to embed information on the namespace and user account for which this recovery process will take place.
...
Always add “?” between the address and first additional parameter.
...
If you will add more than one parameter, separate the parameters with “&”. See examples to learn more.
...
Task in details | Example Address | |
---|---|---|
1 | Default password recovery address. Username, Email address or phone number and Namespace are required to start password recovery. | https:/oneportal.trivore.com/resetPassword |
2 | Direct address to start password recovery. Username, Email address or phone number will be required to start password recovery. Namespace is always all lower case and it has no spaces. If embedding the recovery WebUI to another website, it is generally recommended to add the namespace information on to the called URI. |
...
Add “username=email@address” to the end to start recovery process for user account with sign in username “email@address”.
...
Add “locale=en” to enforce using English as the language.
In the example address the namespace name is “namespacename” | https://oneportal.trivore.com/resetPassword?ns=namespacename | |
3 | Direct address to start password recovery. Username, Email address or phone number and Namespace are required to start password recovery. Locale is set through the address In the example address the locale is set to English | https://oneportal.trivore.com/resetPassword?locale=en |
4 | Direct address to start password recovery. Username, Email address or phone number will be required to start password recovery. Locale is set through the address. If you will add more than one parameter, separate the parameters with “&”. In the example address the namespace name is “namespacename” and the locale is set to English | https://oneportal.trivore.com/resetPassword?ns= |
...
namespacename& |
...
locale=en |
...
Both methods above launch the same recovery process. The password recovery is visually and technically designed to work properly on small screen devices, and to be embeddable into another website or mobile application.
...
Follow the next steps to execute this recovery task:
Type in your username as you would when signing in normally, you may also need to type in the namespace of your user account. Select “Continue” to proceed. Depending on how the recovery process WebUI was called, some data might already be present in the fields. If you enter
youyour basic information wrong, you will get an error message “Entered username or namespace is unknown
. Please correct your entry, and retry.”
If 2FA has been enabled for the user account, a dialogue to fill in appropriate verification code is shown. For TOTP, open your Authenticator application, and for SMS OTP PIN, open your mobile phone. Type in the code, and select “Continue”.Next phase is for
onePortal™Trivore Identity Service to send a password recovery email. A notification with text
“An email has been“A confirmation email will be sent..” is shown.
Check your email. You should receive email from
onePortal™Trivore Identity Service in a few seconds.
Open the recovery email. You will notice it came from
onePortal™Trivore Identity Service. It is still recommended to verify the actual address and path on the email before continuing. The server address is
onePortal™Trivore Identity Service server address, and the path at the end has the form of “/resetPassword?
ns=namespacename&username=email@address&resetid=abcdef-1234-5678-001122334455”, where “email@address” is your username to onePortal™, and the long string after resetid is unique one-time stringdt=ABCDEFGHIJKLMNOP”. If you
by accidentreceive multiple recovery emails by accident, the latest one is the valid one.
- Select
Click on the link on the email. It will open on web browser. Alternatively, copy the link on email to clipboard and paste it to the address field of your web browser.
On the opened dialogue, your new password is asked. Enter it to field “New password” and select “Change password” to continue. It is also possible to select “Cancel” if you do not want to enter new password at this time. Remember, all passwords must obey the rules defined by Namespace Admin for length, complexity and other rules. If the new password does not obey all rules, an error dialogue is shown, and password is not changed.
After you have entered acceptable new password, you are able to go to the Sign in screen and sign in to
onePortal™Trivore Identity Service with the new password.
It is strongly recommended to verify the new password and ability to sign in immediately.
Password expiration
...
Tip: As per latest NIST SP 800-63-3 recommendation <https://pages.nist.gov/800-63-3/> on passwords from 22 June 2017, password expiration is no longer recommended. By default
...
Trivore Identity Service follows the latest recommendation revision.
Part of a traditional system and service usage life-cycle was the expiration of account passwords, and
...
Trivore Identity Service is not an exception if expiration has been enabled. Before the password actually expires, there is a warning shown about the expiring password. This warning is shown at sign-in when the following three are all true:
Current password has not yet expired.
Current password has not been changed recently, and 25 % or less of its life-time is left before it expires. “Full life-time” in this context is the maximum age of a password.
Current password has maximum of 15 days (360h) life-time left before it expires.
As an example, if maximum password age is 730 days, the expiration warning is first shown 15 days before the password actually expires until it is changed or it expires.
Password expiration usually happens at some time for all user accounts. What has to be done at this time, is to change the password to another one fulfilling all the rules for a new password (minimum length, uniqueness, complexity, etc.).
There are four different ways to change password.
While signed in, open Personal Menu and select Change password to initiate the most common method for the change.
This path is described above in section 4.3.2.While not signed in, use a special address
. That method is described above in section 7.2. This is the only method to change password for those who do not have permissions to sign in to
onePortal™Trivore Identity Service WebUI.
Wait until the “password expiring soon” notification shows up, select password change there. This method is effectively the same as step 1 above.
Wait until you can not sign in any more due to expired password. You are forced to change it. This method is effectively the same as step 2 above.
Until an expired password is changed in
...
Trivore Identity Service, sign in via LDAP is not possible.
Disabling WebUI sign in for all accounts in a namespace
There are special use cases of
...
Trivore Identity Service where accounts in a namespace do not need to be able to sign in on the web user interface. This is most often the case when
...
Trivore Identity Service is used for authenticating users for external services.
...
This can be achieved by removing all Contexts from the namespace settings. In this case if users try to sign in they only see an error message instead of successful sign-in.
Web browser-related sign in issues
It is possible the user web browser and
...
Trivore Identity Service web application are not always fully in sync. This is a rare situation which only happens for those users having multiple accounts to multiple namespaces on the same
...
Trivore Identity Service instance. The situation shows up in various minor ways. One example is seeing a private sign in URI sign in dialog for a namespace when the general sign in dialogue should be seen.
In case of this issue, please go to the
...
Trivore Identity Service web application home address, and add “?restartApplication” to the end of the URI, and select Enter to correct this situation.
Example: <https://id.oneportal.fi/?restartApplication>.
If this does not help, then the next option is to close the browser and reopen it, and possibly clear settings (cache and cookies) on the browser. Another option is to use browser private/incognito mode.