NOTE: Trivore ID Documentation has moved to https://trivoreid.com


Permalink: https://doc.oneportal.fi/x/FoEW


This chapter covers a few tasks which are not part of the daily routine, but which are important and deserve to be covered.

Using only the LDAP Server in onePortal™ (WebUI is only used to change/recover password)

This is a special use case. These organisations only use onePortal™ as their primary master data for user accounts, and no other onePortal™ functionality. They have also normally integrated several external services and applications to authenticate user accounts from onePortal™ LDAP Server.

As the master data is in onePortal™ and LDAP is read-only, the user account password must be changed in onePortal™ WebUI. To make this task easy, the onePortal™ sign in view has a special link in it to do just this password change.

Please note, not all external applications and services check for password expiration when they do LDAP authentication. This might cause some surprises and service or support cases. It is thus important to instruct users to go to the onePortal™ WebUI in those cases and verify they can sign in there. If the password has expired, they will be asked for a new password, and this will resolve the sign in issue.

A good mitigation to password expiration is not to expire passwords at all. That is actually the current best practice and recommendation.

Change password without signing in to onePortal™

This is a special task most often related to LDAP-only use case described above, but can be used for other circumstances, too.

This process only works for changing passwords. If your 2FA is currently not functioning (TOTP or SMS), please contact your organisation's Account Admin for further assistance.

Password change is launched by replacing “/ui” with “/changePassword” in the normal Sign in address. There are also other options which can be embedded in the address: “?ns=namespacename” and “?username=email@address”. Here “namespacename” refers to the actual name of the namespace in question. The table below should help with all of the options related to this task.

  1. General direct address to start the password change process. Username, current password, and namespace code are asked to change the password.
     Example address: https://oneportal.trivore.com/changePassword

  2. Direct address to start the password change process. Username and current password are asked to change the password. The example address is for organisation “namespacename”.
     Example address: https://oneportal.trivore.com/changePassword?ns=namespacename

  3. Direct address to start the password change process. Current password only is asked to change the password. The example address is for organisation “namespacename” with sign in username “email@address”.
     Example address: https://oneportal.trivore.com/changePassword?ns=namespacename&username=email@address

  4. Direct address to start the password change process. Current password and namespace code are asked to change the password. The example address is for sign in username “email@address”.
     Example address: https://oneportal.trivore.com/changePassword?username=email@address

  5. Direct address to start the password change process. Current password only is asked to change the password. The example address is for namespace code “company1” with sign in username “administrator”. Locale and UI language are also enforced to be English.
     Example address: https://oneportal.trivore.com/changePassword?ns=company1&username=administrator&locale=en

Table 7.1: Assistive table with different options for the password change task (columns: #, task in detail, example address).

This method of password changing is designed and implemented to be unbranded and compatible with iframes, so it is possible to embed it in other websites rather easily.

Below, the password change process is shown in a few pictures. This process is for the general direct address use case described in the table above as the first example.

To be able to change password, you are required to enter all current credentials.

An error message is shown if the credentials are entered wrong.

After a certain number of wrong passwords, the user account will be locked. Details on this vary between organisations, so please consult your administrator for those details.

Note: even if the name of the namespace is required when changing the password, that information does not need to come from the user wanting to change the password. Defining the value of the namespace in the URL is a handy method for showing the user a view that does not ask for namespace information.

Example URL: <https://oneportal.trivore.com/changePassword?ns=namespacename>

Pro Tip: See the URL examples in the table above.

It is strongly recommended, and even mandatory in some organisations, to have a second factor for stronger authentication. The second factor might be either a proper strong TOTP, or a weaker SMS (text message) OTP PIN. The SMS 2FA is shown here as an example.

Enter the code you received at the mobile number defined in your user account data. The code might be numbers, text, or both.

After proper authentication, you may enter the new password. You only need to enter it once. For convenience, you may reveal it to verify you entered it right.

It is recommended to use a password manager program such as KeePass with very long random passwords. Those will protect your account well.

If the password you enter does not obey the defined rules, you may see an error message in a red box like the one on the left.

Password recovery, a.k.a. forgotten password

Password self-recovery is normally enabled for a namespace, but it is possible for a Namespace Admin to disable it. It is also possible to disable it for only some user accounts. Self-recovery is normally disabled for special service-like user accounts, and enabled for all others.

This recovery process only works for forgotten passwords. If your 2FA is currently not functioning (TOTP or SMS), please contact your organisation Account Admin for further assistance.

This method of password recovery is designed and implemented to be unbranded and compatible with iframes, so it is possible to embed it in other websites rather easily.

There are two ways to launch password recovery:

  1. From the Sign in screen by selecting the link “Password forgotten?”. This is the normal interactive way. The user is expected to enter the sign in username and namespace code to continue with the process.

  2. By directly going to the recovery address. This recovery address is the onePortal™ Appliance address with “/resetPassword” added to the end. For example if onePortal™ Appliance address is “https://oneportal.trivore.com”, the Password recovery address is “https://oneportal.trivore.com/resetPassword”. At the end of “/resetPassword”, it is possible to embed information on the namespace and user account for which this recovery process will take place.

        • Always add “?” between the address and first additional parameter.

        • If you will add more than one parameter, separate the parameters with “&”. See examples to learn more.

        • Add “ns=namespace1” to the end as a parameter to start the recovery process for the organisation with code “namespace1”. A namespace code is always all lower case and has no spaces. If embedding the recovery WebUI in another website, it is generally recommended to add the namespace information to the called URI.

        • Add “username=email@address” to the end to start recovery process for user account with sign in username “email@address”.

        • Add “locale=en” to enforce using English as the language.

Example URI would be <https://oneportal.trivore.com/resetPassword?ns=namespace1&username=myuserid&locale=en>.
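The address rules above (and those in Table 7.1 for “/changePassword”) can be expressed in a few lines. This is an added example, not onePortal™ code: it builds the documented direct addresses and, for step 5 of the recovery procedure below, checks that a link from a recovery email points at the expected onePortal™ host with the documented path and parameters before it is followed. The host names and the wrong-host sample are constructed.

```python
"""Build onePortal(TM) password links and check recovery links.

Added example; only the address forms documented on this page are assumed:
/changePassword and /resetPassword with ns, username, locale and resetid.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

ENDPOINTS = {"change": "/changePassword", "recover": "/resetPassword"}


def build_link(base, task, ns=None, username=None, locale=None):
    """Return a direct change ('change') or recovery ('recover') address.

    Only the parameters given are appended: the first after '?', the rest
    separated by '&'. '@' is kept literal so emails look like the examples.
    """
    if ns is not None and (ns != ns.lower() or " " in ns):
        # Namespace codes are always lower case without spaces.
        raise ValueError("namespace code must be lower case without spaces")
    pairs = (("ns", ns), ("username", username), ("locale", locale))
    params = {k: v for k, v in pairs if v is not None}
    url = base.rstrip("/") + ENDPOINTS[task]
    return url + ("?" + urlencode(params, safe="@") if params else "")


def check_recovery_link(url, expected_host):
    """Verify a recovery-email link before following it (step 5 below).

    Returns (ns, username, resetid) when the link uses https, points at
    expected_host, has the documented /resetPassword path and carries each
    parameter exactly once; returns None for anything else, so a link to
    another host or with a tampered path is rejected instead of opened.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != expected_host.lower():
        return None
    if parts.path != ENDPOINTS["recover"]:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    values = []
    for key in ("ns", "username", "resetid"):
        if len(query.get(key, [])) != 1 or not query[key][0]:
            return None
        values.append(query[key][0])
    return tuple(values)
```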

Both methods above launch the same recovery process. The password recovery is visually and technically designed to work properly on small screen devices, and to be embeddable into another website or mobile application.

Follow the next steps to execute this recovery task:

  1. Type in your username as you would when signing in normally. Select “Continue” to proceed. Depending on how the recovery process WebUI was called, some data might already be present in the fields. If you enter your basic information incorrectly, you will get an error message “Entered username or namespace is unknown. Please correct your entry, and retry.”

  2. If 2FA has been enabled for the user account, a dialogue to fill in appropriate verification code is shown. For TOTP, open your Authenticator application, and for SMS OTP PIN, open your mobile phone. Type in the code, and select “Continue”.

  3. In the next phase, onePortal™ sends a password recovery email. A notification with the text “An email has been sent..” is shown.

  4. Check your email. You should receive an email from onePortal™ in a few seconds.

  5. Open the recovery email. You will notice it came from onePortal™. It is still recommended to verify the actual address and path in the email before continuing. The server address is the onePortal™ server address, and the path at the end has the form “/resetPassword?ns=namespacename&username=email@address&resetid=abcdef-1234-5678-001122334455”, where “email@address” is your username in onePortal™, and the long string after resetid is a unique one-time string. If you accidentally receive multiple recovery emails, the latest one is the valid one.

  6. Select the link in the email. It will open in a web browser. Alternatively, copy the link in the email to the clipboard and paste it into the address field of your web browser.

  7. On the opened dialogue, your new password is asked. Enter it to field “New password” and select “Change password” to continue. It is also possible to select “Cancel” if you do not want to enter new password at this time. Remember, all passwords must obey the rules defined by Namespace Admin for length, complexity and other rules. If the new password does not obey all rules, an error dialogue is shown, and password is not changed.

  8. After you have entered an acceptable new password, you are able to go to the Sign in screen and sign in to onePortal™ with the new password.

  9. It is strongly recommended to verify the new password and ability to sign in immediately.

Password expiration

Pro tip: As per latest NIST SP 800-63-3 recommendation <https://pages.nist.gov/800-63-3/> on passwords from 22 June 2017, password expiration is no longer recommended. By default onePortal™ follows the latest recommendation revision.

Part of a traditional system and service usage life-cycle was the expiration of account passwords, and onePortal™ is not an exception if expiration has been enabled. Before the password actually expires, there is a warning shown about the expiring password. This warning is shown at sign-in when the following three are all true:

  1. Current password has not yet expired.

  2. Current password has not been changed recently, and 25 % or less of its life-time is left before it expires. “Full life-time” in this context is the maximum age of a password.

  3. Current password has maximum of 15 days (360h) life-time left before it expires.

As an example, if maximum password age is 730 days, the expiration warning is first shown 15 days before the password actually expires until it is changed or it expires.
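The three conditions above combine into a single predicate, worked through here as an added example (not onePortal™ code): the warning window is the smaller of 25 % of the maximum age and 15 days, and the 730-day case from the text is checked alongside a short 30-day maximum age, where the 25 % rule is the tighter one. The function names and the change timestamps are assumptions.

```python
"""Password expiration warning as documented for onePortal(TM) sign-in.

Added example, not onePortal(TM) code. The three documented conditions are:
  1. the password has not yet expired;
  2. at most 25 % of its full life-time (the maximum password age) is left;
  3. at most 15 days (360 h) are left before it expires.
"""
from datetime import datetime, timedelta

MAX_WARNING_WINDOW = timedelta(hours=360)  # 15 days


def warning_starts_at(changed_at, max_age):
    """First moment the warning appears: expiry minus min(25 %, 15 days)."""
    return changed_at + max_age - min(max_age / 4, MAX_WARNING_WINDOW)


def warn_password_expiring(changed_at, max_age, now):
    """Return True when the sign-in warning must be shown at time `now`."""
    remaining = changed_at + max_age - now
    if remaining <= timedelta(0):
        return False  # condition 1 fails: expired, the change is forced instead
    # Conditions 2 and 3: both fractions of life-time must be within bounds.
    return remaining <= max_age / 4 and remaining <= MAX_WARNING_WINDOW


if __name__ == "__main__":
    changed = datetime(2024, 1, 1)          # assumed last change (constructed)
    for days in (730, 30):
        age = timedelta(days=days)
        print(f"max age {days:3d} d: warning from {warning_starts_at(changed, age)}")
```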

Password expiration usually happens at some time for all user accounts. What has to be done at this time, is to change the password to another one fulfilling all the rules for a new password (minimum length, uniqueness, complexity, etc.).

There are four different ways to change password.

  1. While signed in, open Personal Menu and select Change password to initiate the most common method for the change. This path is described above in section 4.3.2.

  2. While not signed in, use a special address. That method is described above in section 7.2. This is the only method to change password for those who do not have permissions to sign in to onePortal™ WebUI.

  3. Wait until the “password expiring soon” notification shows up, select password change there. This method is effectively the same as step 1 above.

  4. Wait until you cannot sign in any more due to an expired password. You are forced to change it. This method is effectively the same as step 2 above.

Until an expired password is changed in onePortal™, sign in via LDAP is not possible.

Disabling WebUI sign in for all accounts in a namespace

There are special use cases of onePortal™ where accounts in a namespace do not need to be able to sign in on the web user interface. This is most often the case when onePortal™ is used for authenticating users for external services. The LDAP use case explained in section 7.1 above falls into this category. This can be achieved by removing all Contexts from the namespace settings. In this case, if users try to sign in, they only see an error message instead of a successful sign-in.

Web browser-related sign in issues

It is possible that the user's web browser and the onePortal™ web application are not always fully in sync. This is a rare situation which only happens for those users having multiple accounts in multiple namespaces on the same onePortal™ instance. The situation shows up in various minor ways. One example is seeing the sign in dialogue of a namespace's private sign in URI when the general sign in dialogue should be seen.

In case of this issue, please go to the onePortal™ web application home address, add “?restartApplication” to the end of the URI, and press Enter to correct the situation.

Example: <https://id.oneportal.fi/?restartApplication>.

If this does not help, then the next option is to close the browser and reopen it, and possibly clear settings (cache and cookies) on the browser. Another option is to use browser private/incognito mode.

