
Custom workflow - email user random generated password

Hello guys,

I have just recently installed One Identity Password Manager version 5.7.0.1525 in our test environment. We see that the existing workflows cannot apply to our situation, and we need to create a new simple custom workflow. We are looking for a self-service portal for our users where they can simply reset their password.

The workflow should consist of a user searching for his AD user and then choosing the custom "Password email reset" workflow; a randomly generated password is set on the user account in AD (in addition, "User must change password at next logon" is checked), and an email is sent to the user with the password.

The best would be to email the user a link which he then accesses and uses to set a new password - like the way Facebook, Gmail, etc. do it. Is this possible? :)

Best regards

Bilal

  • Hello Bilal,

    There are a few problems which I see with this request, from a security standpoint.

    First, emailing a password is not a secure method. The services which allow you to reset your own password, like Facebook and Google, always send a link to a secure portal. The URL which is sent contains a single-use, time-sensitive token which allows you to authenticate for the purposes of resetting your password. This is generally accepted as a secure method.

    Second, how is the User going to access their email account, if their Active Directory account is locked out and it uses the same password?

    Password Manager has the access to reset the User's password directly. Once the User is registered, they can trigger that operation themselves. This is much simpler to implement than a secure portal which tracks single-use tokens, which also would have to tie into an external email system.
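The reply above describes the link-based flow as a token that is random, single-use and time-limited. The following is an added illustration, not code from the thread or from One Identity Password Manager, showing the server-side half of that flow: the portal issues a token, emails a link carrying it, stores only a hash of it, and accepts it exactly once before it expires. The class and function names, the 15-minute window and the portal URL are assumptions made for the example.

```python
"""Single-use, time-limited password-reset tokens (added example).

Models the flow the reply describes: instead of emailing the new password,
the service emails a link carrying a random token. Redeeming the token proves
control of the mailbox and opens a one-time window to set a new password.
ResetTokenStore, issue(), redeem() and the portal URL are hypothetical names.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class _Pending:
    user: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Server-side record of outstanding reset tokens.

    Only the SHA-256 digest of each token is kept, so a copy of this store
    does not hand out usable reset links.
    """

    def __init__(self, ttl_seconds: int = 900,
                 portal_url: str = "https://reset.example.invalid/reset"):
        self.ttl = ttl_seconds        # validity window; 15 minutes is an assumption
        self.portal_url = portal_url  # hypothetical self-service portal
        self._pending: Dict[bytes, _Pending] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a fresh token for `user` and return the link to email."""
        now = time.time() if now is None else now
        # Any earlier link for this user stops working; only the newest counts.
        for rec in self._pending.values():
            if rec.user == user:
                rec.used = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = _Pending(user, now + self.ttl)
        return f"{self.portal_url}?token={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user a token belongs to, or None if it is not valid.

        A token is accepted at most once and only before it expires. Unknown,
        expired and already-used tokens all get the same None so the portal
        does not reveal which case applied.
        """
        now = time.time() if now is None else now
        digest = self._digest(token)
        rec = None
        # Constant-time comparison against each stored digest avoids a timing
        # side channel on the lookup.
        for stored, candidate in self._pending.items():
            if hmac.compare_digest(stored, digest):
                rec = candidate
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True  # burn it before the password change is attempted
        return rec.user


def token_from_link(link: str) -> str:
    """Pull the token query parameter out of the emailed link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    store = ResetTokenStore()
    link = store.issue("bilal")
    print("email this link:", link)
    print("first redeem :", store.redeem(token_from_link(link)))
    print("second redeem:", store.redeem(token_from_link(link)))
```

Once `redeem` returns a user, the portal lets that user set a new password over the authenticated session; the password itself never travels through email, which is the point of the reply. The reply's second objection still stands for this design: the link only helps a user who can reach a mailbox that is not locked behind the same credential.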