Reset a password

By default, if users forget the password they use to access Identity as a Service or an application, they must contact an account administrator to have it reset.

You can enable password reset to allow users to reset their password without contacting the administrator. When set, a Forgot your password? link appears on the login page. When a user clicks this link, the user is asked for their user name and second-factor credentials. If both are valid, the user is prompted to create a new password.

Password reset is supported when logging in to the following:

- Identity as a Service
- OIDC and OAuth applications
- SAML applications

Notes:
- Password reset cannot be performed when logging in to RADIUS or Entrust Identity Enterprise applications.
- Password reset is not available in the Entrust Identity app if the Soft Token PIN policy in IDaaS is set to false (disabled). See the PIN Required setting in Modify Entrust Soft Token (ST) authenticator settings.

Prerequisites

Configure the following settings of your Identity as a Service account to enable password reset:

- Enable password reset: See Enable password reset.
- Set Authentication Decisions: Set the first factor to password in the Resource Rule Authentication Decision settings (see Create and manage resource rules).
- Assign password reset groups to users: If you have configured the Password Reset Settings of your account to require users to be part of specific groups (see the instructions to ), assign those groups to users accordingly (see Add users to Identity as a Service).
- Assign required second-factor authenticators to users: If you have configured Additional second-factor to require users to use a second-factor authenticator before they can reset their password, assign at least one of the second-factor Authenticators Allowed to perform a Password Reset to those users (see Manage and assign user authenticators).

See the Identity as a Service User Help for assistance resetting your password when logging in to an application account.

Active Directory password reset

You can customize your account settings so that users can reset their Active Directory password. This is useful for users who need to complete password authentication but have forgotten the password assigned to them in Active Directory. See Enable password reset.

Requirements

Active Directory password reset only works under the following conditions:

- Your account is configured with an Identity as a Service gateway version 4.0 or higher.
- You are using Active Directory DS or Active Directory LDS with native users.
- The Identity as a Service directory configuration that syncs Active Directory users to your Identity as a Service account is configured with SSL and with an Active Directory administrator account that can reset passwords (the administrator is allowed to modify the following attributes: unicodePwd, lockoutTimeout, and pwdLastSet).
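To confirm the delegation described in the last condition, the following added PowerShell check (not from the Entrust documentation) lists which attributes the directory-sync account can write on one synced user object and flags the three required ones. The service account name, the sample user DN, and the mapping of the attribute this page calls lockoutTimeout to the schema attribute lockoutTime are assumptions.

```powershell
# Added example, not part of the Entrust documentation. Lists which attributes the
# IDaaS directory-sync account may write on one synced user and flags the three this
# page requires. Runs on a domain-joined host with the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-idaas-sync'                    # assumption: account used by the directory configuration
$SampleUserDn   = 'CN=Alice G,OU=Staff,DC=corp,DC=example'  # assumption: any user the directory configuration syncs
# Assumption: the attribute this page calls lockoutTimeout is the schema attribute lockoutTime.
$Required       = @('unicodePwd', 'lockoutTime', 'pwdLastSet')

# ACEs identify attributes by schemaIDGUID, so build a GUID -> lDAPDisplayName map once.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=attributeSchema)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }

# Keep only Allow ACEs granted directly to the service account that carry WriteProperty.
# Grants inherited through group membership are not resolved here; check those groups separately.
$acl       = Get-Acl -Path "AD:\$SampleUserDn"
$writeAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ServiceAccount -and
    ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) -ne 0
}

# Translate each ACE's ObjectType: the empty GUID means every property; otherwise one attribute.
# Property sets and extended rights (such as Reset Password, which also gates writes to
# unicodePwd) are not attributes and show up as 'other/<guid>'.
$writable = foreach ($ace in $writeAces) {
    $key = $ace.ObjectType.ToString()
    if ($ace.ObjectType -eq [guid]::Empty)  { '(all properties)' }
    elseif ($guidToName.ContainsKey($key))  { $guidToName[$key] }
    else                                    { "other/$key" }
}

foreach ($attr in $Required) {
    $ok = ($writable -contains '(all properties)') -or ($writable -contains $attr)
    '{0,-12} {1}' -f $attr, $(if ($ok) { 'writable' } else { 'NOT writable' })
}
# Anything beyond the three required attributes is broader write access than this
# feature needs and is worth reviewing under least privilege.
'Other writable entries: ' + (($writable | Where-Object { $_ -notin $Required } | Sort-Object -Unique) -join ', ')
```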

Limitations

- The Password Reset feature does not currently work with Active Directory LDS users synced from Active Directory DS. Entrust recommends using Identity as a Service groups to exclude Active Directory LDS synced users from the Password Reset feature. In the Password Reset Settings you can define which groups are allowed to use the Password Reset feature.
- The Minimum Lifetime (Minimum password age in Active Directory) is not enforced during a password reset.

Reset a password using a link

A password reset URL is available at /#/reset/<userID> where userID is optional.

For example, if the User ID is aliceg, then the password reset link would be mycorp.<region>.trustedauth.com/#/reset/aliceg

- If set, userID allows the user to skip entering their username and go directly into the password reset flow.
- If a user navigates directly to the reset URL while already logged in, the user is logged out and enters the password reset flow.
- If an invalid user ID is passed, an error message appears and the user is prompted to enter their username.
- If the user clicks Cancel while in the password reset flow, they are redirected to /#/reset.
- If, during the password reset flow, it is determined that the user is unable to reset their password, they are redirected to the login page.