Imprivata OneSign Self-Service Password Reset
Imprivata OneSign Self-Service Password Reset lets Imprivata OneSign users securely identify themselves and reset their primary password if they have forgotten their primary password or lost an authentication device.
Prerequisites
Enabling Self-Service Password Reset requires the following:
-
The Imprivata Directory (domain) is configured to use TLS. For more information, see Managing Domains (Directories).
-
The account that is used to synchronize with the directory must have Account Operator privileges (or higher) on the domain.
-
Your endpoints are configured to trust the appliance's SSL certificate. If the SSL certificate is not included in the endpoint's trusted certificate store, users see a certificate error and cannot reset their password.
-
If you want users to be able to view their application passwords, then a Single Sign-On license is required for each user to which the policy is assigned.
-
Using Imprivata ID as a second factor for self-service password reset requires the following:
-
Either the Imprivata OneSign user policy or the Confirm ID workflow policy is configured to allow Imprivata ID as an authentication factor.
-
Users have enrolled Imprivata ID.
-
The latest release of Imprivata ID.
-
NOTE: Self-Service Password Reset is not the same as the Password Manager detailed in The Imprivata OneSign Password Manager, which allows users to manage their application passwords from the Imprivata agent menu.
OneSign Self-Service Password Reset
If a user has forgotten their password, they can reset it by
-
Clicking Forgot password on the Imprivata login screen.
-
Directly accessing the self-service web application.
Resetting a password requires the user to authenticate by either:
-
Answering one or more security questions.
-
Answering one or more security questions and responding to an Imprivata ID push notification. When Imprivata ID is required as a second factor, the user is prompted to enter a 2-digit code on their phone.
Configuring OneSign Self-Service Password Reset
To configure Self-Service Password Reset:
-
Configure the system setting:
-
Go to the gear icon menu > Settings page.
-
Go to the Self-service section, and select Imprivata EAM self-service web app.
-
Go to the EAM self-service web app section, select either Security questions or Security questions and Imprivata ID.
-
Click Save.
-
-
Configure the user policy:
-
Click the Self-Service Password Reset tab, and then select Allow users to reset their primary authentication password.
-
Optional: Click View and modify security questions to delete default questions or to add new questions.
-
Click Save.
-
NOTE: The account lockout settings of the user policy (Authentication tab > Lockout section) control the lockout behavior for both self-service password reset and authentication through security questions (emergency access). If the policy is configured with both features, verify that the lockout settings meet your needs for both emergency access and self-service password reset.
Requiring Re-authentication after Password Reset
By default, a user is logged in after they change their password. Requiring re-authentication ensures that authentication is enforced after a successful password reset.
Select Require users to re-authenticate after resetting their password to prompt the user to re-authenticate using the authentication factors specified in their Imprivata OneSign user policy.
NOTE: This functionality does not apply to users that are using security questions (emergency access) if they have forgotten their credentials.
Publishing Access to the OneSign Self-Services Web Application
If you want to allow remote users to use Imprivata OneSign Self-Service Password Reset, then you can publish the Imprivata OneSign Self-Services web application via reverse SSL proxy. The following instructions are intended to provide a general overview of this functionality; your environment may require a different configuration.
Only allow HTTPS traffic to the following URLs and ports (the URLs are formatted as regular expressions). Do not allow POST or PUT requests to any URL other than the URL listed in the following table. For all other URLs, only allow GET requests.
The application startup URL is https://%ONESIGN_APPLIANCE_HOST_NAME%/sso/passwordhelp.
| URL | Protocol | Port | URL Query String Parameters | Methods |
|---|---|---|---|---|
| /sso/(passwordhelp|sslogin|ssauthenticate|ssenrollinit|ssenroll|sschallengeinit|sschallenge|ssresetinit|ssreset |ssacceptnumber|sscheckpush|ssenteriidtokeninit|ssenteriidtoken) | HTTPS | 80, 443 | Allow | GET, POST |
| /sso/js/(selfservice|common|dictionaryss|util/pngfix/mainSelfService)\.js | HTTPS | 80, 443 | Allow | GET |
| /sso/css/sspw/(sspw-common|sspw-ie6|sspw-non-ie6)\.css | HTTPS | 80, 443 | Reject | GET |
| /sso/servlet/ssimagedownload | HTTPS | 80, 443 | Reject | GET |
| /sso/images/sspw/[^/\\]+\.(png|jpg|ico) | HTTPS | 80, 443 | Reject |
GET |
| /sso/images/sswa/Background-Large.png | HTTPS | 80, 443 | Reject | GET |
| /sso/images/sswa/Imprivata_EAM_logo_blue%201.svg | HTTPS | 80, 443 | Reject | GET |
Load Balancing
Imprivata recommends that you maintain Imprivata appliance affinity for the duration of a user session, rather than proxying HTTPS traffic to only one Imprivata appliance for all users. A best practice for load balancing in a reverse SSL proxy environment is to proxy a particular Imprivata appliance, chosen at random, when the user session is created, and then to maintain that association for the duration of the user session.
Load Balancing
Imprivata recommends that you maintain Imprivata appliance affinity for the duration of a user session, rather than proxying HTTPS traffic to only one Imprivata appliance for all users. A best practice for load balancing in a reverse SSL proxy environment is to proxy a particular Imprivata appliance, chosen at random, when the user session is created, and then to maintain that association for the duration of the user session.
Security Questions and OneSign Self-Service Password Reset
Users enrolled in Imprivata OneSign Self-Service Password Reset for password management can:
-
Enter a new password upon successfully answering their security questions.
-
Request their application credentials (SSO only) — You can allow users to view a list of their Imprivata OneSign-enabled application passwords. For added security, you can require them to successfully answer one or more challenge questions first.
Prompting Users to Enroll Security Questions
Imprivata OneSign Self-Service Password Reset requires that users enroll security questions.
NOTE: For information on enrolling security questions for Imprivata Confirm ID workflows, see Enrolling Authentication Methods for Imprivata Confirm ID Workflows.
To enforce the enrollment of security questions when users log into Imprivata OneSign for the first time:
- In the Imprivata Admin Console, go to the Users menu > User Policies page to create or modify a user policy.
- Click the Self-Service Password/Imprivata PIN Reset tab.
- In the section Enroll options — Prompt to enroll security questions, select:
- Prompt and must enroll;
- Prompt and may delay enrolling; or
- Do not prompt to enroll (this is the default.)
- Enter the number of security questions that users in the policy must enroll.
- Enter the number of security questions that users in the policy must answer correctly to authenticate.
- Click Save.
The authentication questions are drawn randomly from the total entered at enrollment, so a user policy might specify six questions, and present three of the six questions when the user authenticates either to reset a primary authentication password or to request application credentials (Imprivata OneSign Single Sign-On only).
You can create new questions, as well. When you create new questions, you can make them mandatory. Mandatory questions are always presented.
Users who are in a user policy configured for Self-Service Password Reset are prompted to enroll the next time they authenticate to OneSign.
Even if you select Do not prompt to enroll, the Imprivata enrollment utility always appears after login if the user has only password enrolled.
Users can defer enrolling in Imprivata OneSign password self-service. You can set a Self-Enrollment Declined notification to notify you whenever any user or a specific user declines to enroll in password self-service. The procedure for this and all other notifications is detailed in Configuring Event Notifications.
You can edit the password self-service questions, including adding and deleting questions to suit the needs of your organization.
Modifying Self-Service Password Reset Questions
You can access the list of security questions in the following ways:
From the user policy:
-
Go to the Self-Service Password/Imprivata PIN Reset tab > Reset options section, and click View and modify security questions.
-
Go to the Authentication tab > Primary factors section. If emergency access is enabled, click View and modify security questions.
-
Go to the Authentication tab > Authentication method options section, and click View and modify security questions.
From the Settings page:
-
Go to the gear icon menu > Settings page.
-
Go to the EAM self-service web app section, and click Modify security questions.
Languages
The Self-Service Password Reset feature supports the language setting from the user's browser.
If the browser is set to Brazilian Portuguese, Danish, Dutch, Finnish, English, French, Italian, German, Spanish, or Swedish, the Self Service Password Help feature will display in that language. If any other language is selected as the default language in the browser, the Self Service Password feature will display in English. For information on languages available for the Imprivata agent, see About the Imprivata Agent.
Technical Considerations
Imprivata OneSign self-service password management requires a secure SSL connection to the user directory.
When the user interacts with Imprivata OneSign during enrollment and all subsequent logons to a Imprivata OneSign-enabled workstation and/or the Imprivata OneSign Self-Services home page, and if the user’s Microsoft Active Directory (AD) password is authenticated from LDAP, then the password is stored in the Imprivata OneSign database.
The AD password and challenge/response answers, like all of Imprivata OneSign’s data, are stored in an encrypted Oracle database on the appliance. When the user answers the challenge questions, the Imprivata appliance will authenticate the user’s responses against the answers captured during enrollment.
When the user correctly answers the challenge questions, Imprivata OneSign Self-Services will verify if the user account is locked. If the account is locked, then Imprivata OneSign will unlock the account in AD.
When a user accesses Self-Service Password Reset to change their password, Imprivata OneSign resets the user's AD password to a temporary password of randomly generated characters. This first password change is done using the privileged Imprivata service account in case the user's account has been locked. The privileged service account has the ability to reset an expired account, and will do so as part of the password change.
When the user types in a new password, the Imprivata appliance uses the now-cached temporary password of randomly generated characters to submit the password change using the end user's account (instead of the privileged service account). The reason this happens is to ensure the new password entered conforms to the AD complexity rules set for the user.
Because of this, use of Self-Service Password Reset requires that the domain's Computer Configuration > Windows Settings > Security Settings > Account Policies >“Minimum password age” policy is set to zero days, otherwise the password change will fail with a “password not meeting complexity” error.
Self-Service Password Reset logic has two paths for changing passwords:
- When Imprivata OneSign has a valid stored AD password and the user account is not locked in AD, then Imprivata OneSign will use the user’s credentials to initiate a password change in AD. The user will then be prompted to enter the new password.
- Imprivata OneSign changes the password in AD to a temporary strong password that it subsequently enters into the password change dialog for the user where the user may enter a new password. This is all automated for the user and the user will only see the password change dialog.
Keep in mind the following various reasons for a user not being able to login to the domain:
- The user’s stored password in Imprivata OneSign is not valid. This could be for a number of reasons, such as:
-
- The user changed his password on a non-Imprivata OneSign enabled workstation.
- The help desk changed the password to a temporary password.
- The user account is locked because the user has attempted the wrong password too many times and AD policy has locked the account.
-
NOTE: This is different than if an account is disabled in AD. A disabled account will require intervention from the help desk.
- The user account is restricted by time of day policies in AD. Imprivata OneSign does not do anything to change this or allow access.
Self-Service Password Reset works using Microsoft APIs and proprietary functionality built by Imprivata and does not require an agent to be installed on the AD controller.
