Imprivata Self-Service Password Reset
The Imprivata Enterprise Access Management self-service web application lets users securely identify themselves and reset their primary password if they have forgotten their primary password or lost an authentication device.
Prerequisites
Enabling Imprivata Self-Service Password Reset (SSPR) requires the following:
- The Imprivata Directory (domain) is configured to use TLS. For more information, see Managing Domains (Directories).
- The account that is used to synchronize with the directory must have Account Operator privileges (or higher) on the domain.
- Your endpoints are configured to trust the appliance's SSL certificate. If the SSL certificate is not included in the endpoint's trusted certificate store, users see a certificate error and cannot reset their password.
- If you want users to be able to view their application passwords, then a Single Sign-On license is required for each user to which the policy is assigned.
- Using Imprivata ID as a second factor for self-service password reset requires the following:
  - Either the SSO user policy or the MFA workflow policy is configured to allow Imprivata ID as an authentication factor.
  - Users have enrolled Imprivata ID.
  - The latest release of Imprivata ID.

NOTE: Using Imprivata self-service for password reset is not the same as the Password Manager detailed in The Imprivata Password Manager, which allows users to manage their application passwords from the Imprivata agent menu.
Imprivata Self-Service Password Reset
If a user has forgotten their password, they can reset it by:
- Clicking Forgot password on the Imprivata login screen.
- Directly accessing the self-service web application.
Resetting a password requires the user to authenticate by either:
- Answering one or more security questions.
- Answering one or more security questions and responding to an Imprivata ID push notification. When Imprivata ID is required as a second factor, the user is prompted to enter a 2-digit code on their phone.

To configure the Imprivata self-service web application for SSPR:
- Configure the system setting:
  - Go to the gear icon menu > Settings page.
  - Go to the Self-service section, and select Imprivata EAM self-service web app.
  - Go to the EAM self-service web app section, and select either Security questions or Security questions and Imprivata ID.
  - Click Save.
- Configure the user policy:
  - Click the Self-Service Password Reset tab, and then select Allow users to reset their primary authentication password.
  - Optional: Click View and modify security questions to delete default questions or to add new questions.
  - Click Save.

NOTE: The account lockout settings of the user policy (Authentication tab > Lockout section) control the lockout behavior for both self-service password reset and authentication through security questions (emergency access). If the policy is configured with both features, verify that the lockout settings meet your needs for both emergency access and self-service password reset.

By default, a user is logged in automatically after they change their password. Requiring re-authentication ensures that the user's normal authentication factors are enforced after a successful password reset.
Select Require users to re-authenticate after resetting their password to prompt the user to re-authenticate using the authentication factors specified in their EAM user policy.
NOTE: This functionality does not apply to users that are using security questions (emergency access) if they have forgotten their credentials.

If you want to allow remote users to use Imprivata self-service, you can publish the Imprivata self-service web application through a reverse SSL proxy. The following instructions are intended to provide a general overview of this functionality; your environment may require a different configuration.
Only allow HTTPS traffic to the following URLs and ports (the URLs are formatted as regular expressions). Do not allow POST or PUT requests to any URL other than the first URL in the following table (the only entry whose Methods column includes POST). For all other URLs, only allow GET requests.
The application startup URL is https://%ONESIGN_APPLIANCE_HOST_NAME%/sso/passwordhelp.
URL | Protocol | Port | URL Query String Parameters | Methods |
---|---|---|---|---|
/sso/(passwordhelp|sslogin|ssauthenticate|ssenrollinit|ssenroll|sschallengeinit|sschallenge|ssresetinit|ssreset|ssacceptnumber|sscheckpush|ssenteriidtokeninit|ssenteriidtoken) | HTTPS | 80, 443 | Allow | GET, POST |
/sso/js/(selfservice|common|dictionaryss|util/pngfix/mainSelfService)\.js | HTTPS | 80, 443 | Allow | GET |
/sso/css/sspw/(sspw-common|sspw-ie6|sspw-non-ie6)\.css | HTTPS | 80, 443 | Reject | GET |
/sso/servlet/ssimagedownload | HTTPS | 80, 443 | Reject | GET |
/sso/images/sspw/[^/\\]+\.(png|jpg|ico) | HTTPS | 80, 443 | Reject | GET |
/sso/images/sswa/Background-Large.png | HTTPS | 80, 443 | Reject | GET |
/sso/images/sswa/Imprivata_EAM_logo_blue%201.svg | HTTPS | 80, 443 | Reject | GET |
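The table above is a policy, and a reverse proxy that is supposed to enforce it should be checked against it before it goes live. The following is an added example (not Imprivata's code and not a proxy configuration) that transcribes the table into a small Python evaluator: it refuses anything that is not HTTPS on a published port, matches the normalised path against each row as a full regular expression, and then applies the row's method and query-string rules. The hostname `appliance.example.com` and the sample requests are constructed; the two literal dots in the last two table rows are escaped here so they match only a literal dot.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Allowlist transcribed from the reverse-proxy table above.
# Each rule: (path pattern matched as a whole, query string allowed?, permitted methods).
# "Allow"/"Reject" in the "URL Query String Parameters" column becomes True/False here.
RULES = [
    (r"/sso/(passwordhelp|sslogin|ssauthenticate|ssenrollinit|ssenroll|sschallengeinit|"
     r"sschallenge|ssresetinit|ssreset|ssacceptnumber|sscheckpush|ssenteriidtokeninit|ssenteriidtoken)",
     True, {"GET", "POST"}),
    (r"/sso/js/(selfservice|common|dictionaryss|util/pngfix/mainSelfService)\.js", True, {"GET"}),
    (r"/sso/css/sspw/(sspw-common|sspw-ie6|sspw-non-ie6)\.css", False, {"GET"}),
    (r"/sso/servlet/ssimagedownload", False, {"GET"}),
    (r"/sso/images/sspw/[^/\\]+\.(png|jpg|ico)", False, {"GET"}),
    (r"/sso/images/sswa/Background-Large\.png", False, {"GET"}),
    (r"/sso/images/sswa/Imprivata_EAM_logo_blue%201\.svg", False, {"GET"}),
]
COMPILED = [(re.compile(pattern), query_ok, methods) for pattern, query_ok, methods in RULES]
PUBLISHED_PORTS = (None, 80, 443)   # None = the scheme's default port


def decide(method: str, url: str) -> tuple[str, str]:
    """Return ("allow", reason) or ("deny", reason) for one proxied request."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return ("deny", "only HTTPS is published")
    if parts.port not in PUBLISHED_PORTS:
        return ("deny", "port not published")
    # Normalise before matching so dot-segments cannot slip past the patterns.
    path = posixpath.normpath(parts.path)
    for regex, query_ok, methods in COMPILED:
        if regex.fullmatch(path):
            if method.upper() not in methods:
                return ("deny", "method not permitted for this URL")
            if parts.query and not query_ok:
                return ("deny", "query string not permitted for this URL")
            return ("allow", "matched allowlist")
    return ("deny", "URL not on allowlist")


# Constructed sample requests (hostname and paths invented for this example).
SAMPLE_REQUESTS = [
    ("GET",  "https://appliance.example.com/sso/passwordhelp"),
    ("POST", "https://appliance.example.com/sso/ssreset?session=abc"),
    ("POST", "https://appliance.example.com/sso/js/selfservice.js"),
    ("GET",  "https://appliance.example.com/sso/css/sspw/sspw-common.css?v=2"),
    ("GET",  "https://appliance.example.com/sso/images/sspw/../../admin"),
    ("PUT",  "https://appliance.example.com/sso/passwordhelp"),
    ("GET",  "http://appliance.example.com/sso/passwordhelp"),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Evaluate a batch of (method, url) pairs; returns (method, url, verdict, reason) rows."""
    return [(method, url, *decide(method, url)) for method, url in requests]


if __name__ == "__main__":
    for method, url, verdict, reason in evaluate_all():
        print(f"{verdict:5} {method:4} {url}  ({reason})")
```

Feeding the evaluator the access log of a staging proxy is a quick way to confirm that every request the proxy let through would also have passed the table, and that requests it should have blocked (a POST to a static asset, a query string on a CSS file, a path that only matches after normalisation) were in fact denied.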
Load Balancing
Imprivata recommends that you maintain Imprivata appliance affinity for the duration of a user session, rather than proxying HTTPS traffic to only one Imprivata appliance for all users. A best practice for load balancing in a reverse SSL proxy environment is to proxy a particular Imprivata appliance, chosen at random, when the user session is created, and then to maintain that association for the duration of the user session.
Security Questions and Imprivata Self-Service
Users enrolled in Imprivata self-service for password management can:
- Enter a new password upon successfully answering their security questions.
- Request their application credentials (SSO only) — You can allow users to view a list of their Imprivata-enabled application passwords. For added security, you can require them to successfully answer one or more challenge questions first.

Imprivata self-service for password management requires that users enroll security questions.
NOTE: For information on enrolling security questions for MFA workflows, see Enrolling Authentication Methods for MFA Workflows.
To enforce the enrollment of security questions when users log into Imprivata Enterprise Access Management for the first time:
- In the Imprivata Admin Console, go to the Users menu > User Policies page to create or modify a user policy.
- Click the Self-Service Password/Imprivata PIN Reset tab.
- In the Enroll options section, for Prompt to enroll security questions, select one of:
  - Prompt and must enroll;
  - Prompt and may delay enrolling; or
  - Do not prompt to enroll (this is the default).
- Enter the number of security questions that users in the policy must enroll.
- Enter the number of security questions that users in the policy must answer correctly to authenticate.
- Click Save.
The authentication questions are drawn randomly from the total entered at enrollment. For example, a user policy might require six enrolled questions and present three of the six when the user authenticates, either to reset a primary authentication password or to request application credentials (Single Sign-On only).
You can create new questions, as well. When you create new questions, you can make them mandatory. Mandatory questions are always presented.
Users who are in a user policy configured for Self-Service Password Reset are prompted to enroll the next time they authenticate to Imprivata Enterprise Access Management.
Even if you select Do not prompt to enroll, the Imprivata enrollment utility always appears after login if the user has only a password enrolled.
Users can defer enrolling in Imprivata password self-service. You can set a Self-Enrollment Declined notification to notify you whenever any user or a specific user declines to enroll in password self-service. The procedure for this and all other notifications is detailed in Configuring Event Notifications.
You can edit the password self-service questions, including adding and deleting questions to suit the needs of your organization.
Modifying Self-Service Password Reset Questions
You can access the list of security questions in the following ways:
From the user policy:
- Go to the Self-Service Password/Imprivata PIN Reset tab > Reset options section, and click View and modify security questions.
- Go to the Authentication tab > Primary factors section. If emergency access is enabled, click View and modify security questions.
- Go to the Authentication tab > Authentication method options section, and click View and modify security questions.
From the Settings page:
- Go to the gear icon menu > Settings page.
- Go to the EAM self-service web app section, and click Modify security questions.

Imprivata self-service supports the language setting from the user's browser.
If the browser is set to Brazilian Portuguese, Danish, Dutch, Finnish, English, French, Italian, German, Spanish, or Swedish, the Self Service Password Help feature will display in that language. If any other language is selected as the default language in the browser, the Self Service Password feature displays in English. For information on languages available for the Imprivata agent, see About the Imprivata Agent.

Imprivata self-service password management requires a secure SSL connection to the user directory.
During enrollment, and on every subsequent logon to an Imprivata-enabled workstation or to the Imprivata Self-Services home page, if the user's Microsoft Active Directory (AD) password is authenticated against LDAP, the password is stored in the Imprivata database.
The AD password and challenge/response answers, like all Imprivata Enterprise Access Management data, are stored in an encrypted Oracle database on the appliance. When the user answers the challenge questions, the Imprivata appliance authenticates the user's responses against the answers captured during enrollment.
When the user correctly answers the challenge questions, Imprivata Self-Services checks whether the user account is locked. If the account is locked, Imprivata Enterprise Access Management unlocks the account in AD.
When a user accesses Imprivata self-service to change their password, Imprivata Enterprise Access Management first resets the user's AD password to a temporary password of randomly generated characters. This first password change is made with the privileged Imprivata service account, in case the user's account has been locked. The privileged service account is able to reset an expired account and does so as part of the password change.
When the user types in a new password, the Imprivata appliance uses the now-cached temporary password to submit the password change under the end user's own account (rather than the privileged service account). This is done so that the new password is checked against the AD complexity rules that apply to the user.
Because of this, using Imprivata self-service for password management requires that the domain's Computer Configuration > Windows Settings > Security Settings > Account Policies > “Minimum password age” policy is set to zero days; otherwise the password change fails with a “password not meeting complexity” error.
Imprivata self-service has two paths for changing passwords:
- When Imprivata Enterprise Access Management has a valid stored AD password and the user account is not locked in AD, Imprivata Enterprise Access Management uses the user's credentials to initiate a password change in AD. The user is then prompted to enter the new password.
- Otherwise, Imprivata Enterprise Access Management changes the password in AD to a temporary strong password, which it then enters into the password change dialog for the user, where the user may enter a new password. This is fully automated for the user, who only sees the password change dialog.
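The two-step change described above (a privileged reset to a random temporary password, then a change made as the user so that the user's own AD rules apply) is modelled in the following added example. It is not Imprivata's code: the directory, its complexity rule and the account data are all constructed, and the model reports which policy check refused the change, whereas the real error surfaces as the complexity error noted earlier. It shows the lockout being cleared by the privileged step, the chosen password being checked in the user's context, and the failure that results when “Minimum password age” is not zero, because the temporary password was set only moments before.

```python
import re
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Stand-in for the AD complexity rule: 8+ characters with upper, lower, digit and symbol (constructed).
COMPLEXITY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s]).{8,}$")


class PasswordChangeRefused(Exception):
    """Raised when the directory refuses a user-context password change."""


@dataclass
class Account:
    password: str
    last_set: datetime
    locked: bool = False


@dataclass
class Directory:
    """Toy model of a domain that enforces minimum password age and complexity (constructed)."""
    min_password_age: timedelta
    accounts: dict = field(default_factory=dict)

    def admin_reset(self, user: str, new_password: str, now: datetime) -> None:
        """Reset by a privileged service account: bypasses minimum age and clears a lockout."""
        acct = self.accounts[user]
        acct.password, acct.last_set, acct.locked = new_password, now, False

    def user_change(self, user: str, old_password: str, new_password: str, now: datetime) -> None:
        """Change made as the user: subject to the user's own policy checks."""
        acct = self.accounts[user]
        if acct.locked:
            raise PasswordChangeRefused("account is locked")
        if old_password != acct.password:
            raise PasswordChangeRefused("current password incorrect")
        if now - acct.last_set < self.min_password_age:
            raise PasswordChangeRefused("minimum password age not met")
        if not COMPLEXITY.match(new_password):
            raise PasswordChangeRefused("password does not meet complexity")
        acct.password, acct.last_set = new_password, now


def random_temp_password(length: int = 24) -> str:
    """Random temporary password that satisfies the complexity rule."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if COMPLEXITY.match(candidate):
            return candidate


def self_service_reset(directory: Directory, user: str, new_password: str, now: datetime) -> tuple[str, str]:
    """Two-step flow: privileged reset to a temporary password, then a user-context change
    from that temporary password to the user's chosen one."""
    temp = random_temp_password()
    directory.admin_reset(user, temp, now)                     # step 1, as the service account (also unlocks)
    try:
        directory.user_change(user, temp, new_password, now)   # step 2, as the user
    except PasswordChangeRefused as err:
        return ("failed", str(err))
    return ("ok", "password changed")


def demo(min_password_age_days: int, new_password: str) -> tuple[str, str]:
    """Run the flow for a constructed locked-out account under the given domain setting."""
    now = datetime(2024, 1, 15, 9, 0)
    directory = Directory(min_password_age=timedelta(days=min_password_age_days))
    directory.accounts["alice"] = Account("Forgotten-pass1!", now - timedelta(days=30), locked=True)
    return self_service_reset(directory, "alice", new_password, now)


if __name__ == "__main__":
    print(demo(0, "New-pass2!"))   # succeeds: lockout cleared by step 1, complexity met in step 2
    print(demo(1, "New-pass2!"))   # refused: temporary password was set moments ago
    print(demo(0, "password"))     # refused: the user's complexity rule applies in step 2
```

The point of the second step being performed as the user, rather than the service account, is visible in the last call: the privileged reset would have accepted any value, but the user-context change is where the domain's complexity rule is applied.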
Keep in mind the following reasons why a user might not be able to log in to the domain:
- The user's stored password in Imprivata Enterprise Access Management is not valid. This could be for a number of reasons, such as:
  - The user changed their password on a non-Imprivata-enabled workstation.
  - The help desk changed the password to a temporary password.
- The user account is locked because the user has attempted the wrong password too many times and AD policy has locked the account.
  NOTE: This is different from an account that is disabled in AD. A disabled account requires intervention from the help desk.
- The user account is restricted by time-of-day policies in AD. Imprivata Enterprise Access Management does not do anything to change this or allow access.
Imprivata self-service works using Microsoft APIs and proprietary functionality built by Imprivata and does not require an agent to be installed on the AD controller.