Imprivata Self-Service Password Reset

General

The Imprivata Directory (domain) is configured to use TLS. For more information, see Managing Domains (Directories).
The account that is used to synchronize with the directory must have Account Operator privileges (or higher) on the domain.
Your endpoints are configured to trust the appliance's SSL certificate. If the SSL certificate is not included in the endpoint's trusted certificate store, users see a certificate error and cannot reset their password.
If you want users to be able to view their application passwords, then a Single Sign-On license is required for each user to which the policy is assigned.

Security Questions and Imprivata ID

Using security questions as a first factor and Imprivata ID as a second factor requires:

An Enterprise Access Management user policy or workflow policy that is configured to allow Imprivata ID as an authentication method.

Configuring the policy for Imprivata ID is only required to let users enroll Imprivata ID. After your users have enrolled, allowing Imprivata ID is not required for desktop authentication or remote access.
Users to enroll Imprivata ID as an authentication method.
The latest release of Imprivata ID.

Security Questions and SMS

Using security questions as a first factor and an SMS one-time code as a second factor requires:

An Enterprise Access Management with MFA workflow policy that is configured to allow an SMS code as an authentication method.

Configuring the workflow policy for SMS is only required to let users enroll their mobile device. After your users have enrolled, allowing SMS is not required for remote access.
Users to enroll their mobile phone to receive text messages.

NOTE:

International-based phone numbers are supported. For a list of supported countries, see "Credential Types" under "Remote Access" in Imprivata Enterprise Access Management with MFA Supported Components.

Face Recognition and SMS

Using face recognition as a first factor and an SMS one-time code as a second factor requires:

Face recognition to be configured. For more information, see Face Recognition Authentication.
An Enterprise Access Management user policy that is configured to allow facial biometrics as an authentication method.

Configuring the user policy for facial biometrics is only required to let users enroll their face. After your users have enrolled, allowing facial biometrics is not required for desktop authentication.
An Enterprise Access Management with MFA workflow policy that is configured to allow an SMS code as an authentication method.

Configuring the workflow policy for SMS is only required to let users enroll their mobile device. After your users have enrolled, allowing SMS is not required for remote access.
Users to enroll facial biometrics.
Users to enroll their mobile phone to receive text messages.

NOTE:

International-based phone numbers are supported. For a list of supported countries, see "Credential Types" under "Remote Access" in Imprivata Enterprise Access Management with MFA Supported Components.

Supported Authentication Methods

You can specify how users must authenticate to reset their password. The following table details the authentication methods that are available:

First Factor	Second Factor
Answer one or more security questions.	None.
Answer one or more security questions.	Imprivata ID push notification. When Imprivata ID is required, the self-service web application uses number matching. The user is prompted to enter a 2-digit code on their phone to verify their identity.
Answer one or more security questions.	SMS one-time code. When SMS is required, the user responds to a one-time code sent to their phone to verify their identity. The user enters the code into the self-service web application to verify their identity.
Face recognition	SMS one-time code. In this workflow, the user is prompted for a face scan. If verified, the user responds to a one-time code sent to their phone to verify their identity. The user enters the code into the self-service web application to verify their identity.

Configuring Imprivata Self-Service for Password Reset

Configuring the self-service web application for SSPR requires that you:

Allow access to the ProveID Web API.
Specify how users must authenticate to change their password.
Enable the user policy for Imprivata SSPR.

Configuring Access to the Imprivata ProveID Web API

The self-service web application requires access to the Imprivata ProveID Web API.

To configure access:

Go to the gear icon menu.
Click API Access, and then go to the ProveID - API access and security section.
Verify that API access is allowed.

NOTE:
At a minimum, the self-service web application requires restricted access to the ProveID Web API.

Configuring Two-Factor Authentication

By default, users are prompted to answer security questions only to verify their identify.

In addition to security questions, you can specify a second authentication factor. Supported factors include:

Imprivata ID
SMS

To specify a second authentication factor:

Go to the gear icon menu.
Click Settings, and then go to the Self-service section.
Verify that Use Imprivata EAM self-service web app is selected.
Go to the EAM self-service web app section, and select one of the following:
- Security questions and Imprivata ID
- Security questions and SMS
- Face recognition and SMS
Click Save.

Enabling the User Policy

You must allow users to reset their primary authentication password.

To enable the user policy:

Go to the Users menu > User Policies page.
From the required policy, open the Self-Service Password Rest tab, and select Allow users to reset their primary authentication password.
Optional: Click View and modify security questions to delete default questions or to add new questions.
Click Save.

NOTE: The account lockout settings of the user policy (Authentication tab > Lockout section) control the lockout behavior for both self-service password reset and authentication through security questions (emergency access). If the policy is configured with both features, verify that the lockout settings meet your needs for both emergency access and self-service password reset.

Requiring Re-authentication after Password Reset

Consider the following:

By default, users are required to re-authenticate after resetting their password from a Windows or ProveID Embedded endpoint. No additional configuration is required.
If you have deployed ProveID Web workstations (zero clients) , select Require users to re-authenticate after resetting their password to enforce re-authentication.

NOTE: This functionality does not apply to users that are using security questions (emergency access) if they have forgotten their credentials.

Publishing Access to the Imprivata Self-Services Web Application

If you want to allow remote users to use Imprivata self-service, then you can publish the Imprivata self-services web application via reverse SSL proxy. The following instructions are intended to provide a general overview of this functionality; your environment may require a different configuration.

Only allow HTTPS traffic to the following URLs and ports (the URLs are formatted as regular expressions). Do not allow POST or PUT requests to any URL other than the URL listed in the following table. For all other URLs, only allow GET requests.

The application startup URL is https://%ONESIGN_APPLIANCE_HOST_NAME%/sso/passwordhelp.

URL	Protocol	Port	URL Query String Parameters	Methods
/sso/(passwordhelp\|sslogin\|ssauthenticate\|ssenrollinit\|ssenroll\|sschallengeinit\|sschallenge\|ssresetinit\|ssreset \|ssacceptnumber\|sscheckpush\|ssenteriidtokeninit\|ssenteriidtoken)	HTTPS	80, 443	Allow	GET, POST
/sso/js/(selfservice\|common\|dictionaryss\|util/pngfix/mainSelfService)\.js	HTTPS	80, 443	Allow	GET
/sso/css/sspw/(sspw-common\|sspw-ie6\|sspw-non-ie6)\.css	HTTPS	80, 443	Reject	GET
/sso/servlet/ssimagedownload	HTTPS	80, 443	Reject	GET
/sso/images/sspw/[^/\\]+\.(png\|jpg\|ico)	HTTPS	80, 443	Reject	GET
/sso/css/fonts/NotoSans-VariableFont_wdth,wght.ttf	HTTPS	80, 443	Reject	GET
/sso/images/sswa/Background-Large.png	HTTPS	80, 443	Reject	GET
/sso/images/sswa/Imprivata_EAM_logo_blue%201.svg	HTTPS	80, 443	Reject	GET
/sso/ProveIDWeb/v29/(AuthUser\|ConfigObject\|Domains)	HTTPS	80, 443	Allow	GET, POST
/sso/ProveIDWeb/v29/Password	HTTPS	80, 443	Allow	PUT

Load Balancing

Imprivata recommends that you maintain Imprivata appliance affinity for the duration of a user session, rather than proxying HTTPS traffic to only one Imprivata appliance for all users. A best practice for load balancing in a reverse SSL proxy environment is to proxy a particular Imprivata appliance, chosen at random, when the user session is created, and then to maintain that association for the duration of the user session.

Prompting Users to Enroll Security Questions

Imprivata self-service for password management requires that users enroll security questions.

NOTE: For information on enrolling security questions for MFA workflows, see Enrolling Authentication Methods for MFA Workflows.

To enforce the enrollment of security questions when users log into Imprivata Enterprise Access Management for the first time:

In the Imprivata Admin Console, go to the Users menu > User Policies page to create or modify a user policy.
Click the Self-Service Password/Imprivata PIN Reset tab.
In the section Enroll options — Prompt to enroll security questions, select:
- Prompt and must enroll;
- Prompt and may delay enrolling; or
- Do not prompt to enroll (this is the default.)
Enter the number of security questions that users in the policy must enroll.
Enter the number of security questions that users in the policy must answer correctly to authenticate.
Click Save.

The authentication questions are drawn randomly from the total entered at enrollment, so a user policy might specify six questions, and present three of the six questions when the user authenticates either to reset a primary authentication password or to request application credentials (Single Sign-On only).

NOTE:

The answers to security questions are not case-sensitive.

You can create new questions, as well. When you create new questions, you can make them mandatory. Mandatory questions are always presented.

Users who are in a user policy configured for Self-Service Password Reset are prompted to enroll the next time they authenticate to Imprivata Enterprise Access Management.

Even if you select Do not prompt to enroll, the Imprivata enrollment utility always appears after login if the user has only password enrolled.

Users can defer enrolling in Imprivata password self-service. You can set a Self-Enrollment Declined notification to notify you whenever any user or a specific user declines to enroll in password self-service. The procedure for this and all other notifications is detailed in Configuring Event Notifications.

You can edit the password self-service questions, including adding and deleting questions to suit the needs of your organization.

Modifying Self-Service Password Reset Questions

You can access the list of security questions in the following ways:

From the user policy:

Go to the Self-Service Password/Imprivata PIN Reset tab > Reset options section, and click View and modify security questions.
Go to the Authentication tab > Primary factors section. If emergency access is enabled, click View and modify security questions.
Go to the Authentication tab > Authentication method options section, and click View and modify security questions.

From the Settings page:

Go to the gear icon menu > Settings page.
Go to the EAM self-service web app section, and click Modify security questions.

See Configuring Authentication Methods in User Policies

Languages

Imprivata self-service supports the language setting from the user's browser.

If the browser is set to Brazilian Portuguese, Czech, Danish, Dutch, Finnish, English, French, Italian, German, Spanish, or Swedish, the Self Service Password Help feature will display in that language. If any other language is selected as the default language in the browser, the Self Service Password feature displays in English. For information on languages available for the Imprivata agent, see About the Imprivata Agent.

Technical Considerations

Imprivata self-service password management requires a secure SSL connection to the user directory.

When the user interacts with Imprivata Enterprise Access Management during enrollment and all subsequent logons to an Imprivata-enabled workstation and/or the Imprivata Self-Services home page, and if the user’s Microsoft Active Directory (AD) password is authenticated from LDAP, then the password is stored in the Imprivata database.

The AD password and challenge/response answers, like all of Imprivata Enterprise Access Management’s data, are stored in an encrypted Oracle database on the appliance. When the user answers the challenge questions, the Imprivata appliance will authenticate the user’s responses against the answers captured during enrollment.

When the user correctly answers the challenge questions, Imprivata Self-Services will verify if the user account is locked. If the account is locked, then Imprivata Enterprise Access Management will unlock the account in AD.

When a user accesses Imprivata self-service to change their password, Imprivata Enterprise Access Management resets the user's AD password to a temporary password of randomly generated characters. This first password change is done using the privileged Imprivata service account in case the user's account has been locked. The privileged service account has the ability to reset an expired account, and will do so as part of the password change.

When the user types in a new password, the Imprivata appliance uses the now-cached temporary password of randomly generated characters to submit the password change using the end user's account (instead of the privileged service account). The reason this happens is to ensure the new password entered conforms to the AD complexity rules set for the user.

Because of this, use of Imprivata self-service for password management requires that the domain's Computer Configuration > Windows Settings > Security Settings > Account Policies >“Minimum password age” policy is set to zero days, otherwise the password change will fail with a “password not meeting complexity” error.

Imprivata self-service has two paths for changing passwords:

When Imprivata Enterprise Access Management has a valid stored AD password and the user account is not locked in AD, then Imprivata Enterprise Access Management will use the user’s credentials to initiate a password change in AD. The user will then be prompted to enter the new password.
Imprivata Enterprise Access Management changes the password in AD to a temporary strong password that it subsequently enters into the password change dialog for the user where the user may enter a new password. This is all automated for the user and the user will only see the password change dialog.

Keep in mind the following various reasons for a user not being able to login to the domain:

The user’s stored password in Imprivata Enterprise Access Management is not valid. This could be for a number of reasons, such as:
- The user changed his password on a non- Imprivata enabled workstation.
- The help desk changed the password to a temporary password.
The user account is locked because the user has attempted the wrong password too many times and AD policy has locked the account.
NOTE: This is different than if an account is disabled in AD. A disabled account will require intervention from the help desk.
The user account is restricted by time of day policies in AD. Imprivata Enterprise Access Management does not do anything to change this or allow access.

Imprivata self-service works using Microsoft APIs and proprietary functionality built by Imprivata and does not require an agent to be installed on the AD controller.

Imprivata Self-Service Password Reset

Configuration

Expected User Workflow

Legacy — Password Reset with Security Questions

Prerequisites