Imprivata OneSign Self-Service Password Reset

Imprivata OneSign Self-Service Password Reset lets Imprivata OneSign users answer security questions to securely identify themselves and reset their primary password if they have forgotten their primary password or lost an authentication device. Self-Service Password Reset is enabled and configured in user policies.

NOTES:

  • This feature requires the Use TLS for secure connection option to be enabled for the Imprivata Directory (domain). For details, see Managing Domains (Directories).

  • This feature requires that the account used to synchronize with the directory have Account Operator privileges (or higher) on the domain.

  • If you want users to be able to view their application passwords, then a Single Sign-On license is required for each user to which the policy is assigned.

  • Self-Service Password Reset is not the same as the Password Manager detailed in The Imprivata OneSign Password Manager, which allows users to manage their application passwords from the Imprivata agent menu.

Allowing Self-Service Password Reset

If a user attempts to log into Imprivata OneSign and fails, the user can use the Forgot password prompt to change their password after answering one or more challenge questions that were set at enrollment.

To enable this option for each user to which the user policy is assigned:

  1. Click the Self-Service Password Reset tab and select Allow users to reset their primary authentication password.

  2. Optional – Click View and modify security questions to delete default questions or to add new questions.

NOTE: The account lockout settings of the user policy (Authentication tab > Lockout section) control the lockout behavior for both self-service password reset and authentication through security questions (emergency access). If the policy is configured with both features, verify that the lockout settings meet your needs for both emergency access and self-service password reset.

By default, a user is logged in after they change their password. Requiring re-authentication ensures that authentication is enforced after a successful password reset.

Select Require users to re-authenticate after resetting their password to prompt the user to re-authenticate using the authentication factors specified in their Imprivata OneSign user policy.

NOTE: This functionality does not apply to users that are using security questions (emergency access) if they have forgotten their credentials.

If you want to allow remote users to use Imprivata OneSign Self-Service Password Reset, then you can publish the Imprivata OneSign Self-Services web application via reverse SSL proxy. The following instructions are intended to provide a general overview of this functionality; your environment may require a different configuration.

Only allow HTTPS traffic to the following URLs and ports (the URLs are formatted as regular expressions). Do not allow POST requests to any URL other than the URL listed in the following table. For all other URLs, only allow GET requests.

The application startup URL is https://%ONESIGN_APPLIANCE_HOST_NAME%/sso/passwordhelp.

URL Protocol Port URL Query String Parameters Methods
/sso/(passwordhelp|sslogin|ssauthenticate|ssenrollinit|ssenroll|sschallengeinit|sschallenge|ssresetinit|ssreset) HTTPS 80, 443 Allow GET, POST
/sso/js/(selfservice|common|dictionaryss|util/pngfix)\.js HTTPS 80, 443 Allow GET
/sso/css/sspw/(sspw-common|sspw-ie6|sspw-non-ie6)\.css HTTPS 80, 443 Reject GET
/sso/servlet/ssimagedownload HTTPS 80, 443 Reject GET
/sso/images/sspw/[^/\\]+\.(png|jpg|ico) HTTPS 80, 443 Reject

GET

Load Balancing

Imprivata recommends that you maintain Imprivata appliance affinity for the duration of a user session, rather than proxying HTTPS traffic to only one Imprivata appliance for all users. The best known good strategy for load balancing in a reverse SSL proxy environment is to proxy a particular Imprivata appliance, chosen at random, when the user session is created, and then to maintain that association for the duration of the user session.

Requiring Self-Service Password Enrollment

Users enrolled in Imprivata OneSign Self-Service Password Reset for password management can:

  • Enter a new password upon successfully answering their security questions.

  • Request their application credentials (SSO only) — You can allow users to view a list of their Imprivata OneSign-enabled application passwords. For added security, you can require them to successfully answer one or more challenge questions first.

To customize the Imprivata OneSign Self-Services home page, see Customizing the Imprivata OneSign Self-Services Home Page.

Imprivata OneSign Self-Service Password Reset requires that users enroll security questions. To enforce the enrollment of security questions when users log into Imprivata OneSign for the first time:

  1. In the Imprivata Admin Console, go to the Users menu > User Policies page to create or modify a user policy.
  2. Click the Self-Service Password/Imprivata PIN Reset tab.
  3. In the section Enroll options — Prompt to enroll security questions, select:
    • Prompt and must enroll;
    • Prompt and may delay enrolling; or
    • Do not prompt to enroll (this is the default.)
  4. Enter the number of security questions that users in the policy must enroll.
  5. Enter the number of security questions that users in the policy must answer correctly to authenticate.
  6. Click Save.

The authentication questions are drawn randomly from the total entered at enrollment, so a user policy might specify six questions, and present three of the six questions when the user authenticates either to reset a primary authentication password or to request application credentials (Imprivata OneSign Single Sign-On only).

You can create new questions, as well. When you create new questions, you can make them mandatory. Mandatory questions are always presented.

Users who are in a user policy configured for Self-Service Password Reset are prompted to enroll the next time they authenticate to OneSign.

Even if you select Do not prompt to enroll, the Imprivata enrollment utility always appears after login if the user has only password enrolled.

Users can defer enrolling in Imprivata OneSign password self-service. You can set a Self-Enrollment Declined notification to notify you whenever any user or a specific user declines to enroll in password self-service. The procedure for this and all other notifications is detailed in Configuring Event Notifications.

You can edit the password self-service questions, including adding and deleting questions to suit the needs of your organization.

Modifying Self-Service Password Reset Questions

You can access the list of security questions via the following methods:

  • Click View and modify security questions on the Self-Service Password/Imprivata PIN Reset tab of a user policy
  • Click View and modify security questions next to the Answer security questions check box on the Authentication tab of a user policy.
  • Click View and modify security questions in the Security questions section of the Authentication method options section of the Authentication tab of a user policy.

See Configuring Authentication Methods in User Policies

The Self-Service Password Reset feature supports the language setting from the user's browser.

If the browser is set to Brazilian Portuguese, Danish, Dutch, Finnish, English, French, Italian, German, Spanish, or Swedish, the Self Service Password Help feature will display in that language. If any other language is selected as the default language in the browser, the Self Service Password feature will display in English. For information on languages available for the Imprivata agent, see About the Imprivata Agent.

Imprivata OneSign self-service password management requires a secure SSL connection to the user directory.

When the user interacts with Imprivata OneSign during enrollment and all subsequent logons to a Imprivata OneSign-enabled workstation and/or the Imprivata OneSign Self-Services home page, and if the user’s Microsoft Active Directory (AD) password is authenticated from LDAP, then the password is stored in the Imprivata OneSign database.

The AD password and challenge/response answers, like all of Imprivata OneSign’s data, are stored in an encrypted Oracle database on the appliance. When the user answers the challenge questions, the Imprivata appliance will authenticate the user’s responses against the answers captured during enrollment.

When the user correctly answers the challenge questions, Imprivata OneSign Self-Services will verify if the user account is locked. If the account is locked, then Imprivata OneSign will unlock the account in AD.

When a user accesses Self-Service Password Reset to change their password, Imprivata OneSign resets the user's AD password to a temporary password of randomly generated characters. This first password change is done using the privileged Imprivata service account in case the user's account has been locked. The privileged service account has the ability to reset an expired account, and will do so as part of the password change.

When the user types in a new password, the Imprivata Appliance uses the now-cached temporary password of randomly generated characters to submit the password change using the end user's account (instead of the privileged service account). The reason this happens is to ensure the new password entered conforms to the AD complexity rules set for the user.

Because of this, use of Self-Service Password Reset requires that the domain's Computer Configuration > Windows Settings > Security Settings > Account Policies >“Minimum password age” policy is set to zero days, otherwise the password change will fail with a “password not meeting complexity” error.

Self-Service Password Reset logic has two paths for changing passwords:

  • When Imprivata OneSign has a valid stored AD password and the user account is not locked in AD, then Imprivata OneSign will use the user’s credentials to initiate a password change in AD. The user will then be prompted to enter the new password.
  • Imprivata OneSign changes the password in AD to a temporary strong password that it subsequently enters into the password change dialog for the user where the user may enter a new password. This is all automated for the user and the user will only see the password change dialog.

Keep in mind the following various reasons for a user not being able to login to the domain:

  • The user’s stored password in Imprivata OneSign is not valid. This could be for a number of reasons, such as:
    • The user changed his password on a non-Imprivata OneSign enabled workstation.
    • The help desk changed the password to a temporary password.
  • The user account is locked because the user has attempted the wrong password too many times and AD policy has locked the account.

  • NOTE: This is different than if an account is disabled in AD. A disabled account will require intervention from the help desk.

  • The user account is restricted by time of day policies in AD. Imprivata OneSign does not do anything to change this or allow access.

Self-Service Password Reset works using Microsoft APIs and proprietary functionality built by Imprivata and does not require an agent to be installed on the AD controller.