Password Manager

Custom workflow - email user random generated password

Hello guys,

I have just recently installed One Identity Password Manager version 5.7.0.1525 in our test environment. We see that the existing workflows cannot apply to our situation, and we need to create a new, simple custom workflow. We are looking for a self-service portal for our users where they can simply reset their password.

The workflow should consist of a user searching for his AD user and then choosing the custom workflow "Password email reset"; a randomly generated password is set on the user account in AD (in addition, "user must change password at next logon" is checked), and an email is sent to the user with the password.

The best would be to email the user a link which he then accesses to set a new password, the way Facebook, Gmail, etc. do it. Is this possible? :)

Best regards

Bilal

  • Hello Bilal,

    There are a few problems which I see with this request, from a security standpoint.

    First, emailing a password is not a secure method. The services which allow you to reset your own password, like Facebook and Google, always send a link to a secure portal. The URL which is sent contains a single-use, time-sensitive token which allows you to authenticate for the purposes of resetting your password. This is generally accepted as a secure method.

    Second, how is the User going to access their email account, if their Active Directory account is locked out and it uses the same password?

    Password Manager has the access to reset the User's password directly. Once the User is registered, they can trigger that operation themselves. This is much simpler to implement than a secure portal which tracks single-use tokens, which also would have to tie into an external email system.
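The single-use, time-sensitive token Terrance describes, as an added example (not code from this thread or from One Identity Password Manager). It is plain PowerShell: the in-memory $TokenStore, and the function names New-ResetToken, Get-TokenHash and Test-ResetToken, are the example's own and stand in for whatever durable store and API a real portal would have.

```powershell
# Added example: issue a random token once, keep only its hash with an expiry,
# and accept it exactly once before it expires. Nothing here depends on
# Password Manager; $script:TokenStore stands in for the portal's database.

$script:TokenStore = @{}   # key: SHA-256 hex of the token; value: user, expiry, used flag

function Get-TokenHash {
    param([Parameter(Mandatory)] [string] $Token)
    # Store and look up hashes only, so a leaked store cannot be replayed as links
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Token))
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function New-ResetToken {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [int] $LifetimeMinutes = 15          # short lifetime: the link is a bearer credential
    )
    # 32 bytes from the OS CSPRNG; Get-Random is not suitable for security tokens
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # URL-safe base64 so the token can ride in a query string unchanged
    $token = [System.Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')

    $script:TokenStore[(Get-TokenHash $token)] = [pscustomobject]@{
        UserName = $UserName
        Expires  = (Get-Date).ToUniversalTime().AddMinutes($LifetimeMinutes)
        Used     = $false
    }
    # The raw token goes into the emailed link and nowhere else (never into a log)
    return $token
}

function Test-ResetToken {
    # Returns the user name on success and $null on any failure; a successful
    # check marks the token used, so a second presentation of the same link fails.
    param([Parameter(Mandatory)] [string] $Token)
    $entry = $script:TokenStore[(Get-TokenHash $Token)]
    if ($null -eq $entry) { return $null }                                  # unknown token
    if ($entry.Used) { return $null }                                       # already consumed
    if ((Get-Date).ToUniversalTime() -gt $entry.Expires) { return $null }   # expired
    $entry.Used = $true                                                     # single use
    return $entry.UserName
}

# Constructed demonstration: issue a token for a made-up account and present it twice
$t = New-ResetToken -UserName 'jdoe' -LifetimeMinutes 15
"first use:  $(Test-ResetToken $t)"
"second use: $(Test-ResetToken $t)"
"bad token:  $(Test-ResetToken 'not-a-real-token')"
```

Running the script shows the first check returning the user name and the second and third returning nothing: the same link cannot be used twice, and an unknown or expired token is rejected without revealing which condition failed. Expired entries would still need to be purged from a real store, and the password reset that follows a successful check should invalidate any other outstanding tokens for that user.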
  • Hi Terrance,

    Thanks for your reply. Just to clarify our environment design, we want to implement Dell Password Manager in our test environment, which is a separate domain from production. When a user resets his password, an email would be sent to his account in the production domain. There is no AD trust between the domains. A user has to have access to production before he can access the test environment.

    So the need is how we can create this custom workflow in PowerShell with either the first option suggested in the main post, or the secure single-use, time-sensitive token you mention. How can we implement this in our environment? Any examples would help us a lot.

    Kind regards
    Bilal
  • Using a token for authentication would involve implementing a secure portal, as well as an API to tie into it. This is beyond the scope of the Password Manager solution, and I do not have any sample code which may help.

    We strongly recommend not emailing a password, so I don't have sample code for that, either. But an alternate solution which may meet your needs is to email a PIN.

    1) The User logs into the Password Manager portal, finds their Active Directory account, and triggers a Workflow.
    2) The Workflow would retrieve the User's Production email address which is stored in an attribute on the linked account in the test environment.
    3) The Workflow sends an email to this User's Production email address. The email contains a PIN, which the User would retrieve and enter into the Password Manager portal.
    4) The User resets their password.

    This would be similar to the passcode samples which are included with the Password Manager installation media in the SDK.
  • Hi,

    Thanks again for the suggestion, I was not aware of the samples. I like your suggestion and I have just tried to implement the SetPasscode example to test it. However, I am having some difficulties.

    I created a new workflow with the name "Set Passcode" containing one custom activity "Passcode" where I pasted in the PowerShell script which was provided in the SetPasscode.txt; I uncommented the lines beginning with $EMAIL_SUBJECT and $EMAIL_BODY. In the "User Interface Designer" I did not do anything, and for the "Activity name" I just entered "Passcode".


    When I then access the PMUser interface, search for a specific user and get logged in as that user, I choose the "Set Passcode" workflow and receive the following error:

    *Domain not specified


    ---
    Do I need to specify the domain anywhere? Since it manages to retrieve the AD user, it should therefore also be able to retrieve the domain.

    Please let me know if I am doing anything wrong, that would be really helpful.

    Kind regards
    Bilal
  • I don't believe that implementation is a useful sample for this design.

    From the readme.txt:

    This sample demonstrates a custom web service that assigns passcodes to users.

    The web service allows interacting with external systems so that they can trigger passcode assignment and know the passcode that was assigned.

    To use this sample:

    1. Create a custom web service with the script provided in the "SetPasscode.txt" file.

    2. Form and open the following URL:
    http://<pmserver>/PMUser/ws/<service_URL>?user=<user_sAMAccountName>&domain=<domain_FQDN>
    Where:
    - pmserver - name of the computer on which the Password Manager Service is installed.
    - service_URL - URL specified when creating the custom web service.
    - user_sAMAccountName - sAMAccountName of a user to whom a passcode is assigned.
    - domain_FQDN - fully qualified domain name of a domain to which the user belongs. Note: a connection to this domain must be configured in Password Manager.

    3. Expected result is an XML document that contains the passcode and passcode creation log.



    You'd want to take snippets from it instead of the entire implementation.

    For example, this is relevant:

    # $user, $connection, $userName, $PASSCODE_LENGTH, $PASSCODE_LIFETIME,
    # $EMAIL_SUBJECT and $EMAIL_BODY are all set earlier in the full SetPasscode.txt script.

    # Obtain user's GUID
    $userId = $user.objectGUID

    # Generate a passcode for a user
    $PASSCODE = $global.GeneratePasscode($PASSCODE_LENGTH)
    $log += "Generated passcode $PASSCODE"

    # Assign passcode to a user (PowerShell variable names are case-insensitive,
    # so $passcode below is the same variable as $PASSCODE above)
    $global.QAProfileAssignPasscode($connection, $userId, $passcode, $PASSCODE_LIFETIME)
    $log += "Passcode assigned to user $userName"

    if ($EMAIL_SUBJECT -ne "" -and $EMAIL_BODY -ne "")
    {
        # Send e-mail with passcode, if user has an e-mail address
        if ($user.mail -ne "")
        {
            $log += "Sending passcode to $($user.mail)"
            # ExpandString substitutes $PASSCODE (and any other variables) into the templates
            $subject = $ExecutionContext.InvokeCommand.ExpandString($EMAIL_SUBJECT)
            $body = $ExecutionContext.InvokeCommand.ExpandString($EMAIL_BODY)
            # Send to the address read from the account; the snippet as posted used an undefined $mail here
            $global.EmailUserHtml($user.mail, $subject, $body)
        }
        else
        {
            $log += "User account has no mail, will not send e-mail with passcode"
        }
    }
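The passcode snippet above, rearranged into the 4-step PIN design Terrance laid out earlier in the thread, as an added example rather than the SDK sample or any One Identity code. Assumptions not confirmed by the thread: $user and $connection are supplied by the activity's context exactly as in the SDK snippet, $global exposes the same GeneratePasscode, QAProfileAssignPasscode and EmailUserHtml calls shown there, and the production mailbox is held in a user attribute whose name is set in $PROD_MAIL_ATTRIBUTE (extensionAttribute1 here is a placeholder choice).

```powershell
# Added example (not the SDK sample): a custom activity body for the PIN workflow.
# Assumed: $user and $connection come from the activity context as in the SDK
# snippet; $global offers the same three calls the snippet uses.

$PASSCODE_LENGTH     = 8       # digits; the same knob the SDK sample exposes
$PASSCODE_LIFETIME   = 15      # minutes; keep it short, the PIN is a bearer credential
$PROD_MAIL_ATTRIBUTE = 'extensionAttribute1'   # assumed attribute holding the production address
$EMAIL_SUBJECT = 'Your one-time passcode for the test environment'
# Single quotes keep $PASSCODE literal here; ExpandString fills it in below
$EMAIL_BODY    = 'Your passcode is $PASSCODE. It expires in $PASSCODE_LIFETIME minutes and works once.'

$log = @()

# Step 2: read the production address stored on the linked test-domain account.
$prodMail = $user.$PROD_MAIL_ATTRIBUTE
if ([string]::IsNullOrWhiteSpace($prodMail)) {
    # Fail closed: with no delivery address there is nothing safe to do.
    throw "No production e-mail address found in $PROD_MAIL_ATTRIBUTE; passcode not issued."
}

# Step 3: generate and assign the passcode. Unlike the SDK sample, the passcode
# value itself is never written to $log; only the fact that one was issued is.
$PASSCODE = $global.GeneratePasscode($PASSCODE_LENGTH)
$global.QAProfileAssignPasscode($connection, $user.objectGUID, $PASSCODE, $PASSCODE_LIFETIME)
$log += "Passcode assigned to $($user.sAMAccountName), lifetime $PASSCODE_LIFETIME min"

# Expand the templates and send the PIN to the production mailbox only.
$subject = $ExecutionContext.InvokeCommand.ExpandString($EMAIL_SUBJECT)
$body    = $ExecutionContext.InvokeCommand.ExpandString($EMAIL_BODY)
$global.EmailUserHtml($prodMail, $subject, $body)
$log += "Passcode sent to $prodMail"

# Step 4 happens in the portal: the user enters the PIN and resets the password.
$log -join "`n"
```

Because this runs as a workflow activity rather than the sample's custom web service, it takes the user from the activity context instead of from the `user`/`domain` query-string parameters the readme describes, which is the input the web-service form of the script needs and a workflow does not provide. The two changes worth keeping from this version even if the rest is rewritten are failing closed when no production address is present and keeping the passcode value out of the log.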