This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Recovery with Secret Questions - Identity Server 5.0.0 - WSO2 Documentation
||
Skip to end of metadata
Go to start of metadata

As an alternative to recovering passwords using Recovery with Notification, the WSO2 Identity Server also supports recovery using secret questions. Follow the instructions below to configure this. 

  1. Edit the <IS_HOME>/repository/conf/security/identity­-mgt.properties file with the following configurations.

    Identity.Listener.Enable=true
    Notification.Sending.Enable=true
    Notification.Expire.Time=3
    Notification.Sending.Internally.Managed=true
    UserAccount.Recovery.Enable=true
    Captcha.Verification.Internally.Managed=false

    See the following table for descriptions of these configurations.

    ConfigurationDescription
    Identity.Listener.Enable=true
    This enables the identity listener.
    Notification.Sending.Enable=true

    This enables the email sending function when recovering the account and verifying the user creation.

    Notification.Expire.Time=3
    The time specified here is in minutes. In this case, the recovery expires after three minutes.
    Notification.Sending.Internally.Managed=true

    This enables the internal email sending module. If false, the email sending data is available to the application via a Web service. Thus the application can send the email using its own email sender.

    UserAccount.Recovery.Enable=true
    This enables the user account recovery process.
    Captcha.Verification.Internally.Managed=false
    Set this to true if you do not have an existing captcha validation module.
  2. Login to the management console and navigate to Configure>Claim Management>http://wso2.org/claims/.

  3. Ensure that the default challenge question claim URIs, Challenge Question 1 and Challenge Question 2, are mapped with the correct attributes in the underlying data store. 

  4. Invoke the UserIdentityManagementAdminService API and set the challenge question for a user using the setChallengeQuestionsOfUser serviceThe WSDL for this service is as follows: https://localhost:9443/services/UserIdentityManagementAdminService?wsdl.

The following sequence of service calls for recovery with secret questions, uses the UserInformationRecoveryServicehttps://localhost:9443/services/UserInformationRecoveryService?wsdl.

  1. getCaptcha() ­- Generates a captcha.
  2. verifyUser() ­- Validates the captcha answer and username and returns a new key.
  3. getUserChallengeQuestionIds() ­- Retrieve the cliam URI IDs specified for the user with the generated key. Need to provide the key from the previous call.
  4. getUserChallengeQuestion() ­- Retrieve the user’s challenge question for the specified claim URI ID from the previous call. Need to provide the key from the previous call.
  5. verifyUserChallengeAnswer() ­- Validates the answer and confirmation code for the specified question. Need to provide the key from the previous call.
  6. updatePassword() ­- Updates the password in the system. Need to provide the key from the previous call, the new password and return the status of the update, i.e. true or false.

The password recovery flow should be used for the two challenge questions as follows: 

  • Get the captcha using the getCaptcha()operation and provide the captcha details with the username to the verfiyUser() operation. 
  • You will receive a code with the call. 
  • After the verification, you can get the challenge question IDs using the getUserChallengeQuestionIds() operation, which returns the defined claim URIs along with a code. 
  • Retrieve the question for the user with the getUserChallengeQuestion() operation using the code you received. 
  • You can define two steps to answer the challenge questions in your web application in order to maximize security.  
  • The verifyUserChallengeAnswer() operation is used to verify a particular answer for a question. If both answers are correct, you can call the updatePassword() operation to change the user password.

Tip:  You can see this in action when using this sample web app.

  • No labels