Tuesday, November 24, 2015

OpenAM 12 - New Forgot Password Self-Service

Most of my customers build their own User Self-Service module, which includes Change Password and Forgot Password. And most of the time, they interact with the backend data source (e.g. OpenDJ or Active Directory) directly.

I seldom have to worry about enabling the Forgot Password feature in OpenAM. Well, the good times are over for me. :) I have a customer who wants to use the Forgot Password feature in OpenAM 12.

So, based on my past exploration of the OpenAM Password Reset feature, our discussion revolved around Challenge Questions & Answers and what the flow would look like. Note that this customer only wanted the new XUI. There was no way to use the legacy UI, as discovery and customization time had already been invested in rebranding the XUI.

Today, I had a shock when I started to read more about the Forgot Password feature in OpenAM 12. The more I read, the more confused I became. The documentation keeps talking about Resetting Forgotten Passwords (legacy):

OpenAM can provide self-service password reset for forgotten passwords when end user pages are served by the classic UI. To enable self-service password reset, you must configure the password reset service itself, which consists mainly of setting up secret questions, and configuring an SMTP mail server to send reset passwords to the users of the service.

But Mr Customer wants nothing but the new XUI.

Now, during XUI rebranding, I did come across the following scripts in one of the template files.

There is definitely something to configure via the OpenAM Administration console to make the Forgot Password hyperlink appear in the XUI.

So I searched around and reached Configuration > Global > User Self Service. There it is! Forgot Password for Users is disabled by default.

So I went ahead and enabled the feature. Another great setting there is the Forgot Password Token LifeTime (seconds). This expires the hyperlink that is sent to users. (I will talk about this in a while ...)

Nice, the Forgot password hyperlink finally appears!

The next screen is what you'll see when the Forgot password hyperlink is clicked.

When a valid username is entered (by default it is matched against the uid attribute), an email is sent.

The user will receive an email like the following:

This is where the Forgot Password Token LifeTime (seconds) kicks in. I suppose the hyperlink in the email will expire after the configured time. (I will need to fully test this function; this is still a high-level investigation.) Note that the hyperlink is effectively a bearer credential: anyone who obtains it within its lifetime can set a new password for the user, so the lifetime should be kept as short as the email delivery delay allows.

Once the hyperlink is clicked, the user will be redirected to the Change forgotten password page.
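The flow above (username submitted, link emailed, link clicked, new password set) as an added illustrative model. This is example code written for this post, not OpenAM's implementation: OpenAM's internal token format and store are not shown anywhere here, and the query parameter names (confirmationId, tokenId, username) and the XUI confirm URL are assumptions. What it demonstrates is what the Forgot Password Token LifeTime setting has to enforce: the link is a bearer credential, so it must be unguessable, expire after the configured lifetime, and work only once.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample user store (hypothetical data): username -> profile.
USERS = {
    "demo": {"mail": "demo@example.com", "password": "changeit"},
}

# Assumed link target; the real OpenAM 12 XUI confirm page may differ.
XUI_CONFIRM_URL = "https://openam.example.com:8443/openam/XUI/confirm.html"

# Token store: confirmationId -> record. Only a hash of the secret tokenId is
# kept, so a dump of the store does not yield usable reset links.
TOKENS = {}
OUTBOX = []   # "sent" emails, so the flow runs without an SMTP server


def _digest(token_id):
    return hashlib.sha256(token_id.encode()).hexdigest()


def request_reset(username, lifetime_seconds, now=None):
    """Step 1: the user submits a username on the Forgot password page.

    Returns {} whether or not the username exists, so the response itself
    does not reveal which usernames are valid (a design choice of this model).
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return {}
    confirmation_id = secrets.token_urlsafe(16)   # public handle for the record
    token_id = secrets.token_urlsafe(32)          # the secret that makes the link a credential
    TOKENS[confirmation_id] = {
        "username": username,
        "token_hash": _digest(token_id),
        "expires_at": now + lifetime_seconds,     # Forgot Password Token LifeTime
        "used": False,
    }
    link = XUI_CONFIRM_URL + "?" + urlencode(
        {"confirmationId": confirmation_id, "tokenId": token_id, "username": username}
    )
    OUTBOX.append({"to": user["mail"], "link": link})
    return {}


def last_reset_link():
    """The link from the most recently 'sent' email (for the demo below)."""
    return OUTBOX[-1]["link"] if OUTBOX else None


def confirm(link, now=None):
    """Step 2: the emailed link is clicked. Returns (ok, reason)."""
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}
    rec = TOKENS.get(params.get("confirmationId", ""))
    if rec is None or rec["username"] != params.get("username"):
        return False, "unknown token"
    # Constant-time comparison of the hashed secret from the link.
    if not hmac.compare_digest(rec["token_hash"], _digest(params.get("tokenId", ""))):
        return False, "token mismatch"
    if rec["used"]:
        return False, "token already used"
    if now > rec["expires_at"]:
        return False, "token expired"
    return True, "ok"


def reset_password(link, new_password, now=None):
    """Step 3: the Change forgotten password page submits the new password."""
    ok, reason = confirm(link, now)
    if not ok:
        return False, reason
    confirmation_id = parse_qs(urlparse(link).query)["confirmationId"][0]
    rec = TOKENS[confirmation_id]
    USERS[rec["username"]]["password"] = new_password
    rec["used"] = True            # single use: the same link cannot reset twice
    return True, "password changed"


if __name__ == "__main__":
    t0 = time.time()
    request_reset("demo", lifetime_seconds=600, now=t0)
    link = last_reset_link()
    print(confirm(link, now=t0 + 60))                  # inside the lifetime
    print(confirm(link, now=t0 + 601))                 # lifetime elapsed
    print(reset_password(link, "N3wPassw0rd!", now=t0 + 60))
    print(confirm(link, now=t0 + 61))                  # already consumed
```

Running the demo shows the three rejection cases a tester should exercise against the real product: an elapsed lifetime, a link that has already been used, and a link whose tokenId has been altered.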

Pretty cool, right? Initially I thought Mr Customer would reject it because the long-discussed Challenge Questions & Answers feature is no longer available in the new XUI. But, to my surprise, he prefers this new feature, especially the Forgot Password Token LifeTime.

And what surprised me more?

This new feature is not mentioned at all in the OpenAM documentation for the stable release. I also just searched the draft documentation for OpenAM 13, and it is not mentioned there either. Maybe it is hidden somewhere, but it is really not obvious to customers and integrators like us.

Is the documentation not catching up with development? Super strange!

  1. Thanks, always good to get feedback on our documentation. I've just raised https://bugster.forgerock.org/jira/browse/OPENAM-7526 . In short, the new forgotten password and registration functionality is only partially documented under the Dev Guide it appears.

  2. Hi,

    Is there any way to customize the email that we receive for password reset? I want to change some wording in the subject and body. The snapshot of the email in this article is not the one that I get at the time of password reset. I believe some customization was done on your side. I request you to please let us know how to make the email customizable.