Configure password self-service
Adaxes enables users to reset their own passwords and unlock their accounts without any assistance from the help desk or IT staff. The user's identity can be verified by answering security questions and/or entering a verification code received via SMS, email, or an authenticator app such as Google Authenticator or Authy.
In this tutorial, you will learn how to configure and assign password self-service policies, and how to customize the options for resetting passwords from the Windows/macOS logon screen and from the Adaxes web interface.
Policies
All aspects of the self-service password reset process are defined in password self-service policies. A policy controls how users have to verify their identity (security questions and/or verification codes), the number of questions to be answered, mandatory and optional questions, whether users can create their own questions, whether users can unlock their accounts, what email notifications are sent, etc.
The policy-based approach allows you to apply different levels of security to different users. For example, you can apply stricter policies to privileged users, such as administrators and help desk operators, and less strict policies to other users. A policy can be assigned to:
- All users in a domain
- Users located in an organizational unit
- Members of groups or business units
- Individual users
If necessary, you can exclude specific users, groups, OUs, and business units from the policy scope.
Users that don't have an assigned policy will be unable to use password self-service. Out of the box, there are no password self-service policies defined in Adaxes. You need to create and assign the policies to allow users to reset their forgotten passwords and unlock accounts.
To create a password self-service policy:
- Launch Adaxes administration console.
  How:
  - On the computer where Adaxes administration console is installed, open Windows Start menu.
  - Click Adaxes Administration Console.
- Expand Adaxes service \ Configuration \ Password Self-Service and select Policies.
- In Password Self-Service Policies on the right, click New. Follow the instructions in the wizard.
- On the Activity Scope step, click Add. Select from the following items:
  - All Objects – select to apply the policy to all users in all domains managed by Adaxes.
  - Domain – select to apply the policy to all users in a specific domain.
  - OU or Container – select to apply the policy to the users located in an organizational unit or container.
  - Group – select to apply the policy to members of a group.
  - Business unit – select to apply the policy to members of a business unit. To select a business unit, open the Look in drop-down and select the Business Units item.
  You can exclude specific users, groups, organizational units and business units from the policy scope. For example, if you applied the policy to all users in a domain, but do not want to apply it to members of a certain group, you can exclude the group from the scope. To exclude an object, select the Exclude the selection checkbox in the Assignment Options dialog box.
  Step by step:
  - Click the object you want to exclude.
  - In the Assignment Options dialog, select the Exclude the selection checkbox.
  - Click OK.
  When done, click OK and then Finish.
If a user falls within the scope of two or more policies, the policy with the higher precedence is applied. To change the precedence of a policy, select it and use the buttons to move it up or down in the list.
To view all users a policy applies to, select the policy and click Show all affected users. To view the policy applied to a specific user, click Lookup policy for user.
Web interface
Out of the box, the Password self-service component is enabled in all built-in web interfaces, which means any web interface can be used to reset forgotten passwords, unlock accounts, and enroll for password self-service.
If you would like to disable the Password self-service component or configure it differently for a particular web interface, for example, the interface for administrators, follow the steps below.
- Open Adaxes web interface configurator.
  How:
  - On the computer where web interface configurator is installed, open Windows Start menu.
  - Click Adaxes Web Interface Configurator.
  To configure the web interface, you need to have the appropriate permissions.
  Permissions:
  The permissions to configure the web interface are delegated via security roles. By default, only service administrators have the appropriate permissions. To enable other users to configure the web interface, grant them the corresponding permissions.
  To create a security role that grants the permissions to configure the web interface:
  - In Adaxes administration console, right-click your Adaxes service, point to New and click Security Role.
  - Enter a name for the new security role and click Next.
  - On the Permissions step, click the down arrow embedded into the Add button and click Configure Web Interface.
  - Click Next and follow the steps in the wizard.
- In the top left corner, select the web interface you want to customize.
- In the left navigation menu, click Components.
- Use the Password self-service checkbox to enable or disable the Password self-service component.
- To periodically prompt users to enroll for password reset, select the Prompt users to enroll checkbox and select how often the prompt should be displayed.
  To require users to enroll for password self-service immediately after signing in, select the Enforce enrollment checkbox. Users won't be able to access any web interface features until they complete enrollment.
- To configure the password self-service form, click Customize the password reset form.
  Settings you can configure:
  Available actions
  - Generate – allows generating a random password that meets the complexity requirements of the password policy assigned to the user.
  - Spell out – allows viewing the new password spelled out using the phonetic alphabet. You can change the default phonetic alphabet should you need to. For details, see Configure password spell out.
  Custom message
  You can place a custom message on the password reset form.
- To display self-service options in My menu, click Configure menu items and configure which items will be available.
  Where is My menu: My menu is located in the top-right corner of the web interface.
- To allow users to enroll, re-enroll, and cancel enrollment for password self-service right from the Home page of the web interface, you can enable the Password self-service card. The card is not visible when there are no password self-service policies assigned to the user.
  For details, see Customize the Home page.
For information on how to configure Adaxes to automatically enroll users, see Autoenroll users for self-password reset.
Password self-service for Entra users
Adaxes web interface authenticates Entra users via the native Microsoft sign-in page. By default, this page includes a Forgot my password link to Microsoft's own self-service password reset system. If you want Entra users to reset their passwords via Adaxes instead, you can configure this link to point to the self-service password reset page of your Adaxes web interface.
This change is applied tenant-wide and cannot be scoped to specific users. Configure this setting only if you want all users in your Entra organization to reset their passwords exclusively via Adaxes.
- Sign in to the Microsoft Entra admin center.
- Browse to Entra ID > Custom branding and select Default sign-in.
- Click Edit.
- Activate the Sign-in form tab.
- Scroll down to the Self-service password reset section and select the Show self-service password reset checkbox.
- In the Common URL field, enter the base URL of the web interface plus /#/SelfPasswordReset:
  https://<base-url>/#/SelfPasswordReset
  You can either specify the URL of the common sign-in page or the URL of a particular web interface configuration, such as Admin. In the second case, the link will point to the self-service password reset page of that configuration.
  Examples:
  https://acme.com/Adaxes/#/SelfPasswordReset
  https://acme.com/Adaxes/Admin/#/SelfPasswordReset
  https://adaxes.acme.com/#/SelfPasswordReset
- Click Review + Save and then click Save.
OS login screen
To enable users to reset their passwords right from the Windows/macOS login and unlock screens, you need to install the Adaxes self-service client on each computer where you want the feature to be available.
To download the Adaxes self-service client:
- Launch Adaxes administration console.
  How:
  - On the computer where Adaxes administration console is installed, open Windows Start menu.
  - Click Adaxes Administration Console.
- Expand Adaxes service \ Configuration \ Password Self-Service and select OS Integration.
- In the Client Setup section located at the bottom, download the self-service client for the required operating system. For information on how to deploy the client and configure the OS integration settings, see the Self-service client installation guide.
Publish link
You can integrate the password self-service feature into your web sites and applications by adding a link to the Reset Password page of Adaxes web interface.
Example
<a href="http://example.com/Adaxes/SelfService/#/SelfPasswordReset?ReturnUrl=http%3A%2F%2Fwebsite.com">Forgot password?</a>
Use the ReturnUrl parameter to specify the URL which should be opened when the user completes or cancels resetting the password.
For details on how to limit the hosts allowed in the parameter, see Limit hosts allowed in ReturnURL for password self-service.
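As an added illustration in JavaScript (not code from the Adaxes product or its documentation), the following builds the /#/SelfPasswordReset link used both in the Entra Common URL setting above and in the published link here, percent-encodes the ReturnUrl parameter, and shows a host-allowlist check of the kind the text refers to when it mentions limiting the hosts allowed in ReturnUrl; the function names and the allowlist are assumptions, not the product's own implementation.

```javascript
// Added example (not Adaxes code): build a password self-service link and
// validate the ReturnUrl host against an allowlist before honouring it.

// Build the self-service URL. `baseUrl` is the web interface base URL
// (e.g. https://acme.com/Adaxes or https://acme.com/Adaxes/Admin);
// `returnUrl` is optional and is percent-encoded into the ReturnUrl parameter.
function buildSelfPasswordResetLink(baseUrl, returnUrl) {
  const base = baseUrl.replace(/\/+$/, "");          // drop trailing slashes
  let link = `${base}/#/SelfPasswordReset`;
  if (returnUrl) {
    link += `?ReturnUrl=${encodeURIComponent(returnUrl)}`;
  }
  return link;
}

// Hypothetical defender-side check: accept only absolute http(s) URLs whose
// host is on the allowlist, so the redirect after reset cannot leave the
// organisation's own sites. Relative, protocol-relative and non-http(s)
// values are rejected because URL parsing fails or the scheme does not match.
function isAllowedReturnUrl(returnUrl, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(returnUrl);   // throws on relative or malformed input
  } catch {
    return false;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  return allowedHosts.includes(parsed.hostname.toLowerCase());
}

// Extract the ReturnUrl parameter from a self-service link. The parameter lives
// in the fragment after "#/SelfPasswordReset", so URL.searchParams does not see it.
function extractReturnUrl(link) {
  const hash = new URL(link).hash;   // "#/SelfPasswordReset?ReturnUrl=..."
  const qIndex = hash.indexOf("?");
  if (qIndex === -1) return null;
  return new URLSearchParams(hash.slice(qIndex + 1)).get("ReturnUrl");
}

// Constructed sample usage with a hypothetical intranet host.
const ALLOWED_HOSTS = ["intranet.acme.com"];
const sampleLink = buildSelfPasswordResetLink("https://acme.com/Adaxes/", "https://intranet.acme.com/login?x=1");
console.log(sampleLink, isAllowedReturnUrl(extractReturnUrl(sampleLink), ALLOWED_HOSTS));
```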
Reset authenticator app
If a mobile authenticator app (Google Authenticator, Okta Verify, Authy, etc.) is used as a verification method for self-service password reset and a user loses their mobile device or gets a new one, they need to re-activate the app on the new device. This can be done in one of the following ways:
- Transfer the activation to the new device by means of the authenticator app.
- Use the Change device option.
- Reset the app activation using the Reset multifactor authentication operation.
Change device
The Change device option is available via the Multifactor authentication card that is enabled by default in the Self-service web interface.
How to enable the card:
- Open Adaxes web interface configurator.
- In the top left corner, select the web interface you want to customize.
- In the left navigation menu, click Home page.
- In the Cards section, select the Multifactor authentication checkbox.
- Save the changes.
The card is only visible if the signed in user has already activated an authenticator app, and the app is used for self-service password reset or required to sign in to a web interface.
Reset multifactor authentication
Activation of a mobile authenticator app can also be reset with the help of the Reset multifactor authentication operation, which is available in both the administration console and the web interface.
The operation is available in the web interface to users that have the permissions to execute it. By default, it allows resetting multifactor authentication required for password self-service, Adaxes web interface sign-ins, and Microsoft 365 sign-ins.
For details on how to grant the permissions to perform the operation and how to configure it in the web interface, see Grant rights to reset multifactor authentication.
The Reset multifactor authentication operation in the administration console can only be used to reset multifactor authentication required for password self-service or web interface sign-ins.