Ubisecure Password is a web application that provides a user interface for changing and resetting a password. It is included in the Ubisecure SSO Server installation package but needs to be activated before use.
The password reset application is shown below.
Figure 1. Password Reset Application
The password change application requires user login using an existing authentication method.
Ubisecure Password requires that the AD password authentication method has been installed. Please make sure that the AD password authentication method works before proceeding to the Ubisecure Password installation.
Ubisecure Password SP activation
First install the UAS SAML metadata by selecting the [SAML 2.0] link on the Ubisecure Server Management front page. Save the metadata file in the directory
Figure 2. Select SAML 2.0 to save IDP metadata file.
Then generate the SP identity and metadata. Use your publicly visible hostname in the Generate command URL parameter.
Generate SAML SP identity and metadata (in Windows use '\' instead of '/')
In Ubisecure Server Management, select System → Password → Applications → Password → Activate. Then upload the generated ubilogin-sso/password.xml file.
Figure 3. Select Activate to upload SAML Metadata of the Password application
Configure mail settings
Ubisecure Password uses email to perform password resets. Configure the mail settings in the
ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file. Uncomment the context-param elements that contain the mail.smtp.host and mail.smtp.from param-names, then edit the param-values to match your environment.
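A quick check for the step above, as an added example that is not part of the Ubisecure documentation or product: it reports whether the mail.smtp.host and mail.smtp.from context-param elements in web.xml are active, empty, still commented out or missing. The sample web.xml, its namespace and the addresses are constructed, and the function names are hypothetical.

```python
import re
import sys
import xml.etree.ElementTree as ET

REQUIRED = ("mail.smtp.host", "mail.smtp.from")

# Constructed sample (not the shipped web.xml): host is active, from is still commented out.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>mail.smtp.host</param-name>
    <param-value>smtp.example.com</param-value>
  </context-param>
  <!--
  <context-param>
    <param-name>mail.smtp.from</param-name>
    <param-value>noreply@example.com</param-value>
  </context-param>
  -->
</web-app>
"""

def local(tag):
    """Strip an XML namespace such as {http://...}context-param."""
    return tag.rsplit("}", 1)[-1]

def mail_settings_status(xml_text):
    """Return {param-name: 'active' | 'empty' | 'commented' | 'missing'}."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    status = {name: "missing" for name in REQUIRED}
    for el in root.iter():
        if el.tag is ET.Comment:
            # A commented-out element survives only as text inside the comment node.
            for name in REQUIRED:
                pattern = r"<param-name>\s*%s\s*</param-name>" % re.escape(name)
                if status[name] == "missing" and re.search(pattern, el.text or ""):
                    status[name] = "commented"
        elif isinstance(el.tag, str) and local(el.tag) == "context-param":
            fields = {local(c.tag): (c.text or "").strip()
                      for c in el if isinstance(c.tag, str)}
            name = fields.get("param-name")
            if name in status:
                status[name] = "active" if fields.get("param-value") else "empty"
    return status

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for name, state in mail_settings_status(data).items():
        print(f"{name}: {state}")
```

Pass the path to web.xml as the only argument; with no argument the script checks the embedded sample.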
Enable access to Ubisecure Password
- In Ubisecure Server Management, navigate to the Password site: select System → Password
- Add the password.ad.1 authentication method to the site: select Site Methods → Add… → password.ad.1 → OK
- Add AD users to the Password Users group by using the dynamic members functionality. (The following configuration is just an example. You will probably have a more detailed definition for the included users.)
Select Groups → Password Users → Dynamic Members → Add
- Server: ldaps://ad.example.com/
- Distinguished Name: dc=ad,dc=example,dc=com
- Attributes: <empty>
- Scope: sub
- Filter: (objectClass=person)
- Extensions: <empty>
See Figure 4 and Figure 5 below for examples.
Figure 4. The group Password Users defines which users can change their password
Figure 5. Add AD Users to the Password Users group using Group Dynamic Members
- Enable the password.ad.1 authentication method for the Password web agent: select the site Password → Applications → Password → Allowed Methods → password.ad.1 → Update
Enable Password web application
Remove the file
ubilogin-sso/tomcat/conf/Ubilogin/idp.example.com/password.xml. Then run the update:
Password application user interface customization
All user interface text, including the text used in emails sent to users, is configured in the resource files of the application using a text editor. The keys are self-explanatory and default texts are provided.
The use of CSS style sheets is currently not supported. Further user interface style changes, including references to style sheets, require minor modifications to the following files:
Any changes to the above files must be followed by the update command as described below:
Linking to the Password application
For password change, direct the user to the following link. Locale is optional but desirable.
For password reset, you must specify in the link which method the user is resetting. Locale is optional but desirable.
Links can be added to the Ubisecure SSO user interface using the *LINKS settings described in Login screens - SSO.
Password application audit log
The audit log is written by default to
The log records all password reset and change actions and failures.