Password Management with Pass-Through Authentication

Note

This feature is available when pass-through authentication is in use and can only be used to reset the password for a pass-through-authentication application.

When IdentityIQ is configured for pass-through authentication, the Forgot Password option can be turned on to enable a user to reset their password in the authenticating application. A user can then authenticate to IdentityIQ through security questions when they are unable to remember their password.

To enable this feature, from the Navigation bar, go to the gear icon > Global Settings > Login Configuration > User Reset tab and select Enable Forgot Password.

This feature causes the Forgot Password? link to appear on the IdentityIQ login window. When a user clicks this link, they are prompted to answer one or more security questions that enable IdentityIQ to verify their identity. After a user successfully answers the security questions, the user is prompted for a new password. The pass-through application is then updated with that new password.

Pass-Through Authentication Requirements

Though the setup of pass-through authentication is not the focus of this document, a few configurations are required for pass-through authentication to work. If these configurations are not completed properly, features that depend on pass-through authentication may not work.

The Authentication Search Attributes field for the application must contain the names of the application account schema attribute(s) that contain the Username entered during sign-on. This field tells IdentityIQ which application fields to search to locate the matching application account. One or more attribute names can be specified in this field.

Defining the Security Questions

To specify the security questions, from the Navigation bar, go to the gear icon > Global Settings > Login Configuration > User Reset tab > Security Question Configuration > Questions area. A default set of security questions is provided. Any of these can be removed from the list by clicking the icon next to the question to be deleted. Custom questions can be defined as needed by clicking the icon next to the last question in the list and entering a new question in the box that appears.

Configuring the Security Question Settings

To configure security questions, from the Navigation bar, go to the gear icon > Global Settings > Login Configuration > User Reset tab > Security Question Configuration > Settings area. See User Reset.

Security Questions Tab

The Security Questions tab allows users to change the security questions and answers they use for a forgotten password.

  1. Select the desired questions from the dropdowns and provide the answers in the Answer field.

  2. Select Save.

The Security Questions tab is only displayed when Forgotten Password and Security Question are enabled from the Login Configuration > User Reset page. See User Reset.

Recording Security Answers

A user can only be authenticated through these questions if the answers are pre-recorded in IdentityIQ. Users can be required to provide these answers or they can choose to provide (or modify) their own answers.

Requiring Security Answers

Users can be forced to provide answers to these questions by selecting Prompt users for answers to unanswered security questions upon successful login in the Authentication Questions Settings. During the login process, the system then checks whether each user has the required number of authentication answers recorded. If too few answers are recorded for a user, the Answer Authentication Questions window is displayed and the user is required to answer these questions before they can gain access to IdentityIQ. The number of questions shown depends on the required number of answers in the Security Question Settings (Number of authentication answers a user must have defined in IdentityIQ). The user can select any of the configured questions from the question dropdown lists.

Users who have already provided the required number of answers are not prompted again; this window is bypassed in subsequent logins and they are taken directly to the normal IdentityIQ interface.

Independently Providing or Editing Security Answers

If users are not forced to provide authentication answers, they can choose to provide the answers through the Edit Preferences page. Users can also update their authentication answers on this page, including changing their answers or choosing different questions.

  1. From the Navigation menu bar, click the user name and select Preferences.

  2. Select the Password tab.

  3. Select the desired questions from the question lists and provide the appropriate answer for each question. Click Save to save the changes.