Skip to main content

Common password-related and other tasks

This chapter covers few tasks which are not part of daily routine, but which are important and deserve to be covered.

Using only the LDAP Server in Trivore Identity Service (WebUI is only used to change/recover password)

This is a special use case. These organisations only use Trivore Identity Service as their primary master data for user accounts, and no other Trivore Identity Service functionality. They have also normally integrated several external services and applications to authenticate user accounts from Trivore Identity Service LDAP Server.

As the master data is in Trivore Identity Service and LDAP is read-only, the user account password must be changed in Trivore Identity Service WebUI. To make this task easy, the Trivore Identity Service sign in view has a special link in it to do just this password change.

Please note, not all external applications and services check for password expiration when performing LDAP authentication. This might cause some surprises and service or support cases. Therefore, it is important to instruct users to go to Trivore Identity Service WebUI in those cases and verify they can sign in to there. If the password has expired, they will be asked for new password and this will resolve the sign in issue.

A good mitigation to password expiration is not to expire passwords at all. This is actually the current best practise and recommendation.

Change password without signing in to Trivore Identity Service

This is a special task most often related to LDAP-only use case described above, but can be used for other circumstances, too.

This process only works for changing passwords. If your 2FA is currently not functioning (TOTP or SMS), please contact you organisation Account Admin for further assistance.

Password change is launched by replacing /ui with /changePassword on the normal Sign in address. There are also other options which can be embedded to the address: ?ns=namespacename and ?username=email@address. Here namespacename refers to the actual name of the namespace in question.The table below should help with all of the options related to this task.

Task in details

Example address

1

General direct address to start password change process. Username, current password, and namespace code are asked to change the password.

https://oneportal.trivore.com/changePassword

2

Direct address to start password change process. Username and current password are asked to change the password.

The example address is for organisation “namespacename”.

https://oneportal.trivore.com/changePassword?ns=namespacename

3

Direct address to start password change process. Current password only is asked to change the password.

The example address is for organisation “namespacename ” with sign in username “email@address”.

https://oneportal.trivore.com/changePassword?ns=namespacename&username=email@address

4

Direct address to start password change process. Current password, and namespace code are asked to change the password.

The example address is for sign in username “email@address”.

https://oneportal.trivore.com/changePassword?username=email@address

5

Direct address to start password change process. Current password only is asked to change the password.

The example address is for namespace code “company1” with sign in username “administrator”. Locale and UI language is also enforced to be English.

https://oneportal.trivore.com/changePassword?ns=company1&username=administrator&locale=en

Table 7.1: Assistive table with different options for password change task.

This method of password changing is designed and implemented to be unbranded and compatible with iframes, so it is possible to embed it to other websites rather easily.

Password change view asking for username, password and namespace

Below is shown the password change process in few pictures. This process is for the general direct address use case described in table above as first example.

To be able to change password, you are required to enter all current credentials.

An error message is shown if the credentials are entered wrong.

After certain number of wrong passwords, the user account will be locked. Details on this vary between organisations, so please consult your administrator for those details.

Example URL: <https://oneportal.trivore.com/changePassword?ns=namespacename>

Tip: See the URL examples in the table above.

Image

It is strongly recommended, and even mandatory in some organisations to have second factor for stronger authentication. The second factor might be either proper strong TOTP, or a weaker SMS (text message) OTP PIN. The SMS 2FA is shown here as an example.

Enter the code you received to the mobile number defined in your user account data. The code might be numbers, text, or both.

After proper authentication, you may enter the new password. You only need to enter it once. For convenience, you may reveal it to verify you entered it right.

If the password you enter does not meet the defined requirements, you may see an error message in a red box. These requirements can be configured per user namespace.

Password recovery

Password self-recovery is normally enabled for a namespace, but it is possible for Namespace Admin to disable it. It is also possible to disable it for only some user accounts. Self-recovery is normally disabled for special service-like user accounts, and enabled for all others.

This recovery process only works for forgotten passwords. If your 2FA is currently not functioning (TOTP or SMS), please contact your organisation Account Admin for further assistance.

This method of password recovery is designed and implemented to be unbranded and compatible with iframes, so it is possible to embed it to other websites rather easily.

There are two ways to launch password recovery:

  1. From Sign in screen by selecting the link “Password forgotten?”. This is the normal interactive way. User is expected to enter sign in username and namespace code to continue with the process.

  2. By directly going to the recovery address. This recovery address is the Trivore Identity Service Appliance address with “/resetPassword” added to the end. For example if Trivore Identity Service Appliance address is “https://oneportal.trivore.com”, the Password recovery address is “https://oneportal.trivore.com/resetPassword”. At the end of “/resetPassword”, it is possible to embed information on the namespace and user account for which this recovery process will take place.

Task in details

Example Address

1

Default password recovery address. Username, Email address or phone number and Namespace are required to start password recovery.

https:/oneportal.trivore.com/resetPassword

2

Direct address to start password recovery. Username, Email address or phone number will be required to start password recovery. Namespace is always all lower case and it has no spaces. If embedding the recovery WebUI to another website, it is generally recommended to add the namespace information on to the called URI.

In the example address the namespace name is “namespacename”

https://oneportal.trivore.com/resetPassword?ns=namespacename

3

Direct address to start password recovery. Username, Email address or phone number and Namespace are required to start password recovery. Locale is set through the address

In the example address the locale is set to English

https://oneportal.trivore.com/resetPassword?locale=en

4

Direct address to start password recovery. Username, Email address or phone number will be required to start password recovery. Locale is set through the address. If you will add more than one parameter, separate the parameters with “&”.

In the example address the namespace name is “namespacename” and the locale is set to English

https://oneportal.trivore.com/resetPassword?ns=namespacename&amp;locale=en

Both methods above launch the same recovery process. The password recovery is visually and technically designed to work properly on small screen devices, and to be embeddable into another website or mobile application.

Image

Follow the next steps to execute this recovery task:

  1. Type in your username as you would when signing in normally, you may also need to type in the namespace of your user account. Select “Continue” to proceed. Depending on how the recovery process WebUI was called, some data might already be present in the fields. If you enter your basic information wrong, you will get an error message “Entered username or namespace is unknown.”

  2. Next phase is for Trivore Identity Service to send a password recovery email. A notification with text “A confirmation email will be sent..” is shown.

  3. Check your email. You should receive email from Trivore Identity Service in a few seconds.

  4. Open the recovery email. You will notice it came from Trivore Identity Service. It is still recommended to verify the actual address and path on the email before continuing. The server address is Trivore Identity Service server address, and the path at the end has the form of “/resetPassword?dt=ABCDEFGHIJKLMNOP”. If you receive multiple recovery emails by accident, the latest one is the valid one.

  5. Click on the link on the email. It will open on web browser. Alternatively, copy the link on email to clipboard and paste it to the address field of your web browser.

  6. On the opened dialogue, your new password is asked. Enter it to field “New password” and select “Change password” to continue. It is also possible to select “Cancel” if you do not want to enter new password at this time. Remember, all passwords must obey the rules defined by Namespace Admin for length, complexity and other rules. If the new password does not obey all rules, an error dialogue is shown, and password is not changed.

  7. After you have entered acceptable new password, you are able to go to the Sign in screen and sign in to Trivore Identity Service with the new password.

  8. It is strongly recommended to verify the new password and ability to sign in immediately.

    Image

Password expiration

Tip: As per latest NIST SP 800-63-3 recommendation <https://pages.nist.gov/800-63-3/> on passwords from 22 June 2017, password expiration is no longer recommended. By default Trivore Identity Service follows the latest recommendation revision.

Part of a traditional system and service usage life-cycle was the expiration of account passwords, and Trivore Identity Service is not an exception if expiration has been enabled. Before the password actually expires, there is a warning shown about the expiring password. This warning is shown at sign-in when the following three are all true:

  1. Current password has not yet expired.

  2. Current password has not been changed recently, and 25 % or less of its life-time is left before it expires. “Full life-time” in this context is the maximum age of a password.

  3. Current password has maximum of 15 days (360h) life-time left before it expires.

As an example, if maximum password age is 730 days, the expiration warning is first shown 15 days before the password actually expires until it is changed or it expires.

Password expiration usually happens at some time for all user accounts. What has to be done at this time, is to change the password to another one fulfilling all the rules for a new password (minimum length, uniqueness, complexity, etc.).

There are four different ways to change password.

  1. While signed in, open Personal Menu and select Change password to initiate the most common method for the change.

  2. While not signed in, use a special address. This is the only method to change password for those who do not have permissions to sign in to Trivore Identity Service WebUI.

  3. Wait until the “password expiring soon” notification shows up, select password change there. This method is effectively the same as step 1 above.

  4. Wait until you can not sign in any more due to expired password. You are forced to change it. This method is effectively the same as step 2 above.

Until an expired password is changed in Trivore Identity Service, sign in via LDAP is not possible.

Disabling WebUI sign in for all accounts in a namespace

There are special use cases of Trivore Identity Service where accounts in a namespace do not need to be able to sign in on the web user interface. This is most often the case when Trivore Identity Service is used for authenticating users for external services. This can be achieved by removing all Contexts from the namespace settings. In this case if users try to sign in they only see an error message instead of successful sign-in.