Self-Service Password Reset & Notifications – Technical Setup

Posted on 10th August 2017

Introduction

Using this feature, users are able to reset / change a forgotten Active Directory password without involving the IT support help desk.  As with the other password features in Foldr, it requires LDAPS to be enabled on the domain controllers and the LDAP Server in Foldr Settings must be prefixed appropriately using ldaps://

See here for more information on LDAPS and enabling this on your domain controller.

Self-service password reset works by the user selecting the forgotten password link on the web app sign in screen, passing the captcha and then selecting a notification method to receive a reset code.  Once the code is received by the user, they can reset their password.

The Foldr administrator must enable and configure the notification channels as required.

Notification channels

Directory Email Address – This is the email address specified for the user in Active Directory (the AD attribute labelled ‘mail’).  If available, this will be automatically populated and shown in Foldr within the ‘Me’ menu item in the web app.

User Email Address – A user-configurable email address; typically a personal email address is used.  This must be configured in advance by the user before it can be used for self-service password reset.

Directory Mobile Number – This is the mobile telephone number as specified in Active Directory >> Telephones >> Mobile (the attribute labelled ‘mobile’).  If available, this will be automatically populated in Foldr within the ‘Me’ menu item in the web app.

User Mobile Number – A user-configurable mobile telephone number; typically a personal mobile number is used.  This must be configured in advance by the user before it can be used for self-service password reset.

Telegram Messenger – Allows a user to sign up for notifications to be delivered via the Telegram Messenger app.  Telegram must be configured in advance by the administrator, which involves creating a Telegram ‘bot’ for the organisation which will automatically send codes to users as they are requested.
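The two Directory channels above only work for accounts whose ‘mail’ and ‘mobile’ attributes are actually populated. The following PowerShell is an added example, not part of this article or of Foldr, that reports which enabled users in an OU have those attributes set and flags mobile numbers that lack an international prefix (and so depend on the Default Country code configured under Notifications). The OU path is an assumption.

```powershell
# Added example (not Foldr's own tooling): audit the AD attributes that the
# Directory Email Address and Directory Mobile Number channels read.
# Assumed search base: OU=Staff,DC=corp,DC=example
Import-Module ActiveDirectory

function Get-ResetChannelCoverage {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties mail, mobile |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                HasMail        = [bool]$_.mail
                HasMobile      = [bool]$_.mobile
                # E.164 form (+countrycode number) needs no default country code;
                # anything else relies on the Default Country code in Foldr.
                MobileIsE164   = [bool]($_.mobile -match '^\+[1-9]\d{6,14}$')
            }
        }
}

$report = Get-ResetChannelCoverage -SearchBase 'OU=Staff,DC=corp,DC=example'

# Accounts with neither directory channel: these users can only reset via a
# personal email/mobile they register themselves, or via Telegram.
$report | Where-Object { -not $_.HasMail -and -not $_.HasMobile } |
    Select-Object SamAccountName

# Mobile numbers present but not in E.164 form
$report | Where-Object { $_.HasMobile -and -not $_.MobileIsE164 } |
    Select-Object SamAccountName

# Overall coverage summary
$report | Group-Object HasMail, HasMobile | Select-Object Name, Count
```

Run this before enabling the feature for a group so that users without any channel can be told to register a personal address or number (or link Telegram) first; otherwise their reset attempt has nowhere to send the code.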

Requirements

1.  LDAPS must be enabled on the Active Directory domain.

2.  The main service account (configured under Foldr Settings >> General >> Configuration) must have permission to reset users’ passwords and to read user information (the latter is used to query group membership).  Follow the delegation of control wizard instructions as shown here.
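The two requirements above can be checked and applied from a domain-joined Windows admin workstation. The PowerShell below is an added example, not part of this article or of Foldr: it first confirms that the domain controller answers on port 636 with a TLS certificate the client trusts (requirement 1), then grants the Foldr service account the ‘Reset Password’ extended right on user objects under a single OU (requirement 2), which is what the delegation of control wizard does. The DC name, OU path and service account name are assumptions; the two GUIDs are Active Directory schema constants.

```powershell
# Added example (not Foldr's own tooling). Assumed names:
#   dc01.corp.example            - a domain controller
#   OU=Staff,DC=corp,DC=example  - the OU whose users may self-service reset
#   svc-foldr                    - Foldr's main service account
Import-Module ActiveDirectory

$DomainController = 'dc01.corp.example'
$TargetOU         = 'OU=Staff,DC=corp,DC=example'
$ServiceAccount   = 'svc-foldr'

# --- Requirement 1: LDAPS answers on 636 with a trusted certificate ---------
function Test-Ldaps {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Validation uses the OS trust store: an untrusted, expired or
        # name-mismatched DC certificate makes AuthenticateAsClient throw,
        # and that is exactly the fault an ldaps:// client would hit.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server   = $Server
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
}
Test-Ldaps -Server $DomainController

# --- Requirement 2: delegate "Reset Password" on user objects in one OU -----
# Well-known AD GUIDs (schema constants, not values specific to this page):
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # 'user' schema class

$sid = (Get-ADUser -Identity $ServiceAccount).SID
$acl = Get-Acl -Path "AD:\$TargetOU"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserObjectClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show the ACEs now held by the service account on that OU
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Scoping the delegation to the OU that actually holds self-service users, rather than the domain root, limits what the service account can reset; the same scoping applies if the wizard is used instead. Reading user information and group membership normally needs no extra delegation, since Authenticated Users can read those attributes by default.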

Notifications

For notifications to be available for selection by the administrator within the Self-Service Password Reset feature in Foldr, they must be enabled and configured:

Security >> Notifications provides an overview of the Notification Channels that are currently enabled or disabled on the appliance.

If no notification channels are enabled on the appliance, the administrator will be unable to make them available to users with the self-service password reset option.

Email – By enabling this notification, users will be able to select from either the email address specified for their account in Active Directory, or a personal email address which can be set within the Top right menu >> ‘Me’ item in the web app.

SMS – When enabled, the administrator can choose between the following SMS providers:

Nexmo
Twilio
Amazon AWS

You will need to sign up with one of these services and enter their API key / secret etc. within Foldr Settings >> Services as appropriate.

Telegram Messenger – When enabled, users can receive notifications / password reset codes through the popular Telegram Messenger app.

Configuring Email Notifications

Email notifications require the appliance’s Mail Settings to be configured correctly so the Foldr system can send emails. Once this has been configured and the appliance can successfully send email, corporate email addresses are pulled automatically for users from Active Directory and/or users can register their own personal email in Foldr from the web app.

Configuring SMS Notifications

1.  Firstly, sign up for an account with the SMS provider.  Nexmo provides an API key and secret; Twilio refers to these as the ‘Account SID’ and ‘Auth Token’; Amazon uses a service account, which can be configured under General >> Service Accounts.  You can create multiple Amazon service accounts if you require different credentials for presenting S3 storage areas and for SMS services.  The remaining steps use Nexmo as the example.

2.  Configure the Nexmo SMS Service within Foldr Settings >> Services.

3.  Select Nexmo.

4.  Enable the integration and enter the API Key and API Secret.

5.  Navigate to Foldr Settings >> Notifications and enable SMS Notifications, select Nexmo as the provider and enter your Sender ID and Default Country code.


At this point you can test the integration with the ‘SEND TEST MESSAGE’ button.

If the SMS is successfully received, the integration is complete.

Configuring Telegram Messenger

Telegram Messenger is a popular instant messenger service and has client apps for all major platforms.  Foldr can integrate with the Telegram API to provide self-service reset codes to users, without the cost associated with using an SMS provider.  Telegram is free to use, but requires users to link their Telegram account to Foldr.

Password reset codes are sent via a Telegram bot (an automated service that receives the self-service notification from the Foldr appliance and delivers the codes to end users).

Creating the Bot

If you haven’t already done so, sign up for Telegram by downloading the app from the iOS / Android app store and register with the service by entering your mobile number.

Once you have Telegram on your device, send a blank message to @BotFather and proceed through the following steps:

1.  You will receive a welcome message.

2. Type /newbot to create your bot.

3. Give your bot a name.

4. Enter a username for your bot.

You will receive a confirmation message stating the bot was created and the unique API token will be displayed.  The username and API token can now be copied into the Telegram Messenger service within Foldr Settings >> Services >> Telegram Messenger.

The integration steps are now complete.  The administrator can now enable Telegram Messenger within Foldr Settings >> Notifications and make it available for use with self-service password reset through Foldr Settings >> Security >> Self-Service Password Reset.

Before it can be used in a self-service password reset scenario, users will need to link their Telegram account from within the Foldr web app >> Me (Top right menu) >> Services and it is recommended this is done on a PC or Mac with the Telegram client installed.
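Before pasting the BotFather token into Foldr it is worth confirming that the token is valid and belongs to the bot you just created. The PowerShell below is an added example, not part of this article or of Foldr; it calls the Telegram Bot API’s getMe method, which only returns the bot’s own identity and sends nothing to users. It assumes the token is supplied through an environment variable named TELEGRAM_BOT_TOKEN rather than written into the script.

```powershell
# Added example (not Foldr's own tooling): validate a Telegram bot token.
# Assumption: the token is provided in $env:TELEGRAM_BOT_TOKEN. It is a
# credential - whoever holds it can send messages as the bot - so it is kept
# out of the script body and out of shell history.
function Test-TelegramBotToken {
    param([Parameter(Mandatory)][string]$Token)

    $uri = "https://api.telegram.org/bot$Token/getMe"
    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Get
    } catch {
        # Telegram answers an invalid token with HTTP 401, which
        # Invoke-RestMethod surfaces as an exception.
        throw "Telegram rejected the token: $($_.Exception.Message)"
    }
    if (-not $resp.ok) { throw "Telegram returned an error: $($resp.description)" }

    [pscustomobject]@{
        Id       = $resp.result.id
        Username = $resp.result.username   # the @name to enter in Foldr Settings
        IsBot    = $resp.result.is_bot
    }
}

$token = $env:TELEGRAM_BOT_TOKEN
if (-not $token) { throw 'Set TELEGRAM_BOT_TOKEN before running this check.' }
Test-TelegramBotToken -Token $token
```

Check that Username matches the name BotFather gave you; a mismatch means a token for a different bot was copied. Note that a Telegram bot cannot start a conversation with a user on its own: the user has to open a chat with the bot first, which is why the account-linking step above under ‘Me’ >> Services is required before any reset code can be delivered.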


Enabling Self-Service Password Reset

Now that the notifications have been configured and enabled, the self-service password reset feature itself must be enabled.

Within Foldr Settings >> Security >> Self-Service Password Reset

Firstly, select the notification channels that you would like to make available to users when using the password reset feature.  Once this is done you must enable the Self-Service Password Reset feature for users or groups as required.

Click ‘+ Add User or Group’ to search Active Directory to locate the users or groups required.  If you wish to enable the feature for all users, you can use the built-in ‘Foldr Users’ group.

The example screenshot above shows the notification channels that are available to users when using self-service password reset; in that example only members of the Marketing group are allowed to use the reset feature.

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, support@foldr.io