Self-service password reset allows users to securely reset their Active Directory password without involving the IT support help desk. As with the other password features in Foldr, it requires LDAPS to be enabled on the domain controllers and the LDAP Server in Foldr Settings must be prefixed appropriately using ldaps://
How does it work?
If a user forgets their Active Directory password, with the feature enabled they can click a ‘forgotten password’ link on the web app sign in screen. They will be shown a captcha and after passing this they must select a pre-defined method to receive a verification reset code. Once the code is received by the user, they can reset their password.
The Foldr administrator must enable and configure the notification channels as required.
Notification channels
Directory Email Address – This is the email address as specified for the user in Active Directory (the AD attribute labelled ‘mail’). If available, this will be automatically populated in and shown in Foldr within the ‘Me’ menu item in the web app.
User Email Address – User configurable email address, typically a personal email address will be used. This must be configured in advance by the user before it can be used for self-service password reset.
Directory Mobile Number – This is the mobile telephone number as specified in Active Directory >> Telephones >> Mobile (the attribute labelled ‘mobile’). If available, this will be automatically populated in Foldr within the ‘Me’ menu item in the web app.
User Mobile Number – User configurable mobile telephone number, typically a personal mobile number would be used. This must be configured in advance by the user before it can be used for self-service password reset.
Telegram Messenger – Allows a user to sign up for notifications to be delivered via the Telegram Messenger app. Telegram must be configured in advance by the administrator, which involves creating a Telegram ‘bot’ for the organisation which will automatically send codes to users as they are requested.
Requirements
1. LDAPS must be enabled on the Active Directory domain.
2. The main service account (configured under Foldr Settings >> General >> LDAP) must have permission to reset user’s passwords and read user information, this is used to query group membership. Follow the delegation of control wizard instructions as shown here
Notifications
For notifications to be available for selection by the administrator within the Self-Service Password Reset feature in Foldr, they must be enabled and configured:
Foldr >> Notifications provides an overview of the Notification Channels that are currently enabled or disabled on the appliance.
If no notification channels are enabled on the appliance, the administrator will be unable to make them available to users with the self-service password reset option.
Email – By enabling this notification, users will be able to select from either the email address specified for their account in Active Directory, or a personal email address which can be set within the Top right menu >> ‘Me’ item in the web app.
SMS – When enabled, the administrator can choose between the following SMS providers:
Nexmo
Twillio
Amazon AWSffsad
Should you wish to use SMS notifications, you will need to do sign up with one of these services and plug in your account details (i.e. their API key / secret) etc within Foldr Settings >> Integrations as appropriate.
Telegram Messenger – When enabled, users can receive notifications/password reset codes through the popular Telegram Messenger app.
Configuring Email Notifications
Email notifications require the appliance’s Mail Settings (Foldr Settings >> General >> Mail Settings) to be configured correctly so the Foldr system can send emails. Once this has been configured and the appliance can send successfully send email, corporate email addresses are pulled automatically for users from Active Directory &/or users can register their own personal email in Foldr from the web app.
Configuring SMS Notifications
1. Firstly, sign up for an account with the SMS provider. Nexmo provided API key and secret. Twilio refer to this as the ‘Account SID’ and ‘Auth Token’, Amazon uses a service account that can be configured under General >> Service Accounts. You can create multiple Amazon service accounts if you require different credentials for presenting S3 storage areas and SMS services.
Configure the Nexmo SMS Service within Foldr Settings >> Integrations
Select Nexmo
Enable the integration and enter your Nexmo API Key and API Secret (this is shown in https://dashboard.nexmo.com when logged in with your Nexmo account)
Navigate to Foldr Settings >> Notifications and Enable the SMS Notifications, select Nexmo as the provider and enter your Sender ID and Default Country code.
At this point, you can test the integration with the ‘SEND MESSAGE’ button.
If the SMS is successfully received, the integration is complete.
Configuring Telegram Messenger
IMPORTANT – When configuring Telegram Messenger, the admin must be connected to Foldr Settings using the PUBLIC address of the server and not the internal IP address or hostname. (When the Telegram configuration is saved, the Telegram service attempts to connect to the current server address used in the browser). A signed SSL certificate must also be installed for the configuration to save successfully.
For the purposes of Telegram setup, the admin can simply adjust the hosts file on their workstation while configuring this service.
Telegram Messenger is a popular instant messenger service and has client apps for all major platforms. Foldr can integrate with the Telegram API to provide self-service reset codes to users, without the cost associated with using an SMS provider. Telegram is free to use, but requires users to link their Telegram account to Foldr.
Password reset codes are sent via a Telegram bot (an automated service that receives the self-service notification from the Foldr appliance and delivers the codes to end users)
Creating the Bot
If you haven’t already done so, sign up for Telegram by downloading the app from the iOS / Android app store and register with the service by entering your mobile number.
Once you have Telegram on your device, send a blank message to @BotFather and proceed through the following steps:
1. You will receive a welcome message.
2. Type /newbot to create your bot.
3. Give your bot a name.
4. Enter a username for your bot.
You will receive a confirmation message stating the bot was created and the unique API token will be displayed.The username and API token can now be copied into the Telegram Messenger service within Foldr Settings >> Integrations >> Telegram Messenger.The integration steps are now complete. The administrator can now enable Telegram Messenger within Foldr Settings >> Notifications and make it available for use with self-service password reset through Foldr Settings >> Security >> Passwords >> Self-Service Password Reset.
Before it can be used in a self-service password reset scenario, users will need to link their Telegram account from within the Foldr web app >> Me (Top right menu) >> Services and it is recommended this is done on a PC or Mac with the Telegram client installed.
Enabling Self-Service Password Reset
Now the chosen notification method(s) have been configured and enabled, the self-service password reset itself feature must be enabled.
Within Foldr Settings >> Security >> Self-Service Password Reset select the notification channels that you would like to make available to users when using the password reset feature.
Finally, click ‘+ Add User or Group’ to search Active Directory to locate the users or groups required. If you wish to enable the feature for all users, you can use the built-in ‘Foldr Users’ group.
Bulk Importing Users Recovery Information
It is possible to use the Bulk Actions option in Foldr Settings > Users & Groups > + Add New > Bulk Actions to import recovery personal email address and mobile numbers en-masse using a .CSV file. If you only wish to use personal email as the recovery option, user_mobile in the .csv can be left blank.
Note that it is important that the ‘type’ must be ldap for Active Directory users, otherwise ‘local’ may be used for local accounts.
The sample .csv file for bulk importing email addresses and mobile numbers can and be found here.
Prompting Users for Account Recovery Information
Rather than bulk importing, if you would like users to be prompted to provide recovery account information (provide personal mobile or email address to be used for self-service reset) when they sign-in, enable the prompt option as shown below.
Users may by-pass the prompt, however it will be displayed every time they sign in until the information has been supplied. This prompt is displayed in the Foldr web app, mobile and desktop apps, providing ‘web sign-in’ is enabled on the apps. Example shown below requesting a Personal Email address.
The user would select the notification method (only one is enabled in the example) and click Next. They would then supply a personal email address.
When the user clicks next, an email is sent to that addrsess from the Foldr server containing a verification code which must be entered.
The user can copy/paste the code into the verificaiton box and the user’s personal email address is stored on the server, ready for use with self-service password reset.
Accessing Self-Service Password Reset as a Dedicated App
Once configured, users can access the self-service password reset feature either using the ‘forgot password’ link in the web app sign-in page or via the dedicated URI below. This can be useful if redirecting users to an external IdP with Foldr such as Microsoft AD FS:
https://address-of-foldr/?self_service=1