Reset a password
By default, if users forget the password they use to access IDaaS or an application, they must contact an account administrator to have it reset.
You can enable password reset to allow users to reset their password without contacting the administrator. When it is enabled, a Forgot your password? link appears on the login page. When a user clicks this link, the user is asked for their user name and second-factor credentials. If both are valid, the user is prompted to create a new password. Because a user name is not a secret, the second factor is what authenticates the reset; make sure users hold a second-factor authenticator before enabling this feature.
Password reset is supported when logging in to the following:
- IDaaS
- OIDC and OAuth applications
- SAML applications
- Active Directory
Password reset cannot be performed when logging in to RADIUS or Entrust Identity Enterprise applications.
Password reset is not available in the Entrust Identity app if the Soft Token PIN policy in IDaaS is set to false (disabled). See the PIN Required setting in Modify Entrust Soft Token (ST) authenticator settings.
Prerequisites
Configure the following settings of your IDaaS account to enable password reset:
- Enable password reset. See Enable password reset.
- Set the authentication decision. In the Resource Rule Authentication Decision settings, set the first factor to password (see Create and manage resource rules).
- Assign password reset groups to users. If you have configured the Password Reset Settings of your account to require users to be part of specific groups, assign those groups to users accordingly (see Add users to IDaaS).
- Assign required second-factor authenticators to users. If you configured an additional second factor for password reset, users must have at least one authenticator from Second-factor Authenticators Allowed to perform a Password Reset before they can reset their password (see Manage and assign user authenticators).
Active Directory password reset
You can customize your account settings so that users can reset their Active Directory password. This is useful for users who need to complete password authentication but have forgotten their Active Directory password. See Enable password reset.
Requirements
Active Directory password reset only works under the following conditions:
- Your account is configured with an IDaaS gateway version 4.0 or later.
- You are using Active Directory DS or Active Directory LDS with native users.
- The IDaaS directory configuration that syncs Active Directory users to your IDaaS account is configured to use SSL and binds with an Active Directory administrator account that can reset passwords (the account must be allowed to modify the following attributes: unicodePwd, lockoutTime, and pwdLastSet). SSL is required because Active Directory rejects writes to unicodePwd over an unencrypted connection.
Limitations
The Minimum Lifetime (Minimum password age in Active Directory) is not enforced during a password reset.
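The following is an added example, not code from this page or from Entrust, showing the LDAP modify operations that an Active Directory password reset consists of. It illustrates why the sync account needs write access to unicodePwd, lockoutTime and pwdLastSet, why the connection must be encrypted, and why the Minimum password age is not enforced: an administrative reset is a single REPLACE of unicodePwd, whereas a user-initiated change is a DELETE of the old value plus an ADD of the new one, and only the latter is subject to the minimum-age check. The `apply_reset` function assumes the `ldap3` library; its host, DN and credential arguments are placeholders you would point at a test user.

```python
"""Added example (not Entrust's code): the LDAP modify operations behind an
Active Directory password reset. Use the builders to inspect the operations and
apply_reset() to verify the sync account's rights on a test user over LDAPS.

Assumptions (not from the page): ldap3 is used for the live check; host, DNs
and passwords passed to apply_reset() are placeholders.
"""
from __future__ import annotations

# Operation names spelled as ldap3 defines them, kept as plain strings so the
# builders below run without ldap3 installed.
MODIFY_REPLACE = "MODIFY_REPLACE"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_ADD = "MODIFY_ADD"


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the UTF-16-LE encoding of the password wrapped
    in double quotes. AD accepts this attribute only over an encrypted
    connection (LDAPS, or SASL with confidentiality), which is why the IDaaS
    directory configuration must use SSL."""
    return f'"{password}"'.encode("utf-16-le")


def build_reset(new_password: str, unlock: bool = True,
                must_change_at_next_logon: bool = False) -> dict:
    """Administrative reset: one REPLACE of unicodePwd.

    This is what a delegated reset-password account performs; it is not subject
    to the Minimum password age policy (the limitation noted above).
    lockoutTime=0 clears a lockout. pwdLastSet=0 forces a change at next logon,
    -1 stamps the current time."""
    changes = {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}
    if unlock:
        changes["lockoutTime"] = [(MODIFY_REPLACE, ["0"])]
    changes["pwdLastSet"] = [(MODIFY_REPLACE, ["0" if must_change_at_next_logon else "-1"])]
    return changes


def build_change(old_password: str, new_password: str) -> dict:
    """User-initiated change: DELETE the old value and ADD the new one in a
    single modify. This proves knowledge of the old password and, unlike
    build_reset(), is subject to the Minimum password age check."""
    return {"unicodePwd": [
        (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
        (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
    ]}


def apply_reset(host: str, bind_dn: str, bind_password: str,
                user_dn: str, new_password: str) -> bool:
    """Run build_reset() against a test user over LDAPS (port 636) with the
    account the IDaaS directory sync binds as. Returns True on success; on
    failure conn.result holds the LDAP error (for example insufficientAccessRights
    if the account lacks write rights on one of the three attributes)."""
    from ldap3 import ALL, Connection, Server  # imported here so the builders stay dependency-free
    server = Server(host, port=636, use_ssl=True, get_info=ALL)
    with Connection(server, user=bind_dn, password=bind_password, auto_bind=True) as conn:
        ok = conn.modify(user_dn, build_reset(new_password))
        if not ok:
            print("reset failed:", conn.result)
        return ok
```

Run `apply_reset` once against a disposable test account before enabling the feature: if it fails with insufficient access, the delegated account is missing rights on one of the three attributes; if it fails with an unwilling-to-perform error, the connection is not encrypted.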
Reset a password using a link
A password reset URL is available at /#/reset/<userID>, where userID is optional.
For example, if the user ID is aliceg, the password reset link for the account mycorp.<region>.trustedauth.com would be mycorp.<region>.trustedauth.com/#/reset/aliceg.
- If userID is set, the user skips entering their user name and goes directly into the password reset flow.
- If a user who is already logged in navigates directly to the reset URL, they are logged out and enter the password reset flow.
- If an invalid user ID is passed, an error message appears and the user is prompted to enter their user name.
- If the user clicks Cancel while in the password reset flow, they are redirected to /#/reset.
- If during the password reset flow it is determined that the user is unable to reset their password, they are redirected to the login page.
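The following is an added example, not code from this page or from Entrust, for help-desk tooling that builds and parses per-user reset links of the form above. It goes slightly beyond the aliceg case by percent-encoding the user ID so that IDs containing '@', '/' or spaces survive the URL fragment. It assumes the account is reached over https, and the host and region used in the test values are placeholders for your own account.

```python
"""Added example (not Entrust's code): build and parse password reset links of
the form https://<account host>/#/reset/<userID>.

Assumptions (not from the page): the account is served over https; any host
such as mycorp.us.trustedauth.com used with these functions is a placeholder.
"""
from typing import Optional
from urllib.parse import quote, unquote, urlsplit


def reset_link(account_host: str, user_id: Optional[str] = None) -> str:
    """Return the reset URL; omit user_id to let the user type their user name."""
    base = f"https://{account_host}/#/reset"
    if not user_id:
        return base
    # safe='' also encodes '/', so an ID can never add a path segment to the route
    return f"{base}/{quote(user_id, safe='')}"


def user_id_from_link(url: str) -> Optional[str]:
    """Extract the user ID a reset link carries, or None for a bare /#/reset."""
    frag = urlsplit(url).fragment          # e.g. "/reset/aliceg"
    parts = frag.split("/")                # e.g. ["", "reset", "aliceg"]
    if len(parts) < 2 or parts[1] != "reset":
        raise ValueError("not a password reset link")
    if len(parts) > 2 and parts[2]:
        return unquote(parts[2])           # decode %40, %2F, %20 back to the ID
    return None
```

Because the user ID travels in the fragment, it is never sent to the server in the request line; the reset page reads it client-side, which is why an invalid ID simply falls back to prompting for the user name.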