Hi Ayesha,

On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne <is...@wso2.com> wrote:

> Hi Ayesha,
>
> We can extend the Ask Password feature we developed in IS 5.3.0 to support
> this feature. So, we can send a confirmation email rather than an OTP.
>
There can be different use cases.
If we think about a call center scenario, the customer will call the support
center and ask to reset the password, and it will be communicated to the
client at that time; then the user can log in, and on the 1st attempt he needs
to reset the password.
Then we can set an additional flag in a user attribute that indicates that
this password was reset by admin.
And then this can be checked in the Password Policy Authenticator.

And a secure way to handle this is extending the Ask Password implementation
to send an email and reset the password, or to send an OTP to the customer and
enforce a reset on the 1st login.
I think it is better to implement the 1st scenario and extend it to these cases.

Thanks,
Ishara

>
> Thanks
> Isura
>
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>
> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka <aye...@wso2.com>
> wrote:
>
>> Hi,
>>
>> I have created public jira IDENTITY-5166
>> <https://wso2.org/jira/browse/IDENTITY-5166> to track this
>> implementation.
>>
>> Thanks!
>> -Ayesha
>>
>>
>>
>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka <aye...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I have started working on [1], which forces password reset for a user
>>> after an administrative password recovery action.
>>>
>>> Based on the off-line discussion with Darshana, this flow can be as
>>> follows.
>>>
>>>    1. User '*Bob*' forgets the password and requests an administrative
>>>    person for a password reset action
>>>    2. Admin person resets the password and provides a new password to
>>>    *Bob* off-line
>>>    3. This can be performed using management console
>>>    4. When *Bob* tries to log in with the newly provided password, the login
>>>    page should prompt the password reset UI to *Bob*
>>>    5. And without changing the password Bob cannot log in to the system
>>>    6. There should be a way to distinguish *user password reset* vs. *admin
>>>    password reset*.
>>>
>>> But additionally, there can be enhancements to this flow by sending an
>>> OTP in an email to the user, 'Bob' and enforcing password reset by
>>> directing to a provided link.
>>>
>>> What are your thoughts on this?
>>>
>>> [1] https://redmine.wso2.com/issues/5417
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>> --
>>> *Ayesha Dissanayaka*
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>>
>>
>>
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
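
The flow discussed in this thread (an admin reset sets a flag on the user, and the flag is checked at login until the user picks a new password), sketched as an added example. It is not part of the original messages and is not WSO2 Identity Server code; the UserStore class, the forcePasswordReset attribute name and the rule that the new password must differ from the temporary one are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class UserStore:
    """Toy in-memory user store (hypothetical, for illustration only)."""

    def __init__(self):
        self.users = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _set(self, name, password, by_admin):
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            # Assumed attribute: True only when an admin set the password,
            # which distinguishes admin reset from user password reset.
            "forcePasswordReset": by_admin,
        }

    def _verify(self, name, password):
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(
            u["hash"], self._hash(password, u["salt"]))

    def admin_reset(self, name, temp_password):
        """Admin sets a temporary password and flags the account."""
        self._set(name, temp_password, by_admin=True)

    def login(self, name, password):
        if not self._verify(name, password):
            return "DENIED"
        if self.users[name]["forcePasswordReset"]:
            # Correct password, but no session until the user changes it.
            return "RESET_REQUIRED"
        return "OK"

    def change_password(self, name, current, new):
        """User-initiated change; clears the flag on success."""
        # Assumed rule: keeping the admin-provided password is rejected.
        if not self._verify(name, current) or new == current:
            return False
        self._set(name, new, by_admin=False)
        return True
```

The flag is evaluated only after the credential check succeeds, so a wrong password never reveals whether an account is pending a forced reset.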