RapidIdentity Product Guide: Legacy UI

Extended Tab
Email Templates

Profiles Email Templates allow administrators to configure predetermined Profiles Action Messages that are automatically sent once the Profiles action occurs.

RapidIdentity Portal currently supports Profiles Email templates for:

  1. Profile Changed

  2. Password Resets

  3. Retrieved User ID

Email_Templates.png

Email templates are broken down as follows:

  • Email Templates - Profile

    • Password Reset - This email message will be sent to a User when their password has been reset by a third party.

    • Profile Changed - This email message will be sent to a User when their profile has been updated.

    • Retrieved User ID - This email message will be sent to a User when they retrieve their User ID.

  • Email Templates - Sponsorship

    • Add Account - This email message will be sent to the Sponsor when a new Sponsored Account is created.

    • Delete Account - This email message will be sent to the Sponsor when a Sponsored Account is deleted.

    • Edit Account - This email message will be sent to the Sponsor when a Sponsored Account is edited.

    • Expiration Warning - This email will be sent to a Sponsor when they have at least one Sponsored Account expiring within a week.

    • Expire Account - This email message will be sent to the Sponsor when a Sponsored Account is expired.

    • Certify Account - This email message will be sent to the Sponsor when a Sponsored Account is Certified.

    • Transfer Account - This email message will be sent to both the Old Sponsor and the New Sponsor when a Sponsored Account is transferred.

  • Email Templates - Workflow

    • Workflow Task Addressee Expiration Warning - This email message will be sent to all Addressees of any Workflow Tasks which will expire in the next 7 days.

    • New Request For Approval - This email message will be sent to all possible Approvers when a request is pending approval.

    • Entitlement Granted - This email message will be sent to the Recipient and Requestor of an Entitlement when it has been Granted.

    • Entitlement Owner Expiration Warning - This email message will be sent to the owners of all Entitlements which have at least one user whose access will expire within 7 days.

    • Entitlement Revoked - This email message will be sent to the Recipient and Requestor of an Entitlement when it has been Revoked.

Web Templates

Web Templates allow administrators to configure four different display options:

  1. Claim Account - This web template will be used when users go through the account claim process.

  2. Forgot Username - This web template will be used when users go through the forgot username process.

  3. Forgot Password - This web template will be used when users go through the forgot password process.

  4. Expired Password - This web template will be used for the expired password pages.

Web_Templates_1.png

The Web Template editors all adopt the same layout and functionality.

Claim_Account.png
Forgot_Username.png
Forgot_Password.png
Expired_Password.png

To insert the WebRoot and Page Content token values, place the cursor at the desired location within the editor and then click the token.

Challenge Policy

The Challenge Policy Manager allows administrators to define Challenge Questions and Restricted Answers, and optionally to let users define their own Challenge Questions and Answers. Administrators also set how many questions a user must answer, separately for administrator-defined and user-defined questions.

Legacy_Challenge_1.png

The advantage of this policy manager is to provide users with a mechanism to recover a forgotten password; the organizational benefit is to reduce IT-HelpDesk workflow and to delegate action (responsibility) to end-users.

The Profiles Module supports multiple policies; the most prioritized policy is on top, bolded, and subordinate policies are grayed.

To manage policy priority, select a policy and click the corresponding Up or Down arrows to adjust policy priority accordingly.

General Tab

The General tab allows administrators to define global settings with respect to a specific policy.

For each policy, RapidIdentity Portal assigns a fixed, unique ID. The policy Name is the only required field.

Table 255. General Tab

Field Name

Description

Friendly Policy Description for Users

The Description is text to help identify this policy. Click the pencil icon next to the Description field to open a Rich Text editor for easier formatting of any setup instructions that need to be conveyed to the user.

Enabled

Enables or disables the challenge policy.

Default Policy

Enables or disables this policy as the default policy.

RapidIdentity Portal requires a default policy and supports only one default policy at a time. The default policy cannot have a group DN restriction associated with it; it always applies to users who match no other challenge policy.

No Challenge

Users assigned to this policy are not required to answer challenge questions. They will also not be able to use the forgotten password system.

Users Can Skip Setup

If selected, users are allowed to bypass the challenge setup process. Otherwise, all users are required to set up challenge questions and may not move past the setup screen until they have completed the challenge setup process.

Enable RBAC

Associate this policy with a certain role. Administrators can choose either RBAC or ABAC, but not both, to limit visibility.

Enable ABAC

Associate this policy with a certain attribute. Administrators can choose either RBAC or ABAC, but not both, to limit visibility.

Enforce Unique Answers

No two answers to challenge questions may be the same.

Helpdesk Challenge Questions to Setup

The minimum number of user-defined questions that must be set up for use by the Helpdesk to verify a user's identity.

Minimum Admin Defined Questions to Setup

Admin-defined questions are set up by an administrator, compared to questions that are user-defined. This field defines the minimum number of admin questions that a user must answer when setting up their challenge set responses.

Admin Questions to Ask for Authentication

The number of admin-defined questions to ask users during authentication. Required questions supply the question list. If the number of questions defined as required is lower than the total defined here, then random questions will be drawn from the remaining pool of questions until the total question count is satisfied.

Allow User Defined Questions

If selected, users can define their own challenge questions to answer. When this box is checked, further options appear.

*Minimum User Defined Questions to Set Up

Set the minimum number of user-defined questions that must be configured for each user this policy applies to.

*Maximum User Defined Questions to Set Up

Set the maximum number of user-defined questions that can be configured for each user this policy applies to.

*User Defined Questions to Ask for Authentication

Set the number of user-defined questions a user is asked during authentication. Keep this at or below Minimum User Defined Questions to Set Up; otherwise a user who set up only the minimum has fewer stored questions than the policy tries to ask.

*Minimum User Defined Question Length

Set the minimum number of characters the user-defined questions must possess. The default for this field is 3.

*Maximum User Defined Question Length

Set the maximum number of characters the user-defined questions must possess. The default for this field is 255.

Minimum Answer Length

Set the minimum number of characters that all answers to challenge questions must possess. The default for this field is 3.

Maximum Answer Length

Set the maximum number of characters that all answers to challenge questions can possess. The default for this field is 255.

Oldest Allowed Responses

Challenge responses recorded before this date are treated as invalid, and affected users are prompted for new responses at their next login. Clicking Set to Now puts today's date in the field, which invalidates every response recorded before today, so expect a re-enrollment prompt for the whole population covered by the policy.



Questions

The Questions tab allows administrators to define the default questions to appear for all RapidIdentity Portal authenticated users.  

Legacy_Challenge_2.png

Administrators can define the number of questions to ask at setup and login, and these question numbers can be different.

If a question is marked as Required, users must answer these questions when Challenge Questions are an Authentication Policy method.

Table 256. Questions Tab

Field Name

Description

Question

Click the field to edit question text to be displayed.

Required

Check this box to force the user to answer this challenge question upon



Restricted Answers

The Restricted Answers tab allows administrators to define illegal answers to Challenge Questions.

Administrators can restrict answers by literal text or by the value of a directory service attribute, and can set, per column, whether a restricted value must match the whole answer or may appear anywhere within it. Administrators can also manually add answers that are forbidden.

Legacy_Challenge_3.png
Table 257. Restricted Answers

Field

Description

Restrict Words from Question in Answer

When selected, this option prevents any of the words contained in the question from being allowed within the answer itself. This option prevents users from using the question for their answer.

Blacklisted Values

The exact values that cannot be chosen as answers to any challenge questions.

Blacklisted Attribute Values

Choose an attribute from the drop-down list to disallow the attribute value from being used as the answer to a challenge question.

Full Matches Only

Check this box in either column to enforce a match check on the entered values. The tables below explain how this feature is applied to selected answers.



Restricted Answers that Match by Text and Match by Attribute value are case-insensitive.

Table 258. Answer Fields

Match by Value (text = AUTO)

Your Challenge Answer          Full Match Enabled: Accepted?   Full Match Disabled: Accepted?
AUTO                           No                              No
My DOG'S NAME IS AUTO          Yes                             No
MY DOG'S NAME IS AUTOMATION    Yes                             No



Table 259. Attributes

Match by Attribute Value (directory attribute: givenName, with this value equal to "James" for the user)

Challenge Answer               Full Match Enabled: Accepted?   Full Match Disabled: Accepted?
JAMES                          No                              No
MY NAME IS JAMES               Yes                             No
MY LAST NAME IS JAMESON        Yes                             No
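Putting the General tab counts and the Restricted Answers rules above into code, as an added example that is not RapidIdentity's own implementation: the ChallengePolicy fields, the function names and the (question, answer) input format are assumptions, but the comparison semantics follow Tables 258 and 259 (case-insensitive; full match means equality, otherwise the restricted value may appear anywhere in the answer), and the question selection follows the Admin Questions to Ask for Authentication description (required questions first, then random draws from the remaining pool).

```python
# Added example (not RapidIdentity code): challenge-policy checks modelled on the
# General tab fields and the Restricted Answers tables. Field names, the
# ChallengePolicy class and the functions are assumptions for illustration.
import random
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class ChallengePolicy:
    min_answer_len: int = 3                 # Minimum Answer Length (default 3)
    max_answer_len: int = 255               # Maximum Answer Length (default 255)
    enforce_unique_answers: bool = True     # Enforce Unique Answers
    restrict_question_words: bool = True    # Restrict Words from Question in Answer
    blacklisted_values: list = field(default_factory=list)      # Blacklisted Values (text)
    blacklisted_attributes: list = field(default_factory=list)  # Blacklisted Attribute Values
    full_match_values: bool = False         # Full Matches Only, text column
    full_match_attributes: bool = False     # Full Matches Only, attribute column
    admin_questions_to_ask: int = 3         # Admin Questions to Ask for Authentication
    oldest_allowed_responses: Optional[date] = None


def _restricted_hit(answer: str, value: str, full_match: bool) -> bool:
    """Restricted-answer comparison is case-insensitive; full match means equality,
    otherwise the restricted value may appear anywhere inside the answer."""
    a, v = answer.casefold(), value.casefold()
    return a == v if full_match else v in a


def _words(text: str) -> set:
    return {w.strip("?.,!'\"").casefold() for w in text.split() if w.strip("?.,!'\"")}


def validate_answers(policy, qa_pairs, user_attrs):
    """Return (question, reason) for every answer the policy rejects at setup time.
    qa_pairs is a list of (question, answer); user_attrs maps attribute -> list of values."""
    problems, seen = [], set()
    for question, answer in qa_pairs:
        if not policy.min_answer_len <= len(answer) <= policy.max_answer_len:
            problems.append((question, "answer length outside policy bounds"))
        if policy.enforce_unique_answers:
            if answer.casefold() in seen:
                problems.append((question, "answer already used for another question"))
            seen.add(answer.casefold())
        if policy.restrict_question_words and _words(question) & _words(answer):
            problems.append((question, "answer reuses words from the question"))
        for value in policy.blacklisted_values:
            if _restricted_hit(answer, value, policy.full_match_values):
                problems.append((question, f"answer matches blacklisted value {value!r}"))
        for attr in policy.blacklisted_attributes:
            if any(_restricted_hit(answer, v, policy.full_match_attributes)
                   for v in user_attrs.get(attr, [])):
                problems.append((question, f"answer matches directory attribute {attr}"))
    return problems


def select_admin_questions(policy, admin_questions, rng=random):
    """Build the authentication question list: every Required question first, then random
    draws from the remaining pool until Admin Questions to Ask is satisfied. If more
    questions are Required than the count, all Required ones are still asked (assumption).
    admin_questions is a list of (question_text, required_flag)."""
    required = [q for q, req in admin_questions if req]
    pool = [q for q, req in admin_questions if not req]
    short = max(0, policy.admin_questions_to_ask - len(required))
    return required + rng.sample(pool, min(short, len(pool)))


def responses_stale(policy, responses_set_on: date) -> bool:
    """True when stored responses predate Oldest Allowed Responses, so the user must
    re-enter them at next login. 'Set to Now' makes today the cut-off, which
    invalidates every response recorded before today."""
    cutoff = policy.oldest_allowed_responses
    return cutoff is not None and responses_set_on < cutoff
```

The word check illustrates a side effect of Restrict Words from Question in Answer as the page describes it: an answer that shares even a stop word such as "is" with its question is rejected, so question wording matters.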



Challenge Policy Manager

The Challenge Policy Manager allows administrators to define as many policies as necessary for configuring Challenge Questions and Restricted Answers.


Legacy_Challenge_Policy.png

The Profiles Module supports multiple policies; the most prioritized policy is bolded, and subordinate policies are grayed.


Password Policy Manager

The Password Policy Manager allows administrators to define password policies through the following tabs:

  • Policies

  • Syntax

  • Restricted Password Values

The overall functionality is similar to the Challenge Policy Manager.

General Tab

The General tab allows administrators to compose the default message end users see and to determine various action buttons available to users when updating a password.

Legacy_General_Tab_5.png
Table 260. Fields

Field Names

Description

Friendly Policy Description for Users

This is where the defined policy is described in simple terms that an end-user will be able to reference and understand. This description is displayed to the user on the change password screen.

Enabled

Enables or Disables this policy.

Default Policy

If selected, this becomes the default policy.

Allow Password Reset to Attribute Value

Allows the help desk to reset the user's password to a value based on an LDAP attribute. This is a useful way to let users know what their default password is and to have it provisioned to an attribute. Because anyone who can read that attribute then knows the password, pair this with "User must change password at next login" so the attribute-derived value serves only as a one-time bootstrap.

Allow Random Password Generation

Allow RapidIdentity Portal to generate a random password for a user if requested.

Default for "User must change password at next login"

Determines the selected state for the change password dialog's “User must change password at next login” checkbox.



Defining and Prioritizing Password Policies

Password policies can be created to serve different users or groups. If more than one password policy exists, one of them must be selected as the default. The default policy does not support RBAC or ABAC, so it applies to users and groups that match no custom policy. Every other user is governed by the highest-prioritized custom policy whose role and/or directory service attribute criteria they match.

In many implementation use cases, the default policy is configured to match the minimum directory service password complexity requirements. For example, it may be decided that all users in the administrator (admins) role are required to have more complex password criteria than all other users. This configuration could appear as follows:

Legacy_Password_Policy_1.png

In this example, admins are assumed to also be staff employees, so the admin password policy must sit above the staff password policy in priority for it to win for users who match both.

Legacy_Password_Policy_2.png

Thus, all users in the admin's role are required to adhere to the password syntax defined in the Admin PWD Policy.

Staff members not in the admin's role are required to adhere to the password syntax defined in the Staff PWD Policy.

Finally, any user who is neither a member of the admins role nor a staff employee (in LDAP filter syntax, (!(employeeType=Staff))) is required to adhere to the password syntax defined in the Default Password Policy.
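The Admin / Staff / Default resolution described above, as an added example that is not RapidIdentity's code: policies are evaluated top-down and the default catches everyone no custom policy matched. The small LDAP filter evaluator handles only the equality, not, and, and or forms used on this page, with exact case-insensitive value comparison and no wildcards; that subset, the PasswordPolicy fields, and the rule that a custom policy configured with both roles and a filter requires both to match are assumptions.

```python
# Added example (not RapidIdentity code): resolving which password policy governs a user.
# Policies are evaluated in priority order; the first enabled custom policy whose
# configured role set and/or attribute filter matches wins, and the default policy
# catches everyone else. The LDAP filter evaluator supports only (attr=value),
# (!(f)), (&(f)...) and (|(f)...), with exact case-insensitive values and no wildcards;
# that subset, and all names here, are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PasswordPolicy:
    name: str
    enabled: bool = True
    default: bool = False
    roles: set = field(default_factory=set)       # RBAC: user must hold one of these
    attribute_filter: Optional[str] = None        # ABAC: LDAP filter over the user's entry


def _parse(f: str, i: int = 0):
    """Parse the parenthesised filter starting at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {f!r}")
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if i >= len(f) or f[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op} clause in {f!r}")
        return (op, kids), i + 1
    j = f.index(")", i)                      # ValueError if the clause is never closed
    attr, sep, value = f[i:j].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"expected attr=value in {f[i:j]!r}")
    return ("=", attr.strip(), value.strip()), j + 1


def matches_filter(entry: dict, filt: str) -> bool:
    """Evaluate filt against entry, a dict of attribute -> list of values."""
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError(f"trailing characters after filter: {filt[end:]!r}")

    def ev(n):
        if n[0] == "=":
            _, attr, value = n
            return any(v.casefold() == value.casefold() for v in entry.get(attr, []))
        op, kids = n
        if op == "&":
            return all(ev(k) for k in kids)
        if op == "|":
            return any(ev(k) for k in kids)
        return not ev(kids[0])

    return ev(node)


def resolve_policy(policies, user_roles, entry) -> Optional[PasswordPolicy]:
    """policies is the manager's list in priority order (index 0 = highest). A custom
    policy applies when every criterion it configures matches; the default policy has
    no criteria and is returned only when no custom policy applied."""
    default = None
    for p in policies:
        if not p.enabled:
            continue
        if p.default:
            default = p
            continue
        if p.roles and not (p.roles & set(user_roles)):
            continue
        if p.attribute_filter and not matches_filter(entry, p.attribute_filter):
            continue
        return p
    return default
```

Note that a disabled custom policy is skipped entirely, so the next matching policy in the list takes over; a resolver that returned None for a disabled match would leave the user with no policy at all.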

Syntax Tab

The Password Syntax tab allows administrators to define specific password requirements. There are five subtabs:

  1. General

  2. Upper Case

  3. Lower Case

  4. Special

  5. Non-US ASCII

Legacy_Syntax_Tab.png

The General subtab allows administrators to Enforce Password Length Restrictions and, if checked, to set Minimum (1) and/or Maximum (255) character password lengths.

Administrators can also toggle between enforcing password histories on delegated resets performed by administrators or users in a Help Desk role by checking or unchecking the Enforce Directory Password History on Delegated Resets checkbox.

Match Active Directory Complexity Requirements

This option configures the Password Policy to match the standard Active Directory complexity requirements: the password may not contain the user's account name or any part of the full name longer than two consecutive characters, and it must contain characters from at least three of the five categories (uppercase letters, lowercase letters, digits, non-alphanumeric characters, and other Unicode letters). Minimum length is a separate Active Directory setting, so also set the General subtab's length restriction to match the directory's minimum; otherwise a password the Portal accepts can still be rejected by the directory.

Restricted Passwords Tab

The Restricted Passwords tab allows administrators to prevent certain words and values within a user's password. Administrators can blacklist passwords by:

  1. Text

  2. Regular expression

  3. Matching attribute values

Legacy_Restricted_Password.png

Administrators have the option to require Case Sensitive Value Matching and Full Matches Only. More information on password configuration is available in Password Blacklist Standards.

Table 261. Fields

Field Name

Description

Case Sensitive Value Matching

Controls whether a password is compared against blacklisted values with letter case taken into account. With case-insensitive matching, a blacklist entry of AUTO also blocks auto and Auto; with case-sensitive matching only the exact case is blocked.

Full Matches Only

When enabled, a password is rejected only if the entire password equals a blacklisted value. When disabled, a password is rejected if a blacklisted value appears anywhere within it, which is the stronger setting. The tables below show both behaviours.



Blacklisting Passwords by Text

Use this field to enter specific password values that should not be allowed.

The plus button adds entries while the delete button removes entries.

Adding a Blacklisted Value entry of AUTO, produces the following results:

If Full Matches Only is enabled

Table 262. Options

Password           Accepted?
AUTO               No
AUTO-MATIC         Yes
LOVE_AUTOMATION    Yes

If Full Matches Only is disabled

Table 263. Options

Password           Accepted?
AUTO               No
AUTO-MATIC         No
LOVE_AUTOMATION    No



Blacklisting Passwords by Regular Expression

RapidIdentity Portal can support any regular expression pattern that Java can accommodate. A password is blacklisted when the expression matches it, and, as with Java's matches(), the expression must match the entire password, not just the part that makes it objectionable. A pattern aimed at a substring therefore needs .* (any character, zero or more times) on both sides.

For example, [at] matches a single lowercase "a" or "t", so .*[at].* blacklists every password that contains either letter. A caret as the first character of a class negates it: [^at] matches any single character other than "a" or "t". Be careful with negated classes here, because .*[^at].* matches, and therefore blacklists, every password that contains at least one character other than "a" or "t", which is nearly every password; it does not allow passwords that are free of "a" and "t".

Another example is excluding (blacklisting) any password containing a particular set of characters such as tabs, commas, and spaces with .*[\t, ].*.

Note

Regular expressions do not need to be enclosed in forward slashes as with Connect actions.

Exclude Passwords that match these attributes values

The functionality on this tab is exactly the same as Blacklisting Passwords by Text, but it takes directory attribute values as input. This prevents passwords that contain values such as the user's name or ID.

Adding a Blacklisted Attribute entry for the given-name attribute (GIVEN_NAME) when the user's given name is James produces the following results. The results assume the comparison ignores case; with Case Sensitive Value Matching in force, JAMES would not match James:

If Full Matches Only is enabled

Table 264. Options

Password           Accepted?
JAMES              No
JAMES123           Yes
A$ZJAMESZ$A        Yes

If Full Matches Only is disabled

Table 265. Options

Password           Accepted?
JAMES              No
JAMES123           No
A$ZJAMESZ$A        No
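The text, attribute and regular-expression checks from this tab, together with the delimited blacklist upload described under Password Blacklist Standards below, as an added example that is not RapidIdentity's code. Python's re.fullmatch stands in for Java's Matcher.matches(); the RestrictedPasswords fields, the delimited-file format (one value per delimiter, "#" comment lines) and the function names are assumptions. The attribute case from Tables 264 and 265 only holds with case-insensitive matching when the stored given name is James, and the regular-expression cases show why .*[^at].* is a trap.

```python
# Added example (not RapidIdentity code): the three Restricted Passwords checks, text
# values, Java-style regular expressions and directory attribute values, with the Case
# Sensitive Value Matching and Full Matches Only switches. Python's re.fullmatch stands
# in for Java's Matcher.matches(); class and function names are assumptions.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RestrictedPasswords:
    values: list = field(default_factory=list)      # Blacklisting Passwords by Text
    patterns: list = field(default_factory=list)    # Blacklisting by Regular Expression
    attributes: list = field(default_factory=list)  # attribute names whose values are excluded
    case_sensitive: bool = True                     # Case Sensitive Value Matching
    full_matches_only: bool = False                 # Full Matches Only


def load_delimited_blacklist(text: str, delimiter: str = "\n") -> list:
    """Parse an uploaded delimited blacklist (constructed input in the tests); blank
    entries and '#' comment lines are skipped."""
    entries = (e.strip() for e in text.split(delimiter))
    return [e for e in entries if e and not e.startswith("#")]


def _value_hit(password: str, value: str, policy: RestrictedPasswords) -> bool:
    """Full match means the whole password equals the value; otherwise the value may
    appear anywhere. Case folding applies only when matching is case-insensitive."""
    if not policy.case_sensitive:
        password, value = password.casefold(), value.casefold()
    return password == value if policy.full_matches_only else value in password


def rejection_reason(password: str, policy: RestrictedPasswords,
                     user_attrs: dict) -> Optional[str]:
    """Return why the password is blacklisted, or None when it is acceptable."""
    for value in policy.values:
        if _value_hit(password, value, policy):
            return f"matches blacklisted value {value!r}"
    for attr in policy.attributes:
        if any(_value_hit(password, v, policy) for v in user_attrs.get(attr, [])):
            return f"matches value of directory attribute {attr}"
    for pattern in policy.patterns:
        # Like Java's matches(), the pattern must cover the entire password, so a
        # pattern that targets a substring needs .* on both sides. The case switch is
        # applied to value comparisons only; the expression is used as written.
        if re.fullmatch(pattern, password):
            return f"matches blacklist pattern {pattern!r}"
    return None
```

Run the three pattern variants against "tat" and "Secret" to see the difference: .*[at].* rejects only passwords that contain the letters, while .*[^at].* accepts "tat" and rejects "Secret", the opposite of what the negated class is usually expected to do.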



Password Blacklist Standards

The National Institute of Standards and Technology (NIST) revised its Digital Identity Guidelines in Special Publication 800-63-3; the companion volume SP 800-63B requires verifiers to compare a chosen password against a list of values known to be commonly used, expected, or compromised, and to reject any match (a password blacklist). RapidIdentity has safeguards that support settings configured for this purpose.

Acceptance of this feature includes the following:

  • A RapidIdentity System or Tenant Administrator should successfully:

    1. Upload at least 2 delimited blacklists

    2. Associate one of the two uploaded blacklists with at least two password policies, and associate each of the two blacklists with different policies

    3. Replace at least 1 of the delimited blacklists

    4. Delete at least 1 of the delimited blacklists

  • A User should receive an error message when trying to:

    1. Change their password to match a blacklisted password defined in the UI

    2. Change their password to match a blacklisted password defined in the initial delimited blacklist

    3. Change their password to match a blacklisted password defined in a replaced blacklist

  • A User should successfully change their password when not using a blacklisted password defined in the UI and in the delimited blacklist.

Claim Policy

The Claim Policy Manager allows administrators to define a policy allowing new users to claim an account as their own.  

Multiple claim policies can be created to service different user groups.

Legacy_Claim_Policy_1.png

One use case for multiple Claim policies is that users with privileged access can be required to answer more specific questions (for example, a specified Global Attribute List attribute), match a specific LDAP filter (the User Matching Filter), or sit in a particular organizational unit of the directory service (the Search Base DN) in order to claim their account.

A claim policy consists of a list of attributes that a user must know about themselves in order to prove account ownership. For example, the attribute list could include a one-time code that HR emailed to the user (and stored in the LDAP directory) and/or personal attributes such as birthdate, address information, or other identity values. Widely known values such as a birthdate are weak proof on their own; combining them with a value only the intended user received makes the claim harder to forge.

A new Claim Policy can be created by cloning an existing policy or clicking the plus icon. Existing Claim policies can be removed by clicking the minus icon.

When more than one Claim Policy exists, the up and down arrows can prioritize the Claim policies.

The General Tab allows administrators to name and enable the Claim policy along with defining the user population to which the Claim policy applies.  

Legacy_Claim_-_General_tab.png

The Claim policy can be enabled or disabled by clicking the Enabled checkbox. The Affected Users fields determine which users match the Claim Policy.

Table 266. Claim Policy - General Tab

Field Name

Description

Enabled

Enables or disables the claim policy. Enabled Claim policies contain a checkmark to the right of the Claim policy name. A disabled Claim policy only contains the Claim policy name.

Description

A description to help identify this policy.

Search Base DN

An optional field to restrict the scope of users affected by this claim policy. If left blank it defaults to the User Base DN.

User Matching Filter

An LDAP filter used to restrict the scope of this claim policy even further. It can be used together with the Search Base DN or on its own.

Message to Show on Complete

This field can be used to tell users what they should do next. For example, a message could appear directing users to check their email for more information.

Administrators can click the arrow to the right of the text box to open a rich text editor to customize the message.



The Questions tab allows administrators to populate a required list of attributes the user must know about their account in order to claim it. 

Legacy_Claim_-_Questions_tab.png
Table 267. Claim Policy - Questions

Column Name

Description

GAL Item

Choose the appropriate GAL attribute to associate with this question.

Display Name

This Display Name is the label for the attribute that appears to users during the Claim account process.

Description

The Description is a friendly name or other necessary information to help the user understand the information that is necessary to answer the question.



User Agreement

Administrators can define a user agreement to which users must agree as a condition to claim their account. 

Legacy_Claim_-_User_tab.png

The intended configuration agreement can be a note or require a user to check a box to affirm agreement with the text.

Table 268. Claim Policy - User Agreement

Field Name

Description

Enabled

If checked, the user agreement will be used for this claim policy and must have a valid value for the message.

Agreement Label

Optional - this is the text that appears above the agreement Body. The title should describe the Body text that follows.

Agreement Text

Optional - this is the text of the agreement. This text could describe legal or compliance requirements along with any other information necessary for the user to understand in order to claim their account.

Agreement Message

Required. This is the message that appears under the agreement text.

This field is the minimum value required for a user agreement. For example, “By checking the box I agree to the text above…”

Agreement Required

If selected, the Agreement Message is preceded by a checkbox that a user must check before they are allowed to claim their account.





Delegation Definition Manager

The Delegation Definition Manager allows administrators to define user groups that can see, and potentially take action on, other user groups.

For each user Profiles tab, administrators can configure:

  1. Actions

  2. Attributes

  3. Layout

Each delegation will have a unique, fixed ID string.

General Tab

The General tab allows administrators to define properties for the My/My Team/Other Profiles delegations, and also create or remove delegations.

The visible fields depend on the delegation selected and whether the selected delegation type is My or Custom.

Delegations are enabled by clicking the Enabled box.

Legacy_General_Tab_5-2.png
Table 270. Fields

Field Name

Description

Name

The delegation name that will be used within the RapidIdentity Portal user interface tab.

Type

My: single user tab

Custom: multiple users

Description

A high-level description of the custom delegation. Only visible in this screen.

Pre-Load All Results

Custom delegation only. Enabling this option causes RapidIdentity Portal to fetch and cache all of the items matching this particular custom delegation. This can create a significant amount of overhead for delegations that contain a large number of objects.

Enable Source Filter

Enables or disables the use of source filters.

Source Base DN

The base location to begin searching for the objects that are able to use this delegation. Note that sub-trees are searched as well.

Source Attribute ACL

The specific objects that may use this delegation.

Enable RapidAppliance Roles

Enables or disables the use of RapidAppliance roles.

Source Roles

The specific roles that may use this delegation.

Target Attribute ACL Base DN

Custom delegation only. The base location to begin searching for the objects that will be displayed in the delegation. Note that sub-trees are searched as well.

Target Attribute ACL

Custom delegation only. The specific objects to be displayed. This field supports Attribute Tokens in the form attribute=%attribute%: at evaluation time the token on the right is replaced with the value of that attribute on the authenticated user's own entry, so the delegation shows only objects whose attribute (on the left) equals that value. Because the target scope is computed from the user's own attribute value, choose a token attribute that users cannot edit themselves.

Edit Profile Message

Administrators can configure a custom Profiles message to inform users of Profiles edits.
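A sketch of how an attribute=%attribute% token is expanded from the authenticated user's entry, as an added example that is not RapidIdentity's code: the function names, the RFC 4515 escaping of the substituted value, and the self_editable_tokens configuration check are assumptions about good practice rather than documented Portal behaviour.

```python
# Added example (not RapidIdentity code): expanding %attribute% tokens in a Target
# Attribute ACL from the authenticated user's own directory entry. Two checks are added
# that the page does not describe and that are assumptions about good practice: values
# are escaped per RFC 4515 before they enter a filter, and token attributes are compared
# against the set the user can edit on their own profile. Names are illustrative.
import re

# RFC 4515 reserves these characters inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9.;-]*)%")


def escape_filter_value(value: str) -> str:
    """Escape a directory value so it is compared literally rather than parsed as
    filter syntax (a constructed value such as 'Sales (EMEA)' becomes 'Sales \\28EMEA\\29')."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def token_attributes(template: str) -> list:
    """Names of every %attribute% token in the template, in order of appearance."""
    return _TOKEN.findall(template)


def expand_acl(template: str, user_entry: dict) -> str:
    """Replace each %attr% with the escaped first value of attr from user_entry.
    A token for an attribute the user lacks raises rather than silently expanding to
    an empty value, which would produce a filter nobody intended."""
    def sub(m):
        attr = m.group(1)
        values = user_entry.get(attr) or []
        if not values:
            raise KeyError(f"user entry has no value for token attribute {attr}")
        return escape_filter_value(values[0])
    return _TOKEN.sub(sub, template)


def self_editable_tokens(template: str, editable_by_user: set) -> list:
    """Token attributes the user can change on their own My profile delegation. A scope
    derived from such an attribute can be widened by the user, so flag it when the
    delegation is configured."""
    return [a for a in token_attributes(template) if a in editable_by_user]
```

The editable_by_user set would come from the Attributes tab of the user's My delegation; the check is cheap to run whenever a custom delegation is saved.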



Actions Tab

The Actions tab allows administrators to enable and configure visibility for action button delegations and tool buttons.

Delegation_Actions_Legacy.png
Attributes Tab

The Attributes tab allows administrators to configure Profiles attributes to display.

Legacy_Attributes_Tab_1.png

Administrators can edit any attribute to match organizational preference, and all required attributes must be editable.

Legacy_Attributes_Tab_2.png
Layout Tab

The Layout tab allows administrators to configure a single user's summary section found at either the top of the My Profile or in the details section of the Custom delegation.

Legacy_Layout.png