SAP IdM - Self Service password reset
Hi All
Has anyone configured the Self-service password reset option yet?
I have a question that the documentation doesn't answer. We plan on using the IdM on our SAP landscape which would involve at least 9 separate systems, meaning the Dev, QA and Prod systems for BW 3.5, CRM 2007 & ECC.
My question is if we have a user that has access to all these systems, but only needs to reset their password in 1 of them. How does the Self-service password reset option know which system that user's id is locked in or would it be resetting the password in every one of the systems?
Ken
That's right. Users would have to repeat the same process if they want to change the password for say 2 systems out of the 9. It's a quick and easy way to get it up and running without much customization.
But if you want to eliminate this repetition, the ideal way would be to customize the UI (something like this which comes as part of RDS)
Cheers,
Murali.
Similar Messages
-
Self service password reset issue
Hello Experts,
An issue about self service password is being encountered. I am setting the new password over the self service password reset page, but unfortunately it is not being triggered to the target systems (SAP and AD). In the job log, instead of running the pass 'changepasswordabapuser' or 'setadspassword', IDM is running pass 'update abap user' or 'update ads user'.
But if I change password of a user via Administrator login(in change identity), the password is getting changed on all target systems. Kindly suggest!
Version: IDM 7.2
Thank you,
Girish
Hello Girish,
see if note 1936431 - Self Service Password Change - Modify task is called rather than Set Password task can help in this case.
Regards,
Chris -
Is multi-factor auth required for self-service password reset and portal registration?
Hi, hoping someone can give some clarity on this. I'm dealing with strictly online accounts, no AD sync to local servers. I have enabled and configured self-service password reset in AzureAD. In that config I have required users to register their alt contact info when logging into the portal. While testing this, I don't get prompted to register unless I've enabled multi-factor auth for the test user account. I need users to register in case they need to use SSPR, but I don't want to force them into MFA. I've gone over the following article and it says nothing about requiring MFA for SSPR or forced portal registration to work.
https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx
I know there is a separate link for the registration portal that will guide users through the process, but that's a separate link. Maybe they'll set it up, maybe they won't. I'd like for the first sign-on to be a smooth process that gets them set up for SSPR if needed. Can someone clarify and point me in the right direction? Thanks.
Hey acook15,
I work on the password reset engineering team. Right now, you are correct, you cannot enforce registration for password reset during first sign in. This is a feature that we are working on right now, which will be available very soon for sign ins to Azure, your connected apps, and the access panel, and will come a bit later for Office 365 sign ins, as well.
In the interim, you can configure SSPR to require users to register when they access the access panel at myapps.microsoft.com by following the instructions here: http://aka.ms/customizesspr (search for "Require users to register when signing in to the access panel?").
You can also read more about other ways to get SSPR data in the system for your users here: http://aka.ms/ssprbestpractices. Let me know if this helps, and if you need to get in contact with me, feel free to email me at [email protected]
Regards,
Adam.
Adam Steenwyk | Senior Program Manager | [email protected] -
Self-service password reset - ADFS - AAD
Hello,
We have a full AD FS setup with dirsync to enable our office 365 users to logon.
Is it possible with the new Azure AD Sync tool and the Azure AD premium licence for the end users to do a self service online password reset?
If so, is it easy to upgrade the current Dirsync version to the latest release and what could go wrong?
Can we have an azure AD premium trial account on our already free Azure AD (office 365)?
Regards,
Nis
Hi Nisse Versi,
Thanks for posting here!
Here is a short Video to configure self-service password reset for users in Windows Azure AD.
You might also want to check this link:
https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx
Let us know if you need further assistance on this.
Regards,
Sadiqh -
Getting the ROI on your self-service password reset solution
Get on the Specops bandwagon and join our third product training webinar to learn all about Specops Deploy / App. We will cover:
Group Policy - Strategies/Best Practices - GP Basics, Targets, etc...
Real Time Feedback on deployment health
Dissecting packages
Targets
Deployments
Register here!
This topic first appeared in the Spiceworks Community
Hi Sadiqh!
Edit: Nevermind, turned out the MA Service account had no permissions to reset passwords.
I am getting the exact same error as Marcel. Is it possible that there is another issue?
Details: Azure AD Premium license assigned to users, synchronized with on-prem AD. Password write back works fine, after logging on to myapps.microsoft.com I can change the password. This gets synced back to the on-prem AD.
However, self service password reset does not work. I get the codes sent to alternate email address and mobile phone, and I get to enter a new password. This password meets the on-prem password policy.
I have set up Self Service Password Reset in Azure today, is it possible I just have to wait a bit longer?
Regards,
Erik Roozen -
Attribute #MX_MSKEYVALUE_DN could not be found Self Service Password reset
Hi,
I use NetWeaver 7.02 and IDM 7.2
I've just created the Self Service-Task Password Reset.
If I call the page http://<host>:<port>/idm/pwdreset I get the following error message:
Attribute #MX_MSKEYVALUE_DN could not be found
DE: Attribut #MX_MSKEYVALUE_DN konnte nicht abgerufen werden
The attribute MSKEYVALUE is available in my Identity Store.
The Task for "Edit authentication questions" is available.
Hi Chris,
I use NetWeaver 7.00 SP14 and IDM 7.2 SPS 3 (tried IDM 7.1 before, but had same error) on Windows Server 2003 SP2 with an Oracle DB 10.2.0.1
The IDM is working fine except the PwdReset Application. Maybe it has to do something with the Anonymous User?
Executing SELECT * FROM MC_LANGUAGE_TRANSLATIONS WHERE LANGKEY = '#MX_MSKEYVALUE_DN'
Kind Regards,
Tobias -
How can we force a single user to re-register to Self service password reset?
In my scenario, I am trying to figure out how I can force a user to re-register if he forgets his answers for his pwd reset questions. I tried to force it by checking the re-register check box on Password reset set, but it enforces it on every user.
Thanks
If one were to do that using PowerShell it might look like this:
### Load the FIM cmdlets (Export-FIMConfig / Import-FIMConfig) if not already loaded
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
### Get the User object
$xPathFilter = "/Person[AccountName='HoofHearted']"
$queryResult = Export-FIMConfig -OnlyBaseResources -CustomConfig $xPathFilter
### Display the object
$queryResult | foreach { $_.ResourceManagementObject.ResourceManagementAttributes | ft -AutoSize }
### Get the object ID and the AuthNWFRegistered attributes
$objectId = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where { $_.AttributeName -eq 'ObjectID' }
$AuthNWFRegistered = $queryResult.ResourceManagementObject.ResourceManagementAttributes | where { $_.AttributeName -eq 'AuthNWFRegistered' }
### Create a new ImportObject for the User
$update = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$update.ObjectType = "Person"
$update.SourceObjectIdentifier = $objectId.Value
$update.TargetObjectIdentifier = $objectId.Value
$update.State = 1 ## Put
### AuthNWFRegistered is multivalued
foreach ($AuthNWFRegisteredValue in $AuthNWFRegistered.Values)
{
    ### Create an ImportChange for each value in AuthNWFRegistered
    $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $importChange.Operation = 2 ## Delete
    $importChange.AttributeName = "AuthNWFRegistered"
    $importChange.AttributeValue = $AuthNWFRegisteredValue
    $importChange.FullyResolved = 2
    $importChange.Locale = "Invariant"
    $update.Changes += $importChange
}
### Finally, import the change to FIM
Import-FIMConfig $update
CraigMartin – Edgile, Inc. – http://identitytrench.com -
Info About self service password provisioning
Hi Guys ,
Has anyone had a chance to work on self service password provisioning in OIM 11gR2?
If yes, please share relevant docs related to the same.
Password expiry period = 90 days with warning of password expiration given to the user at least five (5) days but no more than ten (10) prior to expiry and at every logon during that time
All Password Resets must be verified through a ‘closed loop’. That is, there must be verification to a service (e.g. eMail address or Phone Number) known only to the system and the user requesting the reset. Changes should be notified to the User’s Administrator.
Email should be sent to user on unsuccessful and successful password change.
Your help would be highly appreciated . -
Self Serve Password Resets
Is anyone using RequestCenter (or other newScale module) to do self-serving password resets?
We are integrated with Sun IDM to do that, not within RC alone ....
-
Self Service Password Registration Page taking more time for loading in FIM 2010 R2
Hi,
I have successfully installed FIM 2010 R2 SSPR and it is working fine,
but my problem is that the Self Service Password Registration Page is taking more time for loading when I provide Windows Credentials; it is taking approximately 50 to 60 seconds for loading a page in FIM 2010 R2.
Very urgent requirement.
Regards
Anil Kumar
Double check that the objectSid, accountname and domain are populated for the users in the FIM portal, and each user is connected to their AD counterparts
Check here for more info:
http://social.technet.microsoft.com/wiki/contents/articles/20213.troubleshooting-fim-sspr-error-3003-the-current-user-account-is-not-recognized-by-forefront-identity-manager-please-contact-your-help-desk-or-system-administrator.aspx -
Changing/Adding Self Service Password Challenge Questions
We currently use SSPR functionality of FIM 2010 R2 and we are looking to add additional challenge questions. I am unclear on how this will impact users already registered and haven't been able to confirm the answer. If a user is already registered for our current questions and we add say 5 more questions to choose from (in addition to current ones), will they be required to re-register or will it only impact them should they choose to register again. We would not be removing or changing the current questions. Thanks!
If you modify the existing password reset AuthZ workflow (including adding/removing questions), it will require a re-registration for the registered users.
They will not be able to reset their password until they do so. They will receive an error saying "An error has occured, please contact the system administrator". This is because their registered and reset workflows are different. -
Azure Pack Self-Serve Password Reset
I currently have Azure Pack installed and I am trying to set up the notification for users to reset their passwords, account validation, and forgot password. I have Exchange 2013 internally that I would use as a relay, and when I set up the relay in Azure Pack and test it, it works. But when trying to get the password as a user from the tenant site it fails.
In azure management site under outbox i get the following message.
Any help is appreciated.
Exception: System.Net.Mail.SmtpException: Service not available, closing transmission channel. The server response was 4.3.2 Service not available at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint ....
Thanks for the reply, Mark!
Just for sanity I deleted and made a new receive connector with the following settings.
Internal-Relay
Security -> Anonymous Users
Scoping -> Remote Network Settings
10.0.0.0/24
-> Network Address bindings
(All available IPv4) 25
When I test from Service Management Portal
-> User Accounts -> Notifications -> Settings -> Test
and enter an email address it sends successfully. I have configured as follows
IP of mail server, port 25, no ssl, Basic Auth, Username [email protected] but an actual domain account, password.
On mail server I have run Get-ReceiveConnector "Your Receive Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" for the anonymous and for the account that I have specified.
Like I said, it works when I test from the Service Management Portal, but when I try to use it from the tenant front end to, say, reset a password or validate an account when registering, it doesn't work. I am not sure what context it uses to send the mail.
This is the error which tells me its a relay problem but I am not sure what I am missing and why it works when I test from the management portal.
Exception: System.Net.Mail.SmtpFailedRecipientException: Mailbox unavailable. The server response was: 5.7.1 Unable to relay at System.Net.Mail.SmtpTransport.SendMail(MailAddress sender, MailAddressCollection recipients, String deliveryNotify, Boolean allowUnicode,
SmtpFailedRecipientException& exception) at System.Net.Mail.SmtpClient.Send(MailMessage message) at Microsoft.WindowsAzure.Server.Notification.NotificationHandlers.EmailNotificationHandler.SendEmailAsync(SmtpAccount smtpAccount, MailMessage mailMessage)
at Microsoft.WindowsAzure.Server.Notification.NotificationHandlers.EmailNotificationHandler.<HandleNotificationAsyncInternal>d__3.MoveNext() at Microsoft.WindowsAzure.Management.TaskSequencer.<>c__DisplayClass1e`1.<RunSequenceAsync>b__1d(Task
previousTask); Message: Mailbox unavailable. The server response was: 5.7.1 Unable to relay -
Error in :OIM11gR2 - Self SErvice password change
Hi,
I have a OIM11GR1 instance upgraded to OIM11GR2 instance.
I don't have ldapsynch integrated. But when I try to change the password from the My-info page, I am getting an ldapsynch error saying the directory is not reachable.
<Error> <XELLERATE.SERVER> <BEA-000000> <Class/Method: ConnectionService/getConnection encounter some problems: Failed to get connection , Incorrect ITResource>
<Jun 14, 2013 6:32:57 PM PDT> <Warning> <oracle.iam.identity.usermgmt.impl> <BEA-000000> <An error occurred while getting a connection to LDAP directory.>
<Jun 14, 2013 6:32:57 PM PDT> <Warning> <oracle.iam.selfservice.self.selfmgmt.impl.handlers.changepwd> <BEA-000000> <An error occurred while verifying the old user password during change password operation. : An error occurred while getting a connection to LDAP directory.. >
<Jun 14, 2013 6:32:57 PM PDT> <Error> <oracle.iam.platform.utils> <BEA-000000> <An error occurred while loading the parent resource bundle oracle.iam.selfservice.resources.Logging>
<Jun 14, 2013 6:32:57 PM PDT> <Warning> <oracle.iam.platform.kernel.impl> <BEA-000000> <Orchestration validation failed on the event handler - An error occurred while verifying the old user password during change password operation.>
<Jun 14, 2013 6:32:57 PM PDT> <Error> <oracle.iam.selfservice.self.selfmgmt.impl> <BEA-000000> <Validation failed for change password.
oracle.iam.platform.kernel.ValidationFailedException: An error occurred while verifying the old user password during change password operation.
at oracle.iam.selfservice.self.selfmgmt.impl.handlers.changepwd.ChangePasswordValidationHandler.validate(ChangePasswordValidationHandler.java:248)
at oracle.iam.selfservice.self.selfmgmt.impl.handlers.changepwd.ChangePasswordValidationHandler.validate(ChangePasswordValidationHandler.java:121)
The ldapsynch eventhandlers are already deleted. (/db/ldapmetadata/EventHandlers.xml)
Any leads will help.
Thanks
Vicky
Yes. All other operations are working fine.
Not sure from where the ldapsynch configurations are getting picked up. -
Unable to see the "Password Reset" tab in Identity Store (SAP IDM 7.1)
I am trying to implement Password self-service as per the document "SAP NetWeaver Identity Management Identity Center Self-service password reset Implementation Guide" Version 7.1 Rev 2. In this guide, references are made to the Password Reset Tab in the Identity Store properties view in Identity Center. I do not see that tab in my view.
I followed the standard inst guides during the upgrade. It's a fresh implementation and we are on IDM 7.1 SP5
I have checked out a couple of similar posts where it was resolved by installing SP3/4. Does anyone have any other solution than applying the SP again?
What do I need to do to have that tab?
Thanks
Matt,
Ours is a fresh installation
According to the PSS 7.1 V2 guide, I completed section 1 where I created the UME roles and the
Section 1: Creating the tasks
Creating the folder for the tasks
Creating the password reset task
Creating the password reset failed task
Then I started Section 2, Configuring the identity store, and the first point the document says is "Select the identity store in the console tree and choose the "Password reset" tab: ", but I am unable to see the tab in my system.
Am I missing some config steps here? Again, I am just going line by line through what the doc says
Thanks
Edited by: Chetan on May 23, 2011 4:43 PM -
Password reset in idm 6.0
Hi all,
Here's what I understand. Please correct me if I am wrong..
idm 6.0 segregates the concept of locking the account and disabling it. So, if the AccountId policy is set, the user account is locked, not disabled. if he/she has "n" failed login attempts. In previous versions, the account was getting disabled in such a case, which is why locking and disabling were synonymous to me. Anyone can throw a light on this please?
Also, the question is: How can the self-service password reset be implemented if the user account is locked? Basically, the OOTB functionality shows the questionLogin.jsp but will not proceed even on correct answers, just because the account is locked. Only the admin can unlock the account. Has anyone come across this situation?
Any help is highly appreciated. Thanks!
- Adi.
This is a correct observation.
The only way to unlock an IDM user who is locked is via:
- an admin with unlock capabilities unlocking the user
- when the lock expires as defined in the policy
A locked user is not allowed to log in not even via the correct answers and is thus never able to change its password. That is how it is supposed to work.
WilfredS