
    Configurator

    The PasswordReset Configurator will help you set up one or more PasswordReset tenants, aka web sites.

    Through the Configuration editor you will be able to set up new target systems such as the Safewhere LDAP Web Service (LdapWS).

    Prerequisite

    The configurator can be launched from Start > PasswordReset > PasswordReset.

    pwr-configurator

    Initially the configurator checks that MVC 4.0 is installed on your server. If it is missing, you must close the configurator and install MVC 4.0 before trying again.

    pwr-prerequisite

    Setting up tenants

    The next step offers a number of actions that can be taken on a PasswordReset tenant, including creating, deleting and upgrading tenants.

    pwr-action

    • Create new instance: When you wish to set up a new PasswordReset tenant.
    • Delete an instance: When you wish to delete one of the PasswordReset tenants already installed. Currently, this is managed through "PWRConfiguration.xml" under the Tools folder.
    • Upgrade existing instance: If you have upgraded the PasswordReset installation (which is done by running the system Installer with a newer version of PasswordReset), then all PasswordReset tenants that have not yet been upgraded to this newest version will be listed in this dropdown. Simply choose a tenant to upgrade it to the newest installed version of PasswordReset. Note that tenants have no problem running on older versions of PasswordReset, even when other tenants on the same installation have been upgraded. Upgrading tenants from a working version always bears some risk, so many companies choose not to upgrade tenants that are working well and do not require any new features.
    • Delete all instances: When you wish to delete all of the PasswordReset tenants already installed.

    Let us assume that "Create new instance" was selected and the 'Next' button clicked.

    Configuring target system settings

    The following step configures the default target system for PasswordReset. In the first version, PasswordReset only supports LDAP Web Service as a target system.

    pwr-target-system

    • Select location where Password Reset has been installed: By default the Configurator uses the folder where you initially installed PasswordReset. In the rare case that you have moved the codebase manually, you can change the location here and avoid tenant code being placed in the wrong folder.
    • Target Id: The identifier of the target system. This value must be unique for this PasswordReset tenant instance.
    • Target Name: The display name of the target system which will be displayed in PasswordReset site.
    • Enter LdapWS URL: The service URL of LDAP Web Service.
    • LdapWS service certificate raw: The service certificate of the LDAP Web Service.
    • LdapWS endpoint identity: The service identity of the LDAP Web Service. This value is filled in automatically once the LdapWS service certificate raw has been entered.
    • Select client certificate from (Local Computer/Personal): The client certificate used towards the LDAP Web Service, which must already be stored in the server's certificate store (Local Computer/Personal). You can choose it using this dropdown.
    • LdapWS connection timeout: The timeout period for a connection to the LDAP Web Service, in seconds. The default value is 60 seconds.

    Configuring common settings

    This step will configure the Map and Filter criteria, which are used to find and filter the users' accounts based on User Id as specified in the target system. It also defines password validation policies and the error message that will be displayed when the new password does not meet these policies.

    pwr-configuration-common

    • Search root: Defines the root level of the search, in other words the highest scope of the search. Example: OU=Safewhere,DC=Safewhere,DC=local means the system will look for users under the Organizational Unit "Safewhere" in the domain "Safewhere.local". If empty, the root of the directory is used.

    • Filter: Defines how the user base is searched for the "user id". This is called the "mapping" phase. The example below matches users whose employeeNumber equals the supplied input; the match is case insensitive. <filter><![CDATA[(&((&(objectCategory=Person)(objectClass=User)))(employeeNumber={0}))]]></filter>

    • Password policy: Defines the validation rules for the new password using a regular expression. Validate password against Active Directory complexity requirement property: if this checkbox is checked, the validation rules also include the Active Directory password complexity requirement. (More detail about the Active Directory complexity requirement: http://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx)

    • Password error message: The error message displayed when the system fails to validate the new password against the rules specified in the "Password policy" field.

    • Filter combine operation: Configures how the result returned from the "mapping" phase is filtered, using an "And" or "Or" combination. There can be many filter properties, and each filter property is one rule applied to the result of the "mapping" phase. The "filter combine operation" decides how these filter properties are combined: an account must match all of the filter properties (if the chosen operation is AND) or any of the filter properties (if the chosen operation is OR).

    • Filter configuration fields: Define a filter expression by attribute name from the AD user properties. For more information about filter operators, see Manual configuration.

      • Name: Attribute name from the AD user properties, e.g. displayName or postalCode.
      • Operator: The comparison operator (*): string comparison (Equals, EqualsIgnoreCase, ...), numeric comparison (=, <, >=, ...) or regular expression (regex).
      • Expression: The expression the above operator is applied with.
    (*) Operators

    Numeric comparison
      =         value = expression
      >         value > expression
      <         value < expression
      >=        value >= expression
      <=        value <= expression
      between   the expression is written as {start}|{end}; e.g. 3|5 means >= 3 and <= 5

    Regular expression
      regex     the attribute's value is validated against the expression in the expression node

    String comparison
      Equals                value of the attribute equals the expression, case sensitive
      EqualsIgnoreCase      value of the attribute equals the expression, case insensitive
      StartsWith            value of the attribute starts with the expression, case sensitive
      StartsWithIgnoreCase  value of the attribute starts with the expression, case insensitive
      EndsWith              value of the attribute ends with the expression, case sensitive
      EndsWithIgnoreCase    value of the attribute ends with the expression, case insensitive
      Contains              value of the attribute contains the expression, case sensitive
      ContainsIgnoreCase    value of the attribute contains the expression, case insensitive
      Excepts               value of the attribute does NOT equal the expression, case sensitive
      ExceptsIgnoreCase     value of the attribute does NOT equal the expression, case insensitive
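    To make the combine operation and the operator table concrete, here is an added Python illustration (not the product's own code) of how one account returned by the mapping phase is evaluated against a set of filter properties. The account record, the filter configuration and the whole-value regex match are assumptions made for the example.

```python
import re

# Constructed sample: one AD account as the "mapping" phase would return it.
USER = {"displayName": "Jane Doe", "postalCode": "2100", "department": "Finance"}

# Numeric operators from the operator table ("between" is handled separately).
NUMERIC = {
    "=": lambda v, e: v == e, ">": lambda v, e: v > e, "<": lambda v, e: v < e,
    ">=": lambda v, e: v >= e, "<=": lambda v, e: v <= e,
}
# String operators; the *IgnoreCase variants are mapped onto these after folding case.
STRING = {
    "Equals": lambda v, e: v == e, "StartsWith": str.startswith, "EndsWith": str.endswith,
    "Contains": lambda v, e: e in v, "Excepts": lambda v, e: v != e,
}

def eval_property(value, operator, expression):
    """Evaluate one filter property (Operator + Expression) against an attribute value."""
    if operator in NUMERIC:
        return NUMERIC[operator](float(value), float(expression))
    if operator == "between":  # expression is "{start}|{end}", inclusive on both ends
        start, end = (float(x) for x in expression.split("|", 1))
        return start <= float(value) <= end
    if operator == "regex":  # assumption: the whole attribute value must match
        return re.fullmatch(expression, value) is not None
    base = operator[:-len("IgnoreCase")] if operator.endswith("IgnoreCase") else operator
    if base != operator:  # *IgnoreCase variants fold both sides before comparing
        value, expression = value.lower(), expression.lower()
    if base not in STRING:
        raise ValueError("unknown operator: " + operator)
    return STRING[base](value, expression)

def account_matches(user, combine, properties):
    """Apply every (Name, Operator, Expression) property with the combine operation.
    An attribute the account lacks never satisfies its property."""
    results = [name in user and eval_property(user[name], op, expr)
               for name, op, expr in properties]
    if combine.upper() == "AND":
        return all(results)
    if combine.upper() == "OR":
        return any(results)
    raise ValueError("filter combine operation must be AND or OR")

# Constructed filter configuration: both properties must hold (AND).
FILTERS = [("department", "EqualsIgnoreCase", "finance"), ("postalCode", "between", "2000|2999")]

if __name__ == "__main__":
    print(account_matches(USER, "AND", FILTERS))  # True
```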

    Configuring IIS

    You are now ready to specify the settings for the IIS step of the Safewhere PasswordReset tenant setup, which controls how the tenant is set up in IIS.

    pwr-iis

    • Enter Application id: The name you wish the PasswordReset tenant to be known by. Currently, it is automatically filled in with the Target Id from the "Target system settings" step. This identifier is used in several places in the setup of the system, e.g. as the proposed default value for the domain name and the application pool name. Since it is used as the proposed domain name, you must not use spaces, symbols, or characters other than a to z and 0 to 9. For example, if you want to create a PasswordReset at https://pwrdemo.globeteam.com, the application id will by default be set to 'pwrdemo'.

    • Server IP: The IP address of the PasswordReset tenant's site.

    • Port number: The port number of the PasswordReset tenant's site.

    • Domain name: The DNS name, where the PasswordReset tenant resides (the Host Name that is specified in the IIS Site Bindings property sheet).

    • Tenant site name: The name of the tenant site as it will be displayed in the IIS Manager MMC console. This is just for display and has no functional importance.

    • Site application pool: This setting specifies the name of the application pool that will be set up and used by the PasswordReset tenant site. The options are:

      • Apply Network Service as application pool identity: Generally used when the current machine does not belong to the domain.
      • Use specified domain account as application pool identity: Generally used when the current machine belongs to the domain. This option is checked by default.

    Configuring Certificates

    PasswordReset uses SSL certificate mutual authentication between Safewhere PasswordReset and the client (currently, Safewhere Identify is the client that supports Safewhere PasswordReset).

    pwr-ssl

    • Default certificate: Safewhere PasswordReset comes with default certificates, making it quick to set up for testing purposes. Since these certificates obviously do not identify you uniquely, they must not be used for production installations.
    • Auto-generated certificate: Auto-generation is used for testing when Safewhere PasswordReset is not set up using the installer, but rather set up manually.
    • Import from file: If you have a certificate file, you can immediately import it to your server's certificate store as well as relate the tenant to it.
    • Password: When importing a new certificate to your server's certificate store, you will be required to specify its password in order to activate it.
    • Select from server's certificate store: If the needed certificate is already stored in the server's certificate store, you can choose it using this dropdown.
    • Import certificate to Trusted Root Certification Authorities: This is a supporting field for uploading a root certificate that identifies the other certificates as trustworthy (if it does not already exist on your server).

    The generated certificates are placed in: [installed_path]\Certificates\

    pwr-certificate-location

    Licensing: After the 30-day trial period, the user will need to apply a license key.

    Authentication settings

    The following step configures the WS Federation authentication settings for PasswordReset. Currently only Safewhere Identify supports WS Federation authentication for PasswordReset.

    pwr-wsfederation

    • Enter WS Federation issuer URL: The WS Federation issuer URL of the IdP. Example: with Safewhere Identify it is https://[Identifytenantid]/runtime/WSFederation/WSFederation.idp, with ADFS it is https://[ADFS domain]/adfs/ls/
    • Required https: This checkbox requires the system to use HTTPS connections. If it is checked but the WS Federation issuer URL is HTTP only, the user gets an "HTTPS required" error message when clicking "Next".
    • Select WS Federation encrypt certificate: The encryption certificate used for the WS Federation authentication connection, taken from the LocalMachine/My store.
    • Select Signing certificate is used to sign requests to WS Federation: The signing certificate used for the WS Federation authentication connection, taken from the LocalMachine/My store.

    Execution

    On clicking the 'Next' button you will reach the step where the tenant is actually created. Click 'Next' again to start this process.

    pwr-execution

    After execution you have reached the last step. A link is available here for you to immediately access the PasswordReset site of the new tenant.

    pwr-done

    pwr-access
