Chamath's Blog, by Chamath<br />
<br />
Email and normal user name configuration with WSO2 IS (2014-09-09)<br />
In this blog post I'm going to discuss how to configure WSO2 Identity Server to support email-based user names for one user store and plain String user names for another user store.<br />
<br />
This is supported in WSO2 IS 4.6 and 5.0 versions.<br />
<div>
<br /></div>
<div>
First you need to configure the Identity Server to support email-based user names. You can refer to <a href="http://sureshatt.blogspot.de/2013/07/attribute-email-based-user.html" target="_blank">this</a> [1] blog post for the configuration steps. You can configure the primary user store to use email user names as described in that blog.</div>
<div>
<br /></div>
<div>
Then add a secondary user store from Configure -> User Store Management. Click "Add Secondary User Store" and give the necessary details for the user store that should support both email and normal user name types. We will call this user store domain "TEST".</div>
<div>
Once this is configured, if you straight away try to add a user with only a String type user name (alphanumeric characters), it will complain that the user name does not conform to the policy, as shown below.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQpUkMUNX1Lvyo3dp4-7LgjUOwqjMbJbywnbepheFowwlQnoRKly6d7jsB26K7ttyQNzed_3MA4UK-ZBOXy1FUo3rkC50E4WXIhKo3a2IPIADA5w3HGvancKdNySUabCOssieH8u2Es0VY/s1600/error.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQpUkMUNX1Lvyo3dp4-7LgjUOwqjMbJbywnbepheFowwlQnoRKly6d7jsB26K7ttyQNzed_3MA4UK-ZBOXy1FUo3rkC50E4WXIhKo3a2IPIADA5w3HGvancKdNySUabCOssieH8u2Es0VY/s1600/error.png" height="177" width="400" /></a></div>
<div>
<br /></div>
<div>
So in order to allow both types of user names for the TEST domain, we need to add the following property to the user store configuration.</div>
<pre class="brush:csharp"><Property name="UsernameWithEmailJavaScriptRegEx">^[\S]{3,30}$</Property></pre>
<div>
This property defines the user name pattern to be used when email user names are enabled, as discussed in the [1] blog.</div>
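As an added illustration (not part of the original post), the check below applies the property's pattern in Python, whose re module reads ^[\S]{3,30}$ effectively the same way the console's JavaScript engine does, and contrasts it with a tighter policy of my own that only admits an alphanumeric name or a conventional email address. The tighter patterns and the sample names are my constructions, not a WSO2 default.

```python
import re

# The value of UsernameWithEmailJavaScriptRegEx from the post: any run of 3 to 30
# non-whitespace characters, so plain names and email addresses both pass.
POST_POLICY = re.compile(r"^[\S]{3,30}$")

# A tighter alternative (my suggestion, not a WSO2 default): an alphanumeric name
# with ._- or a conventional local-part@domain address, both capped at 30 chars.
PLAIN_NAME = re.compile(r"^[A-Za-z0-9._-]{3,30}$")
EMAIL_NAME = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def allowed_by_post_policy(username):
    """True when the TEST domain, configured as in the post, would accept the name."""
    return POST_POLICY.fullmatch(username) is not None


def classify(username):
    """Return 'plain', 'email' or None under the tighter policy."""
    if len(username) > 30:
        return None
    if PLAIN_NAME.fullmatch(username):
        return "plain"
    if EMAIL_NAME.fullmatch(username):
        return "email"
    return None


def policy_report(candidates):
    """Compare both policies over a list of candidate user names."""
    return {name: (allowed_by_post_policy(name), classify(name)) for name in candidates}


# Constructed sample input: the two names from the post plus edge cases.
SAMPLE = ["testuser1", "testuser2@email.com", "ab", "test user", "a*b", "x" * 31]
```

Both policies accept testuser1 and testuser2@email.com and reject names with whitespace or outside 3 to 30 characters; the difference shows up on a name such as a*b, which \S admits but the tighter policy does not, so the property as given in the post should be read as a minimum rather than as character validation.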
<div>
<br /></div>
<div>
However, you cannot add this property from the User Store Management UI, so you need to edit the file manually. The secondary user store configuration for the super tenant is stored in the <IS_HOME>/repository/deployment/server/userstores/ directory in a file named after the domain, here TEST.xml.</div>
<div>
<br /></div>
<div>
After adding the property you need to restart the server. Then try to add a user to the TEST domain with a normal String type user name (testuser1) from Configure -> Users and Roles -> Users by clicking "Add New User". Then try with an email user name (testuser2@email.com).</div>
<div>
<br /></div>
<div>
With this configuration you will be able to add both types of users to this user store.</div>
<div>
<br /></div>
<div>
<b>Note:</b></div>
<div>
This is supported in super tenant mode only. So in a multi-tenant deployment it is recommended to have only one type of user name configuration.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Ref:</div>
<div>
[1] - http://sureshatt.blogspot.de/2013/07/attribute-email-based-user.html</div>
<div>
<br /></div>
WSO2 Identity Server – User creation with ask password from user (2013-12-15)<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
This post covers the configuration and usage of the WSO2 Identity
Server's admin-driven user account creation process in which the user
is asked to set the password. This feature is included in WSO2
Identity Server 4.5.0 onwards.</div>
</div>
<div style="margin-bottom: 0in;">
<br />
<h3>
Overview</h3>
</div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
When an administrator creates a user account from the Identity Server
management console, the console offers two options: the administrator
enters the password directly, or the user is asked to set the
password. If the administrator sets the password, it becomes a burden,
since he/she then has to hand it to that particular user and may lose
it before doing so. To avoid such situations the administrator can use
the "ask password from user" option when creating users with the
Identity Server. </div>
<br />
<div style="text-align: justify;">
The user creation page can be accessed by browsing
Configure → Users and Roles → Users and clicking on Add new user
as shown in the Figure 1.
</div>
</div>
<div style="margin-bottom: 0in;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtD9kdm_2clXaYBEBMuIp5Z6SfYLBY46zxlhKGPgNEhXVXbRsu3PF1UJ7a7HgpbM6am6pz3Pab0RnX0cB1JfRqNIKXwV65ZucqUIAsvWBIc2GG09mgmSYV5YYOwFElCxMPBeElQLqgAMh8/s1600/add+new+user.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtD9kdm_2clXaYBEBMuIp5Z6SfYLBY46zxlhKGPgNEhXVXbRsu3PF1UJ7a7HgpbM6am6pz3Pab0RnX0cB1JfRqNIKXwV65ZucqUIAsvWBIc2GG09mgmSYV5YYOwFElCxMPBeElQLqgAMh8/s400/add+new+user.jpeg" width="400" /></a></div>
<br /></div>
<div style="margin-bottom: 0in;">
Figure 1 : Add new user</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
Figure 2 below shows the management console UI with the "ask password
from user" option selected.
</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUlxOgLMhsB2bZQ6ijkD8BIaqBv2n5jAaXEGeOIEeBP7fc-zd3fBYIoO_Y0QCQgoBJaF17m9VYUVZzaCerflaaUPK3PEA0wjw40geYAb9cqldFayIjihib7XfICmWd7L-Qyw6XNZFdFdvn/s1600/ask+password+from+user.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUlxOgLMhsB2bZQ6ijkD8BIaqBv2n5jAaXEGeOIEeBP7fc-zd3fBYIoO_Y0QCQgoBJaF17m9VYUVZzaCerflaaUPK3PEA0wjw40geYAb9cqldFayIjihib7XfICmWd7L-Qyw6XNZFdFdvn/s400/ask+password+from+user.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Figure 2 : ask password from user</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
You need to provide the user's user name and email address. The
Identity Server sends an email to this address containing a redirect
URL, where the user is directed to set the password for the account
the admin has just created.</div>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The supporting web service is exposed by the Identity Server at the
following WSDL.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<code class="western">https://<is_server>:9443/services/UserInformationRecoveryService?wsdl</code></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The following operations of this API are used:</div>
<div style="margin-bottom: 0in;">
getCaptcha()</div>
<div style="margin-bottom: 0in;">
verifyConfirmationCode()</div>
<div style="margin-bottom: 0in;">
updatePassword()</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
You can find the sample implementation
of this in the web application <a href="https://svn.wso2.org/repos/wso2/people/chamathg/samples/is/InfoRecoverySample" target="_blank">here</a>.</div>
</div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
<br /></div>
</div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
Now we will see the configurations
needed for this functionality.</div>
<br /></div>
<h3>
Configuration for Identity Server</h3>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
Edit the identity-mgt.properties file, located under the
<is_server>/repository/conf/security/ directory of your Identity
Server installation, with the following.</div>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<pre class="brush:csharp">Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true
Temporary.Password.Enable=true
UserAccount.Verification.Enable=true
</pre>
<div style="margin-bottom: 0in;">
<br />
<div style="text-align: justify;">
Since notification sending is internally managed, we need to uncomment
the email transportSender in the axis2.xml file located under
<is_server>/repository/conf/axis2. Search for <transportSender
name="mailto" and fill in your email details as required.</div>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
Make sure the following email template is defined in
email-admin-config.xml under the <is_server>/repository/conf/email
directory.</div>
<div style="text-align: justify;">
<br /></div>
</div>
<pre class="brush:csharp"><configuration type="askPassword">
<targetEpr>http://localhost:8080/InfoRecoverySample/infoRecover/verify</targetEpr>
<subject>WSO2 Carbon - Password
Change for New Account</subject>
<body>
Hi {first-name}
Please change your password for the
newly created account : {user-name}.
Please click the link below to create
the password.
{password-reset-link}
If clicking the link doesn't seem to
work, you can copy and paste the
link into your browser's address
window.
</body>
<footer>
Best Regards,
WSO2 Carbon Team
http://www.wso2.com
</footer>
<redirectPath>../admin-mgt/update_verifier_redirector_ajaxprocessor.jsp</redirectPath>
</configuration>
</pre>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
Here the <targetEpr> holds the redirect URL which handles the
password flow in the sample web application. The placeholders in curly
braces {} are replaced by the correct values when the email is
generated.</div>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
Then restart the Identity Server for the configuration changes to
take effect.</div>
</div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
<br /></div>
</div>
<div style="margin-bottom: 0in;">
<div style="text-align: justify;">
You need to define the following claim and map it to a valid attribute
of your underlying user store. Go to Configure → Claim Management →
select "http://wso2.org/claims" → click "Add New Claim Mapping". Here I
map it to the facsimileTelephoneNumber attribute of my LDAP user store.
The values I gave are listed below, and Figure 3 shows the UI for this
operation.</div>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Display Name: Identity Password
timestamp</div>
<div style="margin-bottom: 0in;">
Description: Identity Password
timestamp</div>
<div style="margin-bottom: 0in;">
Claim Uri:
http://wso2.org/claims/identity/passwordTimestamp</div>
<div style="margin-bottom: 0in;">
Mapped Attribute:
facsimileTelephoneNumber</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpow93p5ocWOJOFYpD4SvHaK_FEC9x61R8u583OIkWaOx-zpz-iebTSJ44VKmBRyDOSAgD0Qz6KUYizwlgLNE_EKPEfi4loCRpSYP6oG7mUNuk0ujTZ3YJvE88LkpmZhnvBgI74uir5_vY/s1600/new+cliam+mapping.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpow93p5ocWOJOFYpD4SvHaK_FEC9x61R8u583OIkWaOx-zpz-iebTSJ44VKmBRyDOSAgD0Qz6KUYizwlgLNE_EKPEfi4loCRpSYP6oG7mUNuk0ujTZ3YJvE88LkpmZhnvBgI74uir5_vY/s400/new+cliam+mapping.png" width="400" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Figure 3: adding a claim</div>
<div style="margin-bottom: 0in;">
<br /></div>
<h3>
Configuration for sample web application</h3>
<div style="text-align: justify;">
Once you have downloaded the sample (linked above), you can directly
deploy the InfoRecoverySample.war found under the target directory, or
you can build it from source.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you are building from source, set the following context parameters
in web.xml.</div>
<div style="text-align: justify;">
Give your hosted Identity Server URL as below.</div>
<div>
<br /></div>
<pre class="brush:csharp"><param-name>carbonServerUrl</param-name>
<param-value>https://localhost:9443/</param-value>
</pre>
Give the trust store path of the server.
<br />
<pre class="brush:csharp"><param-name>trustStorePath</param-name>
<param-value>/home/chamath/apps/wso2is-4.5.1/repository/resources/security/wso2carbon.jks</param-value></pre>
<br />
Give your admin username and password of the Identity Server.<br />
<pre class="brush:csharp"><param-name>accessUsername</param-name>
<param-value>admin</param-value>
<param-name>accessPassword</param-name>
<param-value>admin</param-value></pre>
<br />
<div style="text-align: justify;">
You also need to enable SSL in your web application container. For
Tomcat you can use the same keystore file, as shown below, in
<tomcat>/conf/server.xml. Restart Tomcat after this change.</div>
<pre class="brush:csharp"><Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/chamath/apps/wso2is-4.5.0-7.18.2-SNAPSHOT/repository/resources/security/wso2carbon.jks" keystorePass="wso2carbon" /></pre>
<br />
<div style="text-align: justify;">
If you deploy the InfoRecoverySample.war file directly, deploy it
first, stop the container, make the configuration changes above, and
start it again.</div>
<br />
<br />
Now you are ready to test the functionality.<br />
<br />
<div style="text-align: justify;">
As shown in Figure 1, go to "Add New User" and select the "ask
password from user" option. You need to give the user name and the
user's email. Then assign the user to a role which has login
permission, and finish the flow; you will receive a message that the
user was created successfully.</div>
<div style="text-align: justify;">
The user will receive an email about the password change for the new
account, containing a confirmation link. As instructed in the email,
click the link. You will be directed to a page to enter the user name
and captcha, as shown in Figure 4.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPNtzHH0WtdaLL0h3GmfHp12Tvd_IIMzfnc8nAJWvEDwDvLQEpeQ4XurmbB5PG9kjN9IZPn2KQ1WWmzBaTs-jfvVQ_7niZm6i-i3TCx8V-z2z3oovXItmxioPCSL2WhlVSvpGx-jRRofl4/s1600/verify+user+for+password.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPNtzHH0WtdaLL0h3GmfHp12Tvd_IIMzfnc8nAJWvEDwDvLQEpeQ4XurmbB5PG9kjN9IZPn2KQ1WWmzBaTs-jfvVQ_7niZm6i-i3TCx8V-z2z3oovXItmxioPCSL2WhlVSvpGx-jRRofl4/s400/verify+user+for+password.png" width="400" /></a></div>
<br />
Figure 4. user name and captcha page<br />
<br />
<div style="text-align: justify;">
Enter the details and submit; you will then be directed to a page to
enter the new password.
</div>
<div style="text-align: justify;">
Now you can check that the new password is in effect by logging into
the Identity Server management console with the user name and the new
password.</div>
<br />
<h3>
References</h3>
<a href="https://svn.wso2.org/repos/wso2/people/chamathg/samples/is/InfoRecoverySample" target="_blank">Sample source code</a><br />
<br />Password Recovery with WSO2 Identity Server (2013-12-02)
<div style="text-align: justify;">
This blog shows the usage of the password recovery feature in WSO2
Identity Server 4.5.0. The Identity Server provides email-based
password recovery as well as secret-question-based password recovery
for registered users. Currently password recovery is only supported
for super tenant users; future versions will support tenant users as
well.</div>
<div>
<br /></div>
With the Identity Server as middleware, you can configure it to recover
user passwords securely after registering users with the Identity
Server user store. The Identity Server exposes secure APIs which your
application can invoke to recover a user's password. You can view the
available APIs by accessing the following WSDL.<br />
<code class="western">https://<isServer>:9443/services/UserInformationRecoveryService?wsdl</code><br />
<br />
First I will explain how to recover the password using email
notifications.<br />
<br />
<h3>
Recover password with email notification</h3>
The API methods available through the above WSDL for email
notification based password recovery are shown below.<br />
1. getCaptcha()<br />
2. verifyUser()<br />
3. sendRecoveryNotification()<br />
4. getCaptcha()<br />
5. verifyConfirmationCode()<br />
6. updatePassword()<br />
<br />
<br />
The flow of password recovery by email notification, using the above
WSDL, is as follows.<br />
First get the captcha using getCaptcha(). The returned captcha details
must be passed, along with the visible captcha answer and the user
name, to verifyUser(), which verifies the user. On successful
verification it returns a code. Then call sendRecoveryNotification()
with that code to send the notification to the user; the generated
email containing the password reset link is emailed to the user. When
the user clicks the reset link, the user should be directed to another
captcha page, obtained by calling getCaptcha(). Then verify the
confirmation code together with the captcha answer by calling
verifyConfirmationCode(). This returns another code, which must be
passed to updatePassword() to update the password.<br />
In order to recover the password using email notification, the
following configuration needs to be done.<br />
You need to configure the email sender; here we use the Axis2 mail
transport sender. The following configuration needs to be done in the
axis2.xml file located in the Identity Server installation under the
<is_home>/repository/conf/axis2 directory. Uncomment the following
and give your email details.<br />
<br />
<pre class="brush:csharp"><transportSender class="org.apache.axis2.transport.mail.MailTransportSender" name="mailto">
<parameter name="mail.smtp.from">wso2demomail@gmail.com</parameter>
<parameter name="mail.smtp.user">wso2demomail@gmail.com</parameter>
<parameter name="mail.smtp.password">mailpassword</parameter>
<parameter name="mail.smtp.host">smtp.gmail.com</parameter>
<parameter name="mail.smtp.port">587</parameter>
<parameter name="mail.smtp.starttls.enable">true</parameter>
<parameter name="mail.smtp.auth">true</parameter>
</transportSender>
</pre>
Then you need to configure the identity management module properties
in the identity-mgt.properties file under the
<is_home>/repository/conf/security directory. You can use the
following configuration for this.<br />
<br />
<pre class="brush: csharp">Identity.Listener.Enable=true
Notification.Sending.Enable=true
# expire the recovery after 3 minutes (a comment must sit on its own line;
# a trailing "# ..." would become part of the value in a Java properties file)
Notification.Expire.Time=3
Notification.Sending.Internally.Managed=true
UserAccount.Recovery.Enable=true
Captcha.Verification.Internally.Managed=true
</pre>
<br />
You can also configure the email format and confirmation code URLs in
email-admin-config.xml under the <is_home>/repository/conf/email
directory. For the password recovery email you need an email template
of type "passwordReset". The following shows a sample
configuration.<br />
<br />
<pre class="brush: csharp"><configurations>
<configuration type="passwordReset">
<targetEpr>https://localhost:8443/InfoRecoverySample/infoRecover/verify</targetEpr>
<subject>WSO2 Carbon - Password Reset</subject>
<body>
Hi {first-name}
We received a request to change the password on the {user-name} account
associated with this e-mail address. If you made this request, please
click the link below to securely change your password:
{password-reset-link}
If clicking the link doesn't seem to work, you can copy and paste the
link into your browser's address window.
If you did not request to have your {user-name} password reset, simply
disregard this email and no changes to your account will be made.
</body>
<footer>
Best Regards,
WSO2 Carbon Team
http://www.wso2.com
</footer>
</configuration>
</configurations></pre>
In the email template shown above, the <targetEpr> tag defines the
callback URL which handles the user's confirmation request. The
contents of the tag are used to create the password-reset-link by
appending a confirmation code.<br />
You can find the sample <a href="https://svn.wso2.org/repos/wso2/people/chamathg/samples/is/InfoRecoverySample/" target="_blank">here</a>. Follow the "I forgot
my password" link to see the demo.<br />
<div>
<br />
<h3>
Recover password with secret questions</h3>
The Identity Server provides another way of recovering the password,
using secret questions. A user can select two security questions, one
from each of the two sets of questions, and provide answers using the
Account Recovery option under My Identity in the management console,
as shown below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirEye-4ietUEV66vXFw8pySvW8uKS81ws0xVEDzqdT4tAr9NWOFJ5E5faCd62NeZONqWytCfVZUeonECYljavdbYb_OqTa5yoa5xkJapKtLqsk4P_X8fK8yl0pfKC2ofPfBPXWdJ_RCcTM/s1600/account_recovery.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirEye-4ietUEV66vXFw8pySvW8uKS81ws0xVEDzqdT4tAr9NWOFJ5E5faCd62NeZONqWytCfVZUeonECYljavdbYb_OqTa5yoa5xkJapKtLqsk4P_X8fK8yl0pfKC2ofPfBPXWdJ_RCcTM/s640/account_recovery.png" width="640" /></a></div>
Figure 1. Account Recovery menu in management console.<br />
<br />
You need the same configuration as for recovery with email
notification, except the email-related settings.<br />
Also make sure that you have mapped correct attributes for the
challenge question attributes under Claim management for
<a href="http://wso2.org/claims/challengeQuestion1">http://wso2.org/claims/challengeQuestion1</a>
and <a href="http://wso2.org/claims/challengeQuestion2">http://wso2.org/claims/challengeQuestion2</a>
claim URIs.<br />
<br />
There are 6 methods defined in the API for this flow, as follows.<br />
<br />
1. getCaptcha()<br />
2. verifyUser()<br />
3. getUserChallengeQuestionIds()<br />
4. getUserChallengeQuestion()<br />
5. verifyUserChallengeAnswer()<br />
6. updatePassword()<br />
<br />
The password recovery flow for two challenge questions is as
follows.<br />
<br />
Get the captcha using getCaptcha() and provide the captcha details
with the user name to verifyUser(). This call returns a code. After
verification, get the challenge question ids using
getUserChallengeQuestionIds(), which returns the defined claim URIs
along with a code. You need this code to retrieve the question for the
user with getUserChallengeQuestion(). In your web application you can
define two separate steps for answering the challenge questions to
maximise security. verifyUserChallengeAnswer() verifies a particular
answer for a question. If both answers are correct you can call
updatePassword() to change the user's password.<br />
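The two flows above (and the three operations the ask-password post uses at its tail) as an added, runnable model: this is example code written for this page, not the Identity Server's implementation or the sample web app. The operation names follow the lists in the post; their parameters, return values, the in-memory storage, the ?confirmation= query parameter appended to the targetEpr, the hashing of answers and the treatment of Notification.Expire.Time as seconds are all assumptions of this mock. What it demonstrates is the property both flows rely on: every code is issued for one user and one step, is consumed when used and expires, so a reused or out-of-order code, a wrong captcha, a wrong answer or a missing second answer never reaches updatePassword().

```python
import hashlib
import hmac
import secrets
import time


def hash_answer(answer):  # challenge answers are stored hashed (normalised) and compared in constant time
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


class MockRecoveryService:
    def __init__(self, target_epr, expire_seconds, users):
        self.target_epr = target_epr  # <targetEpr> of the passwordReset email template
        self.expire = expire_seconds  # plays the role of Notification.Expire.Time
        self.users = users            # username -> {"password": str, "questions": {claimUri: (text, hash)}}
        self.captchas = {}            # captcha key -> expected answer
        self.codes = {}               # one-time code -> (username, stage, issued_at)
        self.outbox = []              # (username, reset link) pairs a real server would email

    def _issue(self, user, stage):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, stage, time.time())
        return code

    def _consume(self, code, user, *stages):  # codes are user-bound, step-bound, single-use and expiring
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != user or not entry[1].startswith(stages):
            raise ValueError("unknown, reused or out-of-order confirmation code")
        if time.time() - entry[2] > self.expire:
            raise ValueError("confirmation code expired")
        return entry[1]

    def getCaptcha(self):
        key, answer = secrets.token_hex(4), secrets.token_hex(3)
        self.captchas[key] = answer
        return key, answer  # a real service renders the answer as an image

    def verifyUser(self, user, key, answer):  # one error for both failures, so names are not enumerable
        if not hmac.compare_digest(self.captchas.pop(key, ""), answer) or user not in self.users:
            raise ValueError("captcha or user verification failed")
        return self._issue(user, "verified")

    def sendRecoveryNotification(self, user, code):
        self._consume(code, user, "verified")  # the code returned by verifyUser()
        link = f"{self.target_epr}?confirmation={self._issue(user, 'emailed')}"
        self.outbox.append((user, link))       # fills the {password-reset-link} placeholder

    def verifyConfirmationCode(self, user, code, key, answer):
        if not hmac.compare_digest(self.captchas.pop(key, ""), answer):
            raise ValueError("captcha failed")
        self._consume(code, user, "emailed")   # the code carried in the emailed link
        return self._issue(user, "confirmed")

    def getUserChallengeQuestionIds(self, user, code):
        self._consume(code, user, "verified")
        return list(self.users[user]["questions"]), self._issue(user, "q:")

    def getUserChallengeQuestion(self, user, code, uri):
        stage = self._consume(code, user, "q:")  # asking does not advance the stage
        return self.users[user]["questions"][uri][0], self._issue(user, stage)

    def verifyUserChallengeAnswer(self, user, code, uri, answer):
        stage = self._consume(code, user, "q:")  # the stage records which URIs are answered
        if not hmac.compare_digest(self.users[user]["questions"][uri][1], hash_answer(answer)):
            raise ValueError("wrong answer")
        answered = set(filter(None, stage[2:].split(","))) | {uri}
        return self._issue(user, "q:" + ",".join(sorted(answered)))

    def updatePassword(self, user, code, new_password):
        stage = self._consume(code, user, "confirmed", "q:")
        if stage.startswith("q:") and set(stage[2:].split(",")) != set(self.users[user]["questions"]):
            raise ValueError("every challenge question must be answered first")
        self.users[user]["password"] = new_password
        return True


def recover_by_email(svc, user, new_password):  # steps 1-6 of the email flow
    key, answer = svc.getCaptcha()
    svc.sendRecoveryNotification(user, svc.verifyUser(user, key, answer))
    link_code = svc.outbox[-1][1].split("confirmation=")[1]  # what the user's click delivers
    key, answer = svc.getCaptcha()
    return svc.updatePassword(user, svc.verifyConfirmationCode(user, link_code, key, answer), new_password)


def recover_by_questions(svc, user, answers, new_password):  # steps 1-6 of the secret-question flow
    key, answer = svc.getCaptcha()
    uris, code = svc.getUserChallengeQuestionIds(user, svc.verifyUser(user, key, answer))
    for uri in uris:
        _question, code = svc.getUserChallengeQuestion(user, code, uri)
        code = svc.verifyUserChallengeAnswer(user, code, uri, answers[uri])
    return svc.updatePassword(user, code, new_password)


def build_demo_service():  # constructed sample data, keyed by the claim URIs the post maps
    questions = {"http://wso2.org/claims/challengeQuestion1": ("City of birth?", hash_answer("Colombo")),
                 "http://wso2.org/claims/challengeQuestion2": ("First pet?", hash_answer("Rex"))}
    users = {"testuser1": {"password": "old-secret", "questions": questions}}
    return MockRecoveryService("https://localhost:8443/InfoRecoverySample/infoRecover/verify", 180, users)
```

The testuser1 account, its two questions and the outbox are constructed sample data. The stage string carried by each code is what ties the steps together: getUserChallengeQuestion() re-issues the same stage, verifyUserChallengeAnswer() adds the answered claim URI to it, and updatePassword() refuses a challenge-question code until every configured question is in that set. verifyUser() returns one error for a failed captcha and for an unknown user, so the recovery endpoint does not reveal which user names exist.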
<br />
You can find a sample web app that implements this feature
<a href="https://svn.wso2.org/repos/wso2/people/chamathg/samples/is/InfoRecoverySample" rel="nofollow" target="_blank">here</a>.<br />
<br />
<h4>
References
</h4>
<a href="http://docs.wso2.org/display/IS450/Recover+with+Notification">http://docs.wso2.org/display/IS450/Recover+with+Notification</a><br />
<a href="http://docs.wso2.org/display/IS450/Recover+with+Secret+Questions">http://docs.wso2.org/display/IS450/Recover+with+Secret+Questions</a></div>