Introduction -:

In this blog, we will explore how to customize the USC password reset policy in IBM Verify Identity Access (IVIA) to add custom logic during the password reset flow. The default policy provides a standard flow for users to reset their passwords, but in some cases, we may need to impose additional checks. For instance, in this blog, we will focus on preventing users from resetting their passwords if they are disabled in Active Directory (AD). This functionality can be particularly useful in organizations where users may be temporarily or permanently blocked, and it's crucial to prevent them from bypassing such restrictions through the password reset flow.

We will walk through the steps required to implement this feature, explaining how to integrate AD status checks into the reset process. While this blog demonstrates one use case, the solution is flexible, and you can adapt it to your specific requirements. You may need to tweak the configuration or logic depending on the unique needs of your organization or system.

By the end of this post, you will have a clear understanding of how to extend the USC password reset flow to enhance security and tailor it to meet your business needs.

Pre-requisite: 

1. A well configured appliance with Web and AAC module configured.
2. SCIM should be configured to connect to the AD server over a secure SSL connection.
   1. Verify that the SCIM API is functioning correctly by testing the endpoint: https://<applianceIp>/scim/Users.
   2. Refer this given link for SCIM setup Link
3. A SMTP server which is used to deliver the OTP

Configurations Steps.

1. Enable the USC Password Reset policy

   1. Go to  AAC -→ Authentication -→ USC Password Reset -→ select the enable checkbox and save. 
      
      
2. Modify the SCIM  Endpoint Configuration mechanism to point the SCIM
   1. Go to AAC -→ Authentication -→ Mechanisms -→  Search for SCIM  Endpoint Configuration -→ Select and click on edit option
   2. Go to properties -→ Click Server Configuration -→ Select SCIM option -→ Click ok and save
      
      
3. Add the SMTP server details which will be used to send the OTP via emails
   1. Go to AACA -→ Authentication -→ Mechanisms -→ Search for Email One-time Password  -→ edit -→ go to properties and following details. You could get this details from your SMTP server 

      1. Add SMTP Host Name, SMTP Host Name, SMTP Password, SMTP Port, SMTP User Name, Sender Email, and modify if only if you are using ssl connection with SMTP server.

         

          

4. Disable the ReCaptcha part
   1. For this flow, I am disabling the reCAPTCHA functionality temporarily, in order to narrow down the broader configuration changes.
       Note If you intend to use reCAPTCHA in this flow, do not follow the steps described in this section. Instead, refer to the additional settings that need to be validated, link
   2. Modify collectEmail.html.   
      Go to AAC  -→ Template files -→ collectEmail.html 
      
      
      
      
      1. Before:
               <BUTTON TYPE="submit" ID="submitButton" DISABLED>Submit</BUTTON>
         
         After: 
              <BUTTON TYPE="submit" ID="submitButton" >Submit</BUTTON>
          
      2. Go to AAC  -→ Mapping Rules
         Modify below mapping rule
         
         
         
         Remove below  Recaptcha part
         /*
* ReCAPTCHA
*/
if (rc == true) {
 var captchaResponse = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "g-recaptcha-response");
 IDMappingExtUtils.traceString("captchaResponse is: "+captchaResponse);
 var captchaVerified = (captchaResponse != null && captchaResponse.trim() != "") && RecaptchaClient.verify(captchaResponse, macros.get("@RECAPTCHASECRETKEY@"), null);
 IDMappingExtUtils.traceString("RecaptchaClient.verify : "+captchaVerified);
 if (captchaVerified == false) {
   errors.push("CAPTCHA Failed.");
   rc = false;
 }
}
          
5. Modify the Mapping Rule.
   1. Go to AAC -→ Mapping Rules -→ Search for USC_PasswordReset_CollectEmail
   2. Add the code snippet which is in between Start and Finish block,

   3. Here I am taking a default value 514 which is populated for userAccountControl in AD when users is disabled as per link 

      // --> Start
      
      importPackage(Packages.com.ibm.security.access.ldap.utils);
      importPackage(Packages.com.ibm.security.access.scimclient);
      importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
      importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
      importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
      importPackage(Packages.javax.naming.directory);
      importClass(Packages.com.ibm.security.access.recaptcha.RecaptchaClient);
      importClass(Packages.com.ibm.security.access.ldap.utils.AttributeUtil);
      importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
      
      //  --> End
      
      IDMappingExtUtils.traceString("entry USC_PasswordReset_CollectEmail.js");
      
      // Skipping few lines 
      
      if (respJson.totalResults == 1) {
            IDMappingExtUtils.traceString("Found a user with the correct email address: "+JSON.stringify(respJson.Resources[0]));
      
            var scimSurname = (""+respJson.Resources[0].name.familyName).toLowerCase();
            var reqSurname  = (""+surname).toLowerCase();
            IDMappingExtUtils.traceString("Surname [SCIM]    : "+scimSurname);
            IDMappingExtUtils.traceString("Surname [Request] : "+reqSurname);
            if (scimSurname.length == 0 || reqSurname.length == 0) {
              IDMappingExtUtils.traceString("Surname is missing!");
              errors.push("Invalid data.");
              rc = false;
            } else if (scimSurname != reqSurname) {
              IDMappingExtUtils.traceString("Surnames do not match!");
              errors.push("Invalid data.");
              rc = false;
            } else {
              context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username", respJson.Resources[0].userName);
            }
      
      // --> Start       
      
          // Change as per your user suffix in AD
          var userSuffix = "DC=mohishcompany,DC=com"; 
          // Change according to your user location in AD. 
          var userLocationDir = "CN=Users,"+userSuffix;
          // Get the first Name 
          var givenName =  (""+respJson.Resources[0].name.givenName).toLowerCase();
          // Form the complete DN from name + surname + user location Dir 
          var distinguishname = "CN="+givenName+" "+scimSurname+","+userLocationDir;
          //
          var attrUtil = new AttributeUtil();
          attrUtil.init("AD",userSuffix );
          var attrSearches = attrUtil.getAttributeValue(distinguishname, [ 'userAccountControl']).getAttributes();
          var userAccountControlVal = attrSearches.get("userAccountControl");
          var userAccountControl = (userAccountControlVal != null && userAccountControlVal.size() > 0) ? userAccountControlVal.get(0) : "";
      
                  IDMappingExtUtils.traceString("MyScimStatus status : " + userAccountControl);
                  // Checking if Account is Disable 
                  if (userAccountControl.length == 0 ) {
                      IDMappingExtUtils.traceString("Attribute is Missing" + userAccountControl);
                      errors.push("Invalid data.");
                      rc = false;
                  } else if (userAccountControl == "514") {
                      IDMappingExtUtils.traceString("User is Not Active and  Disable or blocked, So you cannot reset password of blocked users");
                      errors.push("User id Blocked, Cannot reset password. userAccountControl : " + userAccountControl);
                      rc = false;
                  } else {
                       IDMappingExtUtils.traceString("User is Active and Not Disable or blocked ");
                  }
                  
      // --> End
      
      
          } else {
            IDMappingExtUtils.traceString("Could not find a user with the given email address.");
            errors.push("Invalid data.");
            rc = false;
          }
      

   4. In above snippet change the following things according to your environment.
      1. Replace the var userSuffix value as per your AD
      2. Change the value of var userLocationDir as per your AD, for me it is "CN=Users,"
      3. if (userAccountControl.length == 0 ) { ... } else if (userAccountControl == "514") { ... }   --→ The  code checks if userAccountControl is empty or equals “514”,   indicating either missing data or a blocked user. 
         And  If the attribute is missing or the user is blocked, an error message is pushed to the errors array accordingly which is further render on the HTML  page.
         errors.push("Invalid data.");  // or
errors.push("User id Blocked, Cannot reset password.");
          
6. Now test the flow.
   1. Lets test the normal flow when user is not disabled.

   2. Hit the policy  URL -→ https://<Reverse_Proxy_IP>/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:uscPasswordReset

      
   3. Add the email address and Surname, Submit
      
      
      1. Type OTP received on the email address 
         
         

      2. Type new password ( Make sure it fulfills the password policy criteria  )
         
         

         

      3. And password got reset. 
         
         
7. Now test it by Disabling the user from AD.
   1. 'Hit the URL -→ https://<Reverse_Proxy_IP>/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:uscPasswordReset
   2. Add the email address of user and its surname and click submit, Now it will block the further execution and will show error.
      
      
      
8. In this way you can prevent the reset of password when your account is disabled on AD using IVIA USC Password Reset Utility.

Authors

• Nilesh Amrutkar - nilesh_amrutkar@in.ibm.com
• Mohish Khadse  - mohishkhadse55@ibm.com