ISIM currently supports 2 things for getting access to ISIM without password (outside SSO that is):
1. Shared Secret - this is basically some data stored in an attribute - this was originally thought of as a mechanism to solve the initial password problem at a point in time where the intranet was thought of as a secure and trusted environment. This is extremely insecure and should not be used.
2. Challenge Response (C/R) - this was added to ISIM to solve the problem of password reset without having to involve the help desk. This has 2 problems - ensuring that users set up the questions and answers (and remember them) and the general security level, as C/R answers are normally quite easy to find. I do not recommend using C/R for systems where just a reasonable security level is required.
The password reset and initial password problem is inherently linked to the process of authenticating a user. And in both cases there is no password challenge possible, so it has to rely on other mechanisms such as other factors (OTP over mail/SMS), other MFA mechanisms, trusted third party authentication and things like behavioral analytics/biometrics as used in e.g. Trusteer. The complexity of this process is normally very underestimated as the problems are so simple to state.
So before digging into technicalities I will point at the IBM Security Essentials offering that allows your client to have the possibility to get consultancy on topics like this in a reasonably priced package without having to foresee what kind of help you need upfront.
If I understand your requirement correctly, the process needed is to have the end user request a password reset from ISIM, and then a mail should be sent to the user's mail including a link that, when clicked, will trigger the actual password reset?
Based on the assumption that this is not possible for ISIM OOTB - you will need some kind of trusted frontend application that can perform the task of triggering ISIM to do this.
ISIM provides a rich set of APIs that can do this - Java APIs are the most flexible - there are remote APIs available (PasswordManager is probably the best fit here:
https://www.stephen-swann.co.uk/javadoc/sim6.0/index.html?com/ibm/itim/apps/provisioning/PasswordManager.html) - Java APIs are good if you are running your application on the ISIM WAS server - if you want to run externally the process gets clunky as the ISIM Java classes may need to be kept in sync. For external applications the WSPasswordService is a better option, or the newly released REST interfaces, although less powerful. All methods will trigger a Password Change operation workflow process that will need to handle the last part of the process.
To solve this part ISIM provides a WorkOrder workflow extension that can halt the workflow until the user clicks the embedded link in the supplied email - the WorkOrder is documented here:
https://www.ibm.com/support/knowledgecenter/SSRMWJ_7.0.2/com.ibm.isim.doc/planning/cpt/cpt_ic_wkflo_node_workorder.html Doing this requires some workflow programming as you will need to filter out password changes not coming from this process, unless the mail is a standard process (which is a problem if you have lost your password to your mail, e.g. cannot log in to your Microsoft Outlook).
I would advise you also to look at other possibilities - utilizing SSO with ISIM may reduce the issue and allow people an easy way through SSO to reset passwords not covered by SSO - also most SSO systems like Security Verify Access (aka ISAM - Access Manager) have password reset functionality that can be utilized to send a password reset through the unsolicited event processor on ISIM (this is the way password sync and event based reconciliation work on ISIM) or by utilizing the above mentioned password APIs. This of course has to be based on a trusted and secure setup between the involved applications, so there is a decent amount of analysis to be performed upfront.
I hope this can bring you forward in the process - one last piece of advice: remember the KISS principle - do not overdo your solution - ISIM is primarily a provisioning system and the complexity of password handling in terms of doing a good authentication is better placed in other systems :-)
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------
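The reply above describes a trusted frontend that issues an emailed reset link and only triggers the ISIM password operation once that link is clicked. The following is an added example (not Franz's code, and not IBM's ISIM API) of the part of that frontend that needs the most care: the reset token lifecycle. It assumes an in-memory store, a constructed `reset.example.invalid` link format, and a caller-supplied `trigger_isim_reset(user_id)` callable standing in for whatever actually drives ISIM (PasswordManager, WSPasswordService or REST); everything else is real Python standard library. The token is random, single-use, time-limited, and only its SHA-256 hash is stored, so a leaked store cannot be replayed as a valid link.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Lifetime of a reset link; 15 minutes is a constructed, illustrative value.
TOKEN_TTL_SECONDS = 900
# Constructed link format for the example; the real frontend would use its own host.
RESET_URL = "https://reset.example.invalid/confirm?token="


@dataclass
class ResetRequest:
    user_id: str
    expires_at: float
    used: bool = False


class ResetLinkService:
    """Issues emailed reset links and confirms them exactly once before
    handing off to the (assumed) ISIM trigger callable."""

    def __init__(self, trigger_isim_reset: Callable[[str], None],
                 now: Callable[[], float] = time.time) -> None:
        self._trigger = trigger_isim_reset   # assumption: drives the ISIM password change
        self._now = now                      # injectable clock so expiry can be tested
        self._pending: Dict[str, ResetRequest] = {}  # keyed by token hash, never raw token

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a digest: the raw token lives solely in the email.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh single-use link for a user the frontend has already identified."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = ResetRequest(
            user_id=user_id, expires_at=self._now() + TOKEN_TTL_SECONDS)
        return RESET_URL + token

    def confirm(self, token: str) -> bool:
        """Called when the link is clicked. Returns True only if the token is known,
        unexpired and unused; the ISIM trigger fires at most once per token."""
        req = self._pending.get(self._hash(token))
        if req is None or req.used or self._now() > req.expires_at:
            return False
        req.used = True            # mark before triggering so a re-click cannot double-fire
        self._trigger(req.user_id)
        return True


def token_from_link(link: str) -> str:
    return link[len(RESET_URL):]


def demo() -> dict:
    """Walk through issue, confirm, replay, expiry and forgery with a fake clock."""
    clock = [1000.0]
    triggered = []
    svc = ResetLinkService(triggered.append, now=lambda: clock[0])

    first_token = token_from_link(svc.issue("jdoe"))
    first = svc.confirm(first_token)      # legitimate click
    replay = svc.confirm(first_token)     # same link clicked again

    second_token = token_from_link(svc.issue("jdoe"))
    clock[0] += TOKEN_TTL_SECONDS + 1     # wait past the TTL
    expired = svc.confirm(second_token)

    forged = svc.confirm("not-a-token-we-issued")
    return {"first": first, "replay": replay, "expired": expired,
            "forged": forged, "resets_triggered": triggered}


if __name__ == "__main__":
    print(demo())
```

Because `used` is set before the trigger runs, a user double-clicking the link cannot cause two ISIM password operations; the flip side is that a failing trigger consumes the token, which is the safer default for a reset flow. The ISIM-side WorkOrder filtering Franz mentions still applies: this service only guarantees that the trigger is reached by a holder of the emailed link.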
Original Message:
Sent: Thu January 21, 2021 06:24 AM
From: Svavar Thrastarson
Subject: ISIM - Reset Password
I need to implement password reset functionality in ISIM. It looks like ISIM is capable of fulfilling all requirements except one.
- User can reset the password by submitting user id or email and receiving a reset link
In ISIM this seems to be possible if the user answers security question(s) (challenge response) firstly.
So my question is: Can ISIM be configured to send out the reset link without asking the questions?
If no to the first question, a backup question. Can we configure ISIM to post a pre-defined question and answer (e.g. What is 1+1? Answer=2)
------------------------------
Svavar Thrastarson
------------------------------