  • Forgot password management using Oracle Access Manager

    Posted by "" in "idm, oam" on 2010-06-16

Hi all,

Today I implemented Lost Password Management (LPM) using Oracle Access Manager. The infrastructure is OAM with Sun DS 5.2 as both the user store and the policy store.

A web application deployed on OHS 11g is protected with form-based authentication. When the OHS 11g WebGate is installed, a folder /oamsso is created under the WebGate/oblix location. It contains a login.html that already carries a Forgot Password button. If you don't have such a login file, add the code below to your custom login page.

    <script type="text/javascript">
    // isEmpty() is referenced but not defined on this page; this minimal
    // version treats a blank or whitespace-only value as empty.
    function isEmpty(value) {
      return value == null || value.replace(/\s/g, "") == "";
    }

    function lostPassword() {
      var form = document.forms[0];
      var elements = form.elements;
      for (var i = 0; i < elements.length; i++) {
        if (elements[i].name == "userid") {
          if (isEmpty(elements[i].value)) {
            alert("Please enter a valid User Name");
            return false;   // stay on the login page; do not submit
          }
        }
      }
      // REPLACE host:port with host & port of the Webserver where WEBPASS is installed.
      // backUrl is where the Lost Password flow sends the user afterwards, so the
      // current URL is encoded before it is appended as a query parameter.
      form.action = "http://host:port/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?backUrl="
                    + encodeURIComponent(document.URL);
      return true;
    }
    </script>

    <input type="submit" onclick="return lostPassword()" name="button" value="Lost Password">
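    As an added example (not code from the original post), the redirect step above rewritten as pure functions so it can be tested outside a browser. It builds the lost_pwd_mgmt.cgi URL from the WebPass base URL, rejects an empty userid, URL-encodes backUrl (the snippet above appends document.URL raw, which breaks as soon as the protected page carries its own query string), and checks that the backUrl it carries still points at the protected site, since backUrl is a redirect target. The WebPass base URL, the sample page URL and the function names are assumptions.

```javascript
// Added example, not code from the original post. The WebPass base URL and
// the page URLs used here are constructed sample values.
const WEBPASS_BASE = "http://webpass.example.com:7777"; // assumed host:port

// Mirrors the page's isEmpty(): blank or whitespace-only input counts as empty.
function isEmpty(value) {
  return value === null || value === undefined || String(value).trim() === "";
}

// Build the Lost Password URL. backUrl is the page the user is sent back to
// after the reset, so it is encoded rather than concatenated raw.
function buildLostPasswordUrl(webpassBase, userId, currentUrl) {
  if (isEmpty(userId)) {
    throw new Error("Please enter a valid User Name");
  }
  const path = "/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi";
  return webpassBase.replace(/\/+$/, "") + path +
         "?backUrl=" + encodeURIComponent(currentUrl);
}

// Parse backUrl back out of the built URL and confirm it is on the protected
// site's origin, so an edited link cannot turn the parameter into an open
// redirect to somewhere else.
function backUrlIsOnSite(lostPwdUrl, allowedOrigin) {
  const back = new URL(lostPwdUrl).searchParams.get("backUrl");
  if (back === null) return false;
  try {
    return new URL(back).origin === allowedOrigin;
  } catch (e) {
    return false; // backUrl is not a parseable absolute URL
  }
}

// Browser glue, wired to the Lost Password button as on the page:
//   function lostPassword() {
//     var form = document.forms[0];
//     try {
//       form.action = buildLostPasswordUrl(WEBPASS_BASE,
//                       form.elements["userid"].value, document.URL);
//       return true;
//     } catch (e) { alert(e.message); return false; }
//   }
```

The same-origin check is client-side only; what protects the flow is OAM's own handling of backUrl on the server, so treat this as a sanity check on the link you generate, not as the control.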

    The basic requirements for Lost Password Management are a custom challenge-phrase attribute, a custom challenge-response attribute, and an auxiliary object class that carries them.

    Add the lines below to an LDIF file.

    # adding attributes
    # The listing on this page lost the OID and SYNTAX values; the Directory
    # String syntax below is an assumption, and the NAME-oid placeholder is the
    # form Sun DS accepts when no numeric OID has been assigned.
    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( ChallengePhrase1-oid NAME 'ChallengePhrase1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( ChallengeResponse1-oid NAME 'ChallengeResponse1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    # adding aux object class
    dn: cn=schema
    changetype: modify
    add: objectclasses
    objectclasses: ( oblixAuxPerson4LPM-oid NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( ChallengePhrase1 $ ChallengeResponse1 ) )

    Here we add two attributes, ChallengePhrase1 and ChallengeResponse1, to the LDAP schema, along with an auxiliary object class that lists both as optional (MAY) attributes. Attribute names must not contain spaces: the object class refers to them by name, so a definition of 'Challenge Phrase1' would leave the MAY reference to ChallengePhrase1 dangling.

    These attributes are populated when a user is created, either by an administrator using Create User Identity or through User Self Registration (using Identity XML).

    Use the command below to add the attributes and object class to the schema.

    D:\Sun\MPS\shared\bin>ldapmodify.exe -h kbmahendra.india.hcleai.com -p 30127 -D "cn=Directory Manager" -w admin123 -f D:\Sun\LPM.ldif
    modifying entry cn=schema

    Upon executing the ldapmodify command, you should see the success message "modifying entry cn=schema" for each record in the file. Note that -w puts the Directory Manager password on the command line, where it lands in shell history and is visible in process listings; the Sun DS tools can read it from a protected file with -j instead.
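    An added example, not part of the original post: an offline sanity check for the schema LDIF before it is fed to ldapmodify. It pulls every attributetypes and objectclasses definition out of the file, flags attribute names that are not valid RFC 4512 descriptors (letters, digits and hyphens only, which rules out the space-containing names the listing on this page originally showed), flags attributes with no SYNTAX OID, and reports any MUST or MAY reference in an object class that no attribute in the file defines. The embedded LDIF is a constructed sample reproducing the page's original defective listing; the function names are assumptions.

```javascript
// Added example, not code from the original post. SAMPLE_LDIF is a
// constructed copy of the page's original listing, defects included.
const SAMPLE_LDIF = `
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( NAME 'Challenge Phrase1' SYNTAX )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( NAME 'Challenge Response1' SYNTAX )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( oblixAuxPerson4LPM-oid NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( ChallengePhrase1 $ ChallengeResponse1 ) )
`;

// RFC 4512 keystring: a descriptor starts with a letter and contains only
// letters, digits and hyphens.
const KEYSTRING = /^[A-Za-z][A-Za-z0-9-]*$/;

// Every NAME of a definition; NAME may be 'x' or a list ( 'x' 'y' ).
function namesOf(def) {
  const m = def.match(/NAME\s+(?:'([^']*)'|\(([^)]*)\))/);
  if (!m) return [];
  if (m[1] !== undefined) return [m[1]];
  return m[2].match(/'([^']*)'/g).map(s => s.slice(1, -1));
}

// Attributes referenced by MUST/MAY, either as a single name or ( a $ b ).
function refsOf(def, keyword) {
  const m = def.match(new RegExp(keyword + "\\s+(?:\\(([^)]*)\\)|([A-Za-z0-9-]+))"));
  if (!m) return [];
  if (m[2] !== undefined) return [m[2]];
  return m[1].split("$").map(s => s.trim()).filter(Boolean);
}

// Returns the list of problems found; an empty list means the LDIF is
// internally consistent and its names are legal.
function checkSchemaLdif(ldif) {
  const problems = [];
  const attrs = new Set();  // attribute names defined in this file, lower-cased
  const classes = [];
  for (const line of ldif.split("\n")) {
    if (line.startsWith("attributetypes:")) {
      const def = line.slice("attributetypes:".length).trim();
      if (!/SYNTAX\s+[0-9][0-9.]*/.test(def)) {
        problems.push("attribute without SYNTAX OID: " + def);
      }
      for (const n of namesOf(def)) {
        if (!KEYSTRING.test(n)) problems.push("invalid attribute name '" + n + "'");
        attrs.add(n.toLowerCase());
      }
    } else if (line.startsWith("objectclasses:")) {
      classes.push(line.slice("objectclasses:".length).trim());
    }
  }
  for (const def of classes) {
    for (const ref of refsOf(def, "MUST").concat(refsOf(def, "MAY"))) {
      if (!attrs.has(ref.toLowerCase())) {
        problems.push("objectclass " + namesOf(def)[0] +
                      " references undefined attribute " + ref);
      }
    }
  }
  return problems;
}
```

Run it over the file you are about to load; the corrected listing above yields no problems, while the page's original listing yields six (two missing syntaxes, two illegal names, two dangling MAY references). The check only sees attributes defined in the same file, so an object class that relies on attributes already present in the server's schema will show up as references you then confirm by hand.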

    Restart the OC4J_SECURITY service so that the OAM schema picks up the oblixAuxPerson4LPM object class.

    Now add the object class oblixAuxPerson4LPM to the OAM object classes.

    For this, go to the Identity System Console -> Common Configuration -> Object Classes.

    Click Add and select oblixAuxPerson4LPM from the dropdown. Select Person as the Object Class Type. Click Modify Attributes and configure the attribute ChallengePhrase1 with Challenge and DN Prefix as the Semantic Type; leave the Display Type as Single Line Text and Attribute Values as Single. Configure the attribute ChallengeResponse1 the same way, with Response as the Semantic Type.

    Save these configurations and click Done.

    Go to the Authentication scheme. Here I am using Form Based Login.

    Go to the Validation Plugin and add the following text; it should appear exactly as shown below.

    obCredentialPassword="password",obReadPasswdMode="LDAP",obWritePasswdMode="LDAP"

    Be careful with the quotes: use straight ASCII double quotes ("), not the typographic curly quotes that word processors and some browsers substitute, which the plugin does not parse.

    With this, the configuration is complete. Now let's test the lost password functionality.

    Access the test URL protected by OAM; it should present the login page.

    Enter the userid and click Lost Password.

    You will be prompted with the challenge phrase the user registered. Answer the challenge and click Submit.

    You will then be prompted to enter a new password; enter it and click Save.

    A message confirms that the password has been changed; click Back.

    The login page is shown again. Enter the credentials with the new password and you will be taken to the requested resource.

    15 Responses to “Forgot password management using Oracle Access Manager”

    1. Ferry says:

      Hello Mahendra,
      Do we have a feature in OAM, where after password reset using “forgot password” an email should be sent to the user with his new password.

    2. Atul Kumar says:

      @ Ferry,
      Yes this is possible. For lost password, OAM uses challenge phrase

      From the Identity System Console, click the System Configuration sub-tab, then click Lost Password Policy.

      Select the Send Email After Password Change box if you want email to be sent to
      the user after the password has been reset.



      Or you can customize OAM so that change password simply sends the updated password via email (not a safe solution) using the API – http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12491/idapi.htm#sthref478

    3. Ferry says:

      Hello Atul,

      Thank You for the quick response. Appreciated !!!!!


    4. Rahul says:

      Hello Mahendra,
      I am unable to update the object class. I am getting the following error:
      modifying entry cn=schema
      ldap_modify: Undefined attribute type
      ldap_modify: additional info: Attribute dn is not supported in schema.

      I suspect that it’s unable to find the dn for schema. I am using OID 11g with OAM

    5. Atul Kumar says:

      @ Rahul,

      What command you are using ?

      The above post is to extend the object class in Sun LDAP server. For OID the command could be different.

    6. Rahul says:

      Hi Atul,
      I am using ldapmodify command and tried the DN: cn=subschemasubentry as well.. still fails with same error. Is there any specific command for OID

    7. Rahul says:

      I finally added the attributes & objectclasses and confirmed their existence in OID schema. However, I am unable to see them in Identity System Console.

    8. Mahendra says:


      You have to add those objectclasses and attributes explicitly in the OAM Identity Console.


    9. Rahul says:

      Hello Mahendra,
      When I click on Add under Common configuration, I don’t see them. Is there any other way to add them explicitly. Could you please elaborate…
      Thank You….

    10. Mahendra says:


      Please check whether the objectclass is added in your LDAP. I remember seeing this behavior before and re-adding the objectclass and attributes has done the trick, OR it should be added as an auxiliary object class.


    11. Rahul says:

      We are using a different tool for self registration. I am able to update the user & pwd directly in my LDAP and able to login via OAM. However, I am not able to find a clue on how to update the challenge phrase & response, as the response value is encrypted by OAM in LDAP?? Any ideas??

    12. Mahendra says:


      May I know the tool that you are using for self registration?

      To my knowledge, either we should provide the self registration link of OAM identity console or use Identity XML API to do so.

      If you are using Identity XML API for self registration, then there are specific attributes to update the challenge phrase and response. Please check some sample identity xml samples in the identity server installation directory. It must be under Unsupported folder (cannot remember the exact location though).

      Hope this helps.


    13. Ravi says:

      Hi Mahendra,

      What is the attribute used to send the email after user resetting their password?


    14. Jisha Roy says:

      Hi Atul,

      Thanks for your updates. The article was very helpful in setting up the LPM. I noticed that the challenge is prompted to the user repeatedly until he enters the correct response. How can we secure this functionality, e.g. prompt the challenge to the user only 3 times or so?


    15. mahendra says:


      I don’t think it is possible OOTB. Even if you try to customize it, it is very difficult to fetch the challenge response attributes and play with it.

      Anyhow, this is a good question.

      Hope this helps.


    © 2014, K21 Technologies. All rights reserved.