Saturday, February 20, 2016

Enforce Password Reset for Expired Passwords During the Authentication Flow

In this blog post we will look into how to enforce a password reset for expired passwords during the authentication flow. This is done by writing a custom connector (a local authenticator) and engaging it as a step in the authentication flow.

1. Download the connector code from and build the project with Maven, which will produce an org.wso2.carbon.identity.policy.password-1.0.0.jar file inside the target directory.

2. Copy the file org.wso2.carbon.identity.policy.password-1.0.0.jar to [IS_5.1.0]/repository/components/dropins/.

3. Copy to [IS_5.1.0]/repository/deployment/server/webapps/authenticationendpoint.

4. Edit the file [IS_5.1.0]/repository/conf/identity/ and add the following property.


5. Start WSO2 Identity Server.

6. Create a service provider and, under 'Local & Outbound Authentication Configuration' --> 'Advanced Configuration', define two steps: the first step with the 'basic' local authenticator and the second step with the 'password-reset-enforcer' local authenticator.

7. Once the service provider is created, we also need to create a claim and map that claim to a user store attribute to hold the timestamp of the password reset event.

8. Claims --> Add --> Add New Claim --> Select and create a claim with the claim URI and make it ReadOnly. Also uncheck 'Supported By Default'.

9. That's it. During the authentication flow, if the password is expired, you will be prompted to reset the password.
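The decision the 'password-reset-enforcer' step has to make after 'basic' has authenticated the user, as an added example in Java (not the connector's own code): it reads the timestamp claim from step 8 through the Carbon UserStoreManager API and fails closed on a missing, malformed or future-dated value. The claim URI, the 90-day validity period and storing the timestamp as epoch milliseconds are assumptions.

```java
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;

/** Expiry decision for the second authentication step, plus the write made after a reset. */
public final class PasswordExpiryPolicy {

    // Assumed: the claim URI created in step 8 and a 90-day validity period.
    static final String LAST_RESET_CLAIM = "http://wso2.org/claims/lastPasswordResetTime"; // hypothetical URI
    static final long VALIDITY_MILLIS = 90L * 24 * 60 * 60 * 1000;

    /** Pure check, so the edge cases can be unit-tested without a user store. */
    static boolean isExpired(String claimValue, long nowMillis) {
        if (claimValue == null || claimValue.trim().isEmpty()) {
            return true;                 // no reset recorded since the policy was enabled: force one
        }
        final long lastReset;
        try {
            lastReset = Long.parseLong(claimValue.trim());   // epoch milliseconds (assumption)
        } catch (NumberFormatException e) {
            return true;                 // corrupt value: fail closed rather than let the login through
        }
        if (lastReset > nowMillis) {
            return true;                 // future timestamp: clock skew or a tampered attribute, fail closed
        }
        return nowMillis - lastReset > VALIDITY_MILLIS;
    }

    /** What the password-reset-enforcer step asks for the user authenticated by the 'basic' step. */
    static boolean requiresReset(UserStoreManager users, String username) throws UserStoreException {
        String value = users.getUserClaimValue(username, LAST_RESET_CLAIM, null); // null = default profile
        return isExpired(value, System.currentTimeMillis());
    }

    /** Called once the new password has been accepted; restarts the validity window. */
    static void recordReset(UserStoreManager users, String username) throws UserStoreException {
        users.setUserClaimValue(username, LAST_RESET_CLAIM, Long.toString(System.currentTimeMillis()), null);
    }

    private PasswordExpiryPolicy() { }
}
```

Because the claim is ReadOnly and not 'Supported By Default', it is never exposed for editing in the user profile; only server-side code such as recordReset above updates it.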