Use this guide to configure the Forgot Username page, where end-users can retrieve forgotten user IDs.
The Forgot Username tool enables an end-user to provide information associated with their directory account in order to reacquire their username to log into SecureAuth IdP realms.
Each SecureAuth IdP realm can include a Forgot Username URL Link (Overview tab) that displays on the initial login page. Clicking the link redirects end-users to the Forgot Username realm, at which the end-user enters information from a defined field (e.g. email address, phone number, etc.) to confirm the account identity.
Upon successful identity validation, the username is displayed on the page itself or sent to the user via email, as configured by the administrator.
1. Create a New Realm for the Forgot Username function
2. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:
- Overview – the description of the realm and SMTP connections must be defined
- Data – an enterprise directory must be integrated with SecureAuth IdP
- Workflow – the way in which users will access this application must be defined
- Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined
Select the type of directory integration used for the Forgot Username realm and follow the appropriate steps
This is a configuration example using an Active Directory integration and common data fields, so it is not universal for every enterprise data store, but may be used as a reference to other LDAP directory types
1. In the Membership Connection Settings section, change the searchFilter to accept the user's email address on the initial login page (instead of the username)
This would correspond to the field in the enterprise directory that contains the email address, e.g. (&(mail =%v)(objectclass=*))
2. Set the Search Attribute to the directory attribute that contains the user ID to be retrieved
Once the end-user authenticates, the ID from the Search Attribute is provided as the forgotten username
Skip to step 6
This is a configuration example using a SQL Data Store integration and common properties, so it is not universal for every enterprise data store, but may be used as a reference to other SQL-type data stores (Oracle, ODBC, others)
1. In the SQL data store, create new Stored Procedures that are specific for the Forgot Username realm, using email (or another preferred property) as the user ID
Using SecureAuth's provided Stored Procedures and Tables, replace the Stored Procedure name with a friendly name, e.g. replace GetUser with GetUserByEmail in sp_GetUser: sp_GetUserByEmail
This differentiates the Stored Procedure from the others that employ the username as the User ID
Replace UserName with Email1 in WHERE UserName = @UserName: WHERE Email1 = @UserName
This tells SecureAuth IdP to employ the user's email address stored in Email 1 as the user ID
CREATE PROC [dbo].[sp_GetUserByEmail] @UserName VARCHAR(60)
AS
BEGIN
SELECT [UserName]
,ISNULL([GroupList], '')
,ISNULL([PwdLastSet],'1/1/1900')
,ISNULL([AccountStatus], '')
FROM UserTable
WHERE Email1 = @UserName
END
Shown as an example is the Get User Stored Procedure, which must be updated for this realm
The following Stored Procedures must be updated in the same manner, but with unique, friendly names:
- Get User (new name: GetUserByEmail)
- Get Profile (new name: GetProfileByEmail)
- Update Profile (new name: UpdateProfileByEmail)
- Validate / Get Password, required only if the user's password is required in the workflow to retrieve the forgotten username (new name: ValidatePasswordByEmail / GetPasswordByEmail)
CREATE PROC [dbo].[sp_GetProfileByEmail] @UserName VARCHAR(60)
AS
BEGIN
SELECT UserName
,IsNull(FirstName, '') FirstName
,IsNull(LastName, '') LastName
,IsNull(Phone1, '') Phone1
,IsNull(Phone2, '') Phone2
,IsNull(Phone3, '') Phone3
,IsNull(Phone4, '') Phone4
,IsNull(Email1, '') Email1
,IsNull(Email2, '') Email2
,IsNull(Email3, '') Email3
,IsNull(Email4, '') Email4
,IsNull(AuxID1, '') AuxID1
,IsNull(AuxID2, '') AuxID2
,IsNull(AuxID3, '') AuxID3
,IsNull(AuxID4, '') AuxID4
,IsNull(AuxID5, '') AuxID5
,IsNull(AuxID6, '') AuxID6
,IsNull(AuxID7, '') AuxID7
,IsNull(AuxID8, '') AuxID8
,IsNull(AuxID9, '') AuxID9
,IsNull(AuxID10, '') AuxID10
,IsNull(pinHash, '') pinHash
,IsNull(Questions, '') Questions
,IsNull(Answers, '') Answers
,IsNull(ChallengeQuestion, '') ChallengeQuestion
,IsNull(ChallengeAnswer, '') ChallengeAnswer
,IsNull(CertResetDate, '1/1/1900') CertResetDate
,IsNull(CertCount, 0) CertCount
,IsNull(CertSerialNumber, '') CertSerialNumber
,IsNull(MobileResetDate, '1/1/1900') MobileResetDate
,IsNull(MobileCount, 0) MobileCount
,IsNull(ExtSyncPwdDate, '1/1/1900') ExtSyncPwdDate
,IsNull(HardwareToken, '') HardwareToken
,IsNull(iOSDevices, '') iOSDevices
,IsNull(OATHSeed, '') OATHSeed
,IsNull(OneTimeOATHList, '') OneTimeOATHList
,IsNull(GroupList, '') GroupList
FROM UserTable
WHERE Email1 = @UserName
SELECT DigitalFP
FROM UserFP
WHERE Email1 = @UserName
SELECT PNToken
FROM UserPN
WHERE Email1 = @UserName
SELECT AccessHistory
FROM UserAccessHistory
WHERE Email1 = @UserName
SELECT OATHToken
FROM UserOT
WHERE Email1 = @UserName
END
GO
Note the updates applied to this Stored Procedure from step 1
The following steps are completed in the SecureAuth IdP Web Admin
3. In the Membership Connection Settings section, set the Get User SP to the friendly name of the Forgot Username-specific Get User Stored Procedure (configured in step 1), e.g. GetUserByEmail
4. Set the Validate / Get Password SP to the friendly name of the Forgot Username-specific Get / Validate Password Stored Procedure, e.g. GetPasswordByEmail
Step 4 is required only if the user's password is required in the Forgot Username realm login workflow
5. Set the Get Profile SP and the Update Profile SP to the friendly names of the Forgot Username-specific Get User Profile and Update User Profile Stored Procedures, e.g. GetProfileByEmail and UpdateProfileByEmail
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
6. Select Forgot Username from the Authenticated User Redirect dropdown in the Post Authentication tab in the Web Admin
7. An unalterable URL is auto-populated in the Redirect To field, which appends to the domain name and realm number in the address bar (Authorized/ForgotUsername.aspx)
8. Choose the Username Delivery Option, which either is to Display on page or to Send in email to the field designated in the searchFilter / Stored Procedures (Email 1)
The username displayed on the page or sent in the email is the username stored in the directory attribute mapped to the Search Attribute field; or the User ID stored as the UserName in SQL-type data stores
Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes
9. Click View and Configure FormsAuth keys / SSO token to configure the token/cookie settings and to configure this realm for Single Sign-on (SSO)
These are optional configurations
1. If SSL is required to view the token, select True from the Require SSL dropdown
2. Choose whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device:
- UseCookies enables SecureAuth IdP to always deliver a cookie
- UseUri disables SecureAuth IdP to deliver a cookie, and instead deliver the token in a query string
- AutoDetect enables SecureAuth IdP to deliver a cookie if the user's settings allow it
- UseDeviceProfile enables SecureAuth IdP to deliver a cookie if the browser's settings allow it, no matter the user's settings
3. Set the Sliding Expiration to True if the cookie remains valid as long as the user is interacting with the page
4. Set the Timeout length to determine for how many minutes a cookie is valid
No configuration is required for the Name, Login URL, or Domain fields
5. No changes are required in the Validation field, unless the default value does not match the company's requirement
If a different value is required, select it from the dropdown
6. No changes are required in the Decryption field, unless the default value does not match the company's requirement
If a different value is required, select it from the dropdown
No configuration is required for the Validation Key or Decryption Key fields
7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown
Selecting False - Session Cookie enables the cookie to be valid as long as the session is open, and will expire once the browser is closed or the session expires
No configuration is required for the Pre-Auth Cookie, Post-Auth Cookie, or the Clean Up Pre-Auth Cookie fields
Click Save once the configurations have been completed and before leaving the Forms Auth / SSO Token page to avoid losing changes
To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration
To configure this realm for Windows Desktop SSO, refer to Windows desktop SSO configuration
Follow these steps to alter the end-user login pages to read, "Email" (or whatever is preferred) instead of "Username" in the Forgot Username realm
These optional steps are completed in the Forgot Username realm (configured above)
1. In the Advanced Settings section, select Content and Localization
2. Search for useridview_userIdLabel and change Username: to Email: (or the preferred verbiage), which displays on the initial login page, prompting the user for the User ID
3. Change the passwordview_userLabel from Username: to Email: (or the preferred verbiage), which displays on the subsequent login page, prompting the user for the password
This is only necessary if the realm's workflow has username and password on separate pages
The Username / Email field is greyed out and displays the information entered on the previous page
4. Search for useridview_usernameplaceholder and change Username to Email Address (or the preferred verbiage), which displays as a placeholder on the initial login page (with step 2) in the text box
Click Save once the configuration is complete and before leaving the Content and Localization page to avoid losing changes
Follow the step to add the Forgot Username realm link to other SecureAuth IdP realms, which displays on login pages for end-users to quickly retrieve lost credentials
This optional step is NOT completed in the Forgot Username realm, but rather in other SecureAuth IdP realms
1. In the Page Content section, update the Forgot Username URL field and its Location on the login page within the other SecureAuth IdP realms in which the function is available
The URL would be: /SecureAuth[ForgotUsernameRealm#]
Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes