1. Download the connector code from https://github.com/facilelogin/aratuwa/tree/master/carbon-security/org.wso2.carbon.identity.policy.password and build the project with Maven, which produces an org.wso2.carbon.identity.policy.password-1.0.0.jar file inside the target directory.
2. Copy the file org.wso2.carbon.identity.policy.password-1.0.0.jar to [IS_5.1.0]/repository/components/dropins/.
3. Copy https://github.com/facilelogin/aratuwa/blob/master/carbon-security/org.wso2.carbon.identity.policy.password/src/main/resources/pwd-reset.jsp to [IS_5.1.0]/repository/deployment/server/webapps/authenticationendpoint.
4. Edit the file [IS_5.1.0]/repository/conf/identity/identity-mgt.properties and add the following property.
Authentication.Policy.Password.Reset.Time.In.Days=20
5. Start WSO2 Identity Server.
6. Create a service provider and, under 'Local & Outbound Authentication Configuration' --> 'Advanced Configuration', define two authentication steps: the first step with the 'basic' local authenticator and the second step with the 'password-reset-enforcer' local authenticator.
7. Once the service provider is created, we also need to create a claim and map it to a user store attribute that will hold the timestamp of the last password reset event.
8. Claims --> Add --> Add New Claim --> Select http://wso2.org/claims and create a claim with the claim URI http://wso2.org/claims/lastPasswordChangedTimestamp and make it ReadOnly. Also uncheck 'Supported By Default'.
9. That's it. During the authentication flow, if the password has expired (the last reset is older than the configured number of days), you will be prompted to reset the password before the login completes.
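To make the decision the second step takes concrete, here is a standalone model of the expiry check, written for this page as an added example; it is not the connector's own code and does not use the Carbon APIs. It assumes the claim is stored as the epoch time in milliseconds (as a string), that a missing, unparsable or future-dated claim value is treated as expired (fail closed), and that a property value of 30 days is used when Authentication.Policy.Password.Reset.Time.In.Days is absent; the properties excerpt and the user records are constructed sample data.

```python
"""Model of the password-expiry decision made by the password-reset-enforcer
step.  Added example, not the connector's own code.  Assumptions: claim value
is epoch milliseconds as a string; missing/invalid/future values fail closed;
30 days is the fallback when the property is not set."""
import time

PROPERTY_NAME = "Authentication.Policy.Password.Reset.Time.In.Days"
CLAIM_URI = "http://wso2.org/claims/lastPasswordChangedTimestamp"
DEFAULT_RESET_DAYS = 30  # assumed fallback, not a documented default
MS_PER_DAY = 86_400_000

# Constructed excerpt of identity-mgt.properties (sample data)
SAMPLE_PROPERTIES = """
# identity-mgt.properties (constructed excerpt)
Identity.Listener.Enable=true
Authentication.Policy.Password.Reset.Time.In.Days=20
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separator."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
    return props


def reset_period_days(props):
    """Read the reset period; reject zero/negative values, which would
    force a reset on every login or never at all."""
    value = props.get(PROPERTY_NAME)
    if value is None:
        return DEFAULT_RESET_DAYS
    days = int(value)
    if days <= 0:
        raise ValueError("%s must be a positive number of days" % PROPERTY_NAME)
    return days


def password_expired(last_changed_claim, reset_days, now_ms=None):
    """True when the enforcer must send the user to pwd-reset.jsp."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if last_changed_claim is None or not str(last_changed_claim).strip():
        return True  # never recorded: fail closed, force a reset
    try:
        last_ms = int(str(last_changed_claim).strip())
    except ValueError:
        return True  # unparsable attribute value: fail closed
    if last_ms > now_ms:
        return True  # future-dated claim (clock skew or tampering): fail closed
    return (now_ms - last_ms) > reset_days * MS_PER_DAY


def evaluate_login(user_claims, props, now_ms=None):
    """Simulate the two-step flow after the 'basic' step has succeeded."""
    days = reset_period_days(props)
    if password_expired(user_claims.get(CLAIM_URI), days, now_ms):
        return "prompt-password-reset"
    return "continue"


def record_password_reset(user_claims, now_ms=None):
    """What the connector does after a successful reset: stamp the claim."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    user_claims[CLAIM_URI] = str(now_ms)
    return user_claims


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    now = 1_700_000_000_000  # constructed 'current' time in ms
    # Constructed user records: one fresh, one stale, one never stamped
    users = {
        "alice": {CLAIM_URI: str(now - 5 * MS_PER_DAY)},
        "bob": {CLAIM_URI: str(now - 25 * MS_PER_DAY)},
        "carol": {},
    }
    for name, claims in users.items():
        print(name, evaluate_login(claims, props, now))
    record_password_reset(users["bob"], now)
    print("bob after reset:", evaluate_login(users["bob"], props, now))
```

Run it as a script to see which constructed users are sent to the reset page with a 20-day policy; the fail-closed branches are the ones to keep in mind when the claim mapping from step 8 is missing or points at an attribute with stray data.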
http://blog.facilelogin.com/2016/02/enforce-password-reset-for-expired.html
Tags:
Identity Server 5.3