Changing Passwords with the Authentication Application
Through the Authentication Application, DirX Access enables users to change their passwords, regardless of the repository in which those passwords are stored. This feature can be configured for two main use cases:
Use Cases
Implicit Password Change
The implicit password change use case is "unintentional" from the user’s perspective; when a user attempts to use their standard authentication method, they are conditionally prompted to change their password instead. This scenario can occur in situations such as:
- User password rotation based on enterprise security policy
- Password change requested by the user at the help desk
This process is entirely user-specific. In the user record, either in DXA’s application repository or in an externally managed user repository, a marker attribute indicates that the password for this account must be changed. This marker can be set by an administrator, a help desk operator, an automated process, or similar.
The algorithm for this use case is as follows:
- The user executes any appropriately configured authentication method:
  - If the marker indicates that the password must be changed:
    - The user is redirected to a password-change page.
    - Without completing the password change, no authenticated session can be created for the user.
  - Otherwise, the authentication method is successful, and the user is authenticated.
Configuration
The parameter Enforced for the Password Change authentication method must be set to false.
Explicit Password Change
In contrast to the implicit password change, this use case is "intentional" from the user’s perspective; the user explicitly wishes to change their password and initiates the process themselves. The password change is accessible as a dedicated authentication method from the selection of authentication methods in the Authentication Application.
Depending on whether the password change is linked to an additional authentication method, two scenarios are distinguished:
- Composite Authentication Method: In this scenario, the password change is directly tied to the desired authentication method. This allows the administrator to choose the necessary strength and assurance level of the method (e.g., PKI-only).
- Standalone Password Change: This can only be executed when the user already has an existing authenticated session in DXA.
Configuration
The parameter Enforced for the Password Change authentication method must be set to true.
Password Sources
Passwords can be changed in either DXA’s Application Repository or in a User Repository that is managed outside of DXA.
Regardless of where the password resides, the number of login failures is reset to zero as a byproduct, and the "enforced" flag in the user’s record is set to false. This means that the user can immediately log in using the new password without being forced to change it again.
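The implicit flow described above and the by-products of a password change (failure counter reset, enforced flag cleared) can be modelled in a few lines. The following is an added illustration, not DirX Access code; the `UserRecord` fields, the `Outcome` names and the choice to verify the credential before consulting the marker are assumptions of this model.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SESSION_CREATED = "authenticated session created"
    PASSWORD_CHANGE_REQUIRED = "redirected to password-change page"
    AUTH_FAILED = "authentication failed"


@dataclass
class UserRecord:
    # Constructed model of a user record; field names are assumptions, not DXA attributes.
    name: str
    password: str
    must_change_password: bool = False  # the marker / "enforced" flag from the text
    login_failures: int = 0


def authenticate(user: UserRecord, supplied_password: str) -> Outcome:
    """Implicit use case: run the configured method, then consult the marker.
    Checking the credential before the marker is an assumption of this model."""
    if supplied_password != user.password:
        user.login_failures += 1
        return Outcome.AUTH_FAILED
    if user.must_change_password:
        # No authenticated session is created until the change is completed.
        return Outcome.PASSWORD_CHANGE_REQUIRED
    return Outcome.SESSION_CREATED


def change_password(user: UserRecord, old_password: str, new_password: str) -> bool:
    """Apply the by-products named under Password Sources:
    the login-failure counter is reset to zero and the enforced flag is cleared."""
    if old_password != user.password or not new_password:
        return False
    user.password = new_password
    user.login_failures = 0
    user.must_change_password = False
    return True


def implicit_flow(user: UserRecord, password: str, new_password: str) -> list:
    """Walk one user through the implicit use case and return the observed outcomes."""
    outcomes = [authenticate(user, password)]
    if outcomes[-1] is Outcome.PASSWORD_CHANGE_REQUIRED:
        if change_password(user, password, new_password):
            outcomes.append(authenticate(user, new_password))
    return outcomes
```

A user whose marker is set gets the redirect on the first attempt and a session only after the change; a user without the marker gets a session immediately.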
If the password resides in the User Repository, any changes must be made via the corresponding component managing the user records. This can be done either synchronously (by the DXA Server) or asynchronously (via the user’s client application), utilizing the appropriate callout implementation. The Password Change authentication method contains the callout handler reference parameter for this purpose. Please see the Password Propagation Plug-ins page of the DirX Access Integration Guide for more details about callout handler integration.