Password Policy History Check Not Enforced for Password Reset by Administrator

(Doc ID 726094.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Identity - Version: 7.0.4 to 10.1.4 - Release: to 10g
Information in this document applies to any platform.
Checked for relevance on 12-Apr-2010

Symptoms

Oracle Access Manager (OAM) password policy history check is not applied when a user's password is reset by an Administrator user.

Example scenario: a Lost Password plugin is developed for an OAM-protected application. The plugin necessarily connects through IDXML as an administrator user in order to set the new password specified by the user, after the user has correctly answered multiple challenge questions for identity verification. With this plugin the password history is not checked, so the user can reset their password to a password used in the past.

The custom Lost Password plugin is being implemented in order to present the user with multiple challenge-response questions before they are permitted to reset their lost password. OAM release 10.1.4 provides multiple challenge-response functionality for Lost Password Management out of the box. Release 7.0.4 allows configuration of only a single challenge-response question for the out of the box OAM Lost Password Management functionality.
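Because an administrative IDXML reset bypasses the server-side history check, a custom plugin has to enforce reuse prevention itself before it issues the reset. The following is an added illustration, not Oracle's code or the IDXML API; it assumes the plugin keeps its own per-user history of salted password hashes and that `set_password_as_admin` is a caller-supplied wrapper around the administrative IDXML call.

```python
import hashlib
import hmac
import os

# Assumptions (constructed for this example): the plugin stores its own
# history of (salt, pbkdf2 digest) pairs per user; OAM's internal history
# store is not consulted because the admin-level IDXML reset skips it.
HISTORY_DEPTH = 5      # number of previous passwords that may not be reused
ITERATIONS = 50_000    # PBKDF2 work factor for the stored history digests


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (history entries only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def record_password(history: list, password: str) -> None:
    """Append a fresh salted digest and keep only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_DEPTH]


def is_reused(history: list, candidate: str) -> bool:
    """True if the candidate matches any retained previous password."""
    return any(
        hmac.compare_digest(_digest(candidate, salt), digest)
        for salt, digest in history
    )


def reset_password(history: list, new_password: str, set_password_as_admin) -> bool:
    """Plugin-side gate run after the challenge questions succeed.

    set_password_as_admin is the caller's wrapper around the administrative
    IDXML reset (hypothetical). The reset is refused, and the admin call is
    never made, when the new password appears in the retained history.
    """
    if is_reused(history, new_password):
        return False
    set_password_as_admin(new_password)
    record_password(history, new_password)
    return True
```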


Cause
