Hi folks,
In a roll-out scenario we want to migrate end users into the Litium system.
- We have an email address for each customer.
- We will send out an email like "Welcome. Please sign up on the new Litium site", with the URL xxx.xxx.
We have prepared the system by:
- importing organizations
- importing users with userName == email
- connecting users with organizations
- password NOT set (of course)
We want:
- the user to enter the site
- give their email address (or have it prefilled, since we could pass it through the URL)
- the system to prompt them to set a password
Based on the fact that the email addresses match, and since we think that Litium can send a secure link to the given email, we hope it works.
My question is:
- How should we do this? Should we simply send the users the URL of the forgotten-password page, or should we do it another way? Do we need to set the flag "user must change password at next login"? (But this implies that we need to set a temporary password, which in my opinion is not safe.)
Thanks. Happy day!
/Erik
I found a good way, not far from the initial post. Just sharing it with the community in case anybody wants to re-use the approach.
1. Customer was imported to Litium (whatever integration kit is used).
2. Customer imported; verified in back office. NEED ACTION: we need to set the userMustChangePassword flag.
3. Configure the SMTP settings in web.config (whatever SMTP setting you have; Papercut is a good option for testing).
4. Simulate receiving an email and enter the front-end forgotten-password page.
5. Password sent to the email.
6. Mail received (via Papercut or your production email service).
7. User goes to the Litium login page, using the generated password.
8. User is prompted to create their own password.
I know some projects that know the hashing algorithm that was used in the old system have also migrated the password hash into Litium and stored it on the person object.
They then changed the login function so that if the password check fails, they verify the provided password against the old password hash using the old hashing algorithm, and if that matches, the password in Litium is set for the user based on the provided password. The old password hash is also removed.
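The lazy hash migration described in the reply above, written out as an added example. This is not Litium's code or API: the `Person` record, the `login` function and the field names are hypothetical, the legacy scheme is assumed to be unsalted SHA-1 (a common case in old shops, stated here only as an assumption), and salted PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever password hashing the platform actually uses. The one deliberate design choice beyond the reply: the legacy hash is only consulted while the platform hash is still empty, so a user who has already set a new password (for example through the forgotten-password flow) cannot be logged in with the old one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed legacy scheme (hypothetical): the old system stored unsalted SHA-1 hex digests.
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Stand-in for the platform's own password storage: salted PBKDF2-HMAC-SHA256.
# Iteration count kept moderate for the example; raise it for production use.
PBKDF2_ITERATIONS = 200_000

def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iters$salt$dk' string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_new_hash(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so verification time does not leak matching prefixes
    return hmac.compare_digest(dk.hex(), dk_hex)

@dataclass
class Person:
    """Hypothetical person record: platform hash is empty right after import,
    the migrated legacy hash is cleared after the first successful login."""
    email: str
    password_hash: Optional[str] = None
    legacy_hash: Optional[str] = None

def login(person: Person, password: str) -> bool:
    # 1. Platform hash present: only that counts. The legacy hash is ignored
    #    even if it is still stored, so an old password cannot resurrect itself.
    if person.password_hash is not None:
        return verify_new_hash(password, person.password_hash)
    # 2. No platform hash yet: fall back to the migrated legacy hash.
    if person.legacy_hash is not None and hmac.compare_digest(
            legacy_hash(password), person.legacy_hash):
        # Correct old password: re-hash with the new scheme and drop the weak hash.
        person.password_hash = new_hash(password)
        person.legacy_hash = None
        return True
    return False

def demo() -> Person:
    """Constructed walk-through: migrated user logs in once, gets upgraded."""
    p = Person(email="erik@example.com", legacy_hash=legacy_hash("Summer2019!"))
    login(p, "wrong guess")      # fails, nothing changes
    login(p, "Summer2019!")      # succeeds, legacy hash replaced
    return p

if __name__ == "__main__":
    person = demo()
    print(person.email, "migrated:", person.legacy_hash is None)
```

Note that this only upgrades users who actually log in; anyone who never returns keeps a weak hash in the database, so the migrated legacy hashes should be purged after a cut-off date, after which those users go through the forgotten-password flow instead.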