Forgot Password

Typically, your application would not need to direct a user to reset his or her password. A user would reset it by clicking the Forgot Password link on the NYC.ID Login page. You may want to direct a user to reset his or her password when you are integrating NYC.ID with an existing application that meets the following criteria:

  1. Your application supports SAML, and
  2. your application has enabled authentication via social identity providers, and
  3. a user has authenticated with your application and is attempting to re-authenticate via the Authenticate Web Service v2 or Authenticate Web Service v3, and
  4. a reason of notFound is returned. This indicates that the user authenticated with a social identity provider and does not have a linked NYC.gov account.

Integrating Forgot Password

In the above scenario, your application should send the user to this relative URL to reset his or her password:

GET /account/forgotPassword.htm

For additional functionality, you can include the following optional parameters.

Parameter Name   Parameter Description
fromKiosk        (Deprecated) This parameter is passed to the Create Account page. Learn about Registration.
target           The URI (encoded in Base64) that the user is sent to after completing the forgot password process.
                 The "target" query string parameter must have a domain name of doitt.nycnet, nyc.gov, nycid.nycnet, csc.nycnet, cloudapp.net, hpd.nycnet, nycgovparks.org, finance.nycnet, hpdnyc.org, cs.nycnet, gcomsoft.com, records.nycnet, dcas.nycnet, dhs.nycnet, redcapcloud.com, cityofnewyork.us, dynamics.com, dynamics365portals.us, getinfo.nyc, fdnycloud.org, microsoftonline.com, mkscloud.com, samaritan.com, ivalua.us, sbs.nycnet, communityneeds.nyc, ukrosoft.com.ua, appgeo.com, azurewebsites.net, or gigya.com. Please contact nycidintegration@doitt.nyc.gov to add your domain name to the list of valid domains.
lang             A language code. Learn about Internationalization and Localization for a list of supported language codes. Defaults to en.
emailAddress     The value to display and populate within the Email Address or Username field.
spName           Your application's SAML Service Provider (SP) Metadata name, found in the NYC.ID Console. This value is used to override the Application Brand Banner computed from the "target" parameter. Learn more about Application Brand Banner Logic.

! IMPORTANT: If the "target" parameter isn't specified or is invalid, NYC.ID will send the user to NYC.gov.
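The following is an added example, not NYC.ID's own code: it builds the Forgot Password URL with the optional parameters above and checks the "target" host against the documented allowlist before redirecting, so that an invalid target is caught by your application instead of silently sending the user to NYC.gov. It assumes standard Base64 for "target", that subdomains of an allowed domain (for example app.nyc.gov) are accepted, and that the NYC.ID base URL is supplied by the caller; none of these three points is stated on this page.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Allowed "target" domains, copied from the parameter notes above.
ALLOWED_TARGET_DOMAINS = frozenset({
    "doitt.nycnet", "nyc.gov", "nycid.nycnet", "csc.nycnet", "cloudapp.net",
    "hpd.nycnet", "nycgovparks.org", "finance.nycnet", "hpdnyc.org", "cs.nycnet",
    "gcomsoft.com", "records.nycnet", "dcas.nycnet", "dhs.nycnet", "redcapcloud.com",
    "cityofnewyork.us", "dynamics.com", "dynamics365portals.us", "getinfo.nyc",
    "fdnycloud.org", "microsoftonline.com", "mkscloud.com", "samaritan.com",
    "ivalua.us", "sbs.nycnet", "communityneeds.nyc", "ukrosoft.com.ua", "appgeo.com",
    "azurewebsites.net", "gigya.com",
})


def target_domain_allowed(target_uri: str) -> bool:
    """True if the target is an http(s) URI whose host is an allowed domain or a
    subdomain of one (assumption: subdomains such as app.nyc.gov are accepted)."""
    parts = urlsplit(target_uri)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Label-wise suffix match: 'app.nyc.gov' matches 'nyc.gov', while
    # 'nyc.gov.example.com' and 'notnyc.gov' do not.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_TARGET_DOMAINS)


def forgot_password_url(nycid_base_url: str, target_uri: str, *, lang: str = "en",
                        email_address: str = "", sp_name: str = "") -> str:
    """Build the GET /account/forgotPassword.htm URL with the optional parameters.

    A disallowed target is rejected here: NYC.ID would otherwise ignore it and
    send the user to NYC.gov, which looks like a broken integration to the user.
    """
    if not target_domain_allowed(target_uri):
        raise ValueError(f"target host not on the NYC.ID allowlist: {target_uri}")
    params = {  # assumption: standard (not URL-safe) Base64 for "target"
        "target": base64.b64encode(target_uri.encode("utf-8")).decode("ascii"),
        "lang": lang,
    }
    if email_address:
        params["emailAddress"] = email_address
    if sp_name:
        params["spName"] = sp_name
    return f"{nycid_base_url.rstrip('/')}/account/forgotPassword.htm?{urlencode(params)}"


def decoded_target(forgot_password_link: str) -> str:
    """Reverse the encoding, i.e. recover the target URI from a built link."""
    query = parse_qs(urlsplit(forgot_password_link).query)
    return base64.b64decode(query["target"][0]).decode("utf-8")
```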

When a user visits the Forgot Password page,

  1. the user enters his or her email address or username and clicks the Submit button.
  2. The user will be directed to reset his or her password
    1. via email, or
    2. by answering a security question.
  3. If the user is logged in and has a validated email address, NYC.ID will direct the user to his or her Account Profile.

NOTE: If a user doesn't have security questions and has a username, the user cannot reset his or her password.

Resetting via Email

If the user has an email address,

  1. the user receives an email, which contains a reset password link.
  2. When the user clicks the link, the Reset Password page appears.
    NOTE: The password reset link in the email expires in 72 hours.
  3. The user must enter a new password. If a user's account does not have security questions associated with it, the user will be prompted to select and answer them.
  4. The user clicks the Save Password button.
    ! IMPORTANT: All active OAuth access tokens for the user are revoked. Learn about Mobile.
  5. To return to your application via the URL specified in the "target" parameter, the user clicks the Continue button.

Resetting via Security Questions

If the user does not have an email address,

  1. the user is prompted to answer the security question associated with the user's account.
    ! IMPORTANT: After five consecutive failed attempts to answer the security question, the user must wait fifteen minutes before making another attempt.
  2. When the user clicks the Continue button, the Reset Password page appears.
  3. The user must enter a new password.
  4. The user clicks the Save Password button.
    ! IMPORTANT: All active OAuth access tokens for the user are revoked. Learn about Mobile.
  5. To return to your application via the URL specified in the "target" parameter, the user clicks the Continue button.