ArchivesSpace Password Reset Feature

Beginning in ArchivesSpace v3.5.0 there is an optional configuration to enable a password reset function that will allow a staff user to request a password reset via email. This article details which ArchivesSpace accounts that feature applies to as well as how to ensure the feature works for the institutions that elect to enable it.

Info: This feature is disabled by default; enabling it must be requested or approved by a primary, secondary, or security contact at your institution. Please read on for important considerations before requesting to enable this feature.

Warning: It has been observed that email servers using proactive spam/phishing services will invalidate the password reset link if it is clicked from within the password reset email. In these cases, copying and pasting the link directly into a browser address bar should ameliorate the issue. If the first link was already invalidated, you will have to request the password reset again. This issue is not related to your hosting environment here at Atlas.

A detailed bug report on this issue was submitted by Atlas, but the decision by the ArchivesSpace Development Prioritization subgroup was that this issue must be solved locally by a site's individual email provider.

Once enabled, the password reset option appears under the local account sign in fields while a user is logged out of ArchivesSpace:

[Image: Password reset option]

Step 1: Determine whether your account uses Single Sign-On (SSO) authentication

The password reset feature only works for accounts that do not use SSO authentication. This is because the passwords used on SSO accounts are managed by your institutional SSO provider. You cannot reset an SSO password from within ArchivesSpace. For this reason, if you use SSO, you should consider this feature moot for your account.

The admin account (which exists for all instances of ArchivesSpace) is not an SSO account.

It is easy to determine whether you use SSO to log in by navigating to the staff user interface login page:

  • If you log in using a button in the upper right-hand side of the screen, you use SSO authentication and the password reset feature is not applicable to you.
  • If you log in at the center of the screen using the box labeled Please Sign In, you do not use SSO and the password reset feature is applicable to you.

[Image: SSO vs Local Login]

Step 2: Make sure that every active non-SSO user has an email address

The password reset feature asks the user requesting a reset to provide an email address. ArchivesSpace then looks for a user account matching that email address and, on finding one, sends an email with instructions on how to reset the password.

For this reason, the use of the password reset is dependent on there being valid email addresses for all users. Email is not a required field for User records, so chances are high that this information is missing for some or all of your users. The password reset feature will not function for users without valid email addresses in their user accounts.

[Image: User email field]

Please note that if more than one user has the same email address, ArchivesSpace will only send the reset email to the first user found. Any other account using that same email address will not be able to reset their password this way until a unique email address is provided.
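An added example, not part of the original article and not ArchivesSpace's own code: a Python check over an exported user list that flags active local accounts with no email address, a malformed one, or an address shared with another account, which are the cases above where the reset email cannot reach the intended user. The record fields (`username`, `email`, `sso`, `active`) and the sample data are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records. Field names (username, email, sso, active) are
# assumptions for this example, not a documented ArchivesSpace export format.
SAMPLE_USERS = [
    {"username": "admin",    "email": "archives@example.edu",  "sso": False, "active": True},
    {"username": "jdoe",     "email": "Archives@Example.edu ", "sso": False, "active": True},
    {"username": "msmith",   "email": "",                      "sso": False, "active": True},
    {"username": "student1", "email": None,                    "sso": False, "active": True},
    {"username": "kbrown",   "email": "kbrown@example",        "sso": False, "active": True},
    {"username": "lnguyen",  "email": None,                    "sso": True,  "active": True},
    {"username": "retired",  "email": None,                    "sso": False, "active": False},
    {"username": "pchan",    "email": "pchan@example.edu",     "sso": False, "active": True},
]

# Deliberately loose syntax check: something@domain.tld with no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def audit_reset_readiness(users):
    """Return active local accounts that cannot rely on email password reset."""
    report = {"missing": [], "invalid": [], "shared": {}}
    by_email = defaultdict(list)
    for user in users:
        if user.get("sso") or not user.get("active", True):
            continue  # SSO passwords are managed elsewhere; inactive users are out of scope
        email = (user.get("email") or "").strip()
        if not email:
            report["missing"].append(user["username"])
        elif not EMAIL_RE.match(email):
            report["invalid"].append(user["username"])
        else:
            # Case-insensitive comparison is an assumption about how matching
            # behaves; treating these as duplicates is the conservative choice.
            by_email[email.lower()].append(user["username"])
    report["shared"] = {e: names for e, names in by_email.items() if len(names) > 1}
    return report

if __name__ == "__main__":
    result = audit_reset_readiness(SAMPLE_USERS)
    print("No email address:", result["missing"])
    print("Malformed email address:", result["invalid"])
    for email, names in result["shared"].items():
        print(f"Shared address {email}: {names}")
```

Every account listed under a shared address needs its own unique address before the reset feature can be relied on for it.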

Step 4: Provide a 'From' address with Sender Verification

While configuring this functionality, Atlas will ask you for a "from" email address, which the server will use for sending the password reset message.

Our email service, SendGrid, enforces Sender Verification for added security. This means that any "from" address needs to have either its domain authenticated or the inbox itself authenticated via single sender verification. To ensure that emails from your ArchivesSpace server are delivered reliably to recipients' inboxes, we recommend implementing Domain-Based verification with your IT department. For Domain-Based verification, Atlas will provide a link that lists the required DNS CNAME records to create. Once the entries are created, simply reply to let us know and we'll complete the verification. We will communicate with you throughout this process.

Step 5: Use secure passwords for all accounts

ArchivesSpace does not enforce any password complexity on local user account passwords when they are first created. However, when you follow the instructions from the password reset email, you will be prompted to create a new password, and that new password will be subject to improved password complexity enforcement. This is currently the only way that ArchivesSpace enforces any password rules.

Danger: Atlas Systems strongly recommends the use of long, random, and unique passwords for all accounts in this and all applications. Please check with your local IT representatives for any password policies set by your institution.

For questions related to this or any other ArchivesSpace feature, please contact us at support@atlas-sys.com.