Ex Libris Identity Service
The following password considerations apply to the Ex Libris Identity Service:
- The password strength cannot be configured.
- The password does not have an expiry date.
- The password locks for 30 minutes after 15 unsuccessful login attempts.
- When a staff user enters a wrong user and password combination on the Alma login page, the error message includes a Forgot password? link, which links to the reset password page. In order to display a Forgot Password option in Primo/PrimoVE, a configuration update is required. For more information, see the knowledge article, How to add a 'Forgot My Password' link to the login page in the new UI when using Alma for authentication.
Identity service labels can be configured in the Internal Login Messages code table. See Configuring Identity Service Labels.
For Alma users, a Reset Password Letter is sent to an individual user by selecting the Reset your password for the identity service option in the Send message drop-down list on the User Details page. The letter is sent to a group of users by running the Update/Notify Users job and selecting the Identity Service mail option in the Send notification to user drop-down list on the job parameters page.
- The new password must be at least eight characters long and cannot include the user name or any commonly used password.
- When the Reset Password letter is sent by the Update/Notify Users job or from the Send Message drop-down list, the link is active for twenty-four hours. When the letter is sent from the Forgot Password? link, it is active for one hour.
- In the Reset Password screen, users are asked to enter their user names or email addresses. If users enter their user names, emails are sent to the users' preferred addresses. If users type in email addresses, the system searches for the specified email addresses and if they are located, uses these email addresses even if they aren't the preferred addresses. If an email address is not located or belongs to more than one user, no email is sent.
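The recipient and link-lifetime rules in the two items above can be modelled as follows. This is an added illustration, not Ex Libris code: the `User` record layout, the trigger names, case-insensitive matching, and sending nothing for an unknown user name are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Link lifetimes stated on this page, keyed by how the letter was triggered.
# The key names are hypothetical labels chosen for this example.
LINK_TTL = {
    "forgot_password_link": timedelta(hours=1),
    "send_message": timedelta(hours=24),
    "update_notify_job": timedelta(hours=24),
}

@dataclass
class User:
    user_name: str
    emails: list          # every address on the user record
    preferred_email: str  # the address flagged as preferred

def resolve_recipient(identifier, users):
    """Return the address the reset letter goes to, or None if no mail is sent."""
    ident = identifier.strip().lower()  # assumption: matching ignores case
    # A user name resolves to that user's preferred address.
    for u in users:
        if u.user_name.lower() == ident:
            return u.preferred_email
    # An email address is used as typed, but only if exactly one user owns it.
    owners = [u for u in users if ident in (e.lower() for e in u.emails)]
    if len(owners) == 1:
        return ident
    return None  # not located, or shared by more than one user

def link_expiry(trigger, sent_at):
    """Time at which a reset link sent at `sent_at` stops being active."""
    return sent_at + LINK_TTL[trigger]

# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    User("asmith", ["a.smith@example.edu", "alice@example.org"], "a.smith@example.edu"),
    User("bjones", ["b.jones@example.edu", "frontdesk@example.edu"], "b.jones@example.edu"),
    User("cdoe", ["c.doe@example.edu", "frontdesk@example.edu"], "c.doe@example.edu"),
]

if __name__ == "__main__":
    for ident in ["asmith", "alice@example.org", "frontdesk@example.edu", "nobody@example.edu"]:
        print(ident, "->", resolve_recipient(ident, SAMPLE_USERS))
    sent = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    print("expires:", link_expiry("forgot_password_link", sent))
```

Two consequences for account hygiene follow from the model: every address stored on a user record is a password-reset channel, not only the preferred one, and users who share a mailbox address cannot reset by entering that address.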
For more information on logging into Alma, see Logging Into and Out of the User Interface.
Multi Factor Authentication (MFA)
This feature requires the mfa_for_alma_hep parameter to be enabled (see User Settings).
It is possible to configure Alma to recommend (or enforce) the use of multi-factor authentication (MFA).
Recommending MFA
This requires the mfa_for_alma_hep parameter to be set to "suggest" (see User Settings).
- When logging in for the first time after setting the mfa_for_alma_hep parameter to "suggest", the user is prompted with the regular username and password.
- After logging in, a message appears recommending that the user enable multi-factor authentication.
- The user can ignore the message or cancel it using the X button, or they can select Enable.
- If the user selects Enable, a message appears prompting the user to Ignore or Confirm. This message includes the user's email address(es) to which the login link will be sent.
- If the user selects Confirm, the next time they log in, a login link is sent to their email address(es) and a message appears letting them know that the link was sent.
If the user selects Ignore, the MFA recommendation message will keep displaying each time the user logs in.
- The message will appear from now on, each time the user logs in (after validating their user name and password).
- The link is active for one hour. Activating the link directs the user to the product home page.
- The user can also enable/disable MFA from the User Management Information page at Admin > Manage Users > Staff > User Management Information.
Forcing MFA
This requires the mfa_for_alma_hep parameter to be set to "force" (see User Settings).
- After setting the mfa_for_alma_hep parameter to "force", all users will be required to authenticate with MFA.
- When logging in, the users will be prompted with the regular username and password authentication.
- Before entering the product (from the login page), a link will be sent to the user's email and a message appears.
- The link is active for one hour. Activating the link directs the users to their product home page.
With the mfa_for_alma_hep parameter set to "force", there is no way to turn off the MFA flow for a specific user.