stormpath
Password policy from correct directory not used when resetting password
When a user tries to reset their password, the password policy from the default account store directory is always used, even if that users' account is in a different directory. What this means is that a user can attempt to set a password that doesn't comply with their directory; the site will allow them to attempt this (i.e. client side validation will complete), and they then get a only somewhat helpful error afterwards:
This also means that if there is no default account store, one cannot reset a password.
Hello Matt, thank you for the information. Can you let me know if you are using directories or organizations for your multi-tenant setup? At the moment ID site does not support directory-based multi-tenancy, you would need to use organizations.
Thanks, Robert
