Disabling Change Password and Forgot Password functionality in FA-IDM


Oracle Fusion Applications (FA) uses Oracle Identity Management (IDM) capabilities to implement the “change password” and “forgot password” functions. These functions, in turn, are built on capabilities provided by Oracle Access Management (OAM) and Oracle Identity Manager (OIM). In development and test environments these functions are frequently seen as redundant, because of the non-production nature of the environments and the tasks performed in them; as such, the change password and forgot password features are typically implemented only in production environments or in environments where production data is replicated.

In this article we explain how to disable these features in environments such as development and test. Some customers have a mandatory requirement not to display the “change password” or the “forgot password” screen on first-time login into FA. The changes proposed in this article are recommended only for non-production environments. In addition, the steps described here must be performed again after an upgrade.

Main Article

FA uses the OAM Single Sign-On (SSO) page as its main login screen, and the “change password” and “forgot password” features are provided on that screen by default. These features are implemented via two configuration files, oam-config.xml and faces-config-self.xml. The steps below outline how to change these files to disable the features.

Note that the product documentation may indicate that the properties manipulated in this article are unused.

How to disable the change password on first login feature

The following screenshot shows how the system looks with the default behavior.

Fig1: Screenshot of first login screen with password link.


The first change is to disable the change password on first login function, which requires you to:

1) Log into the server where IDM is running to edit the configuration files.

2) Go to <OIM_HOME>/server/apps/oim.ear/iam-consoles-faces.war/WEB-INF/faces-config-self.xml

3) Edit the faces-config-self.xml file and remove #{profilePasswordLink} from the values contained in the list entry for the property named welcomeLinks.

4) Go to <OIM_HOME>/server/apps/oim.ear/iam-consoles-faces.war/WEB-INF/lib/OIMUI.jar, download this file to your machine and unzip it as the picture below shows.

5) Remove the entire <category> element related to the change password link:

xml structure

The image above shows 81 lines from Agent.xml (lines 2164-2245); remove the complete “Category” XML element with Id CATEGORY_CHANGE_PWD.

6) Redeploy oim.ear and restart the OIM Server.


Fig5: Screenshot of first login screen without password link.

How to remove the forgot password link

From the FA-IDM solution perspective, there are two different places where the forgot password link must be removed, as you can see in the screenshot below:

1) Go to oam-config.xml (Middleware_Home/user_projects/domains/IDMDomain/config/fmwconfig/oam-config.xml).

2) Set the RegistrationServiceEnabled parameter to FALSE; by default it is set to true, as shown below:

oam-config.xml structure

3) Bounce the OAM Server.



Implementing the “forgot password” and “change password” solution for FA-IDM is a proposition that any business team should consider carefully. With proper planning and an understanding of the various dimensions of these features and of other security features, an organization can discern why, or even whether, it needs to disable or enable them in its FA-IDM solution, or implement them using another IDM solution.

Other useful links:

How To Disable Password Management Functionality In OIM? (Doc ID 1476977.1)


Philipp Grigoryev says:

Great article Thiago, thank you very much for sharing the knowledge!
