Access Manager supports any password management service that works with your user store. For an implementation example, see Configuring Access Manager for UserApp and SAML.
Configure the following options:
When you define the URL for the password service on the Contracts page, you can use the following optional tags in the parameter definitions of the URL. Use parameter names that are understood by the service you have selected to use. Identity Server does not need to understand these parameters, but the password expiration service needs to understand them.
The following table lists common parameters. Your service might not use these and require others.
|
Parameter |
Description |
|---|---|
|
<USERID> |
Provides the DN of the user with a password that is expired or expiring. |
|
<STOREID> |
Provides the name of the user store that authenticated the user before redirecting the user to the password expiration service. |
|
<RETURN_URL> |
Provides the URL at Identity Server to which the user can be redirected after the password service completes. |
|
action=expire |
Causes the password expiration service to act as though the user’s password policy is set to allow the user to reset the password even though the user’s policy might be set to show the user a hint. The user sees the page to create a new password rather than seeing a hint for an existing password. |
Example:
https://someservice.com/path/password?user=<USERID>&store=<STOREID> &returl=<RETURN_URL>&action=expire
NOTE:If you copy this text, ensure to remove the white space between <STOREID> and &returl.
Identity Server fills in these values, which results in the following URL:
https://someservice.com/path/password?user=joe.novell&store=userstore1& returl=https://myidp.com/nidp/idff/sso&action=expire
The password service can also include parameters on the return URL sent to Identity Server. Identity Server understands the following parameter:
|
Parameter |
Description |
|---|---|
|
forceAuth=TRUE |
When a user is returned to Identity Server, this parameter forces the user to authenticate with the new password. This eliminates the possibility of an old password being used in an Identity Injection policy. |
The following example sends this parameter with https://testnidp.novell.com:8443 as the base URL of Identity Server:
<form id="externalForm" action='https://testnidp.novell.com:8443/nidp/idff/sso?sid=0&id=117&forceAuth=TRUE' method="post">
When a user is redirected to the password management service URL because of an expired password, the POST data in that redirect contains sid=<> and id=<> values as part of the value used for Identity Server return URL.
If you specify a password service and do not specify a value for the number of grace logins in eDirectory, the contract redirects to the password management service only when the grace login count has reached 0 and the password has expired.
Identity Server needs to read the value of the grace login attribute to properly redirect to the password management servlet. If restricting grace logins is not important to your security model, enable grace logins and set the maximum to 9999 (the equivalent of infinite in most environments). For more information, see TID 3465171.
A user’s password does not expire and grace logins are not decremented in the following setup:
Identity Server is configured to act as a service provider
User identification is configured to allow federation
Federation is set up with SAML 2.0, Liberty, or WS Federation protocols
The password expiration service is not called because the user is not using a password for authentication. The service can only be called when the user’s account is defederated. After the user defederates the account and logs in, a password is required and the service is called.
When an Active Directory user with an expired password logs in to an authentication contract with a Password Expiration servlet configured, the user is redirected to the password management URI. If the Password Management portal is protected by Access Manager, the user is prompted again for authentication and is not permitted to login as the user password has expired.
If you want the user to be redirected to Password Management Servlet, perform the following steps:
Click Devices > Identity Servers > Edit > Local > Methods.
Select the authentication method, which is used by the contract where Password Management Servlet is configured.
Add the following property for the method used by contract with Password Expiration servlet:
Property Name = ExpiredCheck
Property Value = true
Go to Identity Servers > Edit > Local > Contracts.
Click the associated contract > Options > New.
Select AUTHENTICATE WITH EXPIRED PASSWORD in Property Type and true in Property Value.
Click OK > Apply.
Update Identity Server.