5.5 Configuring Self-Service Registration and Password Management

The Self-Service Registration and Password Management tool (SSRPM) allows you to empower users to register for services and to manage their credentials. It provides selected services from the NetIQ Self-Service Password Reset tool. The Self-Service User Store (SSUS) stores identity and credentials for self-registered user accounts. It is an additional identity source you can use with the appliance.

5.5.1 Enabling a Self-Service User Store

The Self-Service User Store (SSUS) is an internal identity source you can use with the appliance. However, you can use this identity source only after you configure the appliance. The Self-Service User Store cannot be enabled during the initialization process of the appliance. There are no specific requirements to use this service.

A Self-Service User Store provides self-service registration and password management services. After you enable the service, users can immediately begin to self-register on the SSUS Registration page. Self-registered users can then log in and access public applications from the landing page. Policies are required to allow the self-registered users to access private applications.

NOTE: You can enable and activate only one Self-Service User Store.

By default, SSUS requires new users to have a valid email account to create an SSUS account. Users must be able to receive and respond to a verification email.

You can also configure which service options to support for your SSUS users, such as a helpdesk, new user, change password, and forgotten password.

To enable the SSUS service:

  1. Log in with an appliance administrator account to the administration console at https://appliance_dns_name/appliance/index.html.

  2. Drag the Self-Service User Store icon from the Identity Sources palette to the Identity Sources panel.

  3. In the Identity Sources panel, click the new identity source, then click Configure.

  4. On the Configuration tab, decide what options you want presented to your users and helpdesk administrators.

  5. Click OK to enable the Service.

  6. In the System Configuration panel of the administration console, click Apply to activate and start SSUS as a service.

  7. Wait for the SSUS service to be activated and started across all nodes in the cluster.

    In the Appliances panel, the icon on each node of the cluster spins until the service is ready on the node. Do not apply additional changes until this action is complete on all nodes.

    A round green status icon in the lower left corner of the SSUS service icon indicates that the SSUS is configured and its status is healthy.

To allow the self-registered users to access a private application that is enabled for SSUS, continue with Section 5.5.2, Using SSUS as an Authentication Source for an Application.

5.5.2 Using SSUS as an Authentication Source for an Application

The applications are not available for SSUS users until you configure policies that authorize SSUS to be an authentication source for them. All SSUS users receive rights to an application when you assign a policy to the SSUS identity source.

Granting SSUS Users Access to a Private Application

An application can have one or more authorizations for its resources. Each authorization can have one or more appmarks associated with it. (Appmarks are essentially bookmarks for applications. For more information, see Configuring Appmarks for Connectors in the NetIQ CloudAccess Connectors Guide.) You grant access to a private application by mapping one or more of its authorizations to the SSUS role. Users can access all of the appmarks associated with an authorization. You cannot control access at the appmark level.

NOTE: You should map authorizations for SSUS roles (groups) only to single sign-on applications. Do not map them to the SaaS applications with account provisioning (Google Apps, Office 365, or Salesforce). Provisioning is not supported for users in an SSUS identity source. For more information, see Requirements for Provisioning in the NetIQ CloudAccess Connectors Guide.

To create a policy that grants access to an application for SSUS users:

  1. Log in with an appliance administrator account to the administration console at https://appliance_dns_name/appliance/index.html.

  2. Click Policy on the toolbar.

  3. On the Policy Mapping page, select Other Identity Sources from the drop-down list on the left, then select the All SSUS Users role.

  4. On the right, select the SaaS application that you want to use for this policy, and then view its authorizations.

    Some applications have multiple authorization options.

  5. Drag the All SSUS Users role from the left side and drop it on the desired authorization on the right.

    You can also select multiple authorizations under a single application, then drag them from the right and drop them on the All SSUS Users role on the left.

  6. In the Mapping window, review the mapped settings, then click OK to accept the new policy, or click Cancel to back out of the setup.

    You can remove an authorization in the list by selecting it, then clicking the Delete icon.

  7. Under Other Identity Sources, view the Authorization column for the All SSUS Users role to confirm that the Authorization Stamp icon appears.

  8. Under the application on the right, view the Policy column to confirm that the Policy icon appears for the mapped authorization.

  9. The appmarks for each of the mapped authorizations are available to users at their next login.

  10. Repeat Step 4 through Step 9 for each application for which you want to use SSUS as an identity source.

Denying SSUS Users Access to an Application

You can deny access to an application by deleting its SSUS policy. Deleting the policy does not interrupt current sessions. The application is not available to users at their next login.

  1. Log in with an appliance administrator account to the administration console at https://appliance_dns_name/appliance/index.html.

  2. Click Policy on the toolbar.

  3. On the Policy Mapping page, select the Self-Service User Store role from the drop-down list on the left, then select the All SSUS Users role.

  4. In the All Users row, click the Authorization Stamp icon.

  5. In the Edit All Users Mappings window, select the authorization you want to remove, then click Delete. Repeat this action for every authorization that you want to remove.

    A strike-through line is drawn through the entry.

  6. Click OK to accept the modified settings, or click Cancel to back out of the setup.

    The application is not available to users at their next login.

5.5.3 Using the Self-Service User Registration and Password Management Services

After you have configured SSUS and mapped policies, users can self-register for accounts and manage their own credentials. Self-registered users can log in to the landing page for the appliance to access applications.

If you enabled the options during the SSUS configuration, users now see links on the appliance login page to create a new account or a link to reset their password if they have forgotten the password.

The user experience is as follows:

  1. The new user accesses the appliance login page:

    https://appliance_dns_name

  2. The user clicks the link to create a new account.

  3. The user follows the on-screen prompts to create a new account that includes his name, email address, and a password.

  4. After the account is created, the user is prompted to create security questions and answers.

    If the user forgets the account password, the questions and responses are used to verify the user’s identity and allow the user to reset the password.

  5. (Conditional) If the user does not create the security questions and answers now, the user is prompted to create them at the first login. The appliance does not authenticate the user until the security questions and answers are set up.

  6. After the user completes the new account setup, the appliance sends a verification email to the user’s email address. The user responds to verify the account creation.

  7. The user accesses the login page again.

  8. The user logs in with his new user name and password.

  9. The user sees and can access the applications that the policies entitle him to see.

After you enable the Self-Service User Store, the Self-Service User Store login page is available for users. On this page, users can register for the service as a new user, change their password, or reset their forgotten password after answering security questions.

5.5.4 Providing Helpdesk Services for Self-Registered Users

The Self-Service User Store (SSUS) provides a helpdesk service. If a password expires or a self-registered user is locked out of an account, an authorized helpdesk user for the SSUS service can reset the password. The helpdesk user sets a temporary randomized password for the account, and the user is notified of the temporary password by email. The user can then log in with the temporary password and replace it with a password of his own choosing.

Assigning a User to the Helpdesk Role

You must assign a user to the SSUS Helpdesk role to provide helpdesk services for the related self-registered users.

NOTE: You should assign a user from an identity source other than the SSUS source as the helpdesk user.

To assign a user to the SSUS Helpdesk role:

  1. Log in with an appliance administrator account to the administration console at https://appliance_dns_name/appliance/index.html.

  2. Click Roles on the toolbar.

  3. On the Roles page, type the name of a user you want to assign to the Helpdesk role, click Search, then select the name.

  4. Drag the user name from the left side and drop it on the Helpdesk role on the right.

  5. In the Add User to Role window, review the mapped settings, then click OK to accept the new role assignment, or click Cancel to back out of the setup.

  6. After the page refreshes, view the Role column for the user to confirm that the Role icon appears.

  7. Under the Helpdesk role on the right, verify that the authorized user’s name appears.

After you have assigned a user to the SSUS Helpdesk role, the helpdesk user can access the helpdesk tools through the CloudAccess landing page.

Resetting the Password for a Locked Self-Registered User Account

An authorized helpdesk user can use the SSUS Helpdesk service to reset the password for a self-registered user account. Typically, the user needs helpdesk assistance because the account is locked. If the account is not locked, the user can alternatively reset the password by using the Forgotten Password option on the Self-Service Registration login page.

To reset the password for an SSUS account as the authorized helpdesk user:

  1. Log in to CloudAccess using your corporate credentials.

  2. On the landing page, click the Helpdesk icon to go to the Helpdesk page.

  3. On the Helpdesk page, search for an SSUS user account, then click the self-registered user’s name.

  4. On the Password Policy page, view the password policy settings for the user account, then click Change Password.

  5. On the Account Information page, confirm the user’s information, then click Change Password.

  6. In the Random Passwords window, select a password from the list of randomly generated passwords that satisfies the password policy for this account.

    You can click More to choose from additional random passwords.

  7. View the confirmation message with the new password, then click OK.

After the self-registered user receives the temporary password, the user is prompted to reset the password at his next login.

Deleting a Self-Registered User Account

An authorized helpdesk user can use the SSUS Helpdesk service to delete the SSUS account for a self-registered user.

To delete an SSUS account as the authorized helpdesk user:

  1. Log in to CloudAccess using your corporate credentials.

  2. On the landing page, click the Helpdesk icon to go to the Helpdesk page.

  3. On the Helpdesk page, search for the SSUS user whose account you want to delete, then click the self-registered user’s name.

  4. On the Account Information page, confirm the user’s information, then click Delete Account.

  5. Click OK to confirm the account deletion.

5.5.5 Configuring SAML 2.0 Inbound Identity Sources

You can create a custom connector that allows users to authenticate to the CloudAccess appliance through a SAML federated connection. To create this federation, you must create a custom SAML In connector.

To allow the appliance to be a SAML 2.0 service provider, you can create a SAML 2.0 Inbound connector using the Access Connector Toolkit. SAML2 Inbound as an identity source is not available during initialization of the appliance. However, after you export the connector and import it in the appliance, the SAML2 In connector appears as an identity source. You configure an instance of the identity source with information about an appropriate identity provider to enable the service provider functionality of the appliance, and to allow the identity provider to send a SAML token to the appliance using the SAML 2.0 POST profile.

After you configure the SAML2 In identity source, the appliance login page provides a link to the login page of the SAML 2.0 identity provider, located to the left of the user name and password login options. The SAML 2.0 users log in through the identity provider to gain access to the appliance landing page.

For more information, see Creating a SAML 2.0 Inbound (SAML2 In) Connector Template in the NetIQ CloudAccess Connectors Guide.