This section discusses the configuration required for the Access Gateway to integrate it with SSPR.
You can configure SSPR as path based multi-homing or domain based multi-homing proxy service on Access Manager. For more information about these proxy services, see Domain-Based Multi-Homing and Path-Based Multi-Homing in the NetIQ Access Manager Access Gateway Guide.
The following table lists the sample configuration for path-based multi-homing setup:
Configuration |
Setup |
---|---|
Proxy service type |
Path based multi-home For example, Published DNS Name = intranet.company.com |
Ports |
SSL port of Web server: 8443 Non-SSL port of Web server: 8080 |
Configured multi-homing path |
/sspr |
Remove path on fill |
Disabled |
Host header |
SPR Web server hostname |
Rewriter configuration |
Default |
Some modules of SSPR, such as Forgotten Password and New User Registration, must be publicly accessible. To support this, configure URLs as public or restricted by using your proxy or Access Gateway configuration.
For example, assume that SSPR is set up so that the user enters the following URL to access:
http://password.example.com/sspr
You can configure the URL to be public or restricted as follows:
URL |
Mode |
---|---|
password.example.com/* |
Public |
password.example.com/sspr/private/* |
Restricted |
password.example.com/sspr/private/admin/* |
Restricted |
password.example.com/sspr/private/config/* |
Restricted |
Though SSPR has built-in protection for configuration and administrative pages, configure authorization policy in Access Manager to protect /config and /admin paths to allow only administrators to access these parts of the SSPR application.
SSPR, by default, performs an HTML form-based authentication when an un-authenticated user tries to access restricted Web pages. However, it always uses the basic authorization header if available in the HTTP request. You can configure an Identity Injection policy in Access Manager to perform single sign-on (SSO) to SSPR for the authenticated user in the Access Manager Identity Server.
Configure the Identity Injection policy for SSPR as follows and enable this policy for restricted URL paths discussed in Configuring Protected Resource for SSPR:
Configuration |
Value |
---|---|
Action for Identity Injection |
Inject into Authentication Header |
Auth Header – User Name |
Credential Profile (LDAP Credentials: LDAP User DN) |
Auth Header – Password |
Credential Profile (LDAP Credentials: LDAP Password) |
DN Format |
LDAP format (default) |
For more information about Identity Injection policies, see Creating Identity Injection Policies in the NetIQ Access Manager Policy Guide.
When Access Manager uses a non-password authentication mechanism such as Kerberos or x509 certificates, the user password is not available to use for single sign-on (SSO).
You can configure SSPR to accept only the username during SSO. In this partially authenticated state, users can perform some functions without providing their password. For example, the CommandServlet actions can be invoked without any user interaction.However, if users need to interact with SSPR, such as to change password or setup responses, they must provide their password before proceeding.
To use this functionality, configure SSPR and Access Manager as follows:
In SSPR, go to Configuration Manager > Settings > Security.
In SSO Authentication Header Name, set the value ssoAuthUsername.
In Access Manager, set the following policy for SSPR protected resources:
Configuration |
Value |
---|---|
Action for Identity Injection |
Inject into Custom Header |
Custom Header Name |
ssoAuthUsername |
Value |
Credential Profile (LDAP Credentials: LDAP User DN) |
DN Format |
LDAP format (default) |
NOTE:If SSPR is using the LDAP directory, and Read User Password is enabled (Settings > NetIQ eDirectory > Read User Passwords), and the LDAP Proxy user has permission to read the user passwords, then the user will not be prompted for their passwords when authenticated to SSPR by using this method.