10.1 Configuring Access Gateway for Self Service Password Reset

10.1.1 Configuring Proxy Service for Self Service Password Reset

You can configure Self Service Password Reset as a path-based or domain-based multi-homing proxy service on Access Manager. For more information about these proxy services, see Using Multi-Homing to Access Multiple Resources in the NetIQ Access Manager Administration Guide.

The following values show a sample path-based multi-homing configuration in Access Manager:

Proxy service type: Self Service Password Reset uses path-based multi-homing. For example: Published DNS Name = intranet.company.com

Ports: Specify the ports of the web server.

  • Non-SSL: 8080

  • SSL: 8443

Configured multi-homing path: Specify /Self Service Password Reset

Remove path on fill: Disable this option.

Host header: Specify the Self Service Password Reset web server hostname.

Rewriter configuration: Use the default setting for this option.

10.1.2 Configuring Protected Resources for Self Service Password Reset

Some modules of Self Service Password Reset, such as Forgotten Password and New User Registration, must be publicly accessible. To support this, mark URLs as public or restricted in your proxy or Access Gateway configuration.

For example, assume that Self Service Password Reset is set up so that users access it by entering the following URL:

http://password.example.com/sspr

You can configure the URL to be public or restricted as follows:

URL                                          Mode
password.example.com/*                       Public
password.example.com/sspr/private/*          Restricted
password.example.com/sspr/private/admin/*    Restricted
password.example.com/sspr/private/config/*   Restricted

As the table shows, a single protected resource for password.example.com/sspr/private/* is enough: the /private/* pattern already covers the /admin/* and /config/* paths beneath it, so you do not need three separate protected resources. If you want to restrict access to /admin/* and /config/* separately, create separate protected resources for those URLs instead of the single /private/* resource.

Although Self Service Password Reset has built-in protection for its configuration and administrative pages, also configure an authorization policy in Access Manager on the /config and /admin paths so that only administrators can reach these parts of the Self Service Password Reset application.
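The following is an added example, not part of this guide or of Access Manager itself: a small matcher that resolves constructed sample URLs against the protected-resource table above, using longest-pattern-wins for overlapping rules. It shows why the single /private/* resource covers /admin/* and /config/*, and what changes when those paths get their own resource with an administrators-only policy (the policy name and the sample URLs are assumptions).

```python
from urllib.parse import urlsplit

# Constructed protected-resource tables: (URL pattern, mode, authorization policy).
# MINIMAL is the two-resource setup the text recommends; SPLIT adds separate
# /admin/* and /config/* resources carrying an assumed administrators-only policy.
MINIMAL = [
    ("password.example.com/*", "Public", None),
    ("password.example.com/sspr/private/*", "Restricted", None),
]
SPLIT = MINIMAL + [
    ("password.example.com/sspr/private/admin/*", "Restricted", "administrators-only"),
    ("password.example.com/sspr/private/config/*", "Restricted", "administrators-only"),
]

SAMPLE_URLS = [  # constructed requests, not documented application paths
    "http://password.example.com/sspr/forgottenpassword",
    "https://password.example.com:8443/sspr/private/admin/users",
    "https://password.example.com/sspr/private/config/editor",
    "http://password.example.com/sspr/privateer",
]

def host_path(url):
    """Reduce a request URL to 'host/path'; scheme, port and query are ignored."""
    u = urlsplit(url)
    return f"{u.hostname}{u.path or '/'}"

def matches(pattern, hp):
    """A trailing '/*' matches the base path itself and anything below it, but only
    on a path-segment boundary, so /private/* does not match /privateer."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return hp == base or hp.startswith(base + "/")
    return hp == pattern

def resolve(url, resources):
    """Return the most specific (longest-pattern) matching resource, or None."""
    hp = host_path(url)
    hits = [r for r in resources if matches(r[0], hp)]
    return max(hits, key=lambda r: len(r[0])) if hits else None

def coverage(urls, resources):
    """Map each URL to the (mode, policy) it ends up under for a given table."""
    out = {}
    for u in urls:
        r = resolve(u, resources)
        out[u] = (r[1], r[2]) if r else ("NO MATCH", None)
    return out
```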

10.1.3 Configuring Single Sign-On to Self Service Password Reset

By default, Self Service Password Reset performs HTML form-based authentication when an unauthenticated user requests a restricted web page. However, if the HTTP request carries a Basic authorization header, it always uses that header instead. You can therefore configure an Identity Injection policy in Access Manager so that a user who has authenticated to the Access Manager Identity Server is signed on to Self Service Password Reset automatically (single sign-on, SSO).

When you configure the Identity Injection policy, enable it for the restricted URL paths. For more information, see Configuring Protected Resources for Self Service Password Reset.

Configuration                  Value
Action for Identity Injection  Inject into Authentication Header
Auth Header – User Name        Credential Profile (LDAP Credentials: LDAP User DN)
Auth Header – Password         Credential Profile (LDAP Credentials: LDAP Password)
DN Format                      LDAP format (default)

For more information about Identity Injection policies, see Identity Injection Policies in the NetIQ Access Manager Administration Guide.

10.1.4 Configuring Single Sign-On to Self Service Password Reset When Password Is Not Available

When Access Manager uses a non-password authentication mechanism such as Kerberos or X.509 certificates, the user's password is not available for single sign-on (SSO).

You can configure Self Service Password Reset to accept only the user name during SSO. In this partially authenticated state, users can perform some functions without providing their passwords. For example, the CommandServlet actions can be invoked without any user interaction. However, if users must interact with Self Service Password Reset, such as to change a password or to configure responses, they must provide their passwords before proceeding.

To configure SSO for Self Service Password Reset using Access Manager:

  1. In Self Service Password Reset, go to Configuration Manager > Settings > Security.

  2. In SSO Authentication Header Name, set the value to ssoAuthUsername.

  3. In Access Manager, set the following policy for Self Service Password Reset protected resources:

    Configuration                  Value
    Action for Identity Injection  Inject into Custom Header
    Custom Header Name             ssoAuthUsername
    Value                          Credential Profile (LDAP Credentials: LDAP User DN)
    DN Format                      LDAP format (default)

NOTE: If Self Service Password Reset is using the LDAP directory and Read User Password is enabled (Settings > NetIQ eDirectory > Read User Passwords), and the LDAP Proxy user has permission to read the user passwords, then the user is not prompted for a password when authenticated to Self Service Password Reset by using this method.
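As an added example covering both the Authentication Header policy (Configuring Single Sign-On) and the ssoAuthUsername custom-header policy above, this code is not part of the guide or of either product: it builds the two kinds of injected headers as a gateway would and simulates the precedence the text describes (Basic header used whenever present, otherwise the SSO user name header gives a partially authenticated session, otherwise the login form). The action table and the DN values are constructed assumptions.

```python
import base64

# Header name configured in Settings > Security (step 2 above).
SSO_HEADER = "ssoAuthUsername"

def _without(headers, name):
    """Drop every case-variant of a header so the gateway's value is the only one
    the application sees (a client-supplied copy must never pass through)."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}

def inject_basic_auth(headers, user_dn, password):
    """Gateway side of the Authentication Header policy: LDAP DN and password."""
    token = base64.b64encode(f"{user_dn}:{password}".encode("utf-8")).decode("ascii")
    return {**_without(headers, "Authorization"), "Authorization": f"Basic {token}"}

def inject_custom_header(headers, user_dn):
    """Gateway side of the Custom Header policy: LDAP DN only, no password."""
    return {**_without(headers, SSO_HEADER), SSO_HEADER: user_dn}

def classify(headers):
    """Simulated application-side evaluation, returning (state, user):
    'full' from a Basic header, 'partial' from the SSO user name header,
    'form' when neither is usable. Header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return ("form", None)
        user, _, pwd = raw.partition(":")
        return ("full", user) if user and pwd else ("form", None)
    user = h.get(SSO_HEADER.lower())
    return ("partial", user) if user else ("form", None)

# Constructed action table: per the text, CommandServlet actions need no password,
# while changing a password or setting up responses does.
PASSWORD_REQUIRED = {"commandservlet": False, "changepassword": True, "setupresponses": True}

def permitted(state, action):
    """Whether a session in `state` may run `action` without a password prompt."""
    if state == "full":
        return True
    if state == "partial":
        return not PASSWORD_REQUIRED.get(action, True)
    return False
```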