This section discusses the configuration required for the Access Gateway to integrate it with Self Service Password Reset.
You can configure Self Service Password Reset as path based multi-homing or domain based multi-homing proxy service on Access Manager. For more information about these proxy services, see Using Multi-Homing to Access Multiple Resources
in the NetIQ Access Manager Administration Guide.
The following is a list of the values for a sample configuration for path-based multi-homing in Access Manager:
Self Service Password Reset uses path based multi-home. For example: Published DNS Name = intranet.company.com
Specify the port of the web server.
Non-SSL: 8080
SSL: 8443
Specify /Self Service Password Reset
Disable this option.
Specify the Self Service Password Reset web server hostname.
Use the default setting for this option.
Some modules of Self Service Password Reset, such as Forgotten Password and New User Registration must be publicly accessible. To support this, configure URLs as public or restricted by using your proxy or Access Gateway configuration.
For example, assume that Self Service Password Reset is set up so that the user enters the following URL to access:
http://password.example.com/sspr
You can configure the URL to be public or restricted as follows:
URL |
Mode |
---|---|
password.example.com/* |
Public |
password.example.com/sspr/private/* |
Restricted |
password.example.com/sspr/private/admin/* |
Restricted |
password.example.com/sspr/private/config/* |
Restricted |
In the table, you can create a protected resource for the password.example.com/sspr/private/* URL. The /private/* URL includes both the /admin/* and /config/* URLs so you do not need to create three separate protected resources. If you want to restrict access to the /admin/* and /config/* URLs separately, you must create separate protected resources for these URLs and not the /private/* URL.
Though Self Service Password Reset has built-in protection for configuration and administrative pages, configure authorization policy in Access Manager to protect /config and /admin paths to allow only administrators to access these parts of the Self Service Password Reset application.
Self Service Password Reset, by default, performs an HTML form-based authentication when an unauthenticated user tries to access restricted web pages. However, it always uses the basic authorization header if available in the HTTP request. You can configure an Identity Injection policy in Access Manager to perform single sign-on (SSO) to Self Service Password Reset for the authenticated user in the Access Manager Identity Server.
Configure the Identity Injection policy you must enable this policy for restricted URL paths. For more information, see Configuring Protected Resources for Self Service Password Reset.
Configuration |
Value |
---|---|
Action for Identity Injection |
Inject into Authentication Header |
Auth Header – User Name |
Credential Profile (LDAP Credentials: LDAP User DN) |
Auth Header – Password |
Credential Profile (LDAP Credentials: LDAP Password) |
DN Format |
LDAP format (default) |
For more information about Identity Injection policies, see Identity Injection Policies
in the NetIQ Access Manager Administration Guide.
When Access Manager uses a non-password authentication mechanism such as Kerberos or x509 certificates, the user password is not available to use for single sign-on (SSO).
You can configure Self Service Password Reset to accept only the user name during SSO. In this partially authenticated state, users can perform some functions without providing their passwords. For example, the CommandServlet actions can be invoked without any user interaction.However, if users must interact with Self Service Password Reset, such as to change a password or to configure responses, they must provide their passwords before proceeding.
To configure SSO for Self Service Password Reset using Access Manager:
In Self Service Password Reset, go to Configuration Manager > Settings > Security.
In SSO Authentication Header Name, set the value to ssoAuthUsername.
In Access Manager, set the following policy for Self Service Password Reset protected resources:
Configuration |
Value |
---|---|
Action for Identity Injection |
Inject into Custom Header |
Custom Header Name |
ssoAuthUsername |
Value |
Credential Profile (LDAP Credentials: LDAP User DN) |
DN Format |
LDAP format (default) |
NOTE:If Self Service Password Reset is using the LDAP directory and Read User Password is enabled (Settings > NetIQ eDirectory > Read User Passwords), and the LDAP Proxy user has permission to read the user passwords, then the user is not prompted for their passwords when authenticated to Self Service Password Reset by using this method.