9.2 Configuring Self Service Password Reset to Integrate with Access Manager

Self Service Password Reset provides various options for integration with Access Manager including configurable redirection URLs, servlet command options, and support for HTTP basic authentication. The following are important configurations:

9.2.1 Configuring Redirection URLs

The following are two important redirection URLs:

  • forwardURL: By default, the user is redirected to the forwardURL site.

  • logoutURL: If the password has been modified and the Logout After Password Change setting is set to True, then the user is redirected to the logoutURL site instead of the forwardURL site.

NOTE: These URLs are configured as part of the Self Service Password Reset general configuration. However, they can be overridden for any particular session by including the forwardURL or continueURL HTTP parameters on any request during the session.

You must force the user to log out from Self Service Password Reset and Access Manager after a user completes the password change operation. Otherwise, users might experience authentication failures and intruder lockout if they continue to use the same Access Manager session. For more information about how to configure session enforcement, see Configuring the Change Password Module.

The following are two instances when users are not immediately redirected to forwardURL:

  • When Check Expiration During Authentication is selected and the user’s password is about to expire. The user is redirected to the Change Password page instead of the forwardURL site. After changing the password, the user is redirected to forwardURL or logoutURL.

  • When Force Setup of Challenge Responses is selected, the user matches Challenge Response Query Match and the user does not have valid Self Service Password Reset responses configured. In this case, the user is redirected to the Setup Responses module. After completing the response setup, the user is redirected to forwardURL or logoutURL.

9.2.2 Configuring Self Service Password Reset Parameters for Access Manager

You must configure Self Service Password Reset to integrate with Access Manager. The following steps help you define a password policy in Self Service Password Reset that specifies the groups or users that will use Access Manager with Self Service Password Reset.

To configure Self Service Password Reset to integrate with Access Manager:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Add a custom message to notify users about re-logging into their portal after a password change:

    1. Click Policies > Password Policies.

    2. Select the appropriate password policy. If you only have one password policy, click default.

    3. In the Password Change Message field, add the custom message.

    4. In the toolbar, click Save changes.

  5. Add a URL to which users are forwarded after they complete any activity other than a password change:

    1. In the toolbar, click your name.

    2. Click Configuration Editor.

    3. Click Settings > Application > Application.

    4. In the Forward URL option, click Add Value.

    5. Specify the URL where to forward users. For example:

      intranet.company.com

    6. In the Logout URL option, add an Access Manager logout URL.

    7. Click Add Value, then specify the Access Manager logout URL. For example:

      intranet.company.com/AGLogout

    8. In the toolbar, click Save changes.

  6. Enable Self Service Password Reset to log out users after a password change:

    1. In the toolbar, click your name.

    2. Click Configuration Editor.

    3. Click Modules > Authenticated > Change Password.

    4. Enable the Logout After Password Change option.

    5. In the toolbar, click Save changes.

9.2.3 Using Request Parameters

You can specify various parameters on URLs. These parameters are case-sensitive. You can place these request parameters on any link that accesses Self Service Password Reset.

For example, http://password.example.com/sspr/private/ChangePassword?passwordExpired=true&forwardURL=http://www.example.com

| Parameter | Description | Example |
|---|---|---|
| passwordExpired | Setting this parameter makes Self Service Password Reset override the state of the user's password expiration. | passwordExpired=true |
| forwardURL | Sets the forward URL. For example, http://www.example.com/main.html. The value must be URL encoded. | forwardURL=http%3A%2F%2Fwww.example.com%2Fmain.html |
| logoutURL | Sets the logout URL to Self Service Password Reset. The value must be URL encoded. | logoutURL=%2Fsspr |
| locale | When a valid browser locale code is provided, Self Service Password Reset switches to the given locale to display all localized text. | locale=en |

9.2.4 Using a Command Servlet

Command Servlet allows you to redirect a user to Self Service Password Reset and have it perform some specific command. You can use Command Servlet functions during a user's login sequence to a portal or another landing point.

Use Command Servlet functions with a proxy service, Access Gateway, or devices that automatically authenticate users. Otherwise, Self Service Password Reset requires that the user authenticates during each login.

You can combine Command Servlet calls with request parameters such as forwardURL.

The following table lists an example of the user login redirect sequence:

| URL Example | Description |
|---|---|
| http://portal.example.com | Initial request from the browser. |
| http://portal.example.com/Login | Access Gateway redirects the user to the login page. |
| http://portal.example.com/ | Access Gateway redirects the user to the portal root. |
| http://portal.example.com/index.html | Web server redirects the user to index.html. |
| http://password.example.com/sspr/private/CommandServlet?processAction=checkAll&forwardURL=http%3A%2F%2Fportal.example.com%2Fportalpage.html | index.html has a meta redirect to the Self Service Password Reset checkAll CommandServlet with a URL-encoded forwardURL value. |
| http://portal.example.com/portal/main.html | Self Service Password Reset redirects the user to the actual portal URL. |

The index.html file contains the following content:

    <html>
      <head>
        <meta http-equiv="REFRESH" content="0; URL=http://password.example.com/sspr/private/CommandServlet?processAction=checkAll&forwardURL=http%3A%2F%2Fportal.example.com%2Fportalpage.html"/>
      </head>
      <body>
        <p>If your browser doesn't automatically load, click <a href="http://password.example.com/sspr/private/CommandServlet?processAction=checkAll&forwardURL=http%3A%2F%2Fportal.example.com%2Fportalpage.html">here</a>.</p>
      </body>
    </html>

The following table lists various useful commands:

| Command | URL | Description |
|---|---|---|
| checkExpire | http://password.example.com/sspr/private/CommandServlet?processAction=checkExpire | Checks the user's password expiration date. If the expiration date is within the configured threshold, the user is required to change the password. |
| checkResponses | http://password.example.com/sspr/private/CommandServlet?processAction=checkResponses | Checks the user's challenge-responses. If no responses are configured, the user is required to set them up. |
| checkProfile | http://password.example.com/sspr/private/CommandServlet?processAction=checkProfile | Checks the user's profile. If the user's attributes do not meet the configured requirements, Self Service Password Reset requires that the user sets profile attributes. |
| checkAll | http://password.example.com/sspr/private/CommandServlet?processAction=checkAll | Calls checkExpire, checkResponses, and checkProfile consecutively. |
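
The following added example (not part of the product documentation) builds a CommandServlet link with a fully URL-encoded forwardURL, as the request parameter table requires, and checks request URLs for forwardURL, logoutURL, or continueURL overrides that point outside an expected set of hosts. The host allowlist and the sample request URLs are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SSPR_BASE = "http://password.example.com/sspr"   # example host used on this page
COMMANDS = {"checkExpire", "checkResponses", "checkProfile", "checkAll"}
# Parameter names the page says can override the configured redirect targets.
REDIRECT_PARAMS = ("forwardURL", "logoutURL", "continueURL")
# Assumption: hosts this deployment expects users to be sent to (hypothetical).
ALLOWED_REDIRECT_HOSTS = {"portal.example.com", "www.example.com"}


def command_link(action, forward_url=None):
    """Build a CommandServlet link; forwardURL is fully percent-encoded."""
    if action not in COMMANDS:
        raise ValueError(f"unknown processAction: {action!r}")
    params = {"processAction": action}
    if forward_url is not None:
        params["forwardURL"] = forward_url
    # safe="" also encodes ':' and '/', matching the encoded form in the table.
    return f"{SSPR_BASE}/private/CommandServlet?" + urlencode(params, safe="", quote_via=quote)


def redirect_overrides(request_url):
    """Return (parameter, decoded value, verdict) for each redirect override."""
    findings = []
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:  # exact match: parameters are case-sensitive
        for value in query.get(name, []):
            try:
                target = urlsplit(value)
            except ValueError:            # malformed value, treat as unexpected
                target = urlsplit("")
            if value.startswith("/") and not value.startswith(("//", "/\\")):
                verdict = "relative"      # stays on the same host
            elif target.scheme in ("http", "https") and target.hostname in ALLOWED_REDIRECT_HOSTS:
                verdict = "allowed"
            else:
                verdict = "unexpected"    # off-list host, odd scheme, or empty
            findings.append((name, value, verdict))
    return findings


# Constructed sample request URLs, not captured traffic.
SAMPLE_REQUESTS = [
    command_link("checkAll", "http://portal.example.com/portalpage.html"),
    SSPR_BASE + "/private/ChangePassword?passwordExpired=true&logoutURL=%2Fsspr",
    SSPR_BASE + "/private/ChangePassword?forwardURL=http%3A%2F%2Flogin.example.net%2F",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(redirect_overrides(url), url)
```

Run the same check over proxy or web server access logs to find sessions where a request parameter replaced the configured forward or logout URL.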