Integrating Self Service Password Reset with Access Manager provides single sign-on to your users.For the integration to work, ensure that you are running Access Manager 4.4. SP4 or later.
This integrations allows you to:
Create a proxy service for Self Service Password Reset.
Create Self Service Password Reset as a protected resource in Access Manager.
Provide single sign-on access to the users and administrations.
Provider single sign-on access with OAuth2 tokens.
Use the following information to properly configure Access Manager and Self Service Password Reset to work together.
You can configure Self Service Password Reset as path-based multi-homing or domain based multi-homing proxy service on Access Manager. For more information about these proxy services, see Using Multi-Homing to Access Multiple Resources
in the NetIQ Access Manager Administration Guide.
The following is a list of the values for a sample configuration for path-based multi-homing in Access Manager:
Self Service Password Reset uses path based multi-home. For example: Published DNS Name = intranet.company.com
Specify the port of the web server.
Appliance: 443
Linux: 8443 (Default)
Windows: 8443 (Default)
Specify /Self Service Password Reset
Disable this option.
Specify the Self Service Password Reset web server hostname.
Use the default setting for this option.
Some modules of Self Service Password Reset, such as Forgotten Password and New User Registration must be publicly accessible. To support this, configure URLs as public or restricted by using your proxy or Access Gateway configuration.
For example, assume that Self Service Password Reset is set up so that the user enters the following URL to access:
http://password.example.com/sspr
You can configure the URL to be public or restricted as follows:
URL |
Mode |
---|---|
password.example.com/* |
Public |
password.example.com/sspr/private/* |
Restricted |
password.example.com/sspr/private/admin/* |
Restricted |
password.example.com/sspr/private/config/* |
Restricted |
In the table, you can create a protected resource for the password.example.com/sspr/private/* URL. The /private/* URL includes both the /admin/* and /config/* URLs so you do not have to create three separate protected resources. If you want to restrict access to the /admin/* and /config/* URLs separately, you must create separate protected resources for these URLs and not the /private/* URL.
Though Self Service Password Reset has built-in protection for configuration and administrative pages, configure authorization policy in Access Manager to protect /config and /admin paths to allow only administrators to access these parts of the Self Service Password Reset application.
Self Service Password Reset, by default, performs an HTML form-based authentication when an unauthenticated user tries to access restricted web pages. However, it always uses the basic authorization header if available in the HTTP request. You can configure an Identity Injection policy in Access Manager to perform single sign-on (SSO) to Self Service Password Reset for the authenticated user in the Access Manager Identity Server.
Configure the Identity Injection policy you must enable this policy for restricted URL paths. For more information, see Configuring Protected Resources for Self Service Password Reset.
Configuration |
Value |
---|---|
Action for Identity Injection |
Inject into Authentication Header |
Auth Header – User Name |
Credential Profile (LDAP Credentials: LDAP User DN) |
Auth Header – Password |
Credential Profile (LDAP Credentials: LDAP Password) |
DN Format |
LDAP format (default) |
For more information about Identity Injection policies, see Identity Injection Policies
in the NetIQ Access Manager Administration Guide.
When Access Manager uses a non-password authentication mechanism such as Kerberos or x509 certificates, the user password is not available to use for single sign-on (SSO).
You can configure Self Service Password Reset to accept only the user name during SSO. In this partially authenticated state, users can perform some functions without providing their passwords. For example, the CommandServlet actions can be invoked without any user interaction.However, if users must interact with Self Service Password Reset, such as to change a password or to configure responses, they must provide their passwords before proceeding.
To configure SSO for Self Service Password Reset using Access Manager:
Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.
In the toolbar, click your name.
Click Configuration Editor.
Click Settings > Single Sign On (SSO) Client > HTTP SSO.
In SSO Authentication Header Name, set the value to ssoAuthUsername.
In the toolbar, click Save changes.
In Access Manager, create the following identity injection policy for the Self Service Password Reset protected resources:
Action for Identity Injection: Select the option Injection into Custom Header.
Custom Header Name: Specify ssoAuthUsername.
Value: Select Credential Profile (LDAP Credentials: LDAP User DN).
NOTE:If Self Service Password Reset is using the LDAP directory and Read User Password is enabled (Settings > LDAP > LDAP Settings > NetIQ eDirectory > eDirectory Settings > Read User Passwords), and the LDAP Proxy user has permission to read the user passwords, then the user is not prompted for their passwords when authenticated to Self Service Password Reset by using this method.
DN Format: Select LDAP format (default).
You can provide single sign-on access to Self Service Password Reset with OAuth2 tokens generated in Access Manager. To provide single sign-on access requires configuring components in Access Manager and in Self Service Password Reset. You must understand OAuth2 and Access Manager to complete the integration. For more information, see Implementing OAuth in Access Manager
in the NetIQ Access Manager 4.4 Administration Guide.
Use the following information to perform the steps in Access Manager. For the Self Service Password Reset steps, see Configuring Self Service Password Reset to Access the OAuth2 Application.
You must enable OAuth2 and create an OAuth2 application in Access Manager that Self Service Password Reset uses to obtain the OAuth2 tokens for the users authentications. If you have multiple Identity Provider clusters that you want Self Service Password Reset to reference, you must perform the following steps for each Access Manager Identity Provider cluster
Use the following information to enable OAuth2, create an OAuth2 application, and assign the proper rights in Access Manager.
Choose an attribute to use for Self Service Password Reset to identify the user. The attribute must have a value that uniquely identifies the user when authenticating. Self Service Password Reset reads this attribute value from the user and use it to identify the user in the LDAP directory user store for Self Service Password Reset.
Ensure that you enable OAuth2 in Access Manager.
Log in to the Access Manager Administration Console.
Click Devices > Identity Servers > Edit.
In the Enabled Protocols section, select OAuth & OpenID Connect.
Click OK.
Update the Identity Server.
Ensure that you have a resource server created in Access Manager or create a resource server. For more information, see Adding a Resource Server
in the NetIQ Access Manager 4.4 Administration Guide.
Use an existing scope or create a new scope for the OAuth application with a claim type of User Attributes. This allows Self Service Password Reset to identify the user. The attribute must have a value that uniquely identifies the user when authenticating. Self Service Password Reset reads this attribute value from the user and use it to identify the user in the LDAP directory configured for Self Service Password Reset. For more information, see Defining Scopes for a Resource Server
in the NetIQ Access Manager 4.4 Administration Guide.
Select the identification attribute from the LDAP profile or create a new attribute set that contains the identification attribute you determined in Step 1. This lists the user attributes in the attribute set. For more information, see Configuring Attribute Sets
in the NetIQ Access Manager 4.4 Administration Guide.
(Conditional) Define the global settings. You might have already configured the global settings for other OAuth2 applications. For more information, see Defining Global Settings
in the NetIQ Access Manager 4.4 Administration Guide.
Create an OAuth2 client application.
Click Devices > Identity Servers > Edit > OAuth & OpenID Connect > Client Applications > Register New Client.
Use the following information to create the OAuth2 application.
Specify a name for the application. For example, SSPR.
Select Web Based as the client type.
Specify the Self Service Password Reset URL. For example:
https://sspr.example.com/sspr/public/oauth
Select all of the options except SAML 2.0 Assertion.
Select Always Issue New Token.
Click Register Client.
Record the Client ID and Secret of the newly created client application so you can use them later in the Self Service Password Reset configuration.
Grant administrative roles to an Access Manager administrator.
In the Access Manager Administration Console, click Policies > Policies.
Locate a role policy to use.
or
Create a new role to use. For more information, see Creating Roles
in the NetIQ Access Manager 4.4 Administration Guide.
In the Actions section, select Activate Role, then add the following two roles:
NAM_OAUTH2_DEVELOPER
NAM_OAUTH2_ADMINs
(Conditional) If you created a new policy, click Edit IDP > Roles > Select the new policy > Enable.
Update all Identity Servers with the configuration changes.
In the Access Manager Administration Console, click Identity Servers.
Click Update All to reconfigure all of the nodes in the cluster for the Identity Servers.
View and record the Endpoint URLs for the OAuth2 applications.
Click Devices > Identity Servers > Edit > OAuth & OpenID Connect > Endpoint Summary.
Record the Endpoint URLs to use in the Self Service Password Reset configuration.
Proceed to Configuring Self Service Password Reset to Access the OAuth2 Application to configure Self Service Password Reset to accept the OAuth2 tokens from Access Manager.