8.10 Configuring Self Service Password Reset for Single Sign-On Client

Self Service Password Reset can integrate with different systems to provide a single sign-on (SSO) experience for your users. Self Service Password Reset supports basic authentication (basic auth), HTTP SSO, and OAuth.

8.10.1 Configuring Basic Authentication for Single Sign-On

Self Service Password Reset allows you to use HTTP basic authentication for a single sign-on experience for your users. By default, Self Service Password Reset uses basic authentication.

To configure Basic Authentication:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Single Sign On (SSO) Client > Basic Authentication.

  5. Configure the following Application Security settings:

    Enable Basic Authentication
      Check Enabled to enable basic authentication.

    Force Basic Authentication
      Check Enabled to force basic authentication.

      If Force Basic Authentication is disabled, the system presents the form page to unauthenticated users. If a basic authentication header is present, however, the system always uses it.

  6. In the toolbar, click Save changes.
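The following added example (not SSPR's own code) models how the two settings above decide what an unauthenticated request receives: a valid basic authentication header is used whenever the feature is enabled, a forced setup answers with a challenge otherwise, and everything else gets the form page. The header parser follows RFC 7617 (only the first colon separates user from password). That a header is ignored when basic authentication is disabled is this example's assumption.

```python
"""Added example: decision logic for Enable/Force Basic Authentication (constructed, not SSPR code)."""
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class BasicAuthSettings:
    enabled: bool = True   # "Enable Basic Authentication" (SSPR default)
    force: bool = False    # "Force Basic Authentication"


def parse_basic_credentials(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' header value.

    Returns None when the header is absent, uses another scheme, is not valid
    base64, or lacks the 'user:password' shape. Passwords may contain ':' so
    only the first colon is treated as the separator (RFC 7617)."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def decide_login(settings: BasicAuthSettings, headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Decide how an unauthenticated request is handled.

    Returns one of:
      ("basic", user)      credentials from the header are used
      ("challenge", None)  401 with WWW-Authenticate: Basic (forced basic auth)
      ("form", None)       the normal form page is shown
    """
    creds = None
    if settings.enabled:  # assumption: a header is ignored while the feature is disabled
        creds = parse_basic_credentials(headers.get("Authorization"))
    if creds:
        # When enabled, a present basic authentication header is always used.
        return "basic", creds[0]
    if settings.enabled and settings.force:
        return "challenge", None
    return "form", None


if __name__ == "__main__":
    # Constructed request: "alice" with password "s3cr:et" (note the colon in the password).
    request = {"Authorization": "Basic YWxpY2U6czNjcjpldA=="}
    print(decide_login(BasicAuthSettings(enabled=True, force=False), request))
    print(decide_login(BasicAuthSettings(enabled=True, force=True), {}))
```

The `validate=True` flag makes malformed base64 fail closed instead of being silently decoded; a parser that returns None on anything unexpected is what you want in front of an authentication decision.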

8.10.2 Configuring HTTP for Single Sign-On

Self Service Password Reset allows you to create a single sign-on experience using an HTTP header. Self Service Password Reset uses the HTTP header to log users into an application with a user name automatically.

To configure the HTTP header for single sign-on:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Single Sign On (SSO) Client > HTTP SSO.

  5. Configure the following Application Security settings:

    SSO Authentication Header Name
      Specify the name of the HTTP header that an upstream server sets to identify the already-authenticated user. When this header is present, SSPR logs the user in with that user name alone; no password is required. Because SSPR trusts the value of this header, only the upstream server must be able to set it. SSPR still prompts users for their password to access certain functionality.

  6. In the toolbar, click Save changes.
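The following added example (not SSPR's own code) shows the trust boundary around the header described above from both sides: the upstream server must drop any copy of the header a client sends before setting its own, and the receiving side should honour the header only on connections that come from that upstream server. The header name, addresses and the source-address check are this example's assumptions; network placement or mutual TLS are alternative ways to enforce the same boundary.

```python
"""Added example: protecting a header-based SSO login (constructed, not SSPR code)."""
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed value for the "SSO Authentication Header Name" setting.
SSO_HEADER = "X-Authenticated-User"


def forward_headers(client_headers: Dict[str, str], authenticated_user: Optional[str],
                    sso_header: str = SSO_HEADER) -> Dict[str, str]:
    """Headers the upstream server should pass on to SSPR.

    Any copy of the SSO header arriving from the client is removed (header names
    are case-insensitive, so compare them that way) and the header is set only
    from the upstream server's own authenticated session. A client can therefore
    never pick its own identity by adding the header itself."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != sso_header.lower()}
    if authenticated_user:
        forwarded[sso_header] = authenticated_user
    return forwarded


def resolve_sso_user(headers: Dict[str, str], remote_addr: str, trusted_upstreams: Iterable[str],
                     sso_header: str = SSO_HEADER) -> Optional[str]:
    """Receiving-side check: return the user name from the SSO header, or None.

    The header is only honoured when the connection comes from one of the
    trusted upstream networks (assumed deployment: SSPR is reachable only
    through that upstream server). A direct connection carrying the header
    yields None and falls back to the normal login."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in ipaddress.ip_network(net) for net in trusted_upstreams):
        return None
    for name, value in headers.items():
        if name.lower() == sso_header.lower() and value.strip():
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed client request that tries to smuggle in its own identity.
    from_client = {"Host": "sspr.example.com", "x-authenticated-user": "admin"}
    to_sspr = forward_headers(from_client, authenticated_user="alice")
    print(to_sspr)                                              # only the upstream's value survives
    print(resolve_sso_user(to_sspr, "10.0.0.5", ["10.0.0.0/24"]))       # alice
    print(resolve_sso_user(from_client, "203.0.113.9", ["10.0.0.0/24"]))  # None: not via upstream
```

Running the spoofed request directly through `resolve_sso_user` from a trusted address returns the attacker-chosen name, which is exactly why the stripping in `forward_headers` and the source restriction both have to be in place.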

8.10.3 Configuring OAuth Single Sign-On

Self Service Password Reset allows you to create a single sign-on experience for your users using OAuth. You must have a basic understanding of OAuth to complete the configuration because you must obtain OAuth-specific information from the application to complete the configuration. For more information, see https://oauth.net/2/.

You must gather the following information from the OAuth Identity Server of your application before you can complete the configuration:

  • URL for the OAuth login

  • OAuth code resolve service URL

  • OAuth profile service URL

  • OAuth web server certificate

  • OAuth client ID

  • OAuth shared secret

  • Attribute you want the OAuth server to use to identify the user names

To configure OAuth SSO with the information you gathered:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Single Sign On (SSO) Client > OAuth.

  5. Configure the following Application Security settings:

    OAuth Login URL
      Specify the OAuth server login URL. This is the URL to which the user is redirected for authentication.

      For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/grant

    OAuth Scope
      Specify the optional OAuth scope. The OAuth identity service provider (IdP) provides this value. If a scope is specified, it must include the user attribute to be read for authentication.

      For example, email

    OAuth Token / Code Resolve Service URL
      Specify the OAuth Code Resolve Service URL. The system uses this web service URL to resolve the artifact returned by the OAuth identity server.

      For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/authcoderesolve

    Skip Authorization header in OAuth Code Resolve request
      Check Enabled to skip the Authorization header in the OAuth Code Resolve request.

    OAuth Profile/UserInfo Service URL
      Specify the URL of the web service provided by the identity server that returns attribute data about the user.

      For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes

    OAuth Server Certificate
      Import the certificate of the OAuth web service server.

    OAuth Client ID
      Specify the OAuth client ID. The OAuth identity service provider (IdP) provides this value.

    OAuth Shared Secret
      Specify the OAuth shared secret. The OAuth identity service provider (IdP) provides this value.

      1. Click Store Value.

      2. In Store Password - OAuth Shared Secret, specify the following details:

        • New Password

        • Confirm Password

      3. Click Store Password.

    OAuth User Name/DN Login Attribute
      Specify the attribute to request from the OAuth server that SSPR uses as the user name for local authentication. SSPR resolves this value the same way as if the user had typed it at the local authentication page.

  6. In the toolbar, click Save changes.
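The following added example (not SSPR's or the OAuth server's own code) walks through the exchange these settings describe: redirect to the login URL, resolve the returned code at the code resolve service using the client ID and shared secret, read the profile service, and take the configured login attribute as the user name. The endpoint URLs and scope are the page's examples; the client ID, secret, redirect URI, user data, and the in-process `FakeIdP` are constructed so it runs offline. Standard OAuth parameters (`response_type`, `redirect_uri`, `state`, `grant_type`) are assumed, and the behaviour when the Authorization header is skipped (credentials in the form body) is this example's assumption about what an IdP expects.

```python
"""Added example (not SSPR code): the OAuth authorization-code exchange behind the settings above,
run against a constructed in-process identity server."""
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint URLs are the page's examples; client ID, secret, users and callback are constructed.
BASE = "https://oauthserver.example.com/osp/a/idm/auth/oauth2"
REDIRECT_URI = "https://sspr.example.com/sspr/oauth-callback"


@dataclass
class OAuthSettings:
    login_url: str = BASE + "/grant"                    # OAuth Login URL
    code_resolve_url: str = BASE + "/authcoderesolve"   # OAuth Token / Code Resolve Service URL
    profile_url: str = BASE + "/getattributes"          # OAuth Profile/UserInfo Service URL
    client_id: str = "sspr-client"                      # OAuth Client ID (constructed)
    shared_secret: str = "constructed-shared-secret"    # OAuth Shared Secret (constructed)
    login_attribute: str = "email"                      # OAuth User Name/DN Login Attribute
    scope: str = "email"                                # OAuth Scope
    skip_authorization_header: bool = False             # Skip Authorization header in Code Resolve request


# (method, url, headers, form) -> (status, json body). A real transport would use TLS and
# validate the server against the imported OAuth Server Certificate.
HttpCall = Callable[[str, str, Dict[str, str], Optional[Dict[str, str]]], Tuple[int, dict]]


def build_login_redirect(s: OAuthSettings, state: str) -> str:
    """Step 1: the URL SSPR redirects the browser to; state is a per-session random value."""
    params = {"response_type": "code", "client_id": s.client_id, "redirect_uri": REDIRECT_URI, "state": state}
    if s.scope:
        params["scope"] = s.scope
    return s.login_url + "?" + urlencode(params)


def resolve_code(s: OAuthSettings, code: str, http: HttpCall) -> str:
    """Step 2: trade the returned code for an access token. Client credentials go in a Basic
    Authorization header, or (this example's assumption) in the form body when the header is skipped."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    if s.skip_authorization_header:
        form.update(client_id=s.client_id, client_secret=s.shared_secret)
    else:
        headers["Authorization"] = "Basic " + base64.b64encode(
            f"{s.client_id}:{s.shared_secret}".encode()).decode()
    status, body = http("POST", s.code_resolve_url, headers, form)
    if status != 200 or not body.get("access_token"):
        raise PermissionError(f"code resolve failed: HTTP {status}")
    return body["access_token"]


def fetch_login_name(s: OAuthSettings, access_token: str, http: HttpCall) -> str:
    """Step 3: read the user's attributes and return the configured login attribute."""
    status, body = http("GET", s.profile_url, {"Authorization": "Bearer " + access_token}, None)
    value = body.get(s.login_attribute) if status == 200 else None
    if not value:
        raise PermissionError(f"profile lookup failed: HTTP {status}, attribute {s.login_attribute!r}")
    return value


def complete_login(s: OAuthSettings, callback_url: str, expected_state: str, http: HttpCall) -> str:
    """Handle the redirect back from the IdP: verify state, then run steps 2 and 3."""
    query = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(query.get("state", [""])[0], expected_state):
        raise PermissionError("state mismatch (possible CSRF or replay)")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return fetch_login_name(s, resolve_code(s, code, http), http)


class FakeIdP:
    """Constructed identity server so the exchange runs offline; holds one single-use code."""
    def __init__(self, s: OAuthSettings):
        self.s, self.codes = s, {"code-123": "tok-abc"}
        self.tokens = {"tok-abc": {"email": "alice@example.com", "uid": "alice"}}

    def __call__(self, method, url, headers, form):
        if method == "POST" and url == self.s.code_resolve_url:
            basic = base64.b64encode(f"{self.s.client_id}:{self.s.shared_secret}".encode()).decode()
            ok = headers.get("Authorization") == "Basic " + basic or (
                form.get("client_id") == self.s.client_id
                and hmac.compare_digest(form.get("client_secret", ""), self.s.shared_secret))
            if not ok or form.get("grant_type") != "authorization_code":
                return 401, {}
            token = self.codes.pop(form.get("code", ""), None)  # codes are single-use
            return (200, {"access_token": token}) if token else (400, {})
        if method == "GET" and url == self.s.profile_url:
            profile = self.tokens.get(headers.get("Authorization", "")[len("Bearer "):])
            return (200, profile) if profile else (401, {})
        return 404, {}


def demo(skip_header: bool = False) -> str:
    """Run the whole exchange once and return the resolved login name."""
    s = OAuthSettings(skip_authorization_header=skip_header)
    state = secrets.token_urlsafe(16)
    build_login_redirect(s, state)  # the browser would be sent here and return with a code
    callback = REDIRECT_URI + "?" + urlencode({"code": "code-123", "state": state})
    return complete_login(s, callback, state, FakeIdP(s))
```

`demo()` returns `alice@example.com` because the login attribute is `email`; switching `login_attribute` to `uid` would make the same profile resolve to `alice`. The `state` check is what stops a callback forged or replayed by someone else from completing a login in the victim's session, and the fake server consumes each code once, as a real one should.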