Self Service Password Reset can integrate with different systems to provide a single sign-on (SSO) experience for your users. Self Service Password Reset supports basic authentication (basic auth), HTTP SSO, and OAuth.
Self Service Password Reset allows you to use HTTP basic authentication for a single sign-on experience for your users. By default, Self Service Password Reset uses basic authentication.
To configure Basic Authentication:
Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.
In the toolbar, click your name.
Click Configuration Editor.
Click Settings > Single Sign On (SSO) Client > Basic Authentication.
Configure the following Application Security settings:
Field | Description |
---|---|
Enable Basic Authentication | Check Enabled to enable basic authentication. |
Force Basic Authentication | Check Enabled to force basic authentication. If it is disabled, then the system presents the form page for unauthenticated users. However, if a basic authentication header is present, the system always uses it. |
In the toolbar, click Save changes.
Self Service Password Reset allows you to create a single sign-on experience using an HTTP header. Self Service Password Reset uses the HTTP header to log users into an application with a user name automatically.
To configure the HTTP header for single sign-on:
Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.
In the toolbar, click your name.
Click Configuration Editor.
Click Settings > Single Sign On (SSO) Client > HTTP SSO.
Configure the following Application Security settings:
Field | Description |
---|---|
SSO Authentication Header Name | Specify the name of the HTTP header that an upstream server uses to log users in to SSPR automatically with only a user name; a password is not required. When this header is used, SSPR prompts users for their passwords to access certain functionality. |
In the toolbar, click Save changes.
Self Service Password Reset allows you to create a single sign-on experience for your users using OAuth. You must have a basic understanding of OAuth because you must obtain OAuth-specific information from the application to complete the configuration. For more information, see https://oauth.net/2/.
You must gather the following information from the OAuth Identity Server of your application before you can complete the configuration:
URL for the OAuth login
OAuth code resolve service URL
OAuth profile service URL
OAuth web server certificate
OAuth client ID
OAuth shared secret
Attribute you want the OAuth server to use to identify the user names
Use the information you gathered to create an OAuth single sign-on experience for your users:
To configure OAuth SSO:
Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.
In the toolbar, click your name.
Click Configuration Editor.
Click Settings > Single Sign On (SSO) Client > OAuth.
Configure the following Application Security settings:
Field | Description |
---|---|
OAuth Login URL | Specify the OAuth server login URL. This is the URL to redirect the user for authentication. For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/grant |
OAuth Scope | Specify the optional OAuth scope. The OAuth identity service provider (IdP) provides this value. The content provided, if any, must contain the user attribute to be read for authentication. For example, email |
OAuth Token / Code Resolve Service URL | Specify the OAuth Code Resolve Service URL. The system uses this web service URL to resolve the artifact returned by the OAuth identity server. For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/authcoderesolve |
Skip Authorization header in Oauth Code Resolve request. | Check Enabled to skip the authorization header in the OAuth Code Resolve request. |
OAuth Profile/UserInfo Service URL | Specify the URL of the web service provided by the identity server to return attribute data about the user. For example, https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes |
OAuth Server Certificate | Import the certificate for the OAuth web service server. |
OAuth Client ID | Specify the OAuth client ID. The OAuth identity service provider (IdP) provides this value. |
OAuth Shared Secret | Specify the OAuth shared secret. The OAuth identity service provider (IdP) provides this value. |
OAuth User Name/DN Login Attribute | Specify the attribute to request from the OAuth server that SSPR uses as the user name for local authentication. SSPR resolves this value the same as if the user had typed the password at the local authentication page. |
In the toolbar, click Save changes.
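The following added example (not SSPR's own code) shows how the OAuth settings above map onto a standard OAuth 2.0 authorization code exchange as defined in RFC 6749, including the two ways of presenting the client ID and shared secret that the Skip Authorization header option chooses between. The client ID, shared secret, return URL and function names are constructed for illustration, and sending the credentials in the form body when the header is skipped is an assumption based on RFC 6749, not a documented SSPR behavior.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample values for the fields in the table above.
CONFIG = {
    "login_url": "https://oauthserver.example.com/osp/a/idm/auth/oauth2/grant",
    "code_resolve_url": "https://oauthserver.example.com/osp/a/idm/auth/oauth2/authcoderesolve",
    "scope": "email",
    "client_id": "sspr-client",         # constructed
    "shared_secret": "example-secret",  # constructed placeholder
}
REDIRECT_URI = "https://dns-name/sspr/oauth-return"  # hypothetical return URL


def build_login_redirect(cfg, redirect_uri):
    """OAuth Login URL: where the browser is redirected. Returns (url, state)."""
    state = secrets.token_urlsafe(16)  # stored in the session, checked on return
    query = {"response_type": "code", "client_id": cfg["client_id"],
             "redirect_uri": redirect_uri, "state": state}
    if cfg.get("scope"):  # OAuth Scope is optional
        query["scope"] = cfg["scope"]
    return cfg["login_url"] + "?" + urlencode(query), state


def extract_code(return_query, expected_state):
    """Accept the returned code only if the state matches the one issued."""
    params = parse_qs(return_query)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    if "code" not in params:
        raise ValueError("no authorization code in response")
    return params["code"][0]


def build_code_resolve_request(cfg, code, redirect_uri, skip_authorization_header=False):
    """Code Resolve Service URL: back-channel POST that redeems the code."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if skip_authorization_header:
        # Credentials go in the form body instead (RFC 6749, section 2.3.1).
        form.update(client_id=cfg["client_id"], client_secret=cfg["shared_secret"])
    else:
        pair = quote_plus(cfg["client_id"]) + ":" + quote_plus(cfg["shared_secret"])
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return {"url": cfg["code_resolve_url"], "headers": headers, "body": urlencode(form)}
```

Comparing the two request shapes against what the identity server's token endpoint accepts helps decide whether the Skip Authorization header option needs to be enabled.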