9.3 Additional Integration Options with Access Manager

Access Manager provides many different access solutions, and you can integrate many aspects of Access Manager with Self Service Password Reset, and vice versa. The following sections describe some common use-case configurations. All of these use cases are optional.

9.3.1 Integrating the Forgotten Password Module with Access Manager

Self Service Password Reset contains many different modules that provide different functionality. You can integrate the Forgotten Password module with Access Manager so that the Forgotten Password link appears on the User Portal page.

To add the Forgotten Password link to the User Portal page, you must perform configuration steps in Self Service Password Reset and in Access Manager.

Configure Self Service Password Reset Forgotten Password Module to Work with Access Manager

For Access Manager users to see the Forgotten Password link on the User Portal page, you must first ensure that you configure the Forgotten Password module. For more information, see Configuring Forgotten Password Module.

You must also add the Access Manager logout URL to the redirect whitelist in Self Service Password Reset.

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Security > Web Security > Redirect Whitelist.

  5. Click Add Value, then specify the Access Gateway logout URL. For example:

    https://intranet.yourcompany.com/AGLogout

  6. Click OK, then in the toolbar, click Save changes.

Configuring Password Expiration Servlet in Access Manager

To allow your Access Manager users to use the Forgotten Password link on the user portal in Access Manager, you must configure the Access Gateway to redirect users to Self Service Password Reset when their password expires.

  1. Log in to the Access Manager administration console.

  2. Click the identity server cluster you want to modify.

  3. Click Local > Contracts > Contract Name > Password Expiration Servlet.

    Select the type of contract you are using in your Access Manager environment.

  4. Set the URL option to the Self Service Password Reset Change Password URL. For example:

    http://password.example.com/sspr/private/changepassword?passwordExpired=true

  5. Click OK twice, then click Close.

This URL specifies that if the authenticated user's password has expired and there are grace logins remaining, then the user must be redirected to the Self Service Password Reset change password portal.

Integrating the Forgotten Password URL

You can configure the Access Manager user portal page to include the Forgotten Password URL for Self Service Password Reset. On the Identity Server, add the following HTML code in the login.jsp file (/opt/novell/nids/lib/webapp/jsp/login.jsp) above the last two </body></html> tags:

<CENTER> <a href="https://intranet.company.com/sspr/public/forgottenpassword?forceAuth=TRUE&logoutURL=https://intranet.company.com/AGLogout" target="_top"> Forgot Password - Self Service Password Reset</a></CENTER>
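The following pre-deployment check is an added example, not part of the product or its documentation: it verifies that the logoutURL carried by the login.jsp link is also an entry in the Redirect Whitelist, and that the URLs from both procedures use HTTPS. The function name, the exact-match whitelist comparison, and the sample inputs (constructed from the example values on this page) are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

FORGOT_PATH = "/sspr/public/forgottenpassword"  # path used in the page's link


def audit_integration(jsp_snippet, redirect_whitelist, expiration_url):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    hrefs = [html.unescape(h) for h in re.findall(r'href="([^"]*)"', jsp_snippet)]
    links = [h for h in hrefs if FORGOT_PATH in h]
    if not links:
        findings.append("no Forgotten Password link found")
    for href in links:
        # Whitespace inside the href (for example after "?") corrupts the query.
        if re.search(r"\s", href):
            findings.append("href contains whitespace")
        parts = urlsplit(href)
        if parts.scheme != "https":
            findings.append("Forgotten Password link is not https")
        logout = parse_qs(parts.query).get("logoutURL", [None])[0]
        if logout is None:
            findings.append("link has no logoutURL parameter")
            continue
        if urlsplit(logout).scheme != "https":
            findings.append("logoutURL is not https")
        # Assumption: whitelist entries are compared as exact strings.
        if logout not in redirect_whitelist:
            findings.append(f"logoutURL not in Redirect Whitelist: {logout}")
    if urlsplit(expiration_url).scheme != "https":
        findings.append("Password Expiration Servlet URL is not https")
    return findings


# Constructed inputs that reuse the example values shown on this page.
SNIPPET = ('<CENTER><a href="https://intranet.company.com/sspr/public/'
           'forgottenpassword?forceAuth=TRUE&logoutURL='
           'https://intranet.company.com/AGLogout" target="_top">'
           'Forgot Password</a></CENTER>')
WHITELIST = ["https://intranet.yourcompany.com/AGLogout"]
EXPIRATION_URL = ("http://password.example.com/sspr/private/"
                  "changepassword?passwordExpired=true")

if __name__ == "__main__":
    for finding in audit_integration(SNIPPET, WHITELIST, EXPIRATION_URL):
        print("FINDING:", finding)
```

Run against the page's own sample values, it reports that the whitelist example and the link example use different hosts, and that the Password Expiration Servlet example uses http://.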

9.3.2 Deleting User Accounts in Access Manager from the Delete Account Module

Self Service Password Reset allows you to integrate further with Access Manager by deleting user account information from Access Manager when users delete their own accounts using the Delete Account module. For more information, see Configuring the Delete Account Module to Delete Accounts from Integrated Products.

9.3.3 Creating Accounts for Social Users in Self Service Password Reset Using the New User Registration Module

Access Manager allows users to use their social networking accounts to log in and access resources. The Access Manager configuration for protected resources determines what the users can access. You must have Access Manager configured to support social logins for this to work. For more information, see Social Authentication in the NetIQ Access Manager 4.4 Administration Guide.

Self Service Password Reset usually does not allow new users to access resources without specifying a password. However, Self Service Password Reset allows you to bypass the password requirement and redirect the users (behind the scenes) back to Access Manager to access any protected resources defined in Access Manager.

To configure the New User Registration module to allow social logins:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Public > New User Registration > New User Profiles.

  5. Create a new profile for the group of users you want to allow to log in with social networking identities.

    1. In the New User Form section, change the mail field from email to text to allow Self Service Password Reset to accept hyphens and colons as part of the email address.

      Salesforce accounts contain hyphens and Google uses colons when passing information through OAuth for single sign-on.

    2. Disable Prompt User for Password. This allows the social users to log in using their social identities without creating a new password.

    3. In the After Registration Redirect URL field, specify the Access Manager URL where you want the users redirected to access the protected resources.

      You must specify http:// or https:// in the field; otherwise, the value is appended to the Self Service Password Reset site URL. This field supports macros. For more information, see Configuring Macros for Messages and Actions.

    4. Define the remaining options using the embedded help.

  6. In the toolbar, click Save changes.

9.3.4 Adding the Device Management Link to the Update Profile Page

Access Manager allows users who have MobileAccess installed to manage their own devices if the devices are ever lost or stolen. Self Service Password Reset allows you to add a link to the Access Manager manage devices page. This gives the users one location from which to perform multiple tasks. It simplifies the user’s experience and adds another point of integration between Self Service Password Reset and Access Manager. For more information about MobileAccess, see Enabling Mobile and Web Access in the NetIQ Access Manager 4.4 Administration Guide.

To add a custom link to the Update Profile page:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Authenticated > Update Profile > Update Profile Profiles > default or the profile you have created for the Access Manager users.

  5. In the Custom Links field, click Add Item, then use the following information to define the custom link to add to the Update Profile page.

    1. Specify a descriptive name that appears in LDAP for the new custom link. For example, devices.

      NOTE: This field cannot accept any special characters, including spaces, underscores, or hyphens.

    2. Click Options to define the link.

    3. Add a description to the link for your users by:

      1. In the Description field, click the edit icon.

      2. Specify a name for the link that appears on the Update Profile page for the users.

      3. (Optional) Click Add Locale, then select the correct language for your users.

      4. Click OK to save the description.

    4. In the Link URL field, specify the custom link where you want to redirect the users.

    5. (Optional) Select whether you want the link to open in a new window.

    6. Click OK to save the changes.

  6. Click Save changes in the toolbar to have this take effect.

Users can now access the new link on the Update Profile page. You can add as many different links as required for your users.