6.2 Integrating SSPR with Access Manager

SSPR provides various options for integration with Access Gateways including configurable redirection URLs, servlet command options, support for HTTP basic authentication, and so forth.

Among these configurations, the following two are the most important settings:

  • forwardURL: By default, the user is redirected to the forwardURL site.

  • logoutURL: If the password has been modified and the Logout After Password Change setting is set to True, then the user is redirected to the logoutURL site instead of the forwardURL site.

NOTE: These URLs are configured as part of the SSPR general configuration. However, they can be overridden for any particular session by including the forwardURL or continueURL HTTP parameters on any request during the session.

For more information about other setting options, see Section 3.3, Configuring General Settings.
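
The NOTE above says the configured URLs can be overridden per session through HTTP parameters. The following added example (not part of the SSPR documentation or product) audits request URLs, for instance taken from Access Gateway logs, for such overrides and reports whether each target is an HTTPS URL on an expected host. The ALLOWED_HOSTS allowlist, the /sspr/ path prefix taken from this page's example URLs, the case-insensitive parameter matching, and the sample requests are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts this deployment expects SSPR to redirect to (not from the docs).
ALLOWED_HOSTS = {"intranet.company.com"}
# Parameter names from the NOTE; matched case-insensitively as an audit precaution.
OVERRIDE_PARAMS = {"forwardurl", "logouturl", "continueurl"}

def classify_target(value):
    """Classify one redirect target carried in an override parameter."""
    value = value.strip()
    try:
        target = urlsplit(value)
        host = (target.hostname or "").lower()
    except ValueError:  # e.g. a broken IPv6 literal
        return "malformed"
    if target.scheme or target.netloc:
        # Absolute or scheme-relative (//host/...) target: host must be expected.
        if host not in ALLOWED_HOSTS:
            return "unexpected-host"
        return "ok" if target.scheme.lower() == "https" else "not-https"
    # No scheme and no host: a path on the SSPR site itself, or a bare host name.
    return "ok" if value.startswith("/") else "no-scheme"

def audit_request(request_url):
    """Return (parameter, target, verdict) for each override in an SSPR request URL."""
    parts = urlsplit(request_url)
    if not parts.path.startswith("/sspr/"):  # assumption: SSPR context path
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in OVERRIDE_PARAMS:
            findings += [(name, v, classify_target(v)) for v in values]
    return findings

# Constructed sample requests; the first is the Forgot Password link from section 6.2.3.
SAMPLE_REQUESTS = [
    "/sspr/public/ForgottenPassword?forceAuth=TRUE&logoutURL=https://intranet.company.com/AGLogout",
    "/sspr/private/ChangePassword?passwordExpired=true",
    "/sspr/private/ChangePassword?forwardURL=https%3A%2F%2Fportal.example.net%2F",
    "/sspr/public/ForgottenPassword?logoutURL=http://intranet.company.com/AGLogout",
    "/sspr/private/ChangePassword?forwardurl=//portal.example.net/home",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        for name, target, verdict in audit_request(request):
            if verdict != "ok":
                print(f"{verdict}: {name}={target}")
```

A bare host such as intranet.company.com/AGLogout (the form used in the configuration examples on this page) is reported as no-scheme, so it can be reviewed separately from off-host targets.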

You must force the user to log out from SSPR and Access Manager after a password change operation is completed. Otherwise, users may experience authentication failures and intruder lockout if they continue to use the same Access Manager session. For more information about how to configure this, see Section 4.1, Configuring Change Password.

There are two instances when a user is not immediately redirected to forwardURL:

  • When Check Expiration During Authentication is selected and the user’s password is about to expire. The user is redirected to the Change Password page instead of the forwardURL site. After changing the password, the user is redirected to forwardURL or logoutURL.

  • When Force Setup of Challenge Responses is selected, the user matches the Challenge Response Query Match setting, and the user does not have valid SSPR responses configured. In this case, the user is redirected to the Setup Responses module. After completing the response setup, the user is redirected to forwardURL or logoutURL.

6.2.1 Configuring SSPR Parameters for Access Manager

Configure the following SSPR settings through Configuration Editor:

  • Settings > User Interface > Password Change Message: A custom message that tells users to log in to their portal again after a password change.

  • Settings > Application > Forward URL: Users are forwarded to this URL after completing any activity that does not require a logout, that is, any activity except a password change. For example, intranet.company.com.

  • Settings > Application > Logout URL: The Access Manager logout URL. For example, intranet.company.com/AGLogout

  • Modules > Change Password > Logout After Password Change: Select the check box.

6.2.2 Configuring Password Expiration Servlet

You must configure the Access Gateway to redirect users to SSPR when their password expires. In Access Manager, this option is located at Identity Server > Edit > Local > Contracts > [Contract Name] > Password Expiration Servlet. The administrator can set this URL option to the SSPR Change Password URL.

For example, http://password.example.com/sspr/private/ChangePassword?passwordExpired=true

This URL specifies that if the authenticated user's password has expired and there are grace logins remaining, then the user must be redirected to the SSPR change password portal.

6.2.3 Integrating Forgotten Password URL

Administrators can configure the Access Manager Identity Server login page to include the forgotten password URL for SSPR. On the Identity Server, add the following HTML code in the login.jsp file (/opt/novell/nids/lib/webapp/jsp/login.jsp) above the last two </body></html> tags:

<CENTER> <a href="https://intranet.company.com/sspr/public/ForgottenPassword?forceAuth=TRUE&amp;logoutURL=https://intranet.company.com/AGLogout" target="_top"> Forgot Password - Self Service Password Reset</a></CENTER>