ForceAuth parameter not working as expected after changing user password

  • 7003421
  • 02-Jun-2009
  • 26-Apr-2012

Environment


Novell Access Manager 3.1 Linux Access Gateway

Situation

Identity injection was configured to inject the user's username and password into every request to a protected back-end web server. When a user's password is changed, the administrator used the forceAuth=TRUE parameter to ensure that the credentials supplied by identity injection would reflect the change. The forceAuth parameter is documented at

https://www.novell.com/documentation/novellaccessmanager31/adminguide/index.html?page=/documentation/novellaccessmanager31/adminguide/data/bi0p4aq.html#bi4be0w

After making the changes, a user logged in and accessed a protected resource. Whilst still logged in, the user changed their password and then accessed the IDP with the following URL:

https://idp.example.com:8443/nidp/idff/sso?id=SecNamePwdForm&forceAuth=TRUE

where https://idp.example.com:8443/nidp is the base URL of the IDP server, and SecNamePwdForm is the logical name of the authentication card on the contract assigned to the protected resource.

Note that the URL above is also the value generated by <RETURN_URL> plus the forceAuth parameter. When the IDP is accessed with this URL, it does prompt the user to re-authenticate, on a screen distinctly different from the normal login page.

However, when a protected resource using identity injection is then accessed, the old password continues to be injected. The administrator was using "Credential Profile":"LDAPCredentials:LDAP Password" as the injection source. Unlike "LDAP Attributes", this source has no setting that controls how often its values are refreshed, so the password cached at login is reused for the life of the session.

Resolution

On the Linux Access Gateway, execute the "touch /var/novell/.PasswordMgmt" command, and then restart the proxy using "/etc/init.d/novell-vmc restart". From that point on, the Access Gateway refreshes the credentials held for the session if and when the Password Management servlet is invoked, so a password change followed by the forceAuth=TRUE re-authentication results in the new password being injected.
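To confirm the symptom before the fix and the refresh after it, it helps to have a back-end that reports which credential the Access Gateway actually injected, without writing the password to a log. The following canary server is an added example for this article, not code from Novell or from Access Manager. It assumes identity injection is configured to place the username and password in the HTTP Authorization header as a Basic credential (the injection target is not stated above), that a test protected resource can be pointed at this server on port 8081, and that the expected new password is passed on the command line; the sample header values at the bottom are constructed, not captured from a real gateway.

```python
"""Canary back-end for checking which password Identity Injection sends.

Point a test protected resource at this server, log in, change the
password, re-authenticate with forceAuth=TRUE, then request the resource
again. The log line shows NEW, STALE or NONE; the password itself is
never written, only a truncated SHA-256 fingerprint.
"""
import base64
import binascii
import hashlib
import hmac
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None if the header is absent, not Basic, or malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: split on the first colon only, so passwords may contain ':'
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def fingerprint(secret):
    """Short, non-reversible tag so the log never contains the password."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def classify(header_value, expected_password):
    """'NEW' if the injected password equals the expected (new) password,
    'STALE' if a different password arrived, 'NONE' if no usable Basic
    credential was present."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return "NONE"
    _, password = creds
    same = hmac.compare_digest(password.encode("utf-8"),
                               expected_password.encode("utf-8"))
    return "NEW" if same else "STALE"


class CanaryHandler(BaseHTTPRequestHandler):
    expected_password = ""  # set by serve()

    def do_GET(self):
        auth = self.headers.get("Authorization")
        creds = parse_basic_auth(auth)
        verdict = classify(auth, self.expected_password)
        user = creds[0] if creds else "-"
        tag = fingerprint(creds[1]) if creds else "-"
        self.log_message("user=%s password_sha256=%s verdict=%s",
                         user, tag, verdict)
        body = ("verdict=%s\n" % verdict).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(expected_password, port=8081):
    """Block serving the canary on all interfaces (assumed port 8081)."""
    CanaryHandler.expected_password = expected_password
    HTTPServer(("0.0.0.0", port), CanaryHandler).serve_forever()


# Constructed sample header values for offline checks (not real captures).
SAMPLE_STALE = "Basic " + base64.b64encode(b"jdoe:OldPassw0rd").decode("ascii")
SAMPLE_NEW = "Basic " + base64.b64encode(b"jdoe:NewPassw0rd").decode("ascii")

if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "NewPassw0rd")
```

A STALE verdict after the forceAuth=TRUE re-authentication reproduces the problem described above; after the .PasswordMgmt flag file is created and the proxy restarted, a request that follows a password change through the Password Management servlet should report NEW.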