Configure API to retrieve users' password attributes from an eDirectory User Store

  • 7023938
  • 12-Jun-2019
  • 13-Jun-2019

Environment

Access Manager 4.4
Access Manager 4.3
Access Manager 4.2
Access Manager 4.1
Access Manager 4.0
Access Manager 3.2

Situation

Steps for configuring the PasswordFetchClass API to retrieve a user's password attribute when a Universal Password policy is set on an eDirectory User Store.

Resolution

To allow the PasswordFetchClass API to successfully retrieve the password, the following prerequisites must be met:
1. The Universal Password policy must be defined in the user store.
2. The Universal Password policy must be associated with the user who is authenticating.
3. The user whose credentials will be used to retrieve the password attribute must be defined.

Once the prerequisites are met, the PasswordFetchClass API allows retrieval of the password attribute from the user configured in the Identity Server.

If you configured the Identity Server to use Admin to connect to the User Store, then you can enable the option "Allow Admin to retrieve passwords".

In case you created and configured a specific user for the Identity Server connection with the User Store, then you can select "Allow the following to retrieve passwords" and specify your defined user.

Next, perform the following steps in the Access Manager Admin web console:
1. Click Devices > Identity Servers > Edit > Local > Classes.
2. Click New, specify a name for the class, and then select PasswordFetchClass in Java class. The Java class path is configured automatically.
3. Click Next, then configure the following general properties:
a. Ignore password retrieval failure: Select this option if you want users to continue with their sessions when Identity Server cannot retrieve their passwords. If this option is not selected, users are denied access when their passwords cannot be retrieved.
b. Retain Previous Principal: Select this option to retain the principal obtained from the previous authentication method. If you do not select this option, the principal from the method associated with this class is used.
c. Password to be retrieved: If your users have been configured to use a universal password, select Universal Password. Otherwise, select Simple Password.


Additional Information

The PasswordFetchClass API can retrieve the password attributes for Simple Passwords and Universal Passwords.