About SSPR 4.4 Password Expiration Notification

Hi,

I had 3 instances of SSPR 4.4 appliances fronted with a load balancer. SSPR is configured using eDir 9.1 with about 200K users by next year. No Challenge-Response enabled, using Email OTP as verification.

Now I would like to use the SSPR 4.4 Password Expiration Notification feature; however, I have a few questions at hand:

(i) Do I enable it on all 3 instances, or select one SSPR instance for this? I kind of have a feeling that if it is enabled on all 3, users will receive 3 password expiration emails.

(ii) Does the user need to log in to SSPR in order to kickstart Password Expiration Notification, or is there a background process checking the eDirectory Password Expiration Time to send out notifications? Note that users may not even access / log in to SSPR at all until Reset Password via Email OTP.

(iii) SSPR may be integrated with Access Manager 4.5 for SSO via the OAuth protocol instead of Identity Injection via Access Gateway, and configured as the Password Expiration Servlet. I believe such a scenario has no impact on the SSPR Password Expiration Notification feature.

Any thoughts?

Regards,

Keng

  • 0

    All,

    For the benefit of the community, I ran some tests and here are the results of running 2 SSPR instances with Password Expiration Notification:

    (i) Only 1 instance is sending the email notification, the others don't

    (ii) Users do not need to log in to SSPR at all. It runs in the background.

    (iii) Haven't tested this.

  • Verified Answer

    0

    Hi Keng,

    Answers in order:

    1) All SSPR instances pointing to the same LDAP directory should always have the exact same configuration. Thus, the password expiration notice will be enabled on all three servers.

    2) A user does not need to authenticate to receive a password expiration notification. There is a background process that runs once a day, by default at 0:00 UTC, to send notifications. The three servers use the node service feature to make sure only a single SSPR server will send notifications. You can check the status of the node service and password expiration notification service on the Admin -> Dashboard page node and Expiration Service tabs.

    3) The method of integration with NAM will not affect the password expiration notification feature.

    Cheers,

    -Jason