Forcing NetIQ Access Manager logins to be processed by NetIQ SSPR



Integrating NetIQ SSPR with NetIQ Access Manager can provide several authentication related services for Access Manager.

However, one difficulty can be forcing users to the SSPR web pages so they can take care of important activities such as:

  • Updating profile data

  • Enrolling (setting up) challenge/response questions and answers

  • Being warned about upcoming password expirations

NAM provides a feature that will redirect the user to SSPR when the user’s password is expired, but it doesn’t invoke that feature for these other scenarios.

To handle this issue, it is possible to forward every authentication that is processed by NAM to SSPR, allow SSPR to evaluate the user’s profile data, response enrollment status and password expiration. If no action is required by the user, SSPR will forward the user to their originally requested destination URL. If SSPR determines the user needs to take some action, the appropriate screen(s) will be shown to the user, and then the user will be sent to their originally requested destination URL or logged out if the password has been modified.

The potential downside to this integration is that SSPR will have to process every single NAM authentication and the user will have to wait an extra (hopefully small) amount of time for the additional redirects to occur to get to their requested page. As long as your SSPR environment is healthy and designed to be as redundant and scalable as your NAM environment, this should not be an issue.

The remainder of this document assumes your NAM and SSPR environments are already integrated, the steps to do so are well documented elsewhere.

Login Page Customizations

The login page can be customized to include links to public SSPR services such as ForgottenPassword or NewUser modules. To do so, modify the IDP server’s “login.jsp” file to include a link to the forgotten password page. See the NAM documentation to find the location of the login.jsp, or your customized version of it.

<a href=””>Forgotten Password</a>

Login Page SSPR Redirect Script

This technique uses the IDP’s “ctarget” attribute to rewrite the user’s post-login destination to SSPR, and then in turn pass SSPR the user’s original requested URL so after the process checks in SSPR are completed, the user is forwarded on to their original destination.

To implement this process, add the following to the login.jsp page:

// set these parameters as appropriate for your environment
final String ssprURL = "";
final String ssprCommand = "checkAll";
// could be "checkExpire", "checkResponses", "checkProfile" or "checkAll"
// see sspr documentation
final boolean debugMode = true;
String ctarget = null;

// do not modify the below code unless you know what you are doing.
String currentTarget = (String)request.getAttribute("target");
if (debugMode) {
out.write("<p>Current target: " currentTarget "</p>");
out.write("<p>Current ctarget: " request.getAttribute("ctarget") "</p>");
if (currentTarget != null && !currentTarget.contains(ssprURL)) {
final StringBuilder newURL = new StringBuilder();
ctarget = newURL.toString();
if (debugMode) {
out.write("<p>New target set to: " newURL.toString() "</p>");
} else if (debugMode) {
out.write("<p>Target already redirected to SSPR, was not modified.</p>");
<% if (ctarget != null) { %>
<input type="hidden" name="ctarget" value="<%=ctarget%>">
<% } %>

The above text should be inserted somewhere between the existing <form> </form> tags on the login.jsp file.



How To-Best Practice
Comment List