Forcing NetIQ Access Manager logins to be processed by NetIQ SSPR

Introduction



Integrating NetIQ SSPR with NetIQ Access Manager can provide several authentication-related services for Access Manager.

However, one difficulty is forcing users to the SSPR web pages so they can complete important activities such as:


  • Updating profile data

  • Enrolling (setting up) challenge/response questions and answers

  • Being warned about upcoming password expirations



NAM provides a feature that will redirect the user to SSPR when the user’s password is expired, but it doesn’t invoke that feature for these other scenarios.

To handle this issue, it is possible to forward every authentication that is processed by NAM to SSPR and let SSPR evaluate the user’s profile data, response enrollment status and password expiration. If no action is required by the user, SSPR will forward the user to their originally requested destination URL. If SSPR determines the user needs to take some action, the appropriate screen(s) will be shown to the user, and then the user will be sent to their originally requested destination URL, or logged out if the password has been modified.

The potential downside to this integration is that SSPR will have to process every single NAM authentication and the user will have to wait an extra (hopefully small) amount of time for the additional redirects to occur to get to their requested page. As long as your SSPR environment is healthy and designed to be as redundant and scalable as your NAM environment, this should not be an issue.

The remainder of this document assumes your NAM and SSPR environments are already integrated; the steps to do so are well documented elsewhere.

Login Page Customizations



The login page can be customized to include links to public SSPR services such as ForgottenPassword or NewUser modules. To do so, modify the IDP server’s “login.jsp” file to include a link to the forgotten password page. See the NAM documentation to find the location of the login.jsp, or your customized version of it.

<a href="https://www.example.com/sspr/public/ForgottenPassword">Forgotten Password</a>


Login Page SSPR Redirect Script



This technique uses the IDP’s “ctarget” attribute to rewrite the user’s post-login destination to SSPR, and passes SSPR the user’s originally requested URL so that, once the checks in SSPR are complete, the user is forwarded on to their original destination.

To implement this process, add the following to the login.jsp page:

<%!
    // HTML-escape a value before writing it into the page or into an attribute value
    private static String htmlEscape(final String s) {
        if (s == null) {
            return "null";
        }
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
%>
<%
    // set these parameters as appropriate for your environment
    // ssprURL must not end with a slash, because the servlet path is appended below
    final String ssprURL = "https://www.example.com/sspr";
    final String ssprCommand = "checkAll";
    // could be "checkExpire", "checkResponses", "checkProfile" or "checkAll"
    // see the SSPR documentation
    final boolean debugMode = true; // disable once the integration has been verified
    String ctarget = null;

    // do not modify the code below unless you know what you are doing.
    final String currentTarget = (String) request.getAttribute("target");
    if (debugMode) {
        out.write("<p>Current target: " + htmlEscape(currentTarget) + "</p>");
        out.write("<p>Current ctarget: " + htmlEscape(String.valueOf(request.getAttribute("ctarget"))) + "</p>");
    }
    // only rewrite targets that are not already bound for SSPR, otherwise the redirect would loop
    if (currentTarget != null && !currentTarget.startsWith(ssprURL)) {
        final StringBuilder newURL = new StringBuilder();
        newURL.append(ssprURL);
        newURL.append("/private/CommandServlet");
        newURL.append("?processAction=");
        newURL.append(ssprCommand);
        newURL.append("&forwardURL=");
        // URL-encode the original destination so its own query string survives the round trip through SSPR
        newURL.append(java.net.URLEncoder.encode(currentTarget, "UTF-8"));
        ctarget = newURL.toString();
        if (debugMode) {
            out.write("<p>New target set to: " + htmlEscape(ctarget) + "</p>");
        }
    } else if (debugMode) {
        out.write("<p>Target already redirected to SSPR, was not modified.</p>");
    }
%>
<% if (ctarget != null) { %>
<input type="hidden" name="ctarget" value="<%= htmlEscape(ctarget) %>">
<% } %>


The above code should be inserted somewhere between the existing <form> </form> tags in the login.jsp file, so that the hidden ctarget input is submitted with the login form.
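As an added example, not code from the article or from NetIQ, the same ctarget construction written as a plain Java class that compiles and runs outside the IDP (Java 11 or later), with two checks worth having in production: the forward target is accepted only when it is an https URL on an allow-list of protected hosts, and the value is escaped before it is placed in the hidden input. SSPR_URL and ALLOWED_HOSTS are assumed placeholders, and the sample targets are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public final class SsprRedirect {
    // Assumed placeholder values; adjust for your environment. SSPR_URL has no trailing slash.
    private static final String SSPR_URL = "https://www.example.com/sspr";
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "intranet.example.com");

    /** Returns the ctarget value to set, or null when the login target should be left untouched. */
    public static String buildCtarget(String currentTarget, String command) {
        if (currentTarget == null || currentTarget.startsWith(SSPR_URL + "/")) {
            return null; // nothing requested, or already bound for SSPR: avoid a redirect loop
        }
        if (!isAllowedTarget(currentTarget)) {
            return null; // forward only to hosts this deployment protects
        }
        return SSPR_URL + "/private/CommandServlet"
                + "?processAction=" + URLEncoder.encode(command, StandardCharsets.UTF_8)
                + "&forwardURL=" + URLEncoder.encode(currentTarget, StandardCharsets.UTF_8);
    }

    /** Accept only absolute https URLs whose host is on the allow list. */
    static boolean isAllowedTarget(String target) {
        try {
            URI uri = new URI(target);
            return "https".equals(uri.getScheme()) && uri.getHost() != null
                    && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (URISyntaxException e) {
            return false; // not a parseable URL, so never forward to it
        }
    }

    /** Escape a value for a double-quoted HTML attribute such as the hidden ctarget input. */
    static String htmlAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        String[] samples = {                                                 // constructed sample targets
            "https://intranet.example.com/app/?page=1&view=full",           // protected resource
            SSPR_URL + "/private/CommandServlet?processAction=checkAll",     // already an SSPR URL
            "https://other.example.net/",                                    // host not on the allow list
        };
        for (String target : samples) {
            String ctarget = buildCtarget(target, "checkAll");
            System.out.println(target + " -> " + (ctarget == null ? "(unchanged)"
                    : "<input type=\"hidden\" name=\"ctarget\" value=\"" + htmlAttr(ctarget) + "\">"));
        }
    }
}
```

Run it with `java SsprRedirect.java` to see which of the three targets is rewritten and how the encoded forwardURL and escaped attribute look.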





Comments
NAM 4.0 SP1 has added a new "Login Redirect URL" feature to perform this function:

See the SP1 ReadMe File: https://www.netiq.com/documentation/netiqaccessmanager4/accessmanager40_sp1_readme/data/accessmanager40_sp1_readme.html

And the NAM docs: http://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/localcontract.html

Hi Paul,

Looking for more detail on this for our friends in KC. Can you send me a reply to ebarragan@novacoast.com please? Cheers!!
Version history: revision 3 of 3, last update 2020-01-31 22:07