Anonymous_User Absent Member.
Absent Member.
321 views

Landing App and SSPR


I am missing a config option for sspr or osp with the Landing app that
forces them through sspr for different reasons. Currently in 4.0.2 and
earlier when users went to IDMProv and they didn't have their password
recovery answers filled in or a password was expired, it forced them to
do that. I am not seeing any behavior like that with my dev 4.5.2
environment with all of the latest patches including the latest sspr
(SSPRv3.3.0.2 b20 r38620).


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54794

Labels (1)
0 Likes
8 Replies
Knowledge Partner
Knowledge Partner

Re: Landing App and SSPR

On 12/4/2015 10:45 AM, schwoerb wrote:
>
> I am missing a config option for sspr or osp with the Landing app that
> forces them through sspr for different reasons. Currently in 4.0.2 and
> earlier when users went to IDMProv and they didn't have their password
> recovery answers filled in or a password was expired, it forced them to
> do that. I am not seeing any behavior like that with my dev 4.5.2
> environment with all of the latest patches including the latest sspr
> (SSPRv3.3.0.2 b20 r38620).


I was sitting there staring at this question, since I had the opposite
request. Wanted to force it to NOT force the fill in via UA in 4.02.
It was not SSPR forcing the fill in, it was actually the UA NMAS client
implementation doing it.

Took me a while to remember the answer. (Damn memory is failing me!
Backup!!!)

Anyway, the Password policy object itself has a setting about require
the filling in.

You really want SSPR to control it, since NMAS says, 20 questions
defined, fill in all 20. Then you answer 3 randomly.

SSPR allows a granularity of 20 defined, fill in any 10, and then answer
6 from those randomnly. Much nicer for end users.

So in your case, check the NMAS password policy to see if it has

0 Likes
sma2006 Outstanding Contributor.
Outstanding Contributor.

Re: Landing App and SSPR


Hi,

I did few IDM 4.5.1 installation recently and the default behavior is
that your are forced to fill in challenge question each time you login
(until done).

Of course, this comes if you have setup sspr with "challenge" module
that links to NMAS policies (if any).

In my case, I would like to disable the "force setup challenge questions
at login" and until now it did not find the way to do it.

There are few options in sspr setup that says "disable force setup", but
this did not work until now.

About your problem, you should go through your SSPR setup and make sure
you have selected the "challenge/responses" modules and options.

Hope this will help you.

Sylvain


--
sma
------------------------------------------------------------------------
sma's Profile: https://forums.netiq.com/member.php?userid=174
View this thread: https://forums.netiq.com/showthread.php?t=54794

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Landing App and SSPR


In SSPR, I do have the 'Check Expire During Authentication' = 'Enabled'
and also 'Force Response Setup' = 'Enabled'. So when the user goes to
SSPR, it does force them to do both of setting the recovery questions
and setting a new password. I don't see an option for that check to
occur outside of SSPR, for places like OSP or Landing. So if users go
to /landing, those checks are not taking place by OSP or by RBPM. As
soon as they click the change my password, it is forcing those options
properly.


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54794

0 Likes
Knowledge Partner
Knowledge Partner

Re: Landing App and SSPR

On 12/4/2015 12:04 PM, schwoerb wrote:
>
> In SSPR, I do have the 'Check Expire During Authentication' = 'Enabled'
> and also 'Force Response Setup' = 'Enabled'. So when the user goes to
> SSPR, it does force them to do both of setting the recovery questions
> and setting a new password. I don't see an option for that check to
> occur outside of SSPR, for places like OSP or Landing. So if users go
> to /landing, those checks are not taking place by OSP or by RBPM. As
> soon as they click the change my password, it is forcing those options
> properly.


What value do you have for the setting on the eDir NMAS password policy
for force answering questions?

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Landing App and SSPR


geoffc;263024 Wrote:
> On 12/4/2015 12:04 PM, schwoerb wrote:
> >
> > In SSPR, I do have the 'Check Expire During Authentication' =

> 'Enabled'
> > and also 'Force Response Setup' = 'Enabled'. So when the user goes

> to
> > SSPR, it does force them to do both of setting the recovery questions
> > and setting a new password. I don't see an option for that check to
> > occur outside of SSPR, for places like OSP or Landing. So if users

> go
> > to /landing, those checks are not taking place by OSP or by RBPM. As
> > soon as they click the change my password, it is forcing those

> options
> > properly.

>
> What value do you have for the setting on the eDir NMAS password policy
> for force answering questions?



Yes, "Force user to configure Challenge Questions and/or Hint upon
authentication" is set to true in the password policy for legacy NMAS.


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54794

0 Likes
sma2006 Outstanding Contributor.
Outstanding Contributor.

Re: Landing App and SSPR


Are you sure the identity application is setup to use sspr and not the
legacy forgoten password?
you can check this in configupdate.


--
sma
------------------------------------------------------------------------
sma's Profile: https://forums.netiq.com/member.php?userid=174
View this thread: https://forums.netiq.com/showthread.php?t=54794

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Landing App and SSPR


Identity Application was setup to use SSPR.

I think I tracked it down. I had messed with the REST settings in SSPR,
while trying to lock it down so it wasn't as exposed. I will just need
to reconstruct what the settings should be.


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54794

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Landing App and SSPR


I was finally able to get it to work.

I needed to configure regular users to be able to execute
rest/webservices. I don't remember seeing that as a
necessary/recommended step in the guide, but I do admit to missing
stuff.


--
schwoerb
------------------------------------------------------------------------
schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=54794

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.