Highlighted
Keng Super Contributor.
Super Contributor.
118 views

About SSPR 4.4 Password Expiration Notification

Jump to solution

Hi,

I had 3 instances of SSPR 4.4 Appliances fronted with a load-balancer. SSPR is configured using eDir 9.1 with about 200K user by next year. No Challenge-Response enabled, using Email OTP as verification.

Now I would like to use SSPR 4.4 Password Expiration Notification feature, however I have a few questions at hands

(i) Do I enable on all 3 instances, or select one 1 SSPR instance for this ? I kinda have a feeling if enable on all 3, user will receive 3 password expiration emails.

(ii) Does user need to login to SSPR in order to kickstart Password Expiration Notification, or there is background process checking eDirectory Password Expiration Time to send out notification. Note that users may not even access / login to SSPR at all until Reset Password via Email OTP.

(iii) SSPR maybe integrated with Access Manager 4.5 for SSO via OAuth protocol instead of Identity Injection via Access Gateway, and configured as Password Expiration Servlet. I believe such scenario have no impact with SSPR Password Expiration Notification feature. 

Any thoughts ?

Regards,

Keng

 

 

 

Labels (1)
0 Likes
1 Solution

Accepted Solutions
Micro Focus Contributor
Micro Focus Contributor

Re: About SSPR 4.4 Password Expiration Notification

Jump to solution

Hi Keng,

Answers in order:

 

1) All SSPR instances pointing to the same LDAP directory should always have the exact same configuration.  Thus, the password expiration notice will be enabled on all three servers.

 

2) A user does not need to authenticate to receive a password expiration notification.   There is a background process that runs once a day, by default at 0:00 UTC to send notifications.  The three servers use the node service feature to make sure only a single SSPR server will send notifications.  You can check the status of the node service and password expiration notification service on the Admin -> Dashboard page node and Expiration Service tabs.

 

3) The method of integration with NAM will not affect the password expiration notification feature.

 

Cheers,

 

-Jason

0 Likes
2 Replies
Keng Super Contributor.
Super Contributor.

Re: About SSPR 4.4 Password Expiration Notification

Jump to solution

All,

For the benefits of the community, I had run some testings and here are the results of running 2 SSPR instances with Password Expiration Notification

(i) Only 1 instance is sending the email notification, the others don't

SSPR-Notify-Send.jpegSSPR-No-Notify.jpeg

(ii) User do not need to login SSPR at all. It runs in the background

(iii) Haven't tested this.

 

Micro Focus Contributor
Micro Focus Contributor

Re: About SSPR 4.4 Password Expiration Notification

Jump to solution

Hi Keng,

Answers in order:

 

1) All SSPR instances pointing to the same LDAP directory should always have the exact same configuration.  Thus, the password expiration notice will be enabled on all three servers.

 

2) A user does not need to authenticate to receive a password expiration notification.   There is a background process that runs once a day, by default at 0:00 UTC to send notifications.  The three servers use the node service feature to make sure only a single SSPR server will send notifications.  You can check the status of the node service and password expiration notification service on the Admin -> Dashboard page node and Expiration Service tabs.

 

3) The method of integration with NAM will not affect the password expiration notification feature.

 

Cheers,

 

-Jason

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.