ratclma

Need help with enabling SSPR password expiry warning in NAM


Hi,
I'm trying to set up NAM and SSPR so on NAM login SSPR
CommandServlet?processAction=checkExpire is called and if the user is
within the threshold they'll get the appropriate warning screen and if
they click Skip they'll be taken to the url they were going to. Equally
if the user is not within the password expiry threshold they'll be
redirected to where they were going.
I have created a path-based proxy service for /sspr and protected
resources for:
/sspr/* (public resource)
/sspr/private/* (restricted)
/sspr/private/config/* (restricted with auth policy)
/sspr/private/admin/* (restricted with auth policy)
I have configured Redirect Login URL on the login contract to be as
follows:
https://some.company.biz/sspr/private/CommandServlet?processAction=checkExpire&forwardURL=<RETURN_URL>
Do I set this instead of Password Expiration Servlet option or as well
as?

The NetIQ documentation is a bit sparse on this point. You'd think this
would be something they would have a detailed example for as I would
expect wanting to make use of SSPR's capability to warn the user of
impending password expiry and giving them an option to change the
password would be a big selling point!

Thanks
Mark


--
ratclma
------------------------------------------------------------------------
ratclma's Profile: https://forums.netiq.com/member.php?userid=7886
View this thread: https://forums.netiq.com/showthread.php?t=55295

Anonymous_User

Re: Need help with enabling SSPR password expiry warning in NAM

ratclma wrote:

> I'm trying to set up NAM and SSPR so on NAM login SSPR
> CommandServlet?processAction=checkExpire is called and if the user is
> within the threshold they'll get the appropriate warning screen and if
> they click Skip they'll be taken to the url they were going to.
> Equally if the user is not within the password expiry threshold
> they'll be redirected to where they were going.
> I have created a path-based proxy service for /sspr and protected
> resources for:
> sspr (public resource)
> /sspr/private/* (restricted)
> /sspr/private/config/* (restricted with auth policy)
> /sspr/private/admin/* (restricted with auth policy)
> I have configured Redirect Login URL on the login contract to be as
> follows:
> https://some.company.biz/sspr/private/CommandServlet?processAction=checkExpire&forwardURL=<RETURN_URL>
> Do I set this instead of Password Expiration Servlet option or as well
> as?


You set the Redirect Login URL to the above URL.

The password expiration URL should be something like:
https://some.company.biz/sspr/private/ChangePassword?passwordExpired=true

There are some quirks tied into an actual expired password.

You need to have grace logins enabled when using eDirectory as auth
store.
If you use a custom auth class or something that does multi-factor auth
(like Bart Andrie's SMS method) then the expired password bit won't
work properly without some twiddling.
ratclma

Re: Need help with enabling SSPR password expiry warning in NAM


Alex McHugh;264764 Wrote:
> ratclma wrote:
>
> > I'm trying to set up NAM and SSPR so on NAM login SSPR
> > CommandServlet?processAction=checkExpire is called and if the user
> > is within the threshold they'll get the appropriate warning screen
> > and if they click Skip they'll be taken to the url they were going to.
> > Equally if the user is not within the password expiry threshold
> > they'll be redirected to where they were going.
> > I have created a path-based proxy service for /sspr and protected
> > resources for:
> > sspr (public resource)
> > /sspr/private/* (restricted)
> > /sspr/private/config/* (restricted with auth policy)
> > /sspr/private/admin/* (restricted with auth policy)
> > I have configured Redirect Login URL on the login contract to be as
> > follows:
> > https://some.company.biz/sspr/private/CommandServlet?processAction=checkExpire&forwardURL=<RETURN_URL>
> > Do I set this instead of Password Expiration Servlet option or as
> > well as?
>
> You set the Redirect Login URL to the above URL.
>
> The password expiration URL should be something like:
> http://tinyurl.com/z6olc3y
>
> There are some quirks tied into an actual expired password.
>
> You need to have grace logins enabled when using eDirectory as auth
> store.
> If you use a custom auth class or something that does multi-factor auth
> (like Bart Andrie's SMS method) then the expired password bit won't
> work properly without some twiddling.


Thanks Alex, so I'm on the right track. Trying to avoid using any custom
classes (unless absolutely necessary); just want to have the NAM login
call checkExpire and display the SSPR warning pages if within the
threshold or simply redirect the user to where they were going if not.
When you say there are some quirks, what do you mean?
Thanks
Mark



Anonymous_User

Re: Need help with enabling SSPR password expiry warning in NAM

ratclma wrote:

> Thanks Alex, so I'm on the right track. Trying to avoid using any
> custom classes (unless absolutely necessary); just want to have the
> NAM login call checkExpire and display the SSPR warning pages if
> within the threshold or simply redirect the user to where they were
> going if not.


Then just use Redirect Login URL as you have described.

> When you say there are some quirks, what do you mean?


The quirks are mostly with the password expiration servlet URL option.
In your scenario it doesn't sound like you need to use this.

ratclma

Re: Need help with enabling SSPR password expiry warning in NAM


Alex,
Thanks for input. I have it working now but I had to remove
forwardURL=<RETURN_URL> from the command servlet url as SSPR reported a
5075 error and the SSPR log showed similar to below, so maybe that
doesn't work with CommandServlet?
2016-02-05T09:53:40Z, ERROR, filter.SessionFilter, {4r} 5075
ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in path
at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
2016-02-05T09:53:40Z, ERROR, http.PwmRequest, {4r} 5075
ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in path
at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
If I set the Login Redirect URL setting to just:
http://tinyurl.com/gufh5s6 then it will work and if the user is in the warning
period they'll be shown the warning screen with a Skip option and Skip takes
them to where they were going; if the password is expired or just about
to be, they get the Expired password page where they're required to set the
new password. If they have plenty of time left they are redirected to
where they were going. So that's all good.

However, we have 3 different domain urls https://some.company.biz,
https://some.other.biz and https://some.third.biz (the apps behind these
urls are located in the same place, it's just we brand the pages
differently). We've created separate reverse proxies for the 3 company
urls. As SSPR is protected by NAM and the application URL in the config
needs to be a FQDN url whereas before it could be a relative path, how
do I achieve the following:
application URL=https://some.company.biz but user works for one of the
other companies in the group and so accesses https://some.other.biz
I can configure the contract for https://some.other.biz to have a Login
Return URL=https://some.company.biz.biz/sspr/private/CommandServlet?processAction=checkExpire
but that will mean he will need to login again as SSPR will not be using
the contract for https://some.other.biz
I tried configuring a proxy service and protected resource for SSPR on
the https://some.other.biz reverse proxy and provide Login Return
URL=https://some.other.biz/sspr/private/CommandServlet?processAction=checkExpire but
that just leads to a 5075 error as below
2016-02-05T07:48:29Z, ERROR, filter.SessionFilter, {4n} 5075
ERROR_REDIRECT_ILLEGAL (https://some.other.biz is not a match for any
configured redirect whitelist, see setting: Settings → Security → Web
Security → Redirect Whitelist) [xx.xxx.xxx.xx]
So do I need to add a whitelist entry or have I done something wrong?
Thanks
Mark



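As an added illustration (not code from this thread, from NAM or from SSPR), here is the kind of check that produces the two 5075 ERROR_REDIRECT_ILLEGAL entries in the post above, written in Python; the allowlist contents and the helper names are assumptions. It refuses an unsubstituted `<RETURN_URL>` placeholder the way a strict URL parser does, and refuses any origin that is not on the redirect whitelist, which is exactly what listing the other branded domains in the whitelist resolves.

```python
from urllib.parse import urlsplit

# Constructed allowlist covering the three branded origins named in the thread.
REDIRECT_WHITELIST = frozenset({
    "https://some.company.biz",
    "https://some.other.biz",
    "https://some.third.biz",
})
ERROR_REDIRECT_ILLEGAL = 5075  # the SSPR error number quoted in the thread
# Characters RFC 3986 never allows raw in a URL; a strict parser rejects them,
# which is why the literal "<RETURN_URL>" placeholder failed at index 0.
_ILLEGAL_CHARS = frozenset('<>"{}|\\^` ')


class RedirectError(ValueError):
    def __init__(self, reason):
        super().__init__(f"{ERROR_REDIRECT_ILLEGAL} ERROR_REDIRECT_ILLEGAL ({reason})")
        self.reason = reason


def validate_forward_url(forward_url, whitelist=REDIRECT_WHITELIST):
    """Return forward_url if it is safe to redirect to, else raise RedirectError.

    Hypothetical helper written for this example, not SSPR's own code: allows a
    same-site relative path or an absolute URL whose origin is whitelisted.
    """
    for idx, ch in enumerate(forward_url):
        if ch in _ILLEGAL_CHARS:
            raise RedirectError(
                f"unable to parse url: Illegal character in path at index {idx}: {forward_url}")
    parts = urlsplit(forward_url)
    if not parts.scheme and not parts.netloc:
        return forward_url  # plain relative path such as /app/home: same host
    # Scheme-relative (//host/...) or absolute: the whole origin must match exactly.
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if origin not in whitelist:
        raise RedirectError(
            f"{origin} is not a match for any configured redirect whitelist, "
            "see setting: Settings → Security → Web Security → Redirect Whitelist")
    return forward_url


def redirect_reason(forward_url, whitelist=REDIRECT_WHITELIST):
    """The rejection reason for forward_url, or None when it would be allowed."""
    try:
        validate_forward_url(forward_url, whitelist)
    except RedirectError as err:
        return err.reason
    return None
```

Because the comparison is on the full origin, a user-info prefix, an extra host label or a scheme-relative URL all fail it; only the listed origins and plain relative paths pass.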
Anonymous_User

Re: Need help with enabling SSPR password expiry warning in NAM

ratclma wrote:

>
> However, we have 3 different domain urls https://some.company.biz,
> https://some.other.biz and https://some.third.biz (the apps behind
> these urls are located in the same place, it's just we brand the pages
> differently). We've created separate reverse proxies for the 3
> company urls. As SSPR is protected by NAM and the application URL in
> the config needs to be a FQDN url whereas before it could be a
> relative path, how do I achieve the following:
> application URL=https://some.company.biz but user works for one of the
> other companies in the group and so accesses https://some.other.biz
> I can configure the contract for https://some.other.biz to have a
> Login Return
> URL=https://some.company.biz.biz/sspr/private/CommandServlet?processAction=checkExpire
> but that will mean he will need to login again as SSPR will not be
> using the contract for https://some.other.biz
> I tried configuring a proxy service and protected resource for SSPR on
> the https://some.other.biz reverse proxy and provide Login Return
> URL=https://some.other.biz/sspr/private/CommandServlet?processAction=checkExpire but
> that just leads to a 5075 error as below
> 2016-02-05T07:48:29Z, ERROR, filter.SessionFilter, {4n} 5075
> ERROR_REDIRECT_ILLEGAL (https://some.other.biz is not a match for any
> configured redirect whitelist, see setting: Settings → Security → Web
> Security → Redirect Whitelist) [xx.xxx.xxx.xx]
> So do I need to add a whitelist entry or have I done something wrong?
> Thanks


This sounds like a new issue. Can you create a separate thread for this?