
New User with questions about sspr and forgotten password sce


We are running an IDM User Application that services internal employees
as well as external clients and does a very good job in letting us
partition pages etc. according to base DN.

In implementing the new SSPR, is there a way to configure the app to have
one set of users (external clients) not be required to set or answer
challenge responses and receive e-mail tokens for changing a forgotten
password but also in the same application, have internal users be
required to set up and answer challenge responses for resetting a
forgotten password? You can set different base DNs or profiles to apply
to some of the modules but forgotten password doesn't seem to have the
capability to provide a different mechanism for a different set of
users.

If this is not possible to do:

1- can you run multiple instances of sspr under the same tomcat
instance? (i.e. renaming the war file and deploying)
2- Even if you have multiple instances how do you handle the Forgot
Password link on the login form for the Userapp? How would you send
internal users to one sspr instance and external users to another?

Thanks for any insight that can be given.


--
rreid
------------------------------------------------------------------------
rreid's Profile: https://forums.netiq.com/member.php?userid=396
View this thread: https://forums.netiq.com/showthread.php?t=53338


Re: New User with questions about sspr and forgotten password sce

On 04/16/2015 08:50 PM, rreid wrote:
>
> We are running an IDM User Application that services internal employees
> as well as external clients and does a very good job in letting us
> partition pages etc. according to base DN.
>
> In implementing the new SSPR, is there a way to configure the app to have
> one set of users (external clients) not be required to set or answer
> challenge responses and receive e-mail tokens for changing a forgotten
> password but also in the same application, have internal users be
> required to set up and answer challenge responses for resetting a
> forgotten password? You can set different base DNs or profiles to apply
> to some of the modules but forgotten password doesn't seem to have the
> capability to provide a different mechanism for a different set of
> users.
>
> If this is not possible to do:


If your backend is eDirectory you could probably do this pretty easily by
using different password policies for each set of users. Even if the
password policies were identical in their settings (complexity, length,
history, etc.) they could link to different challenge set objects which
control what users do in terms of challenge/response, if anything (one
policy could use that functionality while another does not). Policies are
applied, potentially, per-user (at their most-granular, though that's not
the norm) so you can be very flexible there.

If you are stuck with something like microsoft active directory (MAD) I'm
not sure what you can do in terms of this since the challenge response
stuff is all part of eDirectory or SSPR.

> 1- can you run multiple instances of sspr under the same tomcat
> instance? (i.e. renaming the war file and deploying)


Sure.

> 2- Even if you have multiple instances how do you handle the Forgot
> Password link on the login form for the Userapp? How would you send
> internal users to one sspr instance and external users to another?


How do you send all users to SSPR today? Presumably e-mail when they sign
up, or word of mouth, or an organizational handbook for employees, etc.
Same thing, but now you'll need to modify that method per type of user.

--
Good luck.

rreid

Re: New User with questions about sspr and forgotten password sce


ab;256470 Wrote:
> On 04/16/2015 08:50 PM, rreid wrote:
> >
> > We are running an IDM User Application that services internal employees
> > as well as external clients and does a very good job in letting us
> > partition pages etc. according to base DN.
> >
> > In implementing the new SSPR, is there a way to configure the app to have
> > one set of users (external clients) not be required to set or answer
> > challenge responses and receive e-mail tokens for changing a forgotten
> > password but also in the same application, have internal users be
> > required to set up and answer challenge responses for resetting a
> > forgotten password? You can set different base DNs or profiles to apply
> > to some of the modules but forgotten password doesn't seem to have the
> > capability to provide a different mechanism for a different set of
> > users.
> >
> > If this is not possible to do:
>
> If your backend is eDirectory you could probably do this pretty easily by
> using different password policies for each set of users. Even if the
> password policies were identical in their settings (complexity, length,
> history, etc.) they could link to different challenge set objects which
> control what users do in terms of challenge/response, if anything (one
> policy could use that functionality while another does not). Policies are
> applied, potentially, per-user (at their most-granular, though that's not
> the norm) so you can be very flexible there.
>
> If you are stuck with something like microsoft active directory (MAD) I'm
> not sure what you can do in terms of this since the challenge response
> stuff is all part of eDirectory or SSPR.


Thanks for the reply. We are running with eDirectory on the backend. We
have been using IDM for 12+ years so we are well aware of the password
policies etc within eDirectory and already have applied different
policies to our internal and external users.

The issue is with the forgotten password mechanism. We don't want to
require our external users (clients) to have to set up challenge
responses. We simply want to have them be able to request to have a new
password sent to their email address through sspr. This works great.
At the same time though, we can't use that same process with internal
users because if they forgot their password, they can't get into their
e-mail to get the new one or verify the token. I have not found
anywhere in sspr where I can assign a different method of handling the
forgotten password per group of users whether by ldap search or baseDN.
It's all or nothing. I can indeed assign different password policies
and even different challenge response profiles but I haven't figured out
how to require internal users to go through answering the responses and
external users to have a token e-mailed to them.

>
> > 1- can you run multiple instances of sspr under the same tomcat
> > instance? (i.e. renaming the war file and deploying)
>
> Sure.
>
> > 2- Even if you have multiple instances how do you handle the Forgot
> > Password link on the login form for the Userapp? How would you send
> > internal users to one sspr instance and external users to another?
>
> How do you send all users to SSPR today? Presumably e-mail when they sign
> up, or word of mouth, or an organizational handbook for employees, etc.
> Same thing, but now you'll need to modify that method per type of user.


What I meant is how I redirect them to the appropriate instance of 2
sspr applications from the same "Forgot Password" link on the Userapp
Login page? This userapp is used for internal and external users.
Since the users haven't authenticated yet, I have no way to redirect
internal users to one sspr instance and external users/clients to
another. I could create a custom page and have them enter their e-mail
address and then redirect to the appropriate sspr but then they would
have to re-enter their email address to go through the forgotten
password process.

Thoughts?


--
rreid

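Added example, not code from any post in this thread and not NetIQ or SSPR code: a minimal server-side dispatcher for the approach rreid sketches in the last post, a single "Forgot Password" page that takes the identifier the user types and sends the browser to one of two SSPR instances. It carries the entered address forward on the redirect so the user does not have to type it twice. The two instance URLs, the list of internal e-mail domains, and the `username` query parameter on SSPR's public forgotten-password URL are all assumptions to verify against your own deployment and SSPR version. Two design points matter for an unauthenticated page like this: the routing decision is made from the e-mail domain alone rather than an LDAP lookup, so the page gives an anonymous caller no account-existence oracle beyond what the domain already reveals; and the redirect target comes from a fixed allow-list, so nothing the browser sends can turn the hop into an open redirect.

```python
"""Route a pre-authentication "Forgot Password" request to one of two SSPR
instances and carry the entered identifier forward.

Added example for this forum thread; not code from the posts or from
NetIQ/SSPR.  Assumptions (all hypothetical, adapt to your deployment):
  * two SSPR deployments reachable at SSPR_INTERNAL and SSPR_EXTERNAL
  * internal employees are recognised by the e-mail domain they enter
    (INTERNAL_DOMAINS), so no directory query happens before authentication
  * the target SSPR accepts a pre-filled username on its public forgotten
    password URL via a 'username' query parameter (verify for your version)
"""
import re
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Fixed allow-list of redirect targets.  The browser never influences the
# scheme, host or path, so this cannot become an open redirect.
SSPR_INTERNAL = "https://sspr-int.example.com/sspr/public/forgottenpassword"
SSPR_EXTERNAL = "https://sspr-ext.example.com/sspr/public/forgottenpassword"

# Domains that identify internal employees (assumed values).
INTERNAL_DOMAINS = frozenset({"example.com", "corp.example.com"})

# Conservative shape check for what the user typed: local@domain, a bounded
# character set and length.  Anything else is rejected before reaching a URL.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]{1,64}@([A-Za-z0-9.\-]{1,253})$")


def classify(identifier: str) -> str:
    """Return 'internal', 'external' or 'invalid' for the entered identifier.

    The decision uses only the domain part: deterministic, no LDAP round
    trip, and therefore no per-account existence oracle for anonymous callers.
    """
    m = _EMAIL_RE.match(identifier.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower().rstrip(".")
    return "internal" if domain in INTERNAL_DOMAINS else "external"


def sspr_redirect(identifier: str) -> Optional[str]:
    """Build the Location header value for the matching SSPR instance.

    Returns None when the identifier is malformed so the caller can simply
    re-display the form instead of redirecting.
    """
    kind = classify(identifier)
    if kind == "invalid":
        return None
    base = SSPR_INTERNAL if kind == "internal" else SSPR_EXTERNAL
    # urlencode percent-encodes '@', '+', '%' and non-ASCII so the value
    # survives the hop intact and cannot inject extra query parameters.
    return f"{base}?{urlencode({'username': identifier.strip()})}"


def is_allowed_target(url: str) -> bool:
    """Defensive check (usable in a reverse proxy rule or a test): only the
    two known SSPR hosts over HTTPS are ever emitted."""
    allowed = {urlsplit(SSPR_INTERNAL).netloc, urlsplit(SSPR_EXTERNAL).netloc}
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc in allowed


if __name__ == "__main__":
    # Constructed sample inputs, one per branch.
    for who in ("jdoe@example.com", "client@partner.org", "bad value"):
        print(f"{who!r} -> {sspr_redirect(who)}")
```

Wiring this in means pointing the User Application's "Forgot Password" link at this page instead of at SSPR directly; the page does a 302 to the value `sspr_redirect` returns. Any response other than a redirect to one of the two fixed hosts should be treated as a bug.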