SSO to SSPR via SAML, Helpdesk module, change password, problems ensue

We set up OSP 4.51 HF2 with SSPR 3.2.03 (Latest patch I could find)
doing SAML via Shibboleth.

Have the Helpdesk set to use the proxy account.

When I go to change a password, it works, but reports a 699 bad
password, and then proceeds to Intruder lock my account.

It looks like the password change failed, but it works.

My theory is that when in proxy mode it is connecting as me first, I
find the user, then go to change its password, it connects as the Proxy
user. Then when complete it tries to reconnect as me again, but since
it is connecting via SSO via SAML, it is trying username/password this
time, probably with a null password. (Though that should really succeed
as an anon bind in hindsight).

Anyone else seen this?

I can work around it by setting the needed permissions on the Helpdesk
group object. I would prefer to use the proxy here.

Re: SSO to SSPR via SAML, Helpdesk module, change password, problems ensue

On 07/15/2015 05:30 PM, Geoffrey Carman wrote:
> We set up OSP 4.51 HF2 with SSPR 3.2.03 (Latest patch I could find) doing
> SAML via Shibboleth.
>
> Have the Helpdesk set to use the proxy account.


Does your example below use the Helpdesk change password capability, then,
or is this a user changing their own password?

> When I go to change a password, it works, but reports a 699 bad password,
> and then proceeds to Intruder lock my account.


I'm guessing you mean -669 but having confirmation may be nice.

> It looks like the password change failed, but it works.
>
> My theory is that when in proxy mode it is connecting as me first, I find
> the user, then go to change its password, it connects as the Proxy user.
> Then when complete it tries to reconnect as me again, but since it is
> connecting via SSO via SAML, it is trying username/password this time,
> probably with a null password. (Though that should really succeed as an
> anon bind in hindsight).


What do you see in ndstrace with +LDAP? That may be very enlightening.
If you're stuck with another directory you can enable insane LDAP tracing
in SSPR that may be useful.

> Anyone else seen this?
>
> I can work around it by setting the needed permissions on the Helpdesk
> group object. I would prefer to use the proxy here.


Do you have just one LDAP server set up in SSPR, or are there multiples?
Any load balancers referenced in SSPR for LDAP?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: SSO to SSPR via SAML, Helpdesk module, change password, problems ensue

On 7/16/2015 12:30 PM, ab wrote:
> On 07/15/2015 05:30 PM, Geoffrey Carman wrote:
>> We set up OSP 4.51 HF2 with SSPR 3.2.03 (Latest patch I could find) doing
>> SAML via Shibboleth.
>>
>> Have the Helpdesk set to use the proxy account.
>
> Does your example below use the Helpdesk change password capability, then,
> or is this a user changing their own password?
>
>> When I go to change a password, it works, but reports a 699 bad password,
>> and then proceeds to Intruder lock my account.
>
> I'm guessing you mean -669 but having confirmation may be nice.


Ya, my lysdexia got the better of me.

>> It looks like the password change failed, but it works.
>>
>> My theory is that when in proxy mode it is connecting as me first, I find
>> the user, then go to change its password, it connects as the Proxy user.
>> Then when complete it tries to reconnect as me again, but since it is
>> connecting via SSO via SAML, it is trying username/password this time,
>> probably with a null password. (Though that should really succeed as an
>> anon bind in hindsight).
>
> What do you see in ndstrace with +LDAP? That may be very enlightening.
> If you're stuck with another directory you can enable insane LDAP tracing
> in SSPR that may be useful.

Very hard to tell. SSPR is very chatty in LDAP. I did not find the
switch of identities that I was looking for.


>> Anyone else seen this?
>>
>> I can work around it by setting the needed permissions on the Helpdesk
>> group object. I would prefer to use the proxy here.
>
> Do you have just one LDAP server setup in SSPR, or are there multiples?
> Any load balancers referenced in SSPR for LDAP?


I do have three LDAP servers listed in the config, but all three were up.
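The identity switch Geoffrey went looking for in the trace can be picked out mechanically rather than by eye. This is an added example, not SSPR's, eDirectory's or either poster's code: it runs over constructed lines in a simplified ndstrace-like shape (real ndstrace +LDAP output differs and is far more verbose), and the DNs, connection id and intruder threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified ndstrace-like shape (not real ndstrace output):
# conn id, operation, bound/target DN, result code (-669 = failed authentication).
SAMPLE_TRACE = """\
LDAP: conn=0x12 op=bind dn="cn=gcarman,ou=users,o=acme" result=0
LDAP: conn=0x12 op=bind dn="cn=sspr-proxy,ou=svc,o=acme" result=0
LDAP: conn=0x12 op=modify dn="cn=gcarman,ou=users,o=acme" attr=userPassword result=0
LDAP: conn=0x12 op=bind dn="cn=gcarman,ou=users,o=acme" result=-669
LDAP: conn=0x12 op=bind dn="cn=gcarman,ou=users,o=acme" result=-669
LDAP: conn=0x12 op=bind dn="cn=gcarman,ou=users,o=acme" result=-669
"""

LINE_RE = re.compile(r'conn=(?P<conn>\S+) op=(?P<op>\w+)(?: dn="(?P<dn>[^"]*)")?.*result=(?P<result>-?\d+)')

def parse_trace(text):
    """One dict per recognised line (conn, op, dn, result); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["result"] = int(e["result"])
            events.append(e)
    return events

def identity_switches(events):
    """(conn, old_dn, new_dn) each time a connection binds as a different DN than before."""
    last, switches = {}, []
    for e in events:
        if e["op"] != "bind":
            continue
        prev = last.get(e["conn"])
        if prev is not None and prev != e["dn"]:
            switches.append((e["conn"], prev, e["dn"]))
        last[e["conn"]] = e["dn"]  # a failed attempt still counts as a switch attempt
    return switches

def failed_binds(events, code=-669):
    """Failed bind attempts per DN; these are what the intruder-detection counter sees."""
    counts = defaultdict(int)
    for e in events:
        if e["op"] == "bind" and e["result"] == code:
            counts[e["dn"]] += 1
    return dict(counts)

def lockout_candidates(events, threshold=3):
    """DNs at or past an assumed intruder-lockout threshold of failed binds."""
    return sorted(dn for dn, n in failed_binds(events).items() if n >= threshold)
```

Feed the functions the trace text: the switches list shows the user-to-proxy and proxy-back-to-user re-binds on one connection, and `lockout_candidates` names the DN (the user, not the proxy) that the repeated -669 binds would push over the threshold.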