
SSPR 4.1 and IDM4.6 , person with two user accounts

Hi,

My customer has IDM 4.6 with eDir 9.2 HF2, Identity Applications and SSPR 4.1.

Their tree has multiple OUs and one person can have multiple user accounts in different OUs.


For example:

cn=esilva,ou=newyork,ou=users,o=data
cn=esilva,ou=losangeles,ou=users,o=data
cn=esilva,ou=miami,ou=users,o=data

The three user accounts have a secret response registered.

But when the person wants to use SSPR with the "Can't sign in?" Forgotten Password option, the following message appears (after entering the username esilva):
"The user name is not valid or is not eligible to use this feature"


Is it possible to configure SSPR for multiple user accounts?

TIA

Re: SSPR 4.1 and IDM4.6 , person with two user accounts

Same response as in engine/drivers forum:

I haven't checked the very latest version, but there is an "LDAP Duplicate
Mode" you can set that, by default, fails to allow login when there are
duplicates. You can change this to either try the first profile of many
(meaning you avoid having duplicates in any single profile) or else you
can tell the system to use the first match found anywhere, which is
usually not a great idea.

To make this work best, either set up a profile that only matches one value
of a username at a time, or else use different SSPR instances.

There is also an option to let a user see a context and profile, so maybe
that will let the user choose one of many and then login as that one.
"User Selectable LDAP Context/Profile" is what you are after in that case.
Give it a shot and see if that helps.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: SSPR 4.1 and IDM4.6 , person with two user accounts

On 3/29/17 2:56 PM, esilva wrote:
>
> Hi,
>
> My customer has IDM 4.6 with eDir 9.2 HF2, Identity Applications and
> SSPR 4.1.
>
> Their tree has multiple OUs and one person can have multiple user
> accounts in different OUs.
>
>
> For example:
>
> cn=esilva,ou=newyork,ou=users,o=data
> cn=esilva,ou=losangeles,ou=users,o=data
> cn=esilva,ou=miami,ou=users,o=data
>
> The three user accounts have a secret response registered.
>
> But when the person wants to use SSPR with the "Can't sign in?"
> Forgotten Password option, the following message appears (after entering
> the username esilva):
> "The user name is not valid or is not eligible to use this feature"
>
>
>
> Is it possible to configure SSPR for multiple user accounts?
>
> TIA
>
>

Greetings,
As a side note, in the configuration area for OSP in configupdate
one specifies the secondary attribute to use in the above case during
login. By default the attribute is email. Which means, during the
login, if we find more than one (1) esilva during the login the user
will be prompted to provide their secondary login attribute. Which
again by default will be email address. If email is not the attribute
you want OSP to utilize then please adjust this in configupdate.


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
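
The duplicate-handling choices from the first reply and the secondary-attribute prompt described in this one, modelled as an added example that is not part of any post and is not SSPR or OSP code. The mode names, the profile layout and the mail addresses are made up for the sketch; only the three DNs come from the thread.

```python
from dataclasses import dataclass

class AmbiguousUser(Exception):
    """The lookup did not yield exactly one entry and the policy refuses to guess."""

@dataclass(frozen=True)
class Entry:
    dn: str
    cn: str
    mail: str

# Constructed directory: each profile is an ordered search scope (assumed layout).
PROFILES = {
    "newyork": [Entry("cn=esilva,ou=newyork,ou=users,o=data", "esilva", "es@ny.example")],
    "other": [
        Entry("cn=esilva,ou=losangeles,ou=users,o=data", "esilva", "es@la.example"),
        Entry("cn=esilva,ou=miami,ou=users,o=data", "esilva", "es@mia.example"),
    ],
}

def matches(profile, cn):
    return [e for e in PROFILES[profile] if e.cn == cn]

def resolve(cn, mode, order=("newyork", "other")):
    """Return the DN a reset would act on, or raise. Mode names are labels for this sketch."""
    hits = [e for p in order for e in matches(p, cn)]
    if not hits:
        raise LookupError(cn)
    if mode == "fail_on_duplicate":   # the default behaviour described in the first reply
        if len(hits) > 1:
            raise AmbiguousUser(cn)
        return hits[0].dn
    if mode == "first_profile":       # first profile with a hit wins, but must be unique
        first = next(m for p in order if (m := matches(p, cn)))
        if len(first) > 1:
            raise AmbiguousUser(cn)
        return first[0].dn
    if mode == "first_match":         # silently acts on whichever entry is found first
        return hits[0].dn
    raise ValueError(mode)

def resolve_with_secondary(cn, mail):
    """Disambiguate duplicates with a second attribute (mail, as in the OSP default)."""
    hits = [e for p in PROFILES for e in matches(p, cn) if e.mail == mail]
    if len(hits) != 1:                # zero or several hits: refuse rather than guess
        raise AmbiguousUser(cn)
    return hits[0].dn
```

With "first_match" the account that gets reset depends only on search order, which is why the first reply calls it usually not a great idea.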

Re: SSPR 4.1 and IDM4.6 , person with two user accounts

On 3/30/2017 6:03 AM, Steven Williams wrote:
> On 3/29/17 2:56 PM, esilva wrote:
>>
>> Hi,
>>
>> My customer has IDM 4.6 with eDir 9.2 HF2, Identity Applications and
>> SSPR 4.1.
>>
>> Their tree has multiple OUs and one person can have multiple user
>> accounts in different OUs.
>>
>>
>> For example:
>>
>> cn=esilva,ou=newyork,ou=users,o=data
>> cn=esilva,ou=losangeles,ou=users,o=data
>> cn=esilva,ou=miami,ou=users,o=data
>>
>> The three user accounts have a secret response registered.
>>
>> But when the person wants to use SSPR with the "Can't sign in?"
>> Forgotten Password option, the following message appears (after entering
>> the username esilva):
>> "The user name is not valid or is not eligible to use this feature"
>>
>>
>>
>> Is it possible to configure SSPR for multiple user accounts?
>>
>> TIA
>>
>>

> Greetings,
> As a side note, in the configuration area for OSP in configupdate one
> specifies the secondary attribute to use in the above case during
> login. By default the attribute is email. Which means, during the
> login, if we find more than one (1) esilva during the login the user
> will be prompted to provide their secondary login attribute. Which
> again by default will be email address. If email is not the attribute
> you want OSP to utilize then please adjust this in configupdate.


This is OSP offering this service, not SSPR right? And then the authed
user's LDAP info is passed by OSP to SSPR properly? Neato!



Re: SSPR 4.1 and IDM4.6 , person with two user accounts

On 3/30/17 10:07 AM, Geoffrey Carman wrote:
> On 3/30/2017 6:03 AM, Steven Williams wrote:
>> On 3/29/17 2:56 PM, esilva wrote:
>>>
>>> Hi,
>>>
>>> My customer has IDM 4.6 with eDir 9.2 HF2, Identity Applications and
>>> SSPR 4.1.
>>>
>>> Their tree has multiple OUs and one person can have multiple user
>>> accounts in different OUs.
>>>
>>>
>>> For example:
>>>
>>> cn=esilva,ou=newyork,ou=users,o=data
>>> cn=esilva,ou=losangeles,ou=users,o=data
>>> cn=esilva,ou=miami,ou=users,o=data
>>>
>>> The three user accounts have a secret response registered.
>>>
>>> But when the person wants to use SSPR with the "Can't sign in?"
>>> Forgotten Password option, the following message appears (after entering
>>> the username esilva):
>>> "The user name is not valid or is not eligible to use this feature"
>>>
>>>
>>>
>>> Is it possible to configure SSPR for multiple user accounts?
>>>
>>> TIA
>>>
>>>

>> Greetings,
>> As a side note, in the configuration area for OSP in configupdate one
>> specifies the secondary attribute to use in the above case during
>> login. By default the attribute is email. Which means, during the
>> login, if we find more than one (1) esilva during the login the user
>> will be prompted to provide their secondary login attribute. Which
>> again by default will be email address. If email is not the attribute
>> you want OSP to utilize then please adjust this in configupdate.

>
> This is OSP offering this service, not SSPR right? And then the authed
> user's LDAP info is passed by OSP to SSPR properly? Neato!
>
>

Greetings Geoffrey,
Yes, during a login process and that application "X" is configured
to use OSP.
For the forgot password process, that is entirely up to how SSPR is
configured.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus