Knowledge Partner

SSPR and Oauth and eDir permissions

Silly question. When you login to SSPR direct, it does the LDAP bind as
you and ops you initiate happen under your security context.

If you have it set with IDM, OSP, and OAuth, then when you login to
SSPR, you get redirected to OSP, which logs you in to eDir to validate
your password, passes back an OAuth ticket, which SSPR accepts as proof
of your 'me-hood'.

But say you enable Update Profile or Account Info modules. When you go
to modify an attribute, SSPR wants to use your security context to write
back to eDir.

How does SSPR do the login to eDir? It has your ID but not your
password from the OAuth ticket.

Does it use the NMAS SAML method as UA does?
Micro Focus Expert

Re: SSPR and Oauth and eDir permissions

On 18.07.2017 15:18, Geoffrey Carman wrote:
> Silly question. When you login to SSPR direct, it does the LDAP bind as
> you and ops you initiate happen under your security context.
>
> If you have it set with IDM, OSP, and OAuth, then when you login to
> SSPR, you get redirected to OSP, which logs you in to eDir to validate
> your password, passes back an OAuth ticket, which SSPR accepts as proof
> of your 'me-hood'.
>
> But say you enable Update Profile or Account Info modules. When you go
> to modify an attribute, SSPR wants to use your security context to write
> back to eDir.
>
> How does SSPR do the login to eDir? It has your ID but not your
> password from the OAuth ticket.
>
> Does it use the NMAS SAML method as UA does?
No, SSPR will retrieve the user's password via NMAS. That's why you need
to assign a Universal Password Policy and set 'Allow the following to
retrieve passwords'.


--
Norbert
Knowledge Partner

Re: SSPR and Oauth and eDir permissions

On 7/19/2017 6:08 AM, Norbert Klasen wrote:
> On 18.07.2017 15:18, Geoffrey Carman wrote:
>> Silly question. When you login to SSPR direct, it does the LDAP bind as
>> you and ops you initiate happen under your security context.
>>
>> If you have it set with IDM, OSP, and OAuth, then when you login to
>> SSPR, you get redirected to OSP, which logs you in to eDir to validate
>> your password, passes back an OAuth ticket, which SSPR accepts as proof
>> of your 'me-hood'.
>>
>> But say you enable Update Profile or Account Info modules. When you go
>> to modify an attribute, SSPR wants to use your security context to write
>> back to eDir.
>>
>> How does SSPR do the login to eDir? It has your ID but not your
>> password from the OAuth ticket.
>>
>> Does it use the NMAS SAML method as UA does?
>>
>
> No, SSPR will retrieve the user's password via NMAS. That's why you need
> to assign a Universal Password Policy and set 'Allow the following to
> retrieve passwords'.


Ah yes, the old way UA used to do it. Thank you. Should have thought
of that one, appreciate it.

Micro Focus Expert

Re: SSPR and Oauth and eDir permissions

On 19.07.2017 16:35, Geoffrey Carman wrote:
> On 7/19/2017 6:08 AM, Norbert Klasen wrote:
>> On 18.07.2017 15:18, Geoffrey Carman wrote:
>>> Silly question. When you login to SSPR direct, it does the LDAP bind as
>>> you and ops you initiate happen under your security context.
>>>
>>> If you have it set with IDM, OSP, and OAuth, then when you login to
>>> SSPR, you get redirected to OSP, which logs you in to eDir to validate
>>> your password, passes back an OAuth ticket, which SSPR accepts as proof
>>> of your 'me-hood'.
>>>
>>> But say you enable Update Profile or Account Info modules. When you go
>>> to modify an attribute, SSPR wants to use your security context to write
>>> back to eDir.
>>>
>>> How does SSPR do the login to eDir? It has your ID but not your
>>> password from the OAuth ticket.
>>>
>>> Does it use the NMAS SAML method as UA does?
>>>
>>
>> No, SSPR will retrieve the user's password via NMAS. That's why you need
>> to assign a Universal Password Policy and set 'Allow the following to
>> retrieve passwords'.
>>
>
> Ah yes, the old way UA used to do it. Thank you. Should have thought
> of that one, appreciate it.


Maybe we could lobby for eDirectory supporting

RFC 7628: A Set of Simple Authentication and Security Layer (SASL)
Mechanisms for OAuth

to avoid this.

--
Norbert
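An added example, not code from this thread or from SSPR, OSP or eDirectory: what the LDAP exchange would carry if the directory supported the RFC 7628 OAUTHBEARER SASL mechanism Norbert points to. It encodes and parses the client's initial response and shows the server deciding on the bearer token alone, so no proxy account needs NMAS rights to retrieve the user's password; `introspect`, the sample token and the identities are constructed stand-ins, not OSP's real API.

```python
import re

KVSEP = "\x01"  # RFC 7628 kvsep

def build_initial_response(authzid, bearer_token, host=None, port=None):
    """Encode an OAUTHBEARER client-resp (RFC 7628 section 3.1).

    Only the bearer token travels to the server; the user's password never
    appears in the exchange."""
    header = f"n,a={authzid},"                   # GS2 header: no channel binding
    pairs = [f"host={host}"] if host else []
    if port:
        pairs.append(f"port={port}")
    pairs.append(f"auth=Bearer {bearer_token}")  # same form as an HTTP Authorization header
    return header + KVSEP + KVSEP.join(pairs) + KVSEP + KVSEP

def parse_initial_response(msg):
    """Decode a client-resp into (authzid, kvpairs); raises ValueError if malformed."""
    if not msg.endswith(KVSEP * 2):
        raise ValueError("client-resp must end with two kvsep")
    header, _, body = msg.partition(KVSEP)
    m = re.fullmatch(r"n,(?:a=([^,]+))?,", header)
    if m is None:
        raise ValueError("unsupported or malformed GS2 header")
    kv = {}
    for pair in body[:-2].split(KVSEP):       # body[:-2] drops the terminator
        key, sep, value = pair.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z]+", key):
            raise ValueError(f"malformed kvpair: {pair!r}")
        kv[key] = value
    if not kv.get("auth", "").startswith("Bearer ") or kv["auth"] == "Bearer ":
        raise ValueError("auth kvpair must carry a Bearer token")
    return m.group(1), kv

def server_accepts(msg, introspect):
    """Server side: `introspect` (token -> subject or None) stands in for the
    OAuth issuer; the token, not a password, decides whether the bind succeeds."""
    try:
        authzid, kv = parse_initial_response(msg)
    except ValueError:
        return None
    subject = introspect(kv["auth"][len("Bearer "):])
    if subject is None or (authzid and authzid != subject):
        return None
    return subject

# Constructed sample token and identity, standing in for what OSP would issue.
SAMPLE_TOKENS = {"tok-constructed-123": "alice@example.com"}
```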
Knowledge Partner

Re: SSPR and Oauth and eDir permissions

On 7/19/2017 6:08 AM, Norbert Klasen wrote:
> On 18.07.2017 15:18, Geoffrey Carman wrote:
>> Silly question. When you login to SSPR direct, it does the LDAP bind as
>> you and ops you initiate happen under your security context.
>>
>> If you have it set with IDM, OSP, and OAuth, then when you login to
>> SSPR, you get redirected to OSP, which logs you in to eDir to validate
>> your password, passes back an OAuth ticket, which SSPR accepts as proof
>> of your 'me-hood'.
>>
>> But say you enable Update Profile or Account Info modules. When you go
>> to modify an attribute, SSPR wants to use your security context to write
>> back to eDir.
>>
>> How does SSPR do the login to eDir? It has your ID but not your
>> password from the OAuth ticket.
>>
>> Does it use the NMAS SAML method as UA does?
>>
>
> No, SSPR will retrieve the user's password via NMAS. That's why you need
> to assign a Universal Password Policy and set 'Allow the following to
> retrieve passwords'.


If you have SSPR pointed at AD, how does this work then with OAuth?
