Sun Identity Manager Service Provider 8.1 Deployment

Chapter 6 Service Provider User Interface

The bundled sample end-user pages demonstrate the features of Service Provider by providing examples for registration and self-service typical in extranet service provider environments. Since the samples have been developed with extensibility and customization in mind, typical tasks such as changing the look and feel, modifying navigation rules between pages, or displaying locale-specific messages are straightforward to perform.

In addition to auditing self-service and registration events, the samples can notify the affected user by e-mail using e-mail templates. Examples of using account ID and password policies, as well as account lockout, are also provided. Developers can also implement Identity Manager forms. The modular authentication service, implemented as a servlet filter, can be extended or replaced if necessary, which allows integration with access management systems such as Sun Java System Access Manager.

Initial Configuration for the Sample User Pages

    To demonstrate the features of the sample user pages, you need to execute the following configuration steps after the initial setup and configuration of Identity Manager has been completed:

  1. Set up the sample Service Provider resource.

  2. Set up the Service Provider authentication policy.

  3. Configure mail notification settings.

  4. Review the sample users.


    Note –

    Perform all initial configuration from the Identity Manager Administrator Interface. Refer to the Business Administrator's Guide for detailed information about configuring this product.


Sample Service Provider Resource

The Identity Manager installation process creates a sample LDAP resource named Service Provider End-User Directory. The schema map defines all the account attributes required for the user pages.

However, you must update the Resource Parameters to specify the host name, user DN, password, and other parameters required to connect to an LDAP directory server. This resource can serve as both the configuration resource and the end-user resource for Service Provider.

The resource is defined in the $WSHOME/sample/speEndUserResource.xml file.

Sample Service Provider Policy

The installation process also creates a policy named Service Provider Policy. This policy uses the default Identity Manager account and password policies but provides the following customized secondary authentication policy options:

The Service Provider Policy is defined in the $WSHOME/sample/spePolicy.xml file.

Mail Notification Settings

By default, most of the sample pages are configured to send an email when the task demonstrated on the page completes. To turn notification off, edit the notification section of the SPEUserPages configuration object; it lets you enable or disable email notification for each page individually. See Configuring the Filter for more details.

Make sure that you configure the SMTP server. To do this, click Configure, then Servers and navigate to the Email Template tab for the SMTP server.

Sample Users

The SPE Sample Users configuration object provides several sample users. These users are required for the registration pages to function, because the sample pages are set up so that a registering user must verify his or her relationship with the provider.

The sample registration pages work out of the box with the provided sample users. The registration page requires the email, firstName, and lastName values entered by the user to match those of a sample user before the user can advance to the validation page. Use the debug pages to view the attributes of these sample users.

Sample User Pages Overview

This section describes each sample user page provided with Service Provider. The features, such as page processor class and view handler, are discussed in Chapter 7, Implementing Custom User Pages.

Login Page

The login page is the entry point to the Service Provider User Interface. The password is validated against the password stored in the LDAP directory. An error is displayed if the user cannot be found in the directory or if the password is invalid; show the same message in both cases so that the login form cannot be used to enumerate valid login IDs.

Authentication occurs through the com.sun.idm.idmx.web.AuthFilter servlet filter. To change the filter or its initialization parameters, modify the $WSHOME/WEB-INF/web.xml file. See Configuring the Filter for more details.

If the Service Provider Account Policy has been configured to lock out an account after a specified number of unsuccessful login attempts, the user is redirected to a page stating that the account is locked. In addition, Service Provider sends the user an email stating that the account is locked.

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Class             LoginForm
View Handler                     IDMXNoopViewer
Forms                            Service Provider End-User Login
Email template                   Service Provider End-User Profile Locked
Configuration object attributes  Not applicable
Audit event                      Not applicable

Registration Page

The Login page provides a link to a registration page that allows prospective users to enroll for the service. The default registration pages implement the following logic:

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Class             EnrollmentForm
View Handler                     IDMXUser
Forms                            Service Provider Enrollment Main Form
                                 Service Provider Enrollment Validation Form
                                 Service Provider Enrollment Form
                                 Service Provider End-User Forms Library
Email template                   Service Provider End-User Registration Template
Configuration object attributes  enrollment.validation.enabled
                                 enrollment.privacypolicy
                                 notification.registration
Audit event                      Create

Forgot Username Page

A user accesses the Forgot Username page to retrieve his or her login ID. The user must supply the telephone number stored in the telephoneNumber attribute in the directory and a valid email address. The login ID is sent to the specified email address.

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Class             ForgotUsernameForm
View Handler                     IDMXLookupUsernameViewer
Forms                            Service Provider End-User Forgot Username
Email template                   Service Provider End-User Username Recovery
Configuration object attributes  lookup-attributes.name
                                 lookup-attributes.title
                                 lookup-attributes.required
                                 notification.recovery
Audit event                      usernameRecovery

The lookup fails if no account matches the specified telephone number and email address, or if more than one account matches. Both cases should produce the same error message, so that the page does not confirm which attribute combinations exist in the directory.

The form can also use the “auditEventType” form property to instruct the viewer about which type of audit event to log.
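The lookup behind the Forgot Username page and the registration validation step (matching the entered email, firstName and lastName against a sample user) is the same operation: build a search filter from user-supplied lookup attributes and accept only an unambiguous hit. The following Python model is an added example written for this page; it is not Identity Manager code, and the sample entries, the dict form of the lookup-attributes.name/.title/.required settings, the audit record layout and the "enrollmentValidation" event name are all constructed here. It applies the exactly-one-match rule to both flows (the page states it for username recovery), and it escapes filter values per RFC 4515 before they reach the directory, because an unescaped "*" in the telephone number field would otherwise turn `(telephoneNumber=*)` into a match-anything clause:

```python
from typing import Dict, List

# Constructed stand-ins for the SPE Sample Users (not the shipped data). The
# attribute names follow the page: email, firstName, lastName, telephoneNumber;
# uid is the login ID that the Forgot Username page mails back.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"uid": "jdoe", "email": "jdoe@example.com", "firstName": "John",
     "lastName": "Doe", "telephoneNumber": "555-0100"},
    {"uid": "asmith", "email": "asmith@example.com", "firstName": "Ann",
     "lastName": "Smith", "telephoneNumber": "555-0101"},
    # Deliberate duplicate: same phone, email and name as asmith.
    {"uid": "asmith2", "email": "asmith@example.com", "firstName": "Ann",
     "lastName": "Smith", "telephoneNumber": "555-0101"},
]

# Lookup attribute sets in the shape of the lookup-attributes.name / .title /
# .required configuration attributes (this dict representation is an assumption).
USERNAME_LOOKUP = [
    {"name": "telephoneNumber", "title": "Telephone number", "required": True},
    {"name": "email", "title": "Email address", "required": True},
]
REGISTRATION_LOOKUP = [
    {"name": "email", "title": "Email address", "required": True},
    {"name": "firstName", "title": "First name", "required": True},
    {"name": "lastName", "title": "Last name", "required": True},
]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so user input cannot change the
    structure of the search filter (LDAP filter injection): '*' becomes \\2a,
    '(' \\28, ')' \\29, backslash \\5c and NUL \\00."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(lookup_attrs: List[dict], supplied: Dict[str, str]) -> str:
    """Build the search filter the directory would receive for this lookup.
    Raises ValueError when a required lookup attribute was left empty."""
    clauses = []
    for attr in lookup_attrs:
        value = (supplied.get(attr["name"]) or "").strip()
        if not value:
            if attr["required"]:
                raise ValueError("%s is required" % attr["title"])
            continue
        clauses.append("(%s=%s)" % (attr["name"], escape_filter_value(value)))
    if not clauses:
        raise ValueError("no lookup attributes supplied")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def lookup_user(entries, lookup_attrs, supplied, audit_event_type="usernameRecovery"):
    """Evaluate the lookup offline against the constructed entries (a real
    deployment sends build_filter()'s output to the directory). Exactly one
    match succeeds; zero or several matches fail with one generic reason, so
    the response does not reveal which of the two occurred.
    Returns (matched_entry_or_None, audit_record)."""
    try:
        filt = build_filter(lookup_attrs, supplied)
    except ValueError as err:
        return None, {"event": audit_event_type, "result": "failure",
                      "reason": str(err)}
    wanted = {a["name"]: (supplied.get(a["name"]) or "").strip().casefold()
              for a in lookup_attrs if (supplied.get(a["name"]) or "").strip()}
    matches = [e for e in entries
               if all(e.get(k, "").casefold() == v for k, v in wanted.items())]
    if len(matches) == 1:
        return matches[0], {"event": audit_event_type, "result": "success",
                            "filter": filt}
    return None, {"event": audit_event_type, "result": "failure",
                  "reason": "no unique account matched", "filter": filt}


def recover_username(supplied: Dict[str, str]):
    """Forgot Username page: return the message to send and the audit record.
    The login ID goes only to the address that matched in the directory."""
    entry, audit = lookup_user(SAMPLE_USERS, USERNAME_LOOKUP, supplied)
    if entry is None:
        return None, audit
    return {"to": entry["email"], "body": "Your login ID is %s" % entry["uid"]}, audit


def validate_registration(supplied: Dict[str, str]) -> bool:
    """Registration validation step: the prospective user must match one
    existing record on email, firstName and lastName before advancing."""
    # "enrollmentValidation" is a hypothetical audit event name for this step.
    entry, _ = lookup_user(SAMPLE_USERS, REGISTRATION_LOOKUP, supplied,
                           audit_event_type="enrollmentValidation")
    return entry is not None


if __name__ == "__main__":
    print(build_filter(USERNAME_LOOKUP,
                       {"telephoneNumber": "*", "email": "x@example.com"}))
    print(recover_username({"telephoneNumber": "555-0100",
                            "email": "jdoe@example.com"}))
```

Matching is case-insensitive here to mirror the caseIgnore matching rules directory servers normally apply to mail and name attributes; whether your schema does the same is a deployment-specific check. Note that the failure reason is identical for "no match" and "two matches", and that the email the login ID is sent to is the directory value, which the lookup has just shown equals what the requester typed.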

Forgot Password Page

A user selects the Forgot password? link on the login page to display a page similar to the Forgot Username page. The user must first supply the telephone number stored in the telephoneNumber attribute in the directory and a valid email address. Next, the user is prompted to provide answers to authentication questions.

If the user has not previously answered their authentication questions, or if authentication questions are not configured, an error is displayed. If the correct answers are given, either a password is generated and emailed to the user, or the user is redirected to a page that allows them to reset their password. The password.reset-mode attribute in the SPEUserPages configuration object determines which action the system takes.

If configured in the Service Provider Account Policy, the account can be locked after a specified number of failed attempts to answer challenge questions.
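The challenge step above combines three behaviours worth seeing together: the error when no answers are on file, the two outcomes selected by password.reset-mode, and the lockout after a configured number of failed attempts (the same counter-and-lock pattern the Login page applies to failed passwords). The following Python model is an added example written for this page, not Identity Manager's implementation. The threshold of 3, the PBKDF2 storage of answers, the "generate"/"redirect" value names for password.reset-mode, and the one-time reset token are assumptions made here:

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Tuple

LOCKOUT_THRESHOLD = 3        # assumed failed-attempt limit from the account policy
PBKDF2_ITERATIONS = 100_000  # assumed; answers are low-entropy, so stretch them


@dataclass
class Account:
    uid: str
    email: str
    # question -> (salt, derived key); answers are never stored in clear.
    answers: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    failed_challenges: int = 0
    locked: bool = False
    reset_token: str = ""


def _derive(salt: bytes, answer: str) -> bytes:
    # Normalise case and internal whitespace so " Rover" matches "rover".
    norm = " ".join(answer.split()).casefold()
    return hashlib.pbkdf2_hmac("sha256", norm.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_answers(acct: Account, question_answers: Dict[str, str]) -> None:
    """Store the user's answers (enrollment, or the Change Challenge Question
    Answers page), each under its own random salt."""
    for question, answer in question_answers.items():
        salt = os.urandom(16)
        acct.answers[question] = (salt, _derive(salt, answer))


def generate_password(length: int = 12) -> str:
    """Random password with at least one lower, upper, digit and symbol."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def _audit(result: str, reason: str = "") -> dict:
    rec = {"event": "challengeResponse", "result": result}
    if reason:
        rec["reason"] = reason
    return rec


def forgot_password_challenge(acct: Account, supplied: Dict[str, str], reset_mode: str,
                              threshold: int = LOCKOUT_THRESHOLD):
    """Second step of the Forgot Password page. Returns (outcome, detail, audit):
    'error'    -> no questions configured / never answered
    'locked'   -> account is locked (already, or by this failure)
    'retry'    -> wrong answers, attempts remain
    'emailed'  -> detail is {'to', 'password'} (reset_mode 'generate')
    'redirect' -> detail is a one-time reset token (reset_mode 'redirect')
    The reset_mode values are assumed names for password.reset-mode."""
    if acct.locked:
        return "locked", None, _audit("failure", "account locked")
    if not acct.answers:
        return "error", "authentication questions not configured or not answered", \
            _audit("failure", "no answers on file")
    # Check every question with no early exit, comparing each digest in constant
    # time, so response timing does not reveal which answer was wrong.
    results = [hmac.compare_digest(stored, _derive(salt, supplied.get(q, "")))
               for q, (salt, stored) in acct.answers.items()]
    if not all(results):
        acct.failed_challenges += 1
        if acct.failed_challenges >= threshold:
            acct.locked = True
            return "locked", None, _audit("failure", "lockout threshold reached")
        return "retry", "one or more answers are incorrect", _audit("failure")
    acct.failed_challenges = 0
    if reset_mode == "generate":
        return "emailed", {"to": acct.email, "password": generate_password()}, _audit("success")
    if reset_mode == "redirect":
        acct.reset_token = secrets.token_urlsafe(32)   # single use; bind it to this session
        return "redirect", acct.reset_token, _audit("success")
    raise ValueError("unknown password.reset-mode: %r" % reset_mode)
```

Two points carry over to a real deployment: a correct set of answers must not be honoured once the account is locked (the page says the lock applies after failed challenge attempts, and the code checks the lock before anything else), and the audit record is written on success and on failure, matching the challengeResponse event listed in the table that follows.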

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Classes           ForgotPasswordForm
                                 UserQuestionForm
View Handlers                    IDMXLookupUsernameViewer
                                 IDMXUserQuestionViewer
Forms                            Service Provider End-User Forgot Password
                                 Service Provider End-User Reset Password
Email template                   Service Provider End-User Reset Password
Configuration object attributes  lookup-attributes.name
                                 lookup-attributes.title
                                 lookup-attributes.required
                                 notification.passwordreset
                                 password.reset-mode
Audit event                      challengeResponse (for success and failure)

The form can also use the “auditEventType” form property to instruct the viewer about which type of audit event to log.

Change Password Page

Clicking the My Profile tab in the navigation bar takes the user to a form that allows the user to change his or her LDAP directory password. The user is prompted to enter the current password, the new password, and a confirmation of the new password.

If the current password is valid, the new password matches its confirmation and also passes the password policy defined for the LDAP resource, then the user’s password is modified to the new value. A notification email message is sent to the user’s notification address, and an audit event indicating that the user has been updated is generated.

If any of the validations fail, error messages are displayed so the user can correct the form entry and resubmit.

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Class             ChangePasswordForm
View Handler                     IDMXUser
Forms                            Service Provider End-User Change Password
Email template                   Service Provider End-User Change Password
Configuration object attributes  notification.passwordchange
Audit event                      Update

Change Username Page

This page allows the user to change his or her user name in Service Provider. The provided form makes the following checks on the new user name:

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Class             ChangeUserIdForm
View Handler                     IDMXUser
Forms                            Service Provider End-User Change UserId
Email template                   Service Provider End-User Change User Id
Configuration object attributes  notification.useridchange
Audit event                      Update

Change Notifications Page

A user’s notifications address is the email address defined in the LDAP directory. The form associated with this action allows the user to change the email address where she receives notifications.

The only way to truly validate an email address is to send a message to it and verify that it was received. That is usually impractical in a form, so the best a form can do is verify that the suggested address has a valid format. In this sample, an address is considered valid if it contains an "@" character; a production deployment should apply a stricter syntactic check (at minimum rejecting whitespace and control characters), because the stored value is later used as a mail recipient. If the new address is not valid, an error is displayed in the form allowing the user to correct the address and resubmit.

If the new address is valid, the user’s email address is changed and an update user audit event is generated. In addition, an email message is sent to the old address indicating it will no longer be used for notifications and another message is sent to the new address indicating it will be used for future notification messages.
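The following Python model is an added example written for this page, not the sample page's own code. It places the sample's "contains an @" rule beside a stricter syntactic check and runs the change flow described above: reject invalid input, update the address, queue one message to the old address and one to the new one, and record the Update audit event. The user record layout, the outbox and audit structures, and the regular expression are assumptions made here; the template names are the two listed in the table for this page:

```python
import re


def is_valid_email_loose(addr: str) -> bool:
    """The sample page's rule: any string containing "@" is accepted."""
    return "@" in addr


# Conservative syntactic check added here (not the shipped sample's rule): one
# "@", a dotted domain, no whitespace or control characters anywhere, and a
# length cap. It rejects some RFC-legal forms (quoted local parts), which is
# an acceptable trade in a self-service form.
_STRICT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_valid_email_strict(addr: str) -> bool:
    # fullmatch rather than match() + "$": "$" would still match before a
    # trailing newline, letting "user@example.com\n" through.
    return len(addr) <= 254 and _STRICT.fullmatch(addr) is not None


def change_notification_address(user: dict, new_addr: str,
                                validator=is_valid_email_strict):
    """Change Notifications page. Returns (ok, errors, outbox, audit).
    On success one message goes to the old address (it is no longer used) and
    one to the new address. The old-address message is what lets the real
    owner notice an unauthorised change, since the form only checks syntax."""
    new_addr = new_addr.strip()
    if not validator(new_addr):
        return False, ["The email address is not valid"], [], None
    old_addr = user["email"]
    if new_addr.casefold() == old_addr.casefold():
        return False, ["The new address is the same as the current one"], [], None
    user["email"] = new_addr
    outbox = [
        {"to": old_addr,
         "template": "Service Provider End-User Change Notifications Old Address"},
        {"to": new_addr,
         "template": "Service Provider End-User Change Notifications"},
    ]
    audit = {"event": "Update", "uid": user["uid"], "attribute": "email",
             "old": old_addr, "new": new_addr}
    return True, [], outbox, audit


if __name__ == "__main__":
    # Constructed input: passes the loose rule, fails the strict one.
    crafted = "jane@example.com\r\nBcc: other@example.net"
    print(is_valid_email_loose(crafted), is_valid_email_strict(crafted))
    user = {"uid": "jdoe", "email": "jdoe@example.com"}
    print(change_notification_address(user, "jane.doe@example.org"))
```

The crafted input shows why the loose rule matters: it contains an "@", so the sample would store it, and a mail layer that does not itself sanitise recipient headers would then be handed a value with an embedded line break. The strict check also fails closed on a bare host name such as `jane@localhost`, which is usually what you want for an extranet notification address.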

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Class             ChangeNotificationsForm
View Handler                     IDMXUser
Forms                            Service Provider End-User Change Notifications
Email templates                  Service Provider End-User Change Notifications
                                 Service Provider End-User Change Notifications Old Address
Configuration object attributes  notification.emailchange
Audit event                      Update

Change Challenge Question Answers Page

The Change Challenge Question Answers page allows the user to edit the answers to challenge questions that were specified during enrollment.

An error message is returned if the answers do not meet requirements of the Answer Quality policy.

The following table summarizes the structure of this page.

Feature                          Name
Page Processor Class             ChangeNotificationsForm
View Handler                     IDMXUser
Form                             Service Provider End-User Change Notifications
Email template                   Service Provider End-User Update Authentication Answers
Configuration object attributes  notification.questionchange
Audit event                      updateAuthenticationAnswers

Logout Page

Clicking the Logout button in the masthead sends the user to an action called /spe/user/LogoutSubmit.do. The class associated with this action is com.sun.idm.idmx.web.LogoutAction. This class invalidates the user's HttpSession, so a later request carrying the old session cookie is no longer treated as authenticated. The "success" forward defined for this action takes the user to the login page.