This section describes each sample user page provided with Service Provider. The features listed for each page, such as the page processor class and the view handler, are described in Chapter 7, Implementing Custom User Pages.
The login page is the entry into the Service Provider User Interface. The password is validated against the password in the LDAP directory. An error is displayed if the user cannot be found in the directory or if the password is invalid.
Authentication occurs through the com.sun.idm.idmx.web.AuthFilter servlet filter. To change the filter or its initialization parameters, modify the $WSHOME/WEB-INF/web.xml file. See Configuring the Filter for more details.
If the Service Provider Account Policy has been configured to lock out an account when the user does not log in successfully within a specified number of attempts, the user is redirected to another page that states the account is locked. In addition, Service Provider sends the user an email stating that the account is locked.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | LoginForm
View Handler | IDMXNoopViewer
Forms | Service Provider End-User Login
Email template | Service Provider End-User Profile Locked
Configuration object attributes | Not applicable
Audit event | Not applicable
The Login page provides a link to a registration page that allows prospective users to enroll for the service. The default registration pages implement the following logic:
The user is prompted to provide application- or business-specific information that validates the user's relationship with the service provider. This information does not include the enrollment information required by Service Provider. In the sample user pages, the user is prompted for the first name, last name, and email address fields to verify this relationship. The SPE Sample Users configuration object lists all the values that are accepted on this page.
This validation step can be skipped if the enrollment.validation.enabled configuration setting is set to false.
The user provides the requested information and is validated as having an existing business relationship.
The user is prompted to provide the required profile enrollment information, including the username, password, and home phone number. Fields shared by the validation page and the enrollment page are filled in automatically. If the Service Provider Account Policy is also configured, the user must also complete the authentication challenge questions. If the enrollment.privacypolicy option is enabled, the privacy policy is also displayed and must be accepted before the registration can be completed. (The text of the privacy policy is defined in the IDMXMessages.properties file.)
The system displays a message indicating that a new profile has been created and that an email has been sent to the provided notification address.
The user is then redirected to the login page.
The following table summarizes the structure of this page.
A user accesses the Forgot Username page to retrieve his or her login ID. The user must supply the telephone number stored in the telephoneNumber attribute in the directory and a valid email address. The login ID is sent to the specified email address; it is never displayed on the page.
The following table summarizes the structure of this page.
Failure occurs if an account cannot be found with the specified telephone number and email address, or if multiple accounts are found with the given information.
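The lookup described above, as an added illustration that is not Service Provider's own code: the caller-supplied telephone number and email address are escaped per RFC 4515 before they are placed in an LDAP search filter (so that a `*` or `)` typed into the form cannot rewrite the filter), and the result is accepted only if exactly one entry matches. The directory entries are constructed sample data, and the in-memory comparison stands in for the server evaluating the filter.

```python
"""Forgot Username lookup: escape the user-supplied values for an LDAP
search filter (RFC 4515) and require exactly one matching entry.
Added illustration; not Service Provider's own code."""

# Constructed sample entries standing in for the LDAP directory.  The third
# entry deliberately repeats the second's contact details to exercise the
# "multiple accounts found" failure the page describes.
SAMPLE_DIRECTORY = [
    {"uid": "jdoe",    "telephoneNumber": "+1 555 0100", "mail": "jdoe@example.com"},
    {"uid": "asmith",  "telephoneNumber": "+1 555 0101", "mail": "asmith@example.com"},
    {"uid": "asmith2", "telephoneNumber": "+1 555 0101", "mail": "asmith@example.com"},
]

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value; otherwise "*" or ")" from the form can change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(phone: str, email: str) -> str:
    """The filter the page would hand to the directory; both values escaped."""
    return "(&(telephoneNumber=%s)(mail=%s))" % (
        escape_filter_value(phone), escape_filter_value(email))


def lookup_login_id(phone: str, email: str, directory=SAMPLE_DIRECTORY) -> tuple:
    """Return ("ok", uid) when exactly one entry matches, else ("error", reason).
    The comparison simulates the server evaluating build_search_filter();
    mail is compared case-insensitively as LDAP's caseIgnoreMatch would."""
    matches = [e for e in directory
               if e["telephoneNumber"] == phone.strip()
               and e["mail"].casefold() == email.strip().casefold()]
    if not matches:
        return "error", "not_found"
    if len(matches) > 1:
        return "error", "ambiguous"
    return "ok", matches[0]["uid"]


def forgot_username(phone: str, email: str, directory=SAMPLE_DIRECTORY) -> dict:
    """Outcome of submitting the form.  The login ID goes only into the email
    sent to the supplied address; the page itself shows one generic message
    for every failure so the form cannot be used to enumerate accounts."""
    status, detail = lookup_login_id(phone, email, directory)
    if status != "ok":
        # Record the specific reason server-side; show the user a generic message.
        return {"page_message": "We could not process your request.", "reason": detail}
    return {"page_message": "Your login ID has been sent to your email address.",
            "email": {"to": email.strip(), "body": "Your login ID is: " + detail}}


if __name__ == "__main__":
    print(build_search_filter("*)(uid=*", "x@example.com"))   # wildcard neutralised
    print(forgot_username("+1 555 0100", "JDoe@example.com"))
    print(forgot_username("+1 555 0101", "asmith@example.com"))  # ambiguous
```

The generic failure message is a deliberate choice: distinguishing "not found" from "ambiguous" in the browser would tell an attacker which telephone-number and email pairs exist in the directory.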
The form can also use the auditEventType form property to instruct the viewer about which type of audit event to log.
A user selects the Forgot password? link on the login page to display a page similar to the Forgot Username page. The user must first supply the telephone number stored in the telephoneNumber attribute in the directory and a valid email address. Next, the user is prompted to answer the authentication questions.
If the user has not previously answered their authentication questions or if authentication questions are not configured, an error is displayed. If the correct answers are given to the authentication questions, either a password is generated and emailed to the user, or the user is redirected to a page allowing them to reset their password. The password attribute in the SPEUserPages configuration object determines which action the system takes.
If configured in the Service Provider Account Policy, the account can be locked after a specified number of failed attempts to answer challenge questions.
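The challenge-answer step described above, as an added illustration that is not Service Provider's own code. It shows the error when no answers are on file, the check of every answer against a salted hash in constant time, the two configured outcomes (a generated password that is only ever emailed, or a redirect to a reset page), and the Account Policy lockout after repeated wrong answers. The same counter-and-lock pattern is what the login page's lockout relies on. The attribute values `generate` and `reset`, the reset-page path, the lockout threshold, and the account data are assumptions made for the example.

```python
"""Forgot Password: verify challenge answers, apply the configured outcome,
and lock the account after repeated failures.  Added illustration; not
Service Provider's own code."""
import hashlib
import hmac
import os
import secrets
import unicodedata

MAX_FAILED_ANSWERS = 3      # assumed Account Policy lockout threshold
PBKDF2_ROUNDS = 50_000


def normalize_answer(answer: str) -> str:
    """Users rarely retype an answer byte-for-byte; normalise before hashing."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Minimal stand-in for a directory entry plus its lockout state."""

    def __init__(self, uid: str, email: str, answers: dict):
        self.uid, self.email = uid, email
        self.failed_answers = 0
        self.locked = False
        self.answers = {}               # question -> (salt, hash); never clear text
        for question, answer in answers.items():
            salt = os.urandom(16)
            self.answers[question] = (salt, hash_answer(answer, salt))


def verify_answers(account: Account, given: dict) -> bool:
    """All configured questions must be answered correctly.  Every answer is
    checked (no early exit) and compared in constant time."""
    if not account.answers:
        raise ValueError("no challenge answers on file for this account")
    all_correct = True
    for question, (salt, digest) in account.answers.items():
        candidate = hash_answer(given.get(question, ""), salt)
        all_correct &= hmac.compare_digest(candidate, digest)
    if all_correct:
        account.failed_answers = 0
        return True
    account.failed_answers += 1
    if account.failed_answers >= MAX_FAILED_ANSWERS:
        account.locked = True            # Account Policy lockout
    return False


def forgot_password(account: Account, given: dict, password_mode: str) -> dict:
    """password_mode plays the role of the SPEUserPages 'password' attribute
    (values "generate" and "reset" are assumed for this example)."""
    if account.locked:
        return {"status": "locked"}
    try:
        ok = verify_answers(account, given)
    except ValueError as exc:
        return {"status": "error", "message": str(exc)}
    if not ok:
        return {"status": "locked" if account.locked else "incorrect"}
    if password_mode == "generate":
        new_password = secrets.token_urlsafe(12)
        # Only the email carries the new password; the page shows nothing of it.
        return {"status": "emailed", "to": account.email, "password": new_password}
    return {"status": "redirect", "location": "/spe/user/ResetPassword.do"}  # assumed path


if __name__ == "__main__":
    acct = Account("jdoe", "jdoe@example.com",
                   {"pet": "Rex", "city": "Lisbon"})       # constructed sample data
    print(forgot_password(acct, {"pet": " rex ", "city": "LISBON"}, "reset"))
    for _ in range(MAX_FAILED_ANSWERS):
        print(forgot_password(acct, {"pet": "wrong", "city": "Lisbon"}, "generate"))
```

Two points a practitioner should carry over: the lockout counter is reset only on a fully correct set of answers, so an attacker cannot probe one question at a time, and the generated password is returned only in the message bound for the stored notification address, never to the browser.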
The following table summarizes the structure of this page.
The form can also use the auditEventType form property to instruct the viewer about which type of audit event to log.
Clicking the My Profile tab in the navigation bar takes the user to a form that allows the user to change his or her LDAP directory password. The user is prompted to enter the current password, the new password, and a confirmation of the new password.
If the current password is valid, the new password matches its confirmation and also passes the password policy defined for the LDAP resource, then the user’s password is modified to the new value. A notification email message is sent to the user’s notification address, and an audit event indicating that the user has been updated is generated.
If any of the validations fail, error messages are displayed so the user can correct the form entry and resubmit.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | ChangePasswordForm
View Handler | IDMXUser
Forms | Service Provider End-User Change Password
Email template | Service Provider End-User Change Password
Configuration object attributes | notification.passwordchange
Audit event | Update
This page allows the user to change his or her user name in Service Provider. The provided form makes the following checks on the new user name:
Checks whether the new user name is already in use.
If an account ID policy is in use, checks that the user name meets the policy requirements.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | ChangeUserIdForm
View Handler | IDMXUser
Forms | Service Provider End-User Change UserId
Email template | Service Provider End-User Change User Id
Configuration object attributes | notification.useridchange
Audit event | Update
A user's notification address is the email address stored in the LDAP directory. The form associated with this action allows the user to change the email address to which notifications are sent.
The only way to truly validate an email address is to send a message to it and confirm that it was received. That is usually impractical in a form, so the most a form can do is verify that the proposed address has a valid format. In the sample page, the address is considered valid if it contains an "@" character; this is a purely syntactic check and does not confirm that the mailbox exists or belongs to the user. If the new address is not valid, an error is displayed in the form so the user can correct the address and resubmit.
If the new address is valid, the user’s email address is changed and an update user audit event is generated. In addition, an email message is sent to the old address indicating it will no longer be used for notifications and another message is sent to the new address indicating it will be used for future notification messages.
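The change-of-address flow described above, as an added illustration that is not Service Provider's own code. It places the sample page's "contains @" test beside a stricter (still purely syntactic) check, and returns the updated record, the two notification messages, and the update audit event rather than sending anything. The account record and message texts are constructed for the example.

```python
"""Change Notifications address: syntactic validation, dual notification
and audit event.  Added illustration; not Service Provider's own code."""
import re

# Stricter than the sample page's "@" test: exactly one "@", a non-empty
# local part, a dotted domain, no whitespace.  Still syntactic only; it
# cannot prove the mailbox exists or that it belongs to this user.
_ADDRESS_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def sample_page_is_valid(address: str) -> bool:
    """The check the sample user page performs."""
    return "@" in address


def is_plausible_address(address: str) -> bool:
    """The stricter check used by this example."""
    return len(address) <= 254 and _ADDRESS_RE.match(address) is not None


def change_notification_address(account: dict, new_address: str) -> dict:
    """Returns either a form error or the updated account, the messages to
    send and the audit event.  The message to the old address is the user's
    only warning if someone else changed the address from a hijacked session,
    so it must go out even though that address is about to stop being used."""
    new_address = new_address.strip()
    if not is_plausible_address(new_address):
        return {"error": "The email address is not valid. Please correct it and resubmit."}
    old_address = account["mail"]
    updated = dict(account, mail=new_address)          # the record is not mutated in place
    messages = [
        {"to": old_address, "subject": "Notification address changed",
         "body": "This address will no longer be used for notifications."},
        {"to": new_address, "subject": "Notification address changed",
         "body": "This address will be used for future notification messages."},
    ]
    audit = {"event": "Update", "subject": account["uid"],
             "attribute": "mail", "old": old_address, "new": new_address}
    return {"account": updated, "messages": messages, "audit": audit}


if __name__ == "__main__":
    acct = {"uid": "jdoe", "mail": "old@example.com"}   # constructed sample record
    print(sample_page_is_valid("@"), is_plausible_address("@"))
    print(change_notification_address(acct, " new@example.org "))
```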
The following table summarizes the structure of this page.
The Change Challenge Question Answers page allows the user to edit the answers to challenge questions that were specified during enrollment.
An error message is returned if the answers do not meet requirements of the Answer Quality policy.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | ChangeNotificationsForm
View Handler | IDMXUser
Form | Service Provider End-User Change Notifications
Email template | Service Provider End-User Update Authentication Answers
Configuration object attributes | notification.questionchange
Audit event | updateAuthenticationAnswers
Clicking the Logout button in the masthead sends the user to an action called /spe/user/LogoutSubmit.do. The class associated with this action is com.sun.idm.idmx.web.LogoutAction. This class invalidates the user's HttpSession. The "success" forward defined for this action takes the user to the login page.