When Identity Manager and OpenSSO Enterprise are fully integrated, you can extend the end-user password reset, or forgotten password feature, to include Identity Manager. Configure challenge questions for each user account for identification purposes when a user needs to change or reset a configured password. If these questions are not answered correctly, password reset is not allowed. The following configurations will work if the user has already configured challenge questions and answers, or if the user needs to configure challenge questions and answers now.
To configure end-user password reset, complete the following steps:
The following figures illustrate the process flow for end-user password reset.
Log in to the OpenSSO Enterprise console as an administrator.
Click the Access Control tab.
Click the appropriate realm name and navigate to the Agents profile for the policy agent that protects Identity Manager.
Under the Policy Agent Profile, click the Application tab.
Add the following URIs to the Not Enforced URIs property.
/idm/authutil/
/idm/authutil/*
/idm/authutil/*?*
Click Save.
Log out of OpenSSO Enterprise.
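Added example (not part of the original page or of OpenSSO): a small model of how a policy agent matches a request URL against its Not Enforced URIs list, used to check that the three /idm/authutil/ entries above exempt only the Identity Manager password-reset pages and nothing else. It assumes that "*" matches any run of characters including "/", that the query string is part of the compared URL, and that "." and ".." segments are resolved before comparison; check the agent documentation for the exact rules of your agent version.

```javascript
// Added example: a simplified model of Not Enforced URIs matching (assumed
// semantics, not the agent's own code) used to check which requests would
// bypass the policy agent once the three /idm/authutil/ entries are added.
const NOT_ENFORCED_URIS = [
  "/idm/authutil/",
  "/idm/authutil/*",
  "/idm/authutil/*?*",
];

// Turn an agent-style pattern into an anchored regular expression.
// Assumption: '*' matches any run of characters, including '/'.
function patternToRegex(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Resolve '.' and '..' segments so that a request such as
// /idm/authutil/../user/main.jsp is judged by its real target path.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  const trailing = path.endsWith("/") && out.length > 0 ? "/" : "";
  return "/" + out.join("/") + trailing;
}

// True when the request URL (path plus optional query string) matches one of
// the not-enforced patterns and would therefore be served without a session.
function isNotEnforced(requestUrl, patterns = NOT_ENFORCED_URIS) {
  const q = requestUrl.indexOf("?");
  const path = normalizePath(q < 0 ? requestUrl : requestUrl.slice(0, q));
  const target = q < 0 ? path : path + requestUrl.slice(q);
  return patterns.some((p) => patternToRegex(p).test(target));
}

// Constructed sample requests: the password reset page must be reachable
// without a session, while the rest of Identity Manager must stay protected.
const SAMPLE_REQUESTS = [
  "/idm/authutil/questionLogin.jsp?accountId=jdoe",
  "/idm/authutil/",
  "/idm/user/main.jsp",
  "/idm/authutil/../user/main.jsp",
];
for (const url of SAMPLE_REQUESTS) {
  console.log(`${isNotEnforced(url) ? "not enforced" : "enforced    "}  ${url}`);
}
```

Only the first two sample requests should come out as not enforced; if a request outside /idm/authutil/ is exempted by your real agent configuration, the list is broader than this procedure requires.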
Configure a “Register User” button on the OpenSSO login page. You can manually change the deployed Login.jsp file, or you can use the sample Login.jsp included with the opensso.zip download. Choose only one of the following procedures:
Use a text editor to open the file web-container-deploy-base/opensso/config/auth/default/Login.jsp
Add the sections shown in this example (the replaygotoURL scriptlet, the ForgotPassword function, and the Forgot Password button); the original page highlighted them in bold:

...
<%
    String ServiceURI = (String) viewBean.getDisplayFieldValue(viewBean.SERVICE_URI);
    String encoded = "false";
    String gotoURL = (String) viewBean.getValidatedInputURL(
        request.getParameter("goto"), request.getParameter("encoded"), request);
    String encodedQueryParams = (String) viewBean.getEncodedQueryParams(request);
    if ((gotoURL != null) && (gotoURL.length() != 0)) {
        encoded = "true";
    }
    // Carry the original goto target over to the Identity Manager page so the
    // user is returned to it after the password reset.
    String replaygotoURL = "";
    String goToURL = request.getParameter("goto");
    if (gotoURL != null && !gotoURL.equals("null") && (gotoURL.length() > 0)) {
        // URL-encode the value: it becomes one query parameter of the
        // questionLogin.jsp URL and is echoed into the JavaScript below.
        replaygotoURL = "&goto=" + java.net.URLEncoder.encode(goToURL, "UTF-8");
    }
    System.out.println("replaygotoURL: " + replaygotoURL);
%>
<link rel="stylesheet" href="<%= ServiceURI %>/css/styles.css" type="text/css" />
<script language="JavaScript" src="<%= ServiceURI %>/js/browserVersion.js"></script>
<script language="JavaScript" src="<%= ServiceURI %>/js/auth.js"></script>
...
function LoginSubmit(value) {
    aggSubmit();
    var hiddenFrm = document.forms['Login'];
    if (hiddenFrm != null) {
        hiddenFrm.elements['IDButton'].value = value;
        if (this.submitted) {
            alert("The request is currently being processed");
        } else {
            this.submitted = true;
            hiddenFrm.submit();
        }
    }
}

function ForgotPassword() {
    //alert("Inside ForgotPassword");
    aggSubmit();
    var hiddenFrm = document.forms['Login'];
    if (hiddenFrm != null) {
        // elements[1] is the User Name field of the default login form.
        if (hiddenFrm.elements[1].value == "") {
            alert("Please enter User Name!");
            placeCursorOnFirstElm();
        } else {
            // Encode the user name so it is carried as a single accountId value.
            window.location = "http://HostName.DomainName.com:6480/idm/authutil/questionLogin.jsp?accountId="
                + encodeURIComponent(hiddenFrm.elements[1].value) + "<%=replaygotoURL%>";
        }
    }
}
...
<jato:content name="hasNoButton">
    <tr>
        <td><img src="<%= ServiceURI %>/images/dot.gif" width="1" height="15" alt="" /></td>
        <td>
            <table border=0 cellpadding=0 cellspacing=0>
                <script language="javascript">
                    markupButton('<jato:text name="lblSubmit" />',
                        "javascript:LoginSubmit('<jato:text name="lblSubmit" />')");
                </script>
                <script language="javascript">
                    markupButton('Forgot Password', "javascript:ForgotPassword()");
                </script>
            </table>
        </td>
    </tr>
    <!-- end of hasNoButton -->
</jato:content>
...
<input type="hidden" name="goto" value="<%= gotoURL %>">
<input type="hidden" name="SunQueryParamsString" value="<%= encodedQueryParams %>">
<input type="hidden" name="encoded" value="<%= encoded %>">
<input type="hidden" name="plaingoto" value="<%= request.getParameter("goto") %>">
</auth:form>
</jato:content>
...
Replace the beginning of the URL http://HostName.DomainName.com:6480/idm/authutil/questionLogin.jsp?accountId= with the specifics of your deployment.
The URL in the section of this page that ends .../idm/authutil/questionLogin.jsp?accountId= links to the Identity Manager JSP that will be displayed if the user does not have challenge questions configured.
Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up.
For example, if using GlassFish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.
Restart the OpenSSO Enterprise web container after making the changes.
Use a text editor to open the file opensso/integrations/idm/jsps/Login.jsp in the decompressed opensso.zip archive.
Replace the deployed web-container-deploy-base/opensso/config/auth/default/Login.jsp with the modified Login.jsp.
Choose one of the following options:
You can replace your existing Login.jsp with the sample Login.jsp. If you choose this option, the following will occur:
You will lose any custom changes made to the existing Login.jsp.
You will inherit changes that might have been previously made to the sample Login.jsp to incorporate requirements for other use cases related to the OpenSSO integration with Identity Manager.
You must change the Identity Manager URL embedded in the sample to reflect the Identity Manager system URL of your architecture.
You can search for the string /idm to locate the URLs.
Alternatively, you can manually make changes to the file. If you choose this option, run the diff command to view the differences between the two files.
Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up.
For example, if using GlassFish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.
Restart the OpenSSO Enterprise web container after making the changes.
When the Identity Manager password controls are configured for user-initiated password reset, the following occur:
The Identity Manager Open SSO Resource Adaptor requires the old password.
Identity Manager uses the basic change password form.
Identity Manager self-change is enabled.
Log in to Identity Manager as an administrator.
Navigate to the Configure tab.
Click the link "Form and Process Mappings."
Search for the entry "endUserChangePassword."
In the text field, replace "End User Change Password Form" with "Basic Change Password Form."
Save the changes.
Log in to Identity Manager as a regular user.
Under the "Profile" tab, go to the "Change password" page.
You should see that SunAccessManagerRealm requires the old password.
Enter the user's old password, the new password, and the confirmation of the new password.
The user's password should be set in the Directory Server user data store as a "self-change" instead of an "admin-change." This is especially important if the pwdMustChange or passwordMustChange attributes had been set earlier on the user's profile in the Directory Server. If the self-change configuration is not implemented, the user will be asked to change the password again when logging back in to OpenSSO Enterprise.
Access an Identity Manager URL.
You are redirected to the OpenSSO Enterprise login page.
Enter a username and click the Forgot Password button.
You are redirected to the Identity Manager questionLogin.jsp.
Enter answers to the challenge questions and click the Login button.
You are redirected to a second page.
Enter your new password on this second page.
This is a temporary password you have received from contacting the HelpDesk.
Select the option to update all resource accounts.
Ensure that both the Identity Manager and OpenSSO resources are selected.
Select the option in the column "Forgot Old Password?" for the OpenSSO Resource.
Click the "Change Password" button.
The password is now changed. Use the new password next time you log in.