The bundled sample end-user pages demonstrate the features of Service Provider by providing examples for registration and self-service typical in extranet service provider environments. Since the samples have been developed with extensibility and customization in mind, typical tasks such as changing the look and feel, modifying navigation rules between pages, or displaying locale-specific messages are straightforward to perform.
In addition to auditing self-service and registration events, notification to the affected user can be sent using e-mail templates. Examples of using account ID and password policies as well as account lockout are also provided. Developers can also implement Identity Manager forms. The modular authentication service implemented as a servlet filter can be extended or replaced if necessary. This allows integration with access management systems like Sun Java System Access Manager.
To demonstrate the features of the sample user pages, you need to execute the following configuration steps after the initial setup and configuration of Identity Manager has been completed:
1. Set up the sample Service Provider resource.
2. Set up the Service Provider authentication policy.
3. Configure mail notification settings.
4. Review the sample users.
Perform all initial configuration from the Identity Manager Administrator Interface. Refer to the Business Administrator's Guide for detailed information about configuring this product.
The Identity Manager installation process creates a sample LDAP resource named Service Provider End-User Directory. The schema map defines all the account attributes required for the user pages.
However, you must update the Resource Parameters to specify the host name, user DN, password, and other parameters required to connect to an LDAP directory server. This resource can be used as both the configuration resource and the end-user resource for Service Provider.
The resource is defined in the $WSHOME/sample/speEndUserResource.xml file.
The installation process also creates a policy named Service Provider Policy. This policy uses the default Identity Manager account and password policies but provides the following customized secondary authentication policy options:
- The policy is valid for the Service Provider End User Interface only.
- The maximum number of failed login attempts is 3.
- The default authentication questions are “What is your favorite color?” and “What is your favorite movie?”
- To be authenticated on the Forgot Username or Forgot Password pages, the user must answer all the questions correctly.
The Service Provider Policy is defined in the $WSHOME/sample/spePolicy.xml file.
By default, most of the sample pages are configured to send an email upon completion of the task demonstrated on the page. If you want to turn notification off, edit the notification section of the SPEUserPages configuration object. The configuration allows you to enable or disable email notification for every page individually. See Configuring the Filter for more details.
Make sure that you configure the SMTP server. To do this, click Configure, then Servers and navigate to the Email Template tab for the SMTP server.
The SPE Sample Users configuration object provides several sample users. These users are required for the registration pages to function. The sample pages are set up so that a user registering must verify his or her relationship with the provider.
The sample registration pages work out of the box with the provided sample users. The validate page requires the email, firstName and lastName attributes to match before the user can advance to the validation page. Use the debug pages to view the attributes of these sample users.
This section describes each sample user page provided with Service Provider. The features, such as page processor class and view handler, are discussed in Chapter 7, Implementing Custom User Pages.
The login page is the entry into the Service Provider User Interface. The password is validated against the password in the LDAP directory. An error is displayed if the user cannot be found in the directory or if the password is invalid.
Authentication occurs through the com.sun.idm.idmx.web.AuthFilter servlet filter. To change the filter or its initialization parameters, modify the $WSHOME/WEB-INF/web.xml file. See Configuring the Filter for more details.
If the Service Provider Account Policy has been configured to lock out an account when the user does not log in successfully after a specified number of attempts, the user is redirected to another page that states the account is locked. In addition, Service Provider sends the user an email that states the account is locked.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | LoginForm
View Handler | IDMXNoopViewer
Forms | Service Provider End-User Login
Email template | Service Provider End-User Profile Locked
Configuration object attributes | Not applicable
Audit event | Not applicable
The Login page provides a link to a registration page that allows prospective users to enroll for the service. The default registration pages implement the following logic:
1. The user is prompted to provide application or business-specific information to validate the relationship with the service provider. This information does not include the enrollment information required by Service Provider. In the sample user pages, the user is prompted for the first name, last name and email address fields to verify this relationship. The SPE Sample Users configuration object lists all the values that are accepted on this page.
   This validation step can be skipped if the enrollment.validation.enabled configuration setting is set to false.
2. The user provides the required information and is validated as having an existing business relationship.
3. The user is prompted to provide the required profile enrollment information, including the username, password, and home phone number. Fields shared by the validation page and the enrollment page are automatically filled out. If the Service Provider Account policy is also configured, then the user must also complete the authentication challenge questions. If the enrollment.privacypolicy option is enabled, then the privacy policy is also displayed and must be accepted before completing the registration. (The text of the privacy policy is defined in the IDMXMessages.properties file.)
4. The system displays a message indicating that a new profile has been created, and that an email has been sent to the provided notification address.
5. The user is then redirected to the login page.
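The registration logic above, modelled as an added example (not Sun Identity Manager code): the sample users, the two enrollment.* settings and the profile field names are constructed here, and the example shows that disabling enrollment.validation.enabled lets any submission pass the relationship check.

```python
# Added example (not Sun Identity Manager code): the sample registration flow,
# with constructed sample users and assumed setting and field names.

# Constructed stand-in for the SPE Sample Users configuration object.
SAMPLE_USERS = [
    {"firstName": "Ann", "lastName": "Lee", "email": "ann@example.com"},
    {"firstName": "Bob", "lastName": "Ray", "email": "bob@example.com"},
]
VALIDATION_FIELDS = ("firstName", "lastName", "email")
PROFILE_FIELDS = ("username", "password", "homePhone")   # assumed field names

def validate_relationship(submitted, config, sample_users=SAMPLE_USERS):
    """Validation page: all three fields must match one sample user (case-insensitive).
    When enrollment.validation.enabled is false the step is skipped and anyone passes."""
    if not config.get("enrollment.validation.enabled", True):
        return True
    norm = {f: (submitted.get(f) or "").strip().lower() for f in VALIDATION_FIELDS}
    return any(all(u[f].lower() == norm[f] for f in VALIDATION_FIELDS)
               for u in sample_users)

def enrollment_form(validated):
    """Enrollment page, pre-filled with the fields shared with the validation page."""
    return {f: validated.get(f, "") for f in VALIDATION_FIELDS}

def enroll(form, config, challenge_answers=None, privacy_accepted=False,
           policy_requires_answers=False):
    """Enrollment page submission. Returns (ok, errors); ok means the profile is
    created, a notification is sent to form['email'] and the user goes to login."""
    errors = [f"missing {f}" for f in VALIDATION_FIELDS + PROFILE_FIELDS
              if not form.get(f)]
    if policy_requires_answers and not challenge_answers:
        errors.append("authentication questions not answered")
    if config.get("enrollment.privacypolicy") and not privacy_accepted:
        errors.append("privacy policy not accepted")
    return (not errors, errors)

def register(submitted, profile_extra, config, **enroll_kwargs):
    """Runs the steps in order and returns the page the user lands on next."""
    if not validate_relationship(submitted, config):
        return "validation"                 # stays on the validation page
    form = {**enrollment_form(submitted), **profile_extra}
    ok, _errors = enroll(form, config, **enroll_kwargs)
    return "login" if ok else "enrollment"  # errors keep the user on enrollment
```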
The following table summarizes the structure of this page.
A user accesses the Forgot Username page to retrieve his or her login ID. The user must supply the telephone number stored in the telephoneNumber attribute on the directory and a valid email address. The login ID will be sent to the specified email address.
The following table summarizes the structure of this page.
Failure occurs if an account cannot be found with the specified telephone number and email address, or if multiple accounts are found with the given information.
The form can also use the “auditEventType” form property to instruct the viewer about which type of audit event to log.
A user selects the Forgot password? link on the login page to display a page similar to the Forgot Username page. The user must first supply the telephone number stored in the telephoneNumber attribute on the directory and a valid email address. Next, the user is prompted to provide answers to authentication questions.
If the user has not previously answered their authentication questions or if authentication questions are not configured, an error is displayed. If the correct answers are given to the authentication questions, either a password is generated and emailed to the user, or the user is redirected to a page allowing them to reset their password. The password attribute in the SPEUserPages configuration object determines which action the system takes.
If configured in the Service Provider Account Policy, the account can be locked after a specified number of failed attempts to answer challenge questions.
The following table summarizes the structure of this page.
The form can also use the “auditEventType” form property to instruct the viewer about which type of audit event to log.
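The Forgot Username lookup rule and the Forgot Password decision described above, in one added example (not Sun Identity Manager code). The directory entries are constructed, the values of the SPEUserPages password attribute and the reset page path are assumptions, and the failed-attempt limit is the 3 from the sample policy.

```python
import secrets

# Added example (not Sun Identity Manager code): Forgot Username and Forgot Password
# outcomes over constructed directory data.

# Constructed LDAP entries; "answers" stands in for the stored authentication answers.
DIRECTORY = [
    {"uid": "alee", "telephoneNumber": "5550100", "mail": "ann@example.com",
     "answers": {"What is your favorite color?": "blue",
                 "What is your favorite movie?": "heat"}},
    {"uid": "cdoe", "telephoneNumber": "5550102", "mail": "carl@example.com", "answers": {}},
    {"uid": "bray", "telephoneNumber": "5550101", "mail": "bob@example.com", "answers": {}},
    {"uid": "bray2", "telephoneNumber": "5550101", "mail": "bob@example.com", "answers": {}},
]
MAX_FAILED = 3   # failed-attempt limit from the sample Service Provider Policy
# Assumed values for the SPEUserPages "password" attribute; the real ones are not on this page.
CONFIG = {"password": "reset"}   # or "generate"

def lookup_account(telephone, email, directory=DIRECTORY):
    """Exactly one entry must match both telephoneNumber and mail; none or several fails."""
    hits = [e for e in directory
            if e["telephoneNumber"] == telephone and e["mail"].lower() == email.lower()]
    return hits[0] if len(hits) == 1 else None

def forgot_username(telephone, email):
    """Return the login ID to email to the matched address, or None on failure."""
    acct = lookup_account(telephone, email)
    return acct["uid"] if acct else None

def forgot_password(telephone, email, answers, failed_attempts=0, config=CONFIG):
    """Return (outcome, detail): 'error', 'locked', 'emailed' or 'redirect'."""
    acct = lookup_account(telephone, email)
    if acct is None:
        return ("error", "no unique account")
    if not acct["answers"]:
        return ("error", "authentication questions not set")
    # Every configured question must be answered, and every answer must be correct.
    correct = set(answers) == set(acct["answers"]) and all(
        a.strip().lower() == acct["answers"][q] for q, a in answers.items())
    if not correct:
        failed_attempts += 1
        if failed_attempts >= MAX_FAILED:
            return ("locked", failed_attempts)          # account locked, user notified
        return ("error", failed_attempts)
    if config["password"] == "generate":
        return ("emailed", secrets.token_urlsafe(12))   # new password sent by email
    return ("redirect", "/spe/user/reset")              # assumed reset page path
```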
Clicking the My Profile tab in the navigation bar takes the user to a form that allows the user to change his LDAP directory password. The user is prompted to enter his current password, the value of the new password, and a confirmation of the new password.
If the current password is valid, the new password matches its confirmation and also passes the password policy defined for the LDAP resource, then the user’s password is modified to the new value. A notification email message is sent to the user’s notification address, and an audit event indicating that the user has been updated is generated.
If any of the validations fail, error messages are displayed so the user can correct the form entry and resubmit.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | ChangePasswordForm
View Handler | IDMXUser
Forms | Service Provider End-User Change Password
Email template | Service Provider End-User Change Password
Configuration object attributes | notification.passwordchange
Audit event | Update
This page allows the user to change his or her user name in Service Provider. The provided form makes the following checks on the new user name:
- Checks whether the new user name is already in use.
- If an account ID policy is in use, checks that the user name meets the policy requirements.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | ChangeUserIdForm
View Handler | IDMXUser
Forms | Service Provider End-User Change UserId
Email template | Service Provider End-User Change User Id
Configuration object attributes | notification.useridchange
Audit event | Update
A user’s notification address is the email address defined in the LDAP directory. The form associated with this action allows the user to change the email address where she receives notifications.
The only way to truly validate an email address is to try to send a message to it and verify that it was correctly received. This is usually impractical in a form, so the best we can do is usually to verify that the suggested address has a valid format. In this case, the address is valid if it contains an “@” character. If the new address is not valid, an error is displayed in the form allowing the user to correct the address and resubmit.
If the new address is valid, the user’s email address is changed and an update user audit event is generated. In addition, an email message is sent to the old address indicating it will no longer be used for notifications and another message is sent to the new address indicating it will be used for future notification messages.
The following table summarizes the structure of this page.
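The Change Notifications flow above as an added example (not Sun Identity Manager code): it implements the sample page's own check (the address contains an “@”), shows an assumed stricter structural check beside it, and on success queues the two notification messages and the update audit event. The templates and user record are constructed.

```python
import re

# Added example (not Sun Identity Manager code): changing the notification address.
# The sample page's check is "@" in address; strict_check is an assumed hardening.

# Constructed email templates standing in for the product's.
OLD_ADDRESS_TEMPLATE = "This address will no longer receive notifications for {uid}."
NEW_ADDRESS_TEMPLATE = "This address will now receive notifications for {uid}."

def sample_page_check(address):
    """The check the sample page performs: the address contains an '@'."""
    return "@" in address

_STRICT = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")

def strict_check(address):
    """Assumed stricter check: one '@', non-empty local part, a dotted domain, no whitespace."""
    return _STRICT.fullmatch(address) is not None

def change_notification_address(user, new_address, check=sample_page_check):
    """Returns (errors, outbound_messages, audit_events). On success the user's
    mail attribute is updated, one message is queued for the old address and one
    for the new address, and an update-user audit event is recorded. On failure
    nothing changes and the error is returned for display in the form."""
    if not check(new_address):
        return (["invalid email address"], [], [])
    old_address = user["mail"]
    user["mail"] = new_address
    messages = [
        (old_address, OLD_ADDRESS_TEMPLATE.format(uid=user["uid"])),
        (new_address, NEW_ADDRESS_TEMPLATE.format(uid=user["uid"])),
    ]
    return ([], messages, [{"event": "Update", "uid": user["uid"]}])
```

The message to the old address is what tells the legitimate owner if someone else changes the notification address, so it should not be turned off lightly.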
The Change Challenge Question Answers page allows the user to edit the answers to challenge questions that were specified during enrollment.
An error message is returned if the answers do not meet requirements of the Answer Quality policy.
The following table summarizes the structure of this page.
Feature | Name
---|---
Page Processor Class | ChangeNotificationsForm
View Handler | IDMXUser
Form | Service Provider End-User Change Notifications
Email template | Service Provider End-User Update Authentication Answers
Configuration object attributes | notification.questionchange
Audit event | updateAuthenticationAnswers
Clicking the Logout button in the masthead sends the user to an action called /spe/user/LogoutSubmit.do. The class associated with this action is com.sun.idm.idmx.web.LogoutAction. This class invalidates the user’s HttpSession. The “success” forward defined for this action takes the user to the login page.