Sun OpenSSO Enterprise 8.0 Integration Guide

Configuring User-Initiated Password Reset

When Identity Manager and OpenSSO Enterprise are fully integrated, you can extend the end-user password reset, or forgotten password feature, to include Identity Manager. Configure challenge questions for each user account for identification purposes when a user needs to change or reset a configured password. If these questions are not answered correctly, password reset is not allowed. The following configurations will work if the user has already configured challenge questions and answers, or if the user needs to configure challenge questions and answers now.

To configure end-user password reset, complete the following steps:

  1. Define Identity Manager URLs as Not Enforced.

  2. Modify the OpenSSO Enterprise login page.

  3. Configure the Identity Manager password controls.

  4. Test the User-Initiated Password Reset configuration.

The following figures illustrate the process flow for end-user password reset.

Figure 1–8 Process flow for User-Initiated Password Reset

Figure 1–9 Process Flow for User-Initiated Password Reset (continued)

Procedure: To Define Identity Manager URLs as Not Enforced

  1. Log in to the OpenSSO Enterprise console as an administrator.

  2. Click the Access Control tab.

  3. Click the appropriate realm name and navigate to the Agents profile for the policy agent that protects Identity Manager.

  4. Under the Policy Agent Profile, click the Application tab.

  5. Add the following URIs to the Not Enforced URIs property.

    • /idm/authutil/

    • /idm/authutil/*

    • /idm/authutil/*?*

  6. Click Save.

  7. Log out of OpenSSO Enterprise.

Modifying the OpenSSO Enterprise Login Page

Configure a “Register User” button on the OpenSSO login page. You can manually change the deployed Login.jsp file, or you can use the sample Login.jsp included with the opensso.zip download. Choose only one of the following procedures:

Procedure: To Manually Modify a Deployed Login.jsp

  1. Use a text editor to open the file web-container-deploy-base/opensso/config/auth/default/Login.jsp

  2. Add the sections that are highlighted in bold in this example (the replaygotoURL code in the scriptlet, the ForgotPassword() function, the Forgot Password button script, and the plaingoto hidden input):


    ...
    <%
    String ServiceURI = (String) viewBean.getDisplayFieldValue(viewBean.SERVICE_URI);
    String encoded = "false";
    String gotoURL = (String) viewBean.getValidatedInputURL(
        request.getParameter("goto"), request.getParameter("encoded"), request);
    String encodedQueryParams = (String) viewBean.getEncodedQueryParams(request);

    if ((gotoURL != null) && (gotoURL.length() != 0)) {
        encoded = "true";
    }

    // Added for Identity Manager: carry the original goto target through the
    // forgotten-password flow so the user returns to it after the reset.
    // Note that the condition tests the validated gotoURL, but the value that
    // is appended is the raw request parameter (goToURL).
    String replaygotoURL = "";
    String goToURL = request.getParameter("goto");
    if (gotoURL != null && !gotoURL.equals("null") && (gotoURL.length() > 0)) {
        replaygotoURL = "&goto=" + goToURL;
    }

    System.out.println("replaygotoURL: " + replaygotoURL);
    %>

    <link rel="stylesheet" href="<%= ServiceURI %>/css/styles.css" type="text/css" />
    <script language="JavaScript" src="<%= ServiceURI %>/js/browserVersion.js"></script>
    <script language="JavaScript" src="<%= ServiceURI %>/js/auth.js"></script>

    ...

    function LoginSubmit(value) {
        aggSubmit();
        var hiddenFrm = document.forms['Login'];

        if (hiddenFrm != null) {
            hiddenFrm.elements['IDButton'].value = value;
            if (this.submitted) {
                alert("The request is currently being processed");
            }
            else {
                this.submitted = true;
                hiddenFrm.submit();
            }
        }
    }

    // Added for Identity Manager: handler for the Forgot Password button.
    // Instead of submitting the login form, it sends the typed user name to
    // the Identity Manager questionLogin.jsp and replays the goto parameter.
    function ForgotPassword() {
        //alert("Inside ForgotPassword");
        aggSubmit();
        var hiddenFrm = document.forms['Login'];
        if (hiddenFrm != null) {
            if (hiddenFrm.elements[1].value == "") {
                alert("Please enter User Name!");
                placeCursorOnFirstElm();
            } else {
                // replaygotoURL is written into this string literal as-is;
                // escape it for JavaScript if goto can carry quote characters.
                window.location = "http://HostName.DomainName.com:6480/idm/authutil/questionLogin.jsp?accountId="
                    + hiddenFrm.elements[1].value + "<%=replaygotoURL%>";
            }
        }
    }

    ...

    <jato:content name="hasNoButton">
    <tr>
    <td><img src="<%= ServiceURI %>/images/dot.gif"
        width="1" height="15" alt="" /></td>

    <td>
    <table border=0 cellpadding=0 cellspacing=0>
    <script language="javascript">
    markupButton(
        '<jato:text name="lblSubmit" />',
        "javascript:LoginSubmit('<jato:text name="lblSubmit" />')");
    </script>

    <!-- Added for Identity Manager: the Forgot Password button -->
    <script language="javascript">
    markupButton(
        'Forgot Password',
        "javascript:ForgotPassword()");
    </script>

    </table>
    </td>
    </tr>

    <!-- end of hasNoButton -->
    </jato:content>

    ...

    <input type="hidden" name="goto" value="<%= gotoURL %>">
    <input type="hidden" name="SunQueryParamsString" value="<%= encodedQueryParams %>">
    <input type="hidden" name="encoded" value="<%= encoded %>">

    <!-- Added for Identity Manager: the goto value as received, without encoding -->
    <input type="hidden" name="plaingoto" value="<%= request.getParameter("goto") %>">
    </auth:form>

    </jato:content>

    ...
  3. Replace the beginning of the URL http://HostName.DomainName.com:6480/idm/authutil/questionLogin.jsp?accountId= with the specifics of your deployment.

    The URL in the section of this page that ends .../idm/authutil/questionLogin.jsp?accountId= links to the Identity Manager JSP that will be displayed if the user does not have challenge questions configured.

  4. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up.

    For example, if using GlassFish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.

  5. Restart the OpenSSO Enterprise web container after making the changes.
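The redirect that the ForgotPassword() function builds, reworked as an added example (not code from the guide or the OpenSSO sample) that runs under Node.js; it assumes placeholder Identity Manager and OpenSSO URLs, encodes the account ID, and replays a goto value only when it resolves to the OpenSSO origin, two checks the concatenation in the JSP does not perform.

```javascript
// Added example: builds the Identity Manager questionLogin.jsp redirect that
// the Login.jsp ForgotPassword() function performs, with the two inputs that
// come from the browser (the typed user name and the replayed goto parameter)
// encoded and checked before they are placed in the URL.

// Assumed deployment values (placeholders, not from the guide).
const IDM_AUTHUTIL = "http://idm.example.com:6480/idm/authutil/questionLogin.jsp";
const OPENSSO_ORIGIN = "http://sso.example.com:8080";

// Returns the "&goto=..." fragment, or "" when goto is absent, is the literal
// string "null" (the case the JSP scriptlet tests for), is not a parseable
// URL, or does not resolve to the OpenSSO origin. Refusing foreign origins
// keeps the reset flow from being usable as an open redirect.
function replayGoto(gotoParam) {
  if (!gotoParam || gotoParam === "null") return "";
  let target;
  try {
    target = new URL(gotoParam, OPENSSO_ORIGIN); // relative paths resolve against OpenSSO
  } catch (e) {
    return "";
  }
  if (target.origin !== OPENSSO_ORIGIN) return "";
  return "&goto=" + encodeURIComponent(target.href);
}

// Mirrors ForgotPassword(): an empty user name yields no redirect (the page
// shows "Please enter User Name!" instead); otherwise the questionLogin.jsp
// URL is built from the encoded accountId plus the optional goto replay.
function buildForgotPasswordUrl(accountId, gotoParam) {
  const id = (accountId || "").trim();
  if (id === "") return null;
  return IDM_AUTHUTIL + "?accountId=" + encodeURIComponent(id) + replayGoto(gotoParam);
}
```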

Procedure: To Use the Sample Login.jsp

  1. Use a text editor to open the file opensso/integrations/idm/jsps/Login.jsp in the decompressed opensso.zip archive.

  2. Replace the deployed /web-container-deploy-base/opensso/config/auth/default/Login.jsp with the modified Login.jsp.

    Choose one of the following options:

    You can replace your existing Login.jsp with the sample Login.jsp. If you choose this option, the following will occur:

    • You will lose any custom changes made to the existing Login.jsp.

    • You will inherit changes that might have been previously made to the sample Login.jsp to incorporate requirements for other use cases related to the OpenSSO integration with Identity Manager.

    • You must change the Identity Manager URL embedded in the sample to reflect the Identity Manager system URL of your architecture.

      You can search for the string /idm to locate the URLs.

    Alternatively, you can manually make changes to the file. If you choose this option, run the diff command to view the differences between the two files.

  3. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up.

    For example, if using GlassFish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.

  4. Restart the OpenSSO Enterprise web container after making the changes.

Configuring the Identity Manager Password Controls

When the Identity Manager password controls are configured for user-initiated password reset, the following occur:

Procedure: To Configure the Identity Manager Password Controls

  1. Log in to Identity Manager as an administrator.

  2. Navigate to the Configure tab.

  3. Click the "Form and Process Mappings" link.

  4. Search for the entry "endUserChangePassword".

    In the text field, replace "End User Change Password Form" with "Basic Change Password Form".

  5. Save the changes.

Procedure: To Test the Identity Manager Password Control Configuration

  1. Log in to Identity Manager as a regular user.

  2. Under the "Profile" tab, go to the "Change password" page.

    You should see that SunAccessManagerRealm requires the old password.

  3. Enter the user's old password, the new password, and the confirmation of the new password.

    The user's password should be set in the Directory Server user data store as a "self-change" instead of an "admin-change". This is especially important if the pwdMustChange or passwordMustChange attributes had earlier been set on the user's profile in the Directory Server. If the self-change configuration is not implemented, the user will be asked to change the password again when logging back in to OpenSSO Enterprise.

Procedure: To Test the User-Initiated Password Reset Configuration

  1. Access an Identity Manager URL.

    You are redirected to the OpenSSO Enterprise login page.

  2. Enter a username and click the Forgot Password button.

    You are redirected to the Identity Manager questionLogin.jsp.

  3. Enter answers to the challenge questions and click the Login button.

    You are redirected to a second page.

  4. Enter your new password on this second page.

    This is a temporary password you have received from contacting the HelpDesk.

  5. Select the option to update all resource accounts.

    Ensure that both the Identity Manager and OpenSSO resources are selected.

  6. Select the option in the column "Forgot Old Password?" for the OpenSSO Resource.

  7. Click the "Change Password" button.

    The password is now changed. Use the new password next time you log in.