Sun OpenSSO Enterprise 8.0 Integration Guide

Configuring OpenSSO Enterprise for Administrator-Initiated Password Reset

Only the OpenSSO Enterprise LDAP authentication module supports the password change controls enforced by most directory servers.

To configure OpenSSO Enterprise for administrator-initiated password reset, complete the following steps:

  1. Enable LDAP authentication.

  2. Define Identity Manager URLs as Not Enforced.

  3. Create a Custom ChangePassword.jsp file.

  4. Modify the LDAP authentication module XML service file.

  5. Modify the OpenSSO login page.

Procedure: To Enable LDAP Authentication

  1. Log in to the OpenSSO Enterprise console as an administrator.

  2. Click the Access Control tab.

  3. Navigate to Top Level Realm > Authentication > Authentication Chaining.

  4. In the Authentication Chaining section, click New.

  5. Enter a name for the chain and click OK.

    For this example: idmauth.

  6. On the new chain's Properties page, add the LDAP module as REQUIRED, and click Save.

  7. Click Back to Authentication.

  8. For the Organization Authentication Configuration property value, choose the service you just created.

  9. In the Module Instances section, choose LDAP.

  10. Provide the following information about the LDAP user data store:

    Primary LDAP Server: Use the form server.domain:port.

    DN to Start User Search: The branch of the LDAP tree from which the user search begins.

    DN for Root User Bind: The DN to use when binding to the LDAP user data store.

    Password for Root User Bind: The password of the user binding to the LDAP user data store.

    Password for Root User Bind (confirm): Type the password again.

  11. Save the changes.

  12. Log out of the OpenSSO Enterprise console.

Next Steps

After completing this configuration:

Procedure: To Define Identity Manager URLs as Not Enforced

  1. Log in to the OpenSSO Enterprise console as an administrator.

  2. Click the Access Control tab.

  3. Click the appropriate realm name and navigate to the Policy Agent Profile for the policy agent that protects Identity Manager.

  4. Under the Policy Agent Profile, click the Application tab.

  5. Add the following URIs to the Not Enforced URIs property:

    • /idm/authutil/

    • /idm/authutil/*

    • /idm/authutil/*?*

  6. Click Save.

  7. Log out of OpenSSO Enterprise.

Creating a Custom ChangePassword.jsp File

By default, the user is directed to the OpenSSO Enterprise password change page. Create a custom JSP file, ChangePassword.jsp, that redirects a user to Identity Manager for password change events. The new ChangePassword.jsp forwards the following information to Identity Manager:

This customized ChangePassword.jsp file is referenced in the section Modifying the LDAP Authentication Module XML Service File.

To create a custom ChangePassword.jsp file, choose only one of the following procedures:

Procedure: To Create a New ChangePassword.jsp File

  1. Create the file config/auth/default/ChangePassword.jsp in the OpenSSO Enterprise web-app directory.

    Example:

    <%@page info="Login" language="java"%>
    <%@ page contentType="text/html" %>
    <%@taglib uri="/WEB-INF/jato.tld" prefix="jato"%>
    <%@taglib uri="/WEB-INF/auth.tld" prefix="auth"%>
    <html>
    <jato:useViewBean className="com.sun.identity.authentication.UI.LoginViewBean">

    <head>
    <title><jato:text name="htmlTitle_Login" /></title>

    <%
        String ServiceURI = (String) viewBean.getDisplayFieldValue(viewBean.SERVICE_URI);
    %>

    <link rel="stylesheet" href="<%= ServiceURI %>/css/styles.css" type="text/css" />
    <script language="JavaScript" src="<%= ServiceURI %>/js/browserVersion.js"></script>
    <script language="JavaScript" src="<%= ServiceURI %>/js/auth.js"></script>
    </head>

    <%
        // Debug output to the web container log: the values received from the login page.
        System.out.println("AccountId: " + request.getParameter("IDToken1"));
        System.out.println("goto: " + request.getParameter("goto"));
        System.out.println("plaingoto: " + request.getParameter("plaingoto"));

        // IDToken1 is the user ID entered on the login page; plaingoto is the original
        // URL saved by the modified Login.jsp.
        String accountId = request.getParameter("IDToken1");
        String gotoURL = request.getParameter("plaingoto");

        // Identity Manager password-reset page: customize this URL for your deployment.
        String redirectURL =
            "http://HostName.DomainName:6480/idm/authutil/anonResetPassword.jsp";

        // Each value is URL-encoded so that characters such as & or spaces in a
        // user ID or goto URL cannot corrupt the query string.
        if (accountId != null) {
            redirectURL = redirectURL + "?accountId="
                + java.net.URLEncoder.encode(accountId, "UTF-8");
        }
        if (gotoURL != null && !gotoURL.equals("null") && (gotoURL.length() > 0)) {
            String encodedGoto = java.net.URLEncoder.encode(gotoURL, "UTF-8");
            if (accountId == null) {
                redirectURL = redirectURL + "?goto=" + encodedGoto;
            } else {
                redirectURL = redirectURL + "&goto=" + encodedGoto;
            }
        }
        System.out.println("Redirect URL is: " + redirectURL);
        response.sendRedirect(redirectURL);
    %>

    </jato:useViewBean>
    </html>
  2. Customize the URL to the Identity Manager page that performs the password-reset functions.

    The URL is the value assigned to redirectURL in the example above (http://HostName.DomainName:6480/idm/authutil/anonResetPassword.jsp). Determine this URL with help from your Identity Manager administrator, and customize it for your deployment.
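The ChangePassword.jsp above forwards the user ID and the raw goto URL to Identity Manager, which later redirects the user to that goto URL. The following plain Java helper, an added example that is not part of the guide or of the opensso.zip distribution, builds the same redirect but URL-encodes both query values and only forwards a goto that is a site-relative path or points at a host you list; IDM_RESET_URL and ALLOWED_GOTO_HOSTS are assumed values.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

public final class ResetRedirectBuilder {
    // Assumed base URL: replace with the Identity Manager reset page of your deployment.
    static final String IDM_RESET_URL =
        "http://HostName.DomainName:6480/idm/authutil/anonResetPassword.jsp";
    // Assumed allow-list of hosts that a goto URL may send the user back to after the reset.
    static final String[] ALLOWED_GOTO_HOSTS = { "apps.example.com" };

    // Returns gotoUrl if it is a site-relative path or targets an allowed host, else null.
    static String validateGoto(String gotoUrl) {
        if (gotoUrl == null || gotoUrl.length() == 0 || "null".equals(gotoUrl)) return null;
        try {
            URI uri = new URI(gotoUrl);
            boolean relative = uri.getScheme() == null && uri.getHost() == null
                && gotoUrl.startsWith("/") && !gotoUrl.startsWith("//");
            if (relative) return gotoUrl;                                   // same-site path
            boolean web = "http".equals(uri.getScheme()) || "https".equals(uri.getScheme());
            if (web && uri.getHost() != null) {
                for (String host : ALLOWED_GOTO_HOSTS) {
                    if (host.equalsIgnoreCase(uri.getHost())) return gotoUrl; // listed host
                }
            }
        } catch (URISyntaxException e) {
            // malformed goto: fall through and drop it
        }
        return null;
    }

    // Same ?/& logic as the JSP, but every value is URL-encoded and an unsafe goto is dropped.
    static String buildRedirect(String accountId, String gotoUrl) throws UnsupportedEncodingException {
        StringBuilder url = new StringBuilder(IDM_RESET_URL);
        char sep = '?';
        if (accountId != null && accountId.length() > 0) {
            url.append(sep).append("accountId=").append(URLEncoder.encode(accountId, "UTF-8"));
            sep = '&';
        }
        String safeGoto = validateGoto(gotoUrl);
        if (safeGoto != null) {
            url.append(sep).append("goto=").append(URLEncoder.encode(safeGoto, "UTF-8"));
        }
        return url.toString();
    }
}
```

Called with the constructed inputs ("jdoe", "https://apps.example.com/portal/home?tab=1") the result carries both parameters encoded; with a goto on a host that is not listed, only accountId is forwarded and Identity Manager falls back to its default post-reset page.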

Procedure: To Use the Sample Source Code

  1. Copy the sample file opensso/integrations/idm/jsps/ChangePassword.jsp in the opensso.zip distribution to the directory web-container-deploy-base/opensso/config/auth/default.

  2. Customize the URL to the Identity Manager page that performs the password-reset functions.

    Determine this URL with help from your Identity Manager administrator, and customize the URL for your deployment. See step 2 of Creating a Custom ChangePassword.jsp File.

Modifying the LDAP Authentication Module XML Service File

By default, when the directory server signals that the user must change the password, OpenSSO Enterprise directs the user to its own password-change page. Configure OpenSSO Enterprise to use a custom JSP for password-change events instead: modify the LDAP.xml file so that it references the ChangePassword.jsp that you created in Creating a Custom ChangePassword.jsp File.

You can manually change the deployed LDAP.xml file, or you can use the sample LDAP.xml included with the opensso.zip download. Choose only one of the following procedures:

Procedure: To Manually Modify a Deployed LDAP.xml File

  1. Use a text editor to open the /web-container-deploy-base/opensso/config/auth/default/LDAP.xml file, and add the second Callbacks element shown in the following example (the one whose template attribute references ChangePassword.jsp), immediately after the closing </Callbacks> tag of the login callbacks:

    <PasswordCallback echoPassword="false" >
        <Prompt> Password: </Prompt>
    </PasswordCallback>

    </Callbacks>
    <Callbacks length="4" order="2" timeout="120" template="ChangePassword.jsp"
        header="Change Password&lt;BR&gt;&lt;/BR&gt;#REPLACE#&lt;BR&gt;&lt;/BR&gt;" >

    <PasswordCallback echoPassword="false" >
        <Prompt>Old Password </Prompt>
    </PasswordCallback>
  2. Use a text editor to open the /web-container-deploy-base/opensso/config/auth/default_en/LDAP.xml file, and make the same change as in step 1.

Procedure: To Use the Sample LDAP.xml

  1. Change to the opensso/integrations/idm/xml/ directory in the decompressed opensso.zip to access the sample LDAP.xml.

  2. Replace your deployed /web-container-deploy-base/opensso/config/auth/default/LDAP.xml with the customized LDAP.xml.

    Choose only one of the following options:

    • Replace your existing LDAP.xml file with the sample LDAP.xml file. If you choose this option, you will lose any custom changes you may have made to this file earlier.

    • Run the diff command to compare the files, then manually make the necessary changes.

Modifying the OpenSSO Login Page

Embed code into the OpenSSO Enterprise Login.jsp file that saves the URL carried in the HTTP request parameter goto. This URL is required by the ChangePassword.jsp that you created in the section To Create a New ChangePassword.jsp File. Once saved, the URL can be passed on to Identity Manager, which later redirects the user to that URL.

The URL in the HTTP request parameter goto is the URL the user originally requested, before being redirected to OpenSSO Enterprise for login.

You can manually change the deployed Login.jsp file, or you can use the sample Login.jsp included with the opensso.zip download. Choose only one of the following procedures:

Procedure: To Modify a Deployed Login.jsp File

  1. Use a text editor to open the file web-container-deploy-base/opensso/config/auth/default/Login.jsp and add the two sections marked "Added section" in the following example: the scriptlet code that computes replaygotoURL, and the hidden plaingoto input field:

    ...

    <%
        String ServiceURI = (String) viewBean.getDisplayFieldValue(viewBean.SERVICE_URI);
        String encoded = "false";
        // Validated (and possibly encoded) form of the goto URL, as in the stock Login.jsp.
        String gotoURL = (String) viewBean.getValidatedInputURL(
            request.getParameter("goto"), request.getParameter("encoded"), request);
        String encodedQueryParams = (String) viewBean.getEncodedQueryParams(request);
        if ((gotoURL != null) && (gotoURL.length() != 0)) {
            encoded = "true";
        }

        // Added section: keep the original, unencoded goto URL so that
        // ChangePassword.jsp can pass it on to Identity Manager.
        String replaygotoURL = "";
        String goToURL = request.getParameter("goto");
        if (gotoURL != null && !gotoURL.equals("null") && (gotoURL.length() > 0)) {
            replaygotoURL = "&goto=" + goToURL;
        }
        System.out.println("replaygotoURL: " + replaygotoURL); // debug output to the container log
    %>

    <link rel="stylesheet" href="<%= ServiceURI %>/css/styles.css" type="text/css" />
    <script language="JavaScript" src="<%= ServiceURI %>/js/browserVersion.js"></script>
    <script language="JavaScript" src="<%= ServiceURI %>/js/auth.js"></script>

    ...

    <input type="hidden" name="goto" value="<%= gotoURL %>">
    <input type="hidden" name="SunQueryParamsString" value="<%= encodedQueryParams %>">
    <input type="hidden" name="encoded" value="<%= encoded %>">

    <%-- Added section: the raw goto URL, read back by ChangePassword.jsp as plaingoto --%>
    <input type="hidden" name="plaingoto" value="<%= request.getParameter("goto") %>">
    </auth:form>

    </jato:content>

    ...
  2. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up.

    For example, if you are using GlassFish, the temporary, compiled classes are in the glassfish-home/domains/your-domain/generated/ directory.

  3. Restart the OpenSSO Enterprise web container after making the changes.

Procedure: To Use the Sample Login.jsp

  1. Locate the file opensso/integrations/idm/jsps/Login.jsp in the decompressed opensso.zip distribution.

  2. Replace the deployed web-container-deploy-base/opensso/config/auth/default/Login.jsp file.

    Choose only one of the following two options:

    You can replace your existing Login.jsp with the sample Login.jsp. If you choose this option, the following will occur:

    • You will lose any custom changes made to the existing Login.jsp.

    • You will inherit changes that might have been previously made to the sample Login.jsp to incorporate requirements for other use cases related to the OpenSSO integration with Identity Manager.

    • You must change the Identity Manager URL embedded in the sample Login.jsp to reflect the Identity Manager system URL of your architecture.

      You can search for the string /idm to locate the URLs.

    Alternatively, you can make the changes manually. If you choose this option, first run the diff command to view the differences between the deployed Login.jsp and the sample Login.jsp, and then make the changes manually.

  3. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up.

    For example, if you are using GlassFish, the temporary, compiled classes are in the glassfish-home/domains/your-domain/generated/ directory.

  4. Restart the OpenSSO web container after making the changes.