DocTeger: OpenSSO Technical Information, And a Spoonful of Music To Make the Medicine Go Down

Don't Be Tardy: Configure Password Expiration with OpenSSO and Identity Manager

By docteger on Sep 29, 2009

In a deployment architecture that includes OpenSSO Enterprise 8.0 and Identity Manager 8.1.0.5 (to be released sometime in October) it is possible to configure user password reset based on the password's expiration date, or on a help desk administrator's action. In the former use case, when a password is close to expiration, the user data store (which must be an LDAP directory server) returns a warning based on the warning period configured in the assigned password policy. Upon accessing a resource protected by OpenSSO, the user is redirected to Identity Manager to change the password. The URL of the protected resource is saved as the value of the goto parameter and the user is redirected to this location after changing the password.

For the latter use case, if the user allows the password to expire, a help desk administrator can initiate the reset of the expired password by flagging the account and adding a temporary password to the user's profile. The administrator then communicates the temporary password to the user (by email, for example). Upon logging into OpenSSO with this temporary password, the user is directed to Identity Manager where the password is reset and the flag is removed.

The procedures documented here enable these use cases. Note that they support only the LDAP authentication module. The following sections contain the configuration procedures.

- Configuring the LDAP Directory Server
- Configuring OpenSSO
- Testing the Configurations

Don't Be Tardy: Configure Password Expiration with OpenSSO and Ident... https://blogs.oracle.com/docteger/entry/configuring_password_expiry_o...

1 of 10 3/30/2013 9:06 AM


Configuring the LDAP Directory Server

For this procedure to work it is assumed that a password policy has been configured and assigned to the test user's LDAP profile in the directory server. The password policy should have the following controls related to password expiration set:

- Set Password Expiration (LDAP attributes: passwordexp, passwordmaxage)
- Set Expiration Warning (LDAP attribute: passwordwarning)
- Warning Duration (LDAP attribute: passwordExpireWithoutWarning)

It should also have the following controls set to allow for administrator-driven password reset:

- Require Password Change at First Login and After Reset (LDAP attributes: passwordchange, passwordmustchange)
- Allow Users to Change Their Passwords (LDAP attribute: pwdallowuserchange)

The passwordPolicySubentry attribute in the test user's LDAP profile should also be set to the DN of the password policy to denote that the password policy has been assigned. See the documentation for your specific directory server for instructions on how to make these configurations.

Configuring OpenSSO

Only the OpenSSO LDAP authentication module supports the password change controls enforced by most directory servers. The following sections contain the OpenSSO configurations.

- To Enable LDAP Authentication
- To Define Identity Manager URLs as Not Enforced
- To Create ChangePassword.jsp
- Modifying the LDAP Authentication Module XML Service File
- Modifying the OpenSSO Login Page

To Enable LDAP Authentication

1. Login to the OpenSSO console as administrator.
2. Click the Access Control tab.
3. Click the appropriate realm name.
4. Click the Authentication tab.
5. Click New in the Authentication Chaining section to create a new authentication chain.
6. Enter a name for the chain and click OK. For this example use idmauth.
7. On the new chain's Properties page, add the LDAP module as REQUIRED and click Save.
8. Click Back to Authentication.
9. Select the service just created as the value for Organization Authentication Configuration.
10. Click LDAP in the Module Instances section.
11. Customize the LDAP properties to reflect your directory - at minimum:
    - Primary LDAP Server
    - DN to Start User Search
    - DN for Root User Bind
    - Password for Root User Bind
    - Password for Root User Bind (confirm)
12. Save the changes.
13. Logout from the OpenSSO console.

Note: Following this configuration:

- Use /opensso/console to log in to the OpenSSO console (not /opensso/UI/Login) to ensure that the authentication module configured for the OpenSSO administrator is used and not the LDAP module just configured.
- Login to the Identity Manager console and expand the OpenSSO resource listing to view the OpenSSO objects. If you receive an error, you may need to reconfigure the OpenSSO adaptor to use a delegated administrator rather than amadmin to connect to OpenSSO. The Identity Manager adaptor for OpenSSO authenticates to OpenSSO using the authentication configuration for the realm, which is now different from the configuration for the OpenSSO console. Thus, amadmin will no longer work. See Delegating Administrator Privileges for information on delegating administrative privileges to a group.

To Define Identity Manager URLs as Not Enforced

1. Login to the OpenSSO console as administrator.
2. Click the Access Control tab.
3. Click the appropriate realm name and navigate to the Agents profile for the policy agent that protects Identity Manager.
4. Under the agent profile, click the Application tab.
5. Add the following URIs to the Not Enforced URIs property:
    - /idm/authutil/
    - /idm/authutil/*
    - /idm/authutil/*?*
6. Click Save.
7. Logout of OpenSSO.
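Why three entries? The agent's not-enforced list is matched against the request URI, and (as I understand the OpenSSO agent wildcard; this is an assumption, not something the post states) `*` matches any run of characters except `?`, so `/idm/authutil/*` on its own would leave a request that carries a query string enforced. The matcher below is an added example, not code from the post or from the OpenSSO agent, that encodes that rule and contrasts the three documented entries with an over-broad `/idm/*`, which would also exempt the rest of Identity Manager from protection. The change-password path and parameter names in the sample requests are made up for the example.

```python
import posixpath
import re
from typing import Iterable

# Assumption, not taken from the post: the agent's '*' wildcard matches any
# run of characters except '?', which is why a query string needs its own
# '*?*' pattern. The matcher below encodes that rule.
def pattern_to_regex(pattern: str) -> "re.Pattern":
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^?]*".join(literal_parts) + "$")


def canonical_request_uri(request_uri: str) -> str:
    """Collapse dot segments in the path before matching, so that a request
    such as /idm/authutil/../user/main.jsp is judged by where it really lands."""
    path, sep, query = request_uri.partition("?")
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath strips the trailing slash
    return normalized + sep + query


def is_not_enforced(request_uri: str, not_enforced: Iterable[str]) -> bool:
    """True if the normalized request URI matches any not-enforced pattern."""
    uri = canonical_request_uri(request_uri)
    return any(pattern_to_regex(p).match(uri) for p in not_enforced)


# The three entries from the procedure above.
IDM_NOT_ENFORCED = ["/idm/authutil/", "/idm/authutil/*", "/idm/authutil/*?*"]

# An over-broad list an administrator might reach for instead.
TOO_BROAD = ["/idm/*", "/idm/*?*"]

# Constructed request URIs; the change-password path and the parameters are
# illustrative, the post does not give them.
SAMPLE_REQUESTS = [
    "/idm/authutil/",
    "/idm/authutil/changePassword.jsp",
    "/idm/authutil/changePassword.jsp?accountId=idmuser1&goto=%2Fportal%2F",
    "/idm/authutil/../user/main.jsp",        # dot segments: really /idm/user/
    "/idm/user/main.jsp",                    # must stay protected
    "/idm/user/main.jsp?op=resetPassword",   # must stay protected
]


def coverage(patterns: Iterable[str]) -> dict:
    """Map each sample request to whether the given patterns exempt it."""
    pats = list(patterns)
    return {uri: is_not_enforced(uri, pats) for uri in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, pats in (("documented three entries", IDM_NOT_ENFORCED),
                       ("path pattern only", ["/idm/authutil/*"]),
                       ("over-broad /idm/*", TOO_BROAD)):
        print(name)
        for uri, exempt in coverage(pats).items():
            print(f"  {'NOT ENFORCED' if exempt else 'enforced    '}  {uri}")
```

Run with the documented list, only the three /idm/authutil/ requests come back as not enforced; with the path pattern alone, the request that carries accountId and goto falls back to being enforced and the user never reaches the change-password page; with /idm/* every Identity Manager page is reachable without an OpenSSO session. Keep the list to the three documented entries.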

To Create ChangePassword.jsp

This procedure documents how to create ChangePassword.jsp, a custom JSP for redirecting a user to Identity Manager for password change events. (By default, the user would be directed to the OpenSSO password change page.) ChangePassword.jsp will forward the following information to Identity Manager:

- The original URL requested by the user, defined as the value of the goto parameter.
- The user identifier, defined as the value of the accountId parameter.

1. Change to the opensso/integrations/idm/jsps/ directory in the decompressed opensso.zip to access the sample ChangePassword.jsp.
2. Modify the Identity Manager URL in the JSP based on your deployment.
3. Copy ChangePassword.jsp to /web-container-deploy-base/opensso/config/auth/default/ and to /web-container-deploy-base/opensso/config/auth/default_en/.
4. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up. For example, if using Glassfish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.
5. Restart the OpenSSO web container after making the changes.

Modifying the LDAP Authentication Module XML Service File

This procedure documents how to modify LDAP.xml to use ChangePassword.jsp. There are two options to consider when deciding how to modify LDAP.xml. You can manually change the deployed LDAP.xml file, or you can use the sample LDAP.xml included with the opensso.zip download. They are mutually exclusive so choose only one of these procedures.

- To Manually Modify a Deployed LDAP.xml
- To Use the Sample LDAP.xml

To Manually Modify a Deployed LDAP.xml

1. Change to the /web-container-deploy-base/opensso/config/auth/default/ directory to access the deployed LDAP.xml file.
2. Open LDAP.xml in an editor and add the section of code displayed in yellow in admin_pwd_reset_ldap.html on the OpenSSO web site.
3. Change to the /web-container-deploy-base/opensso/config/auth/default_en/ directory to access the second copy of LDAP.xml and make the same change.
4. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up. For example, if using Glassfish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.
5. Restart the OpenSSO web container after making the changes.

To Use the Sample LDAP.xml

1. Change to the opensso/integrations/idm/xml/ directory in the decompressed opensso.zip to access the sample LDAP.xml.
2. Replace your deployed LDAP.xml with the sample LDAP.xml in two directories:
    - /web-container-deploy-base/opensso/config/auth/default/
    - /web-container-deploy-base/opensso/config/auth/default_en/
   If you replace your existing LDAP.xml with the sample LDAP.xml you will lose any custom changes made to the existing LDAP.xml.
3. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up. For example, if using Glassfish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.
4. Restart the OpenSSO web container after making the changes.

Optionally, you can run diff between both files and make the necessary changes manually.

Modifying the OpenSSO Login Page

This procedure documents how to modify Login.jsp with the necessary code to save the URL value of the goto parameter in the HTTP request. This saved URL is required by ChangePassword.jsp. The saved URL (which is the original location requested by the user) will be passed to Identity Manager and used to redirect the user after the password change has been completed.

There are two options to consider when deciding how to embed code into the OpenSSO Login.jsp. You can manually change the deployed Login.jsp file, or you can use the sample Login.jsp included with the opensso.zip download. They are mutually exclusive so choose only one of these procedures.

- To Manually Modify a Deployed Login.jsp
- To Use the Sample Login.jsp

To Manually Modify a Deployed Login.jsp

1. Change to the /web-container-deploy-base/opensso/config/auth/default/ directory to access the deployed Login.jsp file.
2. Open Login.jsp in an editor and add the two (2) sections of code displayed in yellow in admin_pwd_reset_login.html on the OpenSSO web site.
3. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up. For example, if using Glassfish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.
4. Restart the OpenSSO web container after making the changes.

To Use the Sample Login.jsp

1. Change to the opensso/integrations/idm/jsps/ directory in the decompressed opensso.zip to access the sample Login.jsp.
2. Change the Identity Manager URL embedded in the sample Login.jsp to reflect the Identity Manager system URL of your architecture. You can search for the string /idm to locate the URLs.
3. Replace your deployed /web-container-deploy-base/opensso/config/auth/default/Login.jsp with the sample Login.jsp. If you replace your existing Login.jsp with the sample Login.jsp the following will occur:
    - You will lose any custom changes made to the existing Login.jsp.
    - You will inherit changes that might have been previously made to the sample Login.jsp to incorporate requirements for other use cases related to the OpenSSO integration with Identity Manager.
4. Remove the web container's temporary, compiled JSP to ensure that the changes made are picked up. For example, if using Glassfish, the temporary, compiled classes can be found under glassfish-home/domains/your-domain/generated/.
5. Restart the OpenSSO web container after making the changes.

Optionally, you can run diff between both files and make the necessary changes manually.
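The goto value that Login.jsp saves and ChangePassword.jsp forwards is attacker-influenced input: it arrives on the login URL, and after the password change Identity Manager sends the browser to it. Whatever validation OpenSSO applies to the goto it receives on its own login page, once the value is copied into a custom JSP and handed to a second system that check no longer sits between the parameter and the redirect, so it is worth validating again at the point of use. The validator below is an added example (not code from the post, OpenSSO or Identity Manager) of the check I would put in front of that save: accept only an absolute path or an https URL to an allowlisted host, and fall back to a safe default otherwise. The host list and the Identity Manager URL are hypothetical; only the goto and accountId parameter names come from the post.

```python
from urllib.parse import urlsplit, urlencode

# Hypothetical values: the post does not give the Identity Manager URL or the
# hosts that protected resources live on.
IDM_CHANGE_PASSWORD_URL = "https://idm.example.com:8080/idm/authutil/changePassword.jsp"
ALLOWED_GOTO_HOSTS = {"app.example.com", "portal.example.com:8443"}
SAFE_DEFAULT = "/"


def validate_goto(goto, allowed_hosts=ALLOWED_GOTO_HOSTS, fallback=SAFE_DEFAULT):
    """Return goto unchanged if it is safe to redirect to, otherwise fallback.

    Accepted: an absolute path on this site ("/portal/"), or an https URL
    whose host[:port] is in allowed_hosts. Rejected: scheme-relative URLs
    ("//evil.example"), any scheme other than https, embedded credentials
    ("https://app.example.com@evil.example/"), and backslashes or control
    characters, which some browsers normalise into '/'."""
    if not goto:
        return fallback
    if any(ch == "\\" or ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in goto):
        return fallback
    parts = urlsplit(goto)
    if not parts.scheme and not parts.netloc:
        # Relative target: only a plain absolute path, never "//host" or "///host".
        if goto.startswith("/") and not goto.startswith("//"):
            return goto
        return fallback
    if parts.scheme.lower() != "https":
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    if parts.netloc.lower() not in allowed_hosts:
        return fallback
    return goto


def build_idm_redirect(account_id, goto, idm_url=IDM_CHANGE_PASSWORD_URL):
    """Build the Identity Manager URL the way ChangePassword.jsp would, with
    the goto value validated first. Parameter names follow the post."""
    return idm_url + "?" + urlencode({"accountId": account_id,
                                      "goto": validate_goto(goto)})


if __name__ == "__main__":
    # Constructed inputs: one legitimate return URL, then typical abuse cases.
    for candidate in ("https://app.example.com/reports?id=7",
                      "/portal/home.jsp",
                      "//evil.example/phish",
                      "https://app.example.com@evil.example/",
                      "http://app.example.com/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {validate_goto(candidate)!r}")
    print(build_idm_redirect("idmuser1", "//evil.example/phish"))
```

Note that the allowlist compares the whole host:port string, so a resource served on a non-default port has to be listed with its port; that is deliberate, since a looser suffix match on the host name is what lets app.example.com.evil.example through.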

Testing the Configurations

Perform the tests in the order in which they are described to understand and verify the behavior for each stage of this use case.

A. Testing Password Expiration Warning

Perform the following actions after the time at which the password expiration warning, as defined in the password policy, would take effect.

1. Access a URL protected by OpenSSO. The OpenSSO login page is displayed.
2. Enter the test user name and password. You will be redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:
    - The URL is the one configured in ChangePassword.jsp.
    - The user will be forwarded to the value of the goto parameter after the password has been successfully changed.
    - The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager will make the changes to the password on both Identity Manager and OpenSSO.

B. Testing Password Expiration

Perform the following actions after the time at which the password should have expired, as defined in the password policy.

1. Access a URL protected by OpenSSO. The OpenSSO login page is displayed.
2. Enter the test user name and password. An error page is displayed informing the test user that the password has expired. The user is instructed to have the administrator reset the password.

C. Testing Administrator Password Reset

1. Refer to your directory server documentation to enable the audit log. Monitor the directory server audit log as you finish the test.
2. Login as the directory administrator and change the password for a test user. This simulates the password reset by a help desk administrator.
3. Using the audit log, verify that the user's userPassword attribute was modified and that pwdReset was set to TRUE. The pwdReset attribute forces the user to change the password at the next login; note also that passwordExpirationTime has been set to 19700101000000Z (the start of the epoch, that is, a time already in the past). The audit log might resemble this sample:

    time: 20090713074720
    dn: uid=idmuser1,dc=sun,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
    -
    replace: modifiersname
    modifiersname: cn=admin,cn=administrators,cn=dscc
    -
    replace: modifytimestamp
    modifytimestamp: 20090713144720Z
    -
    replace: passwordexpirationtime
    passwordexpirationtime: 19700101000000Z
    -
    replace: pwdreset
    pwdreset: TRUE

4. Access the Identity Manager user URL. You will be redirected to OpenSSO for login.
5. Enter the test user name and password. You will be redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:
    - The URL is the one configured in ChangePassword.jsp.
    - The user will be forwarded to the value of the goto parameter after the password has been successfully changed.
    - The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager will make the changes to the password on both Identity Manager and OpenSSO.
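Reading the audit record by hand works for one test user; for checking a batch of help-desk resets, or for confirming which of the three outcomes above a given account will hit at its next login, it helps to have the logic written down. The script below is an added example, not code from the post or from the directory server: it parses the LDIF-style modify record exactly as printed in step 3 (the record text is copied from there), confirms that the reset replaced userPassword and set pwdReset TRUE, and then classifies the account into the RESET_REQUIRED, EXPIRED, WARNING or OK states that tests C, B and A describe. The one-week passwordWarning value and the "now" timestamps are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Copied from the audit log excerpt in step 3 above: one LDIF change record,
# with '-' separating the individual attribute replacements.
SAMPLE_AUDIT_RECORD = """\
time: 20090713074720
dn: uid=idmuser1,dc=sun,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
-
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc
-
replace: modifytimestamp
modifytimestamp: 20090713144720Z
-
replace: passwordexpirationtime
passwordexpirationtime: 19700101000000Z
-
replace: pwdreset
pwdreset: TRUE
"""

# Assumed policy value; substitute the passwordWarning of your own policy.
WARNING_SECONDS = 7 * 24 * 3600


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form of LDAP GeneralizedTime as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_audit_record(text):
    """Parse one modify record into time, dn, changetype and replaced attributes.

    Attribute names are lower-cased because the log mixes userPassword with
    passwordexpirationtime; LDAP attribute names are case-insensitive anyway."""
    record = {"time": None, "dn": None, "changetype": None, "replace": {}}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "-":  # '-' closes one replacement
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ("time", "dn", "changetype"):
            record[name] = value
        elif name == "replace":
            current = value.lower()
            record["replace"].setdefault(current, [])
        elif current is not None and name == current:
            record["replace"][current].append(value)
    return record


def is_admin_reset(record):
    """An administrator reset replaces userPassword and sets pwdReset to TRUE."""
    rep = record["replace"]
    return "userpassword" in rep and rep.get("pwdreset", [""])[0].upper() == "TRUE"


def password_state(now, expiration_time, warning_seconds=WARNING_SECONDS, pwd_reset=False):
    """What the user sees at the next OpenSSO login, following tests A to C:
      RESET_REQUIRED  pwdReset TRUE: redirect to Identity Manager (test C)
      EXPIRED         past expiration, no reset flag: error page (test B)
      WARNING         inside the warning window: redirect to Identity Manager (test A)
      OK              normal login"""
    if pwd_reset:
        return "RESET_REQUIRED"
    if now >= expiration_time:
        return "EXPIRED"
    if expiration_time - now <= timedelta(seconds=warning_seconds):
        return "WARNING"
    return "OK"


def state_from_audit(record, now):
    """Derive the state from the attributes the reset wrote to the entry."""
    values = record["replace"].get("passwordexpirationtime")
    if not values:
        raise ValueError("record does not replace passwordexpirationtime")
    return password_state(now, parse_generalized_time(values[0]),
                          pwd_reset=is_admin_reset(record))


if __name__ == "__main__":
    rec = parse_audit_record(SAMPLE_AUDIT_RECORD)
    now = parse_generalized_time("20090713150000Z")  # assumed: a few minutes after the reset
    print(rec["dn"], "admin reset:", is_admin_reset(rec), "->", state_from_audit(rec, now))
    for exp in ("20090713140000Z", "20090718000000Z", "20090813000000Z"):
        print("expires", exp, "->", password_state(now, parse_generalized_time(exp)))
```

The epoch value alone would only make the password expired, which is the error page of test B; it is the pwdReset flag that turns the same login into the redirect to Identity Manager in test C, so a reset procedure that sets the expiration without the flag locks the user out instead of letting them recover.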

For those fans of The Real Housewives of Atlanta, here's a fan-made video of Kim Zolciak's (Don't Be) Tardy for the Party. (I added the parentheticals to make it seem official.) Kandi Burress produced a dance floor smash for the woman who can not sing! Who knew?

Category: Sun

Tags: identitymanagement identitymanager music opensso
