5.3 Password Management Configuration

This section describes how to configure password self-service and user authentication features for your Identity Manager User Application.

5.3.1 About Password Management Features

The password management features supported by an Identity Manager User Application encompass user authentication and password self-service. When you put these features into use, they enable your application to:

  • Prompt for login information (username and password) to authenticate against Novell eDirectory

  • Provide users with password change self-service

  • Provide users with forgotten password self-service (including prompting for challenge responses, displaying a password hint, or allowing a password change, as needed). You can configure forgotten password self-service to run inside the firewall (the default), or you can configure it to run outside the firewall.

  • Provide users with challenge question self-service

  • Provide users with password hint self-service

Required Setup in eDirectory

Before you can use most of the password self-service and user authentication features, you need to do the following in eDirectory:

  • Enable Universal Password

  • Create one or more password policies

  • Assign the appropriate password policies to users

A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing user passwords. Novell Identity Manager takes advantage of NMAS (Novell Modular Authentication Service) to enforce password policies that you assign to users in eDirectory.

You can use Novell iManager to perform the required setup steps. For example, here’s how someone defined the DocumentationPassword Policy in iManager.

Figure 5-3 Sample Password Policy

This password policy specifies:

  • Universal Password settings

    Figure 5-4 Sample Universal Password Settings

  • Settings to deal with forgotten-password situations

    Figure 5-5 Sample Password Policy

  • Assignments that apply the policy to specific users

    Figure 5-6 Sample Policy Assignments

Case-Sensitive Passwords

By default passwords are not case-sensitive. You can create a password policy that allows case-sensitive passwords by selecting the Allow the password to be case-sensitive setting under Password Policies > Universal Password > Advanced Password Rules. If you enable case-sensitive passwords, you must also enable the Allow user to retrieve password setting. It is enabled by default, but you can verify it through the iManager Password Policies > Universal Password > Configuration Options tab.

Password Policy Compliance

If you enable Universal Password, it is recommended that you also configure the system to verify that existing passwords comply with the password policy. You can configure this through iManager. In iManager, go to Passwords > Password Policies > Universal Password > Configuration Options. Make sure the following option is selected: Verify whether existing passwords comply with password policy (verification occurs on login). This ensures that users created through the User Application are forwarded to the Change Password page to enter a password that complies with the Identity Manager password policy.

5.3.2 Configuring Challenge Response

The Challenge Response self-service page lets users:

  • Set up the valid responses to administrator-defined challenge questions, and set up user-defined challenge questions and responses

  • Change the valid responses to administrator-defined challenge questions, and change user-defined challenge questions and responses

NOTE: The password management facility makes passwords case-sensitive, by default, and also allows you to configure case sensitivity for passwords. This is not the case with the Challenge Response facility. Challenge Response answers are not case sensitive, and cannot be configured to support case sensitivity.

HINT: If you have localized the Challenge Response questions in iManager, set the Login Configuration setting Enable Locale Check to True.

Figure 5-7 Challenge Response Example

Requirements

The Challenge Response requirements are described in Table 5-6.

Table 5-6 Challenge Response Requirements

Topic

Requirements

Password policy

A password policy with forgotten password enabled and a challenge set.

Universal Password

Does not require Universal Password to be enabled.

eDirectory configuration

Requires that you grant supervisor rights to the LDAP Administrator for the container in which the logged-in user resides. Granting these privileges allows the user to write a challenge response to the secret store.

For example, suppose the LDAP realm administrator is cn=admin, ou=sample, n=novell and you log in as cn=user1, ou=testou, o=novell. You need to assign cn=admin, ou=sample, n=novell as a trustee of testou, and grant supervisor rights on [All attribute rights].

Using the Challenge Response Feature

To use the Challenge Response feature, you need to know about the following:

How Challenge Response Is Used During Login

During the login process, the Login page automatically redirects to Challenge Response whenever the user needs to set up challenge questions and responses (for example, the first time a user attempts to log in to the application after an administrator assigns the user to a password policy in iManager). The password policy must have forgotten password enabled and include a challenge set.

How Challenge Response Is Used in the User Application

By default, the User Application provides users with self-service for changing challenge questions and responses.

Configuring Challenge Response

The Challenge Response Configuration settings (on the Administration tab) are described in the following table.

Table 5-7 Challenge Response Configuration Settings

Setting

Description

Mask Response Text

Choosing Yes means that user-entered response text is masked with asterisk (*) characters.

5.3.3 Configuring Forgotten Password

This feature uses challenge/response authentication to let users get information about their passwords. The result, which depends on the assigned password policy, can include:

  • Displaying the user’s password hint on the screen

  • E-mailing the hint to the user

  • E-mailing the password to the user

  • Prompting the user to reset (change) the password

Forgotten password self-service is typically available to users inside your corporate firewall through the deployed User Application WAR, but you can also configure your system so that the forgotten password management features are stored in a separate password management WAR. You can then deploy the password management WAR on a separate system that can be located inside or outside your corporate firewall. To learn how to set up Forgot Password outside the core User Application WAR, see Section 2.5, Configuring Forgotten Password Self-Service.

Requirements

The Forgot Password feature requirements are listed in Table 5-8.

Table 5-8 Forgotten Password Requirements

Topic

Requirements

Password policy

Requires a password policy with forgotten password enabled and with a challenge set.

When using password policies, you also need to configure the following settings on the Password Policy page in iManager to ensure that the User Application prompts the user to change the password on first login.

  • Force user to configure Challenge Questions and/or Hint upon authentication must be enabled. This setting is on the Forgotten Password panel, under Authentication.

  • Verify whether existing passwords comply with the password policy (verification occurs on login) must be enabled. This setting is on the Universal Password Policy panel, under Configuration Options > Authentication.

  • Limit the number of grace logins allowed (0-254) must be enabled. You can accept the default value of 6. This setting is on the Universal Password panel, under Advanced Password Rules > Password Lifetime. This setting is required to support the Create User action. The Create User action expires the user’s password and sets the grace login value to 1, so that the user is forced to change the password on first login.

Universal Password

Does not require Universal Password to be enabled, unless you want to support resetting the password or e-mailing the password to the user.

Using the Forgot Password Feature

To use the Forgot Password feature, you need to know about the following:

How the Forgot Password Feature Is Used During Login

During the login process, the Login page redirects to the Forgot Password page if the user clicks the Forgot Password link. When Forgot Password displays, it does the following:

  1. Prompts for username.

  2. Redirects to the Challenge/Response page to perform challenge/response authentication for that user.

  3. Performs the forgotten password action specified in the authenticated user’s assigned password policy. It does one of the following:

    • Redirects to the Change password page so the user can reset their password

    • E-mails the password or hint to the user

    • Displays the hint

Configuring Your Environment for E-mail Actions

If you want to support the Forgot Password e-mail actions, you need to make sure your e-mail notification server is set up properly:

  1. Use a Web browser to access iManager on your eDirectory server and log in as an administrator.

  2. Go to Roles and Tasks > Passwords and select Email Server Options.

  3. Specify the appropriate settings, then click OK.

Forgot Password uses two e-mail templates. In iManager, you find them in Roles and Tasks > Passwords > Edit Email Templates. They are named:

  • Password hint request

  • Your password request

You can change the content of these templates as needed for your application, but don’t change the structure. The Forgot Password page determines, based on the user’s preferred locale, whether to display a localized e-mail template.

Forgot Password Configuration Settings

You set the Forgot Password page configuration settings in the Administration tab. They are described in Table 5-9.

Table 5-9 Forgot Password Configuration Settings

Configuration Setting

Description

Login Sequence

The NMAS login sequence to use. In this version, only Challenge Response is supported.

LDAP secure port

The secure LDAP port to use. The default is 636.

Allow Wild Cards in Login

Select True if you want users to be able to type the first few characters of a username. (The default is false). Display DN Information must also be true.

When True, the user is able to type a few characters of a username and the Forgot Password page returns a list of DNs that match the user-entered string. Do not enter * or ? in the username as part of the search string.

Display Full User Name

Select True when you want the Forgot Password page to display the full user name. This can be used in conjunction with Allow Wild Cards in Login. If set to False, no name is displayed.

Generic Password Policy User DN

Specify the DN of an existing Identity Vault user established to prevent unauthorized users from accessing your system by guessing valid usernames.

By default, if the user enters an invalid name, the User Application displays the message User not Found. Under some circumstances an unauthorized user might be able to guess a valid name and answer the challenge questions correctly. One way to prevent this is to specify this value. See Setting Up a Generic Password Policy User DN for additional required configuration steps.

Encoding

The character encoding to use. The default is utf-8.

Display Hint in Password Reset

Select True (the default) to display the user’s password hint on the Password Reset screen.

Select False to avoid displaying the user’s password hint on the Password Reset screen.

Display Return to Calling Page

Allows the administrator to show or hide the Return to Calling Page link after a forgot password action is performed.

If the Novell Client Login Extension (CLE) Restricted Browser is used, the link should be disabled because pressing on the link when using the Restricted Browser does not work.

Forgot Password Link

This value defines the name and path to the Forgot Password page. The initial value is established during installation. If you do not use an external password management WAR, you can leave the default value.

For more information, see Section 2.5, Configuring Forgotten Password Self-Service.

Forgot Password Return Link

Like the Forgot Password Link, this value is set during installation and you do not need to make any changes if you do not use an external password management WAR.

If you do use an external password WAR, use this setting to specify the URL that the Forgot Password page can use to return to the User Application when the user clicks Submit. The return link should take the form of:

protocol://servername:port/userappcontext

For example, https://idmhost:8080/IDMProv

For more information, see Section 2.5, Configuring Forgotten Password Self-Service.

Forgot Password Web Service URL

This setting allows the External Forgot Password WAR to call the Forgot Password Web Service defined in the User Application. The format of this field is:

https://host:port/idm_ctx/pwdmgt/service

Setting Up a Generic Password Policy User DN

To support the Generic Password Policy User DN, you need to set up a user in the users container for this purpose. This user should:

  • Have a password that is difficult to guess.

  • Have his or her e-mail address assigned to a User Application Administrator.

You must set up:

  • A Challenge Set for this user and establish only Admin defined questions.

  • A Password Policy that uses this Challenge Set. The Password Policy should have ForgotPassword enabled.

You must log in to the User Application as this user at least once to supply the answers to the Admin-defined questions.

Finally, log in to the User Application as the User Application administrator and go to the Forgot Password configuration page of the Administration tab. Specify false for Allow Wild Cards in Login and Display Full User Name. Specify this newly established user as the Generic Password Policy User DN.
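
The constraints this section places on the Forgot Password settings can be checked mechanically. The following Python sketch is an added example, not code from Novell or the User Application; the settings dictionary, the function names, and the constructed DN and service URL values are assumptions made for illustration, keyed by the setting names in Table 5-9.

```python
from urllib.parse import urlsplit

# Setting names as they appear in Table 5-9.
GENERIC_DN = "Generic Password Policy User DN"
WILDCARDS = "Allow Wild Cards in Login"
FULL_NAME = "Display Full User Name"
RETURN_LINK = "Forgot Password Return Link"
SERVICE_URL = "Forgot Password Web Service URL"


def _url_parts(value):
    """Return (scheme, host, port, path), or None if the value does not parse."""
    try:
        parts = urlsplit(value)
        return parts.scheme, parts.hostname, parts.port, parts.path
    except ValueError:  # for example, a non-numeric port
        return None


def audit_forgot_password(settings, external_war=False):
    """Return a list of (setting name, finding) pairs.

    `settings` is a hypothetical dict of the values an administrator has
    entered on the Forgot Password configuration page.
    """
    findings = []
    if not str(settings.get(GENERIC_DN, "")).strip():
        findings.append((GENERIC_DN,
                         "not set: an invalid username is answered with "
                         "'User not Found', which confirms which names exist"))
    else:
        # With a generic user DN in place, both settings must be False.
        for name in (WILDCARDS, FULL_NAME):
            if settings.get(name, False):
                findings.append((name, "must be False when a " + GENERIC_DN
                                 + " is specified"))
    if external_war:
        # Expected form: protocol://servername:port/userappcontext
        parts = _url_parts(settings.get(RETURN_LINK, ""))
        segments = [s for s in parts[3].split("/") if s] if parts else []
        if not parts or not (parts[0] and parts[1] and parts[2]) \
                or len(segments) != 1:
            findings.append((RETURN_LINK,
                             "expected protocol://servername:port/userappcontext"))
        # Expected form: https://host:port/idm_ctx/pwdmgt/service
        parts = _url_parts(settings.get(SERVICE_URL, ""))
        if not parts or parts[0] != "https" or not (parts[1] and parts[2]) \
                or not parts[3].endswith("/pwdmgt/service"):
            findings.append((SERVICE_URL,
                             "expected https://host:port/idm_ctx/pwdmgt/service"))
    return findings


# Constructed sample configurations (the DN and service URLs are invented).
DEFAULTS = {GENERIC_DN: "", WILDCARDS: False, FULL_NAME: False}
WEAK = {
    GENERIC_DN: "cn=pwdgeneric,ou=users,o=example",
    WILDCARDS: True,                      # returns a list of matching DNs
    FULL_NAME: True,
    RETURN_LINK: "https://idmhost/IDMProv",                     # port missing
    SERVICE_URL: "http://idmhost:8080/IDMProv/pwdmgt/service",  # not https
}
CORRECTED = {
    GENERIC_DN: "cn=pwdgeneric,ou=users,o=example",
    WILDCARDS: False,
    FULL_NAME: False,
    RETURN_LINK: "https://idmhost:8080/IDMProv",
    SERVICE_URL: "https://idmhost:8080/IDMProv/pwdmgt/service",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label)
        for name, finding in audit_forgot_password(cfg, external_war=True):
            print("  %s: %s" % (name, finding))
```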

5.3.4 Configuring Login

The Login page performs a very robust user authentication supported by Identity Manager (through Universal Password, password policies, and NMAS). The Login page redirects to the other password pages as needed during the login process.

Requirements

The Login page requirements are listed in Table 5-10 below.

Table 5-10 Login Requirements

Topic

Requirements

Password policy

This page does not require a password policy, unless you want to use advanced password rules or let users click the Forgot Password link.

Universal Password

This page does not require Universal Password to be enabled, unless you want to use a password policy with advanced password rules.

SSL

This page uses SSL, so make sure that your application server is properly configured to support SSL connections to your LDAP realm.

Use the Password Module Setup Login Action to configure the following settings:

Table 5-11 Login Configuration Settings

Configuration Setting

Description

Allow ID Wildcard

If True, users can specify the first few characters of a username and a list of usernames that include those characters is displayed so the user can select the user to log in as.

Enable Forgot Password Link

If True, the User Application Login page displays the Forgot Password link.

Enable SSO

If True, the username and password are stored in the session and can be accessed by other properly configured portlets. The username is stored in the SSO User ID Key and the password in the SSO Password Key.

SSO User ID Key

If Enable SSO is True, the username is stored in the session using this key.

SSO Password Key

If Enable SSO is True, the password is stored in the session using this key.

Enable Hint Migration

If True, any existing hints are moved from the nsimHint to the nsimPasswordReminder.

Enable Locale Check

If True, and the user has not set their locale preferences, the User Application displays a page that allows them to set their preferred locale.

Enable Password Autocomplete

If True and supported by the browser, the user’s browser opens a window asking if the user wants to save the login credentials.

If False (the default), the user does not receive a browser prompt to save the login credentials.

Guest Container Page

Allows you to specify a custom guest container page. For example, you might specify any of the following values to direct the user to the MyOrgChart page:

/IDMProv/portal/cn/DefaultContainerPage/MyOrgChart
/portal/cn/DefaultContainerPage/MyOrgChart
http://localhost:9000/IDMProv/portal/cn/DefaultContainerPage/MyOrgChart

The default value is:

GuestContainerPage

Logout URL

This value specifies the URL that a user is redirected to after the user presses the Logout button in the User Application.

Password Change Return Page

This value specifies the URL that a user is redirected to after a password change. If you specify a URL for this setting, the User Application displays a link to the redirect page, along with a success message when the password has been changed.

This setting only works when accessing the User Application via Novell Access Manager. If you access the User Application without going through Access Manager, the Password Change Return Page link will not display.

Furthermore, this setting only works within the context of the User Application and not when you access the ChangePassword.jsp directly. If you access the ChangePassword.jsp directly, you will not see a link displayed that redirects to the Password Change Return Page.

When accessing ChangePassword.jsp directly, if you want users to receive a success message, you need to add the following URL parameter:

?changePasswordForcedLogout=true

For example:

http://myserver/IDMProv/jsps/pwdmgt/ChangePassword.jsp?changePasswordForcedLogout=true

Otherwise, the user will not receive a success message after changing their password.

Enable Password Expiration Warning

This setting gives you the ability to enable or disable the expired password warning. This feature is useful in configurations where another product has detected an expired password and already warned the user prior to redirecting to the Identity Manager portlets.

Using SSL Login

This setting lets you configure the Login page to redirect to https. If you set Using SSL Login to true, then when a user goes to login.jsp (either directly or through a redirect from a non-SSL page), the login.jsp page is presented over https on the configured SSL port (Server SSL Port). After the user logs in, the user sees the https (SSL) landing page.

Server SSL Port

Specifies the SSL port that the User Application is running on.

Using the Login Page

To use the Login page, you need to know about the following:

How Login Redirects to Other Pages

At runtime, the Login page redirects to other password pages, depending on what’s needed to complete the login process. Table 5-12 directs you to descriptions.

Table 5-12 Login Directions to Other Pages

| If the user | Login redirects to |
|---|---|
| Clicks the link Forgot Password | Forgot Password page |
| Needs to set up challenge questions and responses | Challenge response page |
| Needs to set up a password hint | Hint Definition page |
| Needs to reset an invalid password | Change password page |

Using Grace Logins

If you use a grace login, the Login page displays a warning message that asks you to change your password and indicates the number of grace logins that remain. If you are on your last login, the Login page redirects you to the Change Password page.

5.3.5 Configuring Password Sync Status

Password Sync Status lets users check the progress of the password change process on connected systems. You can specify a different image to represent each connected system. To set up password sync status checking:

  • Define the connected applications whose status the user should be able to view during the synchronization process. You define the connected applications in the Password Sync Status Application Settings described in Table 5-14.

  • Define the settings for the password sync status page displayed to users. These settings are described in Table 5-13, Password Sync Status Client Settings.

By default, the User Application Administrator can view the password sync status of other users when the User Application Administrator accesses the Password Sync Status page, shown in Figure 5-8. The administrator can access the sync status for another user by specifying the other user’s DN, then clicking Check Sync Status.

Figure 5-8 Password Sync Status

In addition to the User Application Administrator, you can define a set of users to perform the Check Sync Status for other users (for troubleshooting or other purposes). The members of a group called PasswordManagement are also automatically allowed to view the password synchronization status of other users. This group does not exist by default. If you choose to create this group, it must be:

  • Named PasswordManagement.

  • Given privileges to the Identity Vault. The group must have rights to read the user’s eDirectory object attributes for users whose password synchronization status they need to view. The system accesses the DirXML-PasswordSyncStatus, the pwdChangedTime, and the DirXML-Associations attributes.

Table 5-13 Password Sync Status Client Settings

Configuration Setting

Description

Password Sync Buffer Time (milliseconds)

The password sync status checking compares time stamps across different Identity Vaults and connected systems. This buffer time is intended to account for differences between the system times on these different machines. This time is added to the time stamp on the user object’s password change attribute to determine if a change has occurred. The Password Sync Status process uses the buffer time as follows:

  • If the time stamp value (password sync time) in DirXML-PasswordSyncStatus for the connected system is older than the last password change time stamp (pwdChangedTime attribute of user object) + password sync buffer time, then the status is considered old and the system continues polling for an updated status for the connected system.

  • If the time stamp value in DirXML-PasswordSyncStatus for the connected system is newer than the last password change time stamp + password sync buffer time, then the password sync functionality returns the status code or message and displays the updated status of the connected system.

  • The last password change time stamp is populated to the user object after the user’s password change. This functionality is available in NMAS 3.1.3 and higher.

Image Per Row

The number of application images to display per row in the Identity Self-Service Password Sync Status page.

Individual Application Timeout (milliseconds)

The amount of time that the Password Sync Status process waits for a response for each connected application’s status before checking for the next one.

All Application Timeout (milliseconds)

This value indicates the amount of time allowed for the entire password sync status process (of all connected systems) to complete. Before this timeout is reached, the password sync process continues to poll until all status values are updated or this timeout is reached. When the timeout status is reached, the system displays an error message to the user that indicates that a timeout condition has been reached.

Process Count

The number of times each connected system is checked for the password sync status.

Pass Phrase

If the DirXML-PasswordSyncStatus contains a password hash, then the value entered in this field is compared to that value. If they are not equal, the User Application displays an invalid hash message.

Application Image Size Limit (bytes)

Lets you set the maximum size (in bytes) of the application image that can be uploaded. You specify this image in the Application Image setting described in Table 5-14.

Show Password Sync Status After Password Change

If this field is set to true, after the user changes a password, the interface presents the Password Sync Status screen. If this field is set to false, the Password Sync Status screen is not displayed after a password change.
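
The buffer-time comparison and the polling limits in Table 5-13 can be expressed as follows. This is an added Python example, not the User Application's own code; the reader callback, the FakeVault class, the GUID placeholders, the status label OK, and the treatment of an exactly equal time stamp as old are assumptions.

```python
from datetime import datetime, timedelta, timezone

PENDING = "PENDING"  # label used by this example only


def status_is_current(sync_time, pwd_changed_time, buffer_ms):
    """Table 5-13 rule: the connected system's time stamp counts as updated
    only when it is newer than pwdChangedTime + Password Sync Buffer Time.
    Assumption: an exactly equal time stamp is treated as old."""
    return sync_time > pwd_changed_time + timedelta(milliseconds=buffer_ms)


def check_sync_status(read_status, guids, pwd_changed_time, *, buffer_ms,
                      process_count, app_timeout_ms, all_timeout_ms, now):
    """Poll each connected system until its status is current.

    read_status(guid, app_timeout_ms) -> (sync_time, code) or None
        hypothetical reader; None means no answer within the
        Individual Application Timeout, so the next system is checked.
    now() -> datetime, injectable so the example runs deterministically.

    Returns ({guid: code or PENDING}, timed_out); timed_out is True when
    the All Application Timeout was reached first.
    """
    deadline = now() + timedelta(milliseconds=all_timeout_ms)
    results = {guid: PENDING for guid in guids}
    for _ in range(process_count):          # Process Count passes at most
        pending = [g for g in guids if results[g] == PENDING]
        if not pending:
            break
        for guid in pending:
            if now() >= deadline:
                return results, True
            reading = read_status(guid, app_timeout_ms)
            if reading is None:
                continue
            sync_time, code = reading
            if status_is_current(sync_time, pwd_changed_time, buffer_ms):
                results[guid] = code        # otherwise old: keep polling
    return results, False


class FakeVault:
    """Constructed stand-in for the Identity Vault: scripted readings per
    driver GUID and a clock that advances 100 ms on every read."""

    def __init__(self, start, script):
        self.clock = start
        self.script = {g: list(r) for g, r in script.items()}

    def now(self):
        return self.clock

    def read_status(self, guid, app_timeout_ms):
        self.clock += timedelta(milliseconds=100)
        readings = self.script[guid]
        return readings.pop(0) if len(readings) > 1 else readings[0]


T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed pwdChangedTime


def demo(all_timeout_ms=10_000):
    script = {
        # Status left over from an earlier change, then a fresh one.
        "guid-A": [(T0 - timedelta(days=1), "OK"), (T0 + timedelta(seconds=5), "OK")],
        # Stamped 1 s after the change: inside the 2 s buffer, so still old.
        "guid-B": [(T0 + timedelta(seconds=1), "OK")],
        # No answer on the first pass, current on the second.
        "guid-C": [None, (T0 + timedelta(seconds=3), "OK")],
    }
    vault = FakeVault(T0 + timedelta(seconds=6), script)
    return check_sync_status(vault.read_status, list(script), T0,
                             buffer_ms=2000, process_count=3,
                             app_timeout_ms=500,
                             all_timeout_ms=all_timeout_ms, now=vault.now)


if __name__ == "__main__":
    print(demo())
    print(demo(all_timeout_ms=250))
```

In the constructed data, guid-B stays pending because its time stamp falls inside the buffer window, which shows why the buffer should be no larger than the clock differences it has to absorb.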

The Password Sync Status Application Settings are described in Table 5-14.

Table 5-14 Password Sync Status Application Settings

Configuration Setting

Description

Password Synchronization Application Name

The name used to describe the connected application. You can enter the application name in multiple locales.

To add a language (locale):

  1. Click Add Language (+).

  2. Type the Application Name for the desired localized languages in the appropriate field.

  3. Click Save.

If you do not specify localized application names, the value specified in the Password Synchronization Application Name is used.

Application DirXML-PasswordSyncStatus GUID

You can get the driver GUID by browsing the attributes on the driver object in one of two ways:

  • Click the browse button next to this field. This browse button obtains only GUIDs of drivers in the current driverset that the User Application driver resides in.

  • Use iManager to browse for the driver (use the General - Other tab, used when modifying the object) and manually copy and paste the GUID into this field.

Application Image

The name of the connected application image to upload. The application image size limit can be configured in the Application Image Size Limit field in the Password Sync Status Client Settings section. Supported file types are .bmp, .jpeg, .jpg, .gif, and .png.

Application Filter

Optional. Specify an LDAP filter that allows or prohibits users from viewing the application name on their Check Password Synchronization pages.

You can use any standard LDAP filter.

Dependent Driver

Optional. Specify any additional driver this application depends on.

If any driver in the dependent driver chain is not visible to the user, the driver specified by Application DirXML-PasswordSyncStatus GUID is also not visible to the user.

If any driver in the dependent driver chain fails to check password sync status, the driver specified by Application DirXML-PasswordSyncStatus GUID also fails to check password sync status.

You can get the driver GUID by browsing the attributes on the driver object in one of two ways:

  • Use the object selector button beside the Dependent Driver field.

    This method saves the application driver's fully distinguished name (FDN). When a user checks password sync status, this FDN is compared to the value of the FDN field in the DirXML-Associations attribute of the user object. If the two FDNs do not match, this application is not visible to the user. If there is a match, and if the DirXML-Associations attribute's driver status field is not 0 and the driver data field is not null, this application is visible to the user.

  • Manually enter the GUID for the dependent driver.

    Use this method when this application driver is not from the current driverset that the User Application driver resides in. This method does not save an FDN. When a user checks password sync status, FDNs are not compared, and this dependent driver is visible to the user unless you apply an Application Filter that excludes the user.

5.3.6 Configuring Password Hint Change

This self-service page lets users set up or change their password hints, which can be displayed or e-mailed as a clue in forgotten password situations.

Figure 5-9 Define Password Hint Sample

Requirements

The Password Hint Change requirements are listed in Table 5-15.

Table 5-15 Password Hint Change Requirements

Topic

Requirements

Universal Password

Does not require Universal Password to be enabled.

Using the Password Hint Change Page

To use the Password Hint Change page, you need to know about the following:

How Password Hint Change Is Used During Login

During the login process, the Login page automatically redirects to the Password Hint Change page whenever users need to set up their password hints. For example, this happens the first time a user attempts to log in to the application after an administrator assigns the user to a password policy in iManager, when that password policy has forgotten password enabled and has the action set to Email hint to user or Show hint on page.

Using Password Hint Change in the User Application

By default, the User Application provides users with self-service for changing a password hint.

5.3.7 Configuring Change Password

This self-service page lets users change (reset) their Universal Passwords, according to the assigned password policy. It uses that policy to display the rules that the new password must conform to.

If Universal Password is not enabled, this page changes the user’s eDirectory (simple) password, as permitted in the user's Password Restrictions.

Figure 5-10 Change Password

There are no Password Change configuration settings.

Requirements

The Change Password page requirements are listed in Table 5-16.

Table 5-16 Change Password Requirements

Topic

Requirements

Directory Abstraction Layer configuration

No directory abstraction layer configuration is required for this page.

Password policy

This page does not require a password policy, unless you want to use advanced password rules (with Universal Password enabled).

Universal Password

To use this page for a Universal Password, the setting Allow user to initiate password change must be enabled in the Advanced Password Rules of the user's assigned password policy.

To use this page for an eDirectory (simple) password, the setting Allow user to change password must be enabled in the user’s Password Restrictions.

Using the Change Password Page

To use the Change Password page, you need to know about the following:

How Change Password Is Used During Login

During the login process, the Login page automatically redirects to the Change Password page whenever the user needs to reset an invalid password. For example, this happens the first time a user attempts to log in to an application after an administrator implements a password policy that requires users to reset their passwords.

The Forgot Password page also redirects to Change Password automatically if the user’s assigned password policy specifies reset password as the action for forgotten password situations.

Using Change Password in the User Application

By default, the User Application provides users with the password change self-service using the Change Password page.

NOTE: On Firefox, if you allow the browser to save passwords, you may see a confusing pop-up message that asks the following question when you confirm a password change: Would you like to have password manager change the stored password for <user>? The user specified in the message may not be the same as the user who logged into the User Application. This message is generated by the Firefox password manager. To turn off this message, you need to disable the password manager in Firefox by deselecting the Remember passwords for sites checkbox under Passwords on the Tools > Options > Security page.