3.3 Configuring the SecureLogin Passphrase

This solution assumes that SecureLogin is used in eDirectory™ mode with or without Novell® SecretStore®.

The following sections provide examples of two methods you can use to configure the SecureLogin Passphrase question so that it is the same as the Identity Manager Challenge Response question. The first method requires manual configuration of the question through iManager. The second method uses Identity Manager policies to automatically provision the Passphrase question.

3.3.1 Configuring the Passphrase Question in iManager

Complete the following tasks to configure the Passphrase question in iManager:

  • Create a Passphrase question that is the same as the Identity Manager Challenge Response question. For instructions, see Creating a Passphrase Question in the SecureLogin 6.1 Administration Guide.

    Keep in mind the following as you create the Passphrase question:

    • Passphrase questions can be modified on individual users or on containers. You need to modify the question on whatever combination of objects is required to match the users covered by the Identity Manager Password policies associated with the Challenge Response question.

    • You can use multiple questions, but they must be the same questions that were used in the Identity Manager Challenge Response.

    • Do not allow users to set their own challenge questions. Set the User-defined passphrase question option to No.

  • Make sure that the Passphrase question and the Identity Manager Password policy are assigned to the same users.
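
The checks in this list can be audited offline. The following Python sketch is an added example, not part of the Novell documentation or tooling. It assumes you have exported the assignments into plain dictionaries keyed by DN (a hypothetical format), that DNs are comma-delimited with no escaped commas, and that the assignment closest to the user takes precedence. All names and sample data are constructed.

```python
# Added audit sketch: the export format and every name here are hypothetical.

def parents(dn):
    """Yield the DN itself, then each enclosing container, nearest first."""
    parts = [p.strip() for p in dn.lower().split(",")]
    for i in range(len(parts)):
        yield ",".join(parts[i:])

def effective(dn, assignments):
    """Return the setting assigned closest to the user (user object, then containers)."""
    norm = {k.lower(): v for k, v in assignments.items()}
    for candidate in parents(dn):
        if candidate in norm:
            return norm[candidate]
    return None

def audit(users, policy_questions, passphrase_settings):
    """Compare each user's effective Passphrase settings with the Challenge
    Response questions of the Password policy that covers the user."""
    findings = []
    for dn in users:
        challenge = effective(dn, policy_questions)      # set of questions or None
        passphrase = effective(dn, passphrase_settings)  # dict or None
        if challenge is None and passphrase is None:
            continue  # user is outside the scope of this solution
        if challenge is None or passphrase is None:
            findings.append((dn, "policy and passphrase not assigned to the same user"))
            continue
        if passphrase["user_defined"]:
            findings.append((dn, "user-defined passphrase question is not set to No"))
        extra = sorted(set(passphrase["questions"]) - set(challenge))
        if extra:
            findings.append((dn, "passphrase question not in Challenge Response: " + "; ".join(extra)))
    return findings

# Constructed sample data: one container-level assignment and one user-level override.
Q = "What is your employee ID?"
SAMPLE_USERS = ["cn=ann,ou=sales,o=acme", "cn=bob,ou=sales,o=acme",
                "cn=cy,ou=it,o=acme", "cn=dee,ou=hr,o=acme"]
SAMPLE_POLICY = {"ou=sales,o=acme": {Q}, "ou=it,o=acme": {Q}}
SAMPLE_PASSPHRASE = {
    "ou=sales,o=acme": {"questions": [Q], "user_defined": False},
    "cn=bob,ou=sales,o=acme": {"questions": ["Favorite color?"], "user_defined": True},
}

if __name__ == "__main__":
    for dn, problem in audit(SAMPLE_USERS, SAMPLE_POLICY, SAMPLE_PASSPHRASE):
        print(dn, "->", problem)
```

On the sample data, the user-level override on bob and the missing Passphrase assignment for cy are reported; ann inherits a matching question from her container and dee is out of scope.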

3.3.2 Provisioning the Passphrase Question through Identity Manager

You can use an Identity Manager policy to automatically populate the Passphrase question and response. This method not only has the advantage of automation but also ensures consistency between the Identity Manager Challenge Response and the SecureLogin Passphrase.

The one limitation of this method is that you can only provision one Passphrase question and response. This means that your Identity Manager Challenge Response can include multiple questions, but your SecureLogin Passphrase can include only one question.

Complete the following tasks to provision the Passphrase question:

  • Select a driver whose policies you want to modify to initiate provisioning of the Passphrase question.

    For example, if you use a specific driver to add user objects to the Identity Vault, you can modify that driver’s policies so that when a new user is added the SecureLogin Passphrase is provisioned.

  • Create the Passphrase provisioning policy. For instructions, see Creating Credential Provisioning Policies in the Novell Credential Provisioning for Identity Manager 3.6 guide.

    Keep in mind the following as you create the policy:

    • The policy must be able to identify the user DN. Make sure the policy is located in a place on the Publisher channel where that information is available.

    • Use the set SSO passphrase action to set the Passphrase question and response. Make sure that the question is non-subjective and that the response comes from data that is available on the User object. Using User object data enables you to ensure that the response in both Identity Manager and SecureLogin is the same.