Access Manager works with any password management service that works with your user store. For an implementation example, see Configuring Access Manager for UserApp and SAML.
As you configure the service, be aware of the following configuration options:
When you define the URL for the password service on the Contracts page, you can use the following optional tags in the parameter definitions of the URL. Use parameter names that the service you selected understands: the Identity Server does not need to understand these parameters, but the password expiration service does.
The table below lists a few common ones. Your service might or might not use these, and might require others.
For example:
https://someservice.com/path/password?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>&action=expire
The Identity Server fills in these values, which results in the following URL: https://someservice.com/path/password?user=joe.novell&store=userstore1&returl=https://myidp.com/nidp/idff/sso&action=expire
The password service can also include parameters on the return URL sent to the Identity Server. The Identity Server understands the following parameter:
The following example sends this parameter with https://testnidp.novell.com:8443 as the base URL of the Identity Server.
<form id="externalForm" action='https://testnidp.novell.com:8443/nidp/idff/sso?sid=0&id=117&forceAuth=TRUE' method="post">
When the user is redirected to the password management service URL because of an expired password, the POST data in that redirect contains the sid=<> and id=<> values as part of the value used for the Identity Server return URL.
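The following Python is an added example (not Access Manager code) that covers both sides of the exchange described above: the tag substitution the Identity Server performs on the Contracts page URL, and, on the password service side, an allowlist check of the returned returl before the service redirects back with forceAuth=TRUE. The allowlist of Identity Server origins and the sample values are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample template in the form the Contracts page accepts (not a live service).
TEMPLATE = ("https://someservice.com/path/password"
            "?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>&action=expire")

# Tags the Identity Server substitutes before redirecting the user.
TAGS = ("<USERID>", "<STOREID>", "<RETURN_URL>")


def expand_password_service_url(template, user_id, store_id, return_url):
    """Fill the tags by plain substitution, as the documented example shows."""
    out = template
    for tag, value in zip(TAGS, (user_id, store_id, return_url)):
        out = out.replace(tag, value)
    return out


def is_allowed_return_url(returl, allowed_origins):
    """Password-service side: accept returl only if it points at a known Identity Server.

    The comparison is on scheme plus host:port, so a forged returl cannot turn the
    password service into an open redirect. allowed_origins is assumed to be
    configured by the service operator, e.g. {"https://myidp.com"}.
    """
    parts = urlsplit(returl)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}" in allowed_origins


def build_return_url(returl, force_auth=True):
    """Append forceAuth=TRUE to a validated return URL while keeping the sid and id
    parameters the Identity Server placed there (any stale forceAuth is replaced)."""
    parts = urlsplit(returl)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "forceAuth"]
    if force_auth:
        query.append(("forceAuth", "TRUE"))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Identity Server side: expand the contract URL for user joe.novell in userstore1.
    print(expand_password_service_url(TEMPLATE, "joe.novell", "userstore1",
                                      "https://myidp.com/nidp/idff/sso"))
    # Password service side: validate, then build the redirect back to the Identity Server.
    returl = "https://testnidp.novell.com:8443/nidp/idff/sso?sid=0&id=117"
    if is_allowed_return_url(returl, {"https://testnidp.novell.com:8443"}):
        print(build_return_url(returl))
```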
If you specify a password service and do not specify a value for the number of grace logins in eDirectory, the contract redirects to the password management service only when the grace login count has reached 0 and the password has expired.
The Identity Server needs to read the value of the grace login attribute in order to properly redirect to the password management servlet. If restricting grace logins is not important to your security model, enable grace logins and set the maximum to 9999 (the equivalent of infinite in most environments). For more information, see TID 3465171.
A user’s password does not expire and grace logins are not decremented when you have the following setup:
The Identity Server is configured to act as a service provider
User identification is configured to allow federation
Federation is set up with SAML 2.0, Liberty, WS Federation, or CardSpace protocols
The password expiration service is not called because the user is not using a password for authentication. The service can only be called when the user’s account is defederated. After the user has defederated the account, the next time the user logs in, a password is required and the service is called.