Novell Doc: Novell Password Management Administration Guide - Adding Password Self-Service to Your Company Portal

4.8 Adding Password Self-Service to Your Company Portal

Most of the procedures in the Password Self-Service section assume that you are using the Password Self-Service features on an iManager 2.02 server.

Refer to the following table for instructions on how Password Self-Service features can be used with portal products, including products other than iManager.

Product	Support for Password Self-Service	Procedure
iManager 2.0.2	You can integrate the features. This product supports Password Self-Service features if you install the password management plug-ins. These plug-ins are included with the Identity Manager 3 and are also available separately from download.novell.com.	Follow the steps in Section 3.3, Prerequisite Tasks for Using Password Policies. All procedures in Section 4.0, Password Self-Service (except for Section 4.8, Adding Password Self-Service to Your Company Portal, which is not necessary for iManager 2.02.)
Identity Manager User Application	User application allows users to perform password self-service tasks.	See Chapter 7, “Application Configuration” in the User Application Administration Guide .
Virtual Office, provided with NetWare 6.5 Support Pack 2, running on an iManager server	You can integrate the features. You can use the Password Self-Service features on the same NetWare server used for Virtual Office and iManager by installing the plug-ins and completing some additional steps.	Section 4.8.1, Integrating Password Self-Service with Virtual Office
Novell Portal Services (NPS) versions earlier than 4.1	You must link to the features. Although these legacy NPS products run Novell portal modules (NPMs), they don't have some of the enhancements that are required for the Password Self-Service features of the ForgottenPassword.npm. To use this product with Password Self-Service, create links from your company portal to the end-user password features on an iManager server.	Section 4.8.2, Linking to Password Self-Service from a Company Portal
Third-party products	You must link to the features. Because third-party products don't run Novell portal modules, you can't use the Password Self-Service features directly in another product. To use third-party products with Password Self-Service, create links from your company portal to the end user password features on an iManager server.	Section 4.8.2, Linking to Password Self-Service from a Company Portal

4.8.1 Integrating Password Self-Service with Virtual Office

Virtual Office supports all the features of Password Self-Service in NetWare 6.5 Support Pack 2 or later, OES for Linux, and OES for NetWare.

For instructions, see the Virtual Office Configuration Guide .

4.8.2 Linking to Password Self-Service from a Company Portal

For products that can't provide the Password Self-Service features by running the ForgottenPassword.npm (as noted in the table in Section 4.8, Adding Password Self-Service to Your Company Portal), you can use the Password Self-Service features by creating another iManager server with the password management plug-ins installed and then linking from your portal home page to the iManager portal on the other server, such as https:// iManager_server_IP_address/nps.

The password management plug-ins are included with the DirXML 2 plug-ins and are available separately by downloading the 2.0 Password Management Plug-in for iManager 2.0. x from http:\\download.novell.com.

The one feature that is not easy to incorporate is post-authentication services, which prompts users to update their passwords to comply with password policies and prompts them to set up Forgotten Password Self-Service according to the password policy, such as creating a password hint. To make sure that users have compliant passwords and are set up to use Forgotten Password Self-Service, you need to make sure that users log in to the iManager portal at least once to create compliant passwords and complete the password management setup, and then again whenever you make changes to Password Policies.

Complete the tasks in these sections:

Prerequisites

Prerequisites

The iManager server and the tree you are using must be prepared as follows:

Meet the prerequisites described in Section 3.3, Prerequisite Tasks for Using Password Policies
Make sure you have set up Password Policies for your eDirectory users

Linking to Forgotten Password Self-Service

To give users access to Forgotten Password Self-Service from your company portal, you can link to that service on a separate iManager Web server.

Create a link such as “Forgot your password?” on the login page for your company portal and point it to the following URL on your iManager Web server:

http:// iManager_server_IP_address/nps/servlet/fullpageservice?NPService=ForgotPassword&nextState=getUserID

This URL takes users to the following page, where they begin the Forgotten Password process.
Complete the steps in Returning Self-Service Users to the Company Portal.

Linking to User Password Management Tasks

Make sure all the eDirectory users in the portal users container have rights to self for the Hint attribute, named nsimHint.

When you install the DirXML plug-ins on an iManager Web server, this step is automatically completed for the tree that iManager is configured for.

If you are pointing to a different tree, you must complete this step manually.

A utility is provided to help you do this, which you can download and run by doing the following:
1. Go to http:\\download.novell.com.
2. Fill in the following fields:
  - Search By: Product
  - Choose a Product: Novell Identity Manager
3. Download the item named 2.0 Password Management Plug-in for iManager 2.0. x.
4. Follow the instructions in the nsimhintreadme.txt file.
  
  If users do not have rights to self for the nsimHint attribute, they get an error like the following when they try to create a hint:
```
“Could not write user hint” (Task could not be completed).
```
Provide users with a link from your company portal to the password management tasks.

You can create a Manage Passwords link from the company portal and link to https:// other_iManager_server/nps. This link would provide access to the Password Management end user tasks:
- Hint Setup
- Answer Challenge Questions
- Change Password (Universal)
A user who clicks on the link would first need to log in and then would see a page like the following example:
Complete the steps in Returning Self-Service Users to the Company Portal.

Returning Self-Service Users to the Company Portal

The Password Self-Service features include scenarios in which users are provided with a link that lets them return to the login page. For example, when a user changes a password using the Forgotten Password Self-Service, a page is displayed with the message Your password has been successfully changed. Click here to return to login page.

If you point from your company portal to Password Self-Service on a separate iManager server, you might want to customize the default return page so that users are returned to the login page for your company portal when they complete password tasks. By default, clicking the button returns the user to a page on the iManager Web server.

A link to return to the login page is provided in these three places:

The page where a user can set a new password
The page displayed after a user successfully changes a password
The page where a user views a hint

To customize the return page to go to the login page for your company portal:

On the iManager Web server you are using for Forgotten Password Self-Service, locate the following directory:

\tomcat\webapps\nps\portal\modules\ForgottenPassword\skins\default\devices\default
Locate the following file in that directory:

forgottenpassword.xsl
Edit the forgottenpassword.xsl file to customize the default return page.

Replace the code
```
href="{LoginURL}"
```
with a hard-coded URL such as
```
href="(http:\\www.your_company_portal_home_page.com)"
```
You need to make this change in three places in the file.
Stop and restart Tomcat on the iManager server.

The Return to Login Page links now redirect users to your company's portal login page.

4.8.3 Making Sure Users Have Configured Password Features

When users log in to the iManager portal at https:// iManager_server_IP_address/nps, they are prompted to take action through a series of post-authentication pages if conditions such as the following are true:

The user password doesn't comply with Advanced Password Rules in the password policy
The password policy requires Challenge Questions when using Forgotten Password Self-Service and the user has not configured these questions
The password policy is using Forgotten Password with Display Password Hint as the action and the user has not created a hint

For example, these prompts are necessary to make sure that the user can use Forgotten Password Self-Service. If the password policy requires users to answer Challenge Questions and the user has never configured them initially, the user can't access Forgotten Password Self-Service. If the user has not created a password hint, the user can't retrieve it to help in remembering the password.

Because other portal products won't automatically provide the post-authentication features, you need to make sure that users log in to the iManager portal at least once to create compliant passwords and complete password management setup, and then again whenever you make changes to Password Policies.

This can be done by making sure that users go to a Manage Passwords link you provide as described in Linking to User Password Management Tasks, which requires users to log in to the iManager portal.