CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 31st May 2015
Basic Forgotten Password Services Configurations for IIS:
1. Extend User Directory schema to include APS attributes (<siteminder>\APS_Docs directory):
- Run the APSExpire utility [APSExpire JOBONE -v -A] against the user directory after the schema is updated. APSExpire updates every user in the directory, initializing the smapsBaseDate and smapsNextAction attributes.
- Ensure that every new user is created with the objectclass that allows access to the new attributes
2. Create FPS virtual directory
- IIS: enable the CGI-exe module under Handler Mappings, then add Forgot.exe (<webagent>\win32\bin\Web\FPS\Forgot.exe) to ISAPI and CGI Restrictions and set it to Allowed.
3. Rename smaps.rename4aps.dll to smaps.dll (<siteminder>\bin)
4. Edit APS.cfg:
- The Directory setting specifies the directory that FPS will search for users. Only a single directory is supported for FPS.
- Enable or disable audit logging for FPS activity.
- You can optionally define a different query to be used specifically for APS; it overrides the query of the same name defined in SiteMinder.
5. Edit SmPortal.cfg:
- Define the Policy Server IP address (MyServer.ip)
- Note the Agents defined in this file and create 4.x agents with the same names in the Policy Server.
6. To test forgotten password services, access http://<webserver hostname>/fps/identify.asp
NOTE: Before running the APSExpire utility, update the JOBONE parameter in APS.cfg:
- LDAP: the IP address, network name, or SiteMinder User Directory name of an LDAP directory defined to SiteMinder through the Policy Interface
- ODBC: the DSN name or SiteMinder User Directory name of an ODBC user directory defined to SiteMinder through the Policy Interface
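Step 2 as a PowerShell script, added here as an example and not taken from the tech tip or from CA. The site name and the web agent install path are assumptions; the script also lists every allowed ISAPI/CGI entry afterwards so that a stray wildcard or extra binary in the allow-list is visible.

```powershell
# Added example (not from the tech tip). Assumed values: site name and <webagent> path.
Import-Module WebAdministration

$siteName  = 'Default Web Site'                                # assumption
$fpsDir    = 'C:\Program Files\CA\webagent\win32\bin\Web\FPS'  # assumption for <webagent>\win32\bin\Web\FPS
$forgotExe = Join-Path $fpsDir 'Forgot.exe'
$psPath    = 'MACHINE/WEBROOT/APPHOST'
$filter    = '/system.webServer/security/isapiCgiRestriction'

# The CGI role service supplies the CGI-exe handler used by Handler Mappings.
if (-not (Get-WindowsFeature Web-CGI).Installed) {
    Install-WindowsFeature Web-CGI
}

# Create the /fps virtual directory that serves identify.asp and Forgot.exe.
if (-not (Get-WebVirtualDirectory -Site $siteName -Name 'fps')) {
    New-WebVirtualDirectory -Site $siteName -Name 'fps' -PhysicalPath $fpsDir
}

# ISAPI and CGI Restrictions is an allow-list: register the exact Forgot.exe path,
# not the directory or a wildcard, so nothing else in that folder can run as CGI.
$existing = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@path='$forgotExe']"
if (-not $existing) {
    Add-WebConfiguration -PSPath $psPath -Filter $filter `
        -Value @{ path = $forgotExe; allowed = 'True'; description = 'SiteMinder FPS Forgot.exe' }
}

# Check: review the whole allow-list; only expected entries should show allowed=True.
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Select-Object path, allowed, description
```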