Symantec Access Management


Redirect Force Password Change Screen to IDM

  • 1.  Redirect Force Password Change Screen to IDM

    Posted Jan 21, 2016 04:23 AM

    Hi All,

     

    We have integrated SM + IM in following way:

     

    > Installed all extensions and schema updates to SM.

    > Recreated env with respective agent info.

    > Environment and directories are created in SM automatically (so good with integration).

    > Not installed Redirector, instead using SPS to protect and forward user to JBOSS/IDM.

     

    Requirement***

     

    1. When a new user logs in >> I need to force the user to change password (through IDM screen I designed for this).

    2. Same IDM screen should force user to reset after forgotten password task.

     

    But now - If I create a Password Policy in Siteminder >> It will give its own passwordservices.fcc pages to force user and not IDM.

     

    How can I tell SM to redirect the user to the ChangePassword Task of IDM instead?

     

    Thank you for any ideas around the same.

     

    Regards,

    Sai



  • 2.  Re: Redirect Force Password Change Screen to IDM

    Posted Jan 21, 2016 10:03 AM

    valsa02_sai Sai

     

    Not sure if this could be as simple as changing the Password Services URL in CA SSO Password Policy to the IDM Password Change URL. Have you tried changing the URL in CA SSO Password Policy and testing it?

     

    Secondly, CA SSO functions based off PASSWORDDATA and SMDISABLED_FLAG which is defined within the UserDirectory Object (identify 2 attributes in UserStore). As long as the IDM Password logic is tied up correctly to set correct values to SMDISABLED FLAG and PASSWORD DATA, CA SSO should be able to identify the status of the User and issue a redirect to the URL (IDM Change Password URL) defined in CA SSO Password Policy.

     

    Regards

     

    Hubert



  • 3.  Re: Redirect Force Password Change Screen to IDM

    Posted Jan 21, 2016 11:34 AM

    Hi HubertDennis,

     

    Thank you for reviewing the thread.

     

    1. Is the PasswordServices Task public in your case?

    2. I am not using the Agent + Apache/IIS Redirector method. How is SM integrated in your case? (I am guessing you have an Apache/IIS agent and then use some redirector.)

     

    In My case I am using SPS Proxy rule to forward request to IDM.

     

    Thanks,

    Sai



  • 4.  Re: Redirect Force Password Change Screen to IDM

    Broadcom Employee
    Posted Jan 21, 2016 11:11 AM

    You can simply change the redirect url in SM Password Policy to IDM Password Services page. It works!

    You can either give a relative URI or an absolute URL.

    Here are some examples:

    Relative URI:

    /iam/im/alias/ui7/index.jsp?task.tag=PasswordServices


    Absolute URL:

    Http://abc.com/iam/im/alias/ui7/index.jsp?task.tag=PasswordServices



  • 5.  Re: Redirect Force Password Change Screen to IDM

    Posted Jan 21, 2016 11:35 AM

    Hi Praveen,

     

    Please see the way we have our setup and let me know how it is done in your env.

     

    Thanks,

    Sai



  • 6.  Re: Redirect Force Password Change Screen to IDM

    Broadcom Employee
    Posted Jan 21, 2016 11:46 AM

    Yes I have looked at your setup. Please try the way I suggested and it should work as long as your SSO is working fine.

    Just provide the IDM password services url (relative or absolute) in SM Password Policy in redirect url.



  • 7.  Re: Redirect Force Password Change Screen to IDM

    Posted Jan 21, 2016 12:29 PM

    We see that SM does not accept valid credentials after replacing default pwservices.fcc file in the redirection URL with Password Services link of IDM.

     

    Any Suggestions?

     

    Thanks,

    Sai



  • 8.  Re: Redirect Force Password Change Screen to IDM

    Broadcom Employee
    Posted Jan 21, 2016 01:21 PM

    What exactly did you replace? Please paste the screenshots of your changes here.

    Changing redirect url in Password Policy should not break your authentication.



  • 9.  Re: Redirect Force Password Change Screen to IDM

    Posted Jan 21, 2016 10:08 PM

    I can access the Password Services Public URL Directly :

     

    Password Policy in IDM which is auto created in SM (added same above Public IDM URL)

     

     

    What I see when I login:

    JBOSS log Says:

    07:14:46,820 WARN  [ims.ui] (http-/0.0.0.0:8080-7) Unable to determine user from SiteMinder token: No items found

    07:14:46,820 ERROR [ims.ui.ConsolePageFilter] (http-/0.0.0.0:8080-7) Unexpected exception: java.lang.IllegalStateException: JBWEB000212: Session already invalidated

    07:14:46,836 ERROR [ims.ui] (http-/0.0.0.0:8080-7) Page cannot be found.  Please check the URL. (/iam/im/ext/imcss/index.jsp)

     

    Let me know for any details.

     

    Thank you so much for your time on this Praveen.

     

    Regards,

    Sai
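As an added example (not code from the thread or from CA/Broadcom), a small Python triage helper that parses JBoss log lines of the shape pasted above and correlates, per request thread, the "Unable to determine user from SiteMinder token" warning with the 404 that follows it; that chain is what indicates the IM side is not resolving the SiteMinder user rather than SM misbehaving. The sample lines are the post's own excerpt re-joined onto single lines, and the signature-to-tag mapping is an assumption for illustration.

```python
import re

# Constructed sample: the JBoss log excerpt from the post, re-joined onto single lines.
SAMPLE_LOG = """\
07:14:46,820 WARN  [ims.ui] (http-/0.0.0.0:8080-7) Unable to determine user from SiteMinder token: No items found
07:14:46,820 ERROR [ims.ui.ConsolePageFilter] (http-/0.0.0.0:8080-7) Unexpected exception: java.lang.IllegalStateException: JBWEB000212: Session already invalidated
07:14:46,836 ERROR [ims.ui] (http-/0.0.0.0:8080-7) Page cannot be found.  Please check the URL. (/iam/im/ext/imcss/index.jsp)
"""

# JBoss console format: time LEVEL [category] (thread) message
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)

# Message substrings worth flagging, each mapped to a short tag (assumed mapping).
SIGNATURES = [
    ("Unable to determine user from SiteMinder token", "smtoken_user_lookup_failed"),
    ("Session already invalidated", "session_invalidated"),
    ("Page cannot be found", "task_page_not_found"),
]


def parse_line(line):
    """Parse one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tag"] = next((tag for needle, tag in SIGNATURES if needle in rec["msg"]), None)
    return rec


def triage(log_text):
    """Group flagged signatures by request thread, preserving log order."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["tag"]:
            findings.setdefault(rec["thread"], []).append(rec["tag"])
    return findings


def diagnose(findings):
    """A failed SMTOKEN user lookup followed by a 404 on the same thread means IM
    never identified the redirected user, so the task page was never served."""
    verdicts = {}
    for thread, tags in findings.items():
        chain = "smtoken_user_lookup_failed" in tags and "task_page_not_found" in tags
        verdicts[thread] = "im_not_resolving_siteminder_user" if chain else "unclassified"
    return verdicts
```

Run `diagnose(triage(SAMPLE_LOG))` against a captured server.log to see which request threads show the full chain before opening a support case.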



  • 10.  Re: Redirect Force Password Change Screen to IDM

    Broadcom Employee
    Posted Jan 22, 2016 12:20 PM

    Which version of IM are you using? It looks like SM is behaving correctly. This may be a bug with Identity Manager.

    I too faced this issue with IM 12.6 SP4 and CA Support provided us a fix for it.

    Please open a ticket with CA Support. They will check if this is really a bug with the product or not.



  • 11.  Re: Redirect Force Password Change Screen to IDM

    Posted Jan 27, 2016 09:48 AM

    This redirection will only work if you are fully integrating IM and SM.

     

    The IM password services URL is a public URL. When SiteMinder redirects to this URL, it sends an encrypted SMTOKEN value in the request header. IM then takes the SMTOKEN value and identifies the authenticated user associated with that SMTOKEN. IM can only get the user value if IM/SM integration is enabled in the policyserver-rar/META-INF/ra.xml file.



  • 12.  Re: Redirect Force Password Change Screen to IDM

    Posted Dec 19, 2018 05:32 PM

    Hi Praveen,

     

    What was the fix provided to you? Can you please help?



  • 13.  Re: Redirect Force Password Change Screen to IDM

    Posted Dec 19, 2018 05:30 PM

    Hi Sai,

     

    Has this issue been resolved for you?



  • 14.  Re: Redirect Force Password Change Screen to IDM

    Posted Dec 19, 2018 05:31 PM

    We are facing the same issue after upgrading our web agent to 12.52 SP1 CR02. We are unable to post the password services URL to the IDM task and are getting the same HTTP 404 error.



  • 15.  Re: Redirect Force Password Change Screen to IDM

    Posted Oct 26, 2016 01:36 AM

    Hi Sai,

    Can you please help me out with how to configure the Forgotten Password self-service setup, with a clear document or screenshots?

    Regards,

    Navin