Symantec Access Management

  • 1.  Configure APS to generate and email passwords to users

    Posted Jun 13, 2018 05:28 PM

    I am working with a customer who wants to utilize SSO's Advanced Password Services for users to change their passwords. I have the APS documentation, but it is unclear if I am able to achieve the following flow...

     

    1. User clicks forgot password - (configured)

    2. User verifies account using Q&A (configured)

    3. Random password is generated and emailed to user (IN QUESTION)

    4. User logs in with new password 

    5. User is forced to change password after login with new password (IN QUESTION)

     

    Does anyone have a clear answer on whether this flow can be achieved out of the box or not? If so, does anyone have any detailed configuration docs for APS (outside of the APSAdmin and FPS techguides on communities?)

     

    Any help is appreciated.

     

    Thanks,

    Jawaan W.



  • 2.  Re: Configure APS to generate and email passwords to users

    Posted Jun 14, 2018 01:26 AM

    Hi Jawaan,

     

    Confirm Pages

    There are several different strategies to finishing the FPS process, all configured using the Confirm section of the APS configuration file.

    - Give static information to tell the user how to proceed (sending the information via email).
    - Give the user the information on a custom page, email, or a combination of the two.
    - Let FPS display a message box displaying the information or part of the information (the rest being transmitted via email).
    - Log the user in automatically.

     

    One way to do confirmation at the end of the FPS process is to send the information to the user via email. If this is to be done, the confirm page should say something like "The information that you requested has been sent to the email address user@somesite.com".


    Another option is to display HalfPassword1 on the custom page and send HalfPassword2 via email. These macros return, in clear text, either the first half or the second half of the user's password. Of course, either the mail or the custom page will have to instruct the user that the two halves must be put together before using.

     

    Instead of using the "real" password, use the OneShotPassword instead. FPS creates a single-use password when the macro "OneShotPassword" is referenced in a mail file or in an initial setting for the confirmation page. The OneShotPassword requires special setup to use (see Authentication Scheme), but it is more secure than using a multiple-use password, even if you allow the user to select their own password (since you will never show the selected password).

     

    Refer:

    Change Pages - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Tech Tip: CA Single Sign-On: Policy Server: How to configure APS Forgot Password (FPS) Interface

     

    Regards,
    Leo Joseph.



  • 3.  Re: Configure APS to generate and email passwords to users

    Broadcom Employee
    Posted Jun 21, 2018 01:39 PM

    Mail

    Value: mail file(s)

    Default: none

    Recommended: yes, if required

    Complexity Level: Advanced

    At the completion of the FPS process, one or more files can be sent, via email, using this setting.

    If the user will be redirected to the No Data URL above, the file(s) specified by this setting can also be sent via email.

    If both a password and user id are to be recovered, only one should be sent via mail (the other should be displayed on a page), since both together open a larger security hole.

    There are several special macros available to this mail.

    Macro Name       Purpose
    Password         Clear text password that was randomly generated or that the user selected.
    HalfPassword1    The first half of the new password, in clear text. Useful for mailing half and displaying half.
    HalfPassword2    The second half of the new password, in clear text. Useful for mailing half and displaying half.
    OneShotPassword  Only generated if the macro is requested, this is a random, 32-character password that can be used within 5 minutes (not configurable) of generation to log this user in ONCE. Useful to automatically log in the user. Requires the APS Authentication Scheme to be installed.

     

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/configuring/advanced-password-services-configuration/aps-configuration-file/fps-confirm-process

     




  • 4.  Re: Configure APS to generate and email passwords to users
    Best Answer

    Broadcom Employee
    Posted Jun 21, 2018 01:41 PM

    Consider the use case. It is very specific. It is not meant to generate a password that the end user has to enter, it is for automatic logins. So you never actually interact with the oneshot password, it is all under the covers.
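As an added illustration, not code from this thread or from CA's APS product, here is a small Python model of the OneShotPassword lifecycle that replies 3 and 4 describe: generated only when requested, 32 random characters, accepted once within 5 minutes, and consumed by the automatic login rather than typed by the user. The in-memory store, the injectable clock and the user ids are assumptions made for the demo.

```python
import secrets
import string
import time

ONE_SHOT_LENGTH = 32           # thread: "random, 32-character password"
ONE_SHOT_TTL_SECONDS = 5 * 60  # thread: usable within 5 minutes, not configurable
ALPHABET = string.ascii_letters + string.digits


class OneShotStore:
    """Hypothetical store modelling the one-shot semantics from the thread:
    one pending value per user, time-limited, and usable exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # user id -> (password, issued_at)

    def issue(self, user_id):
        # Only generated when the macro is referenced; a fresh request replaces
        # any earlier unused value so at most one one-shot is live per user.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(ONE_SHOT_LENGTH))
        self._pending[user_id] = (pw, self._clock())
        return pw

    def redeem(self, user_id, presented):
        """Return True exactly once for the live value; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                       # nothing issued, or already used
        pw, issued_at = entry
        if self._clock() - issued_at > ONE_SHOT_TTL_SECONDS:
            del self._pending[user_id]         # expired: discard without comparing
            return False
        if not secrets.compare_digest(pw, presented):
            return False                       # wrong value; constant-time compare
        del self._pending[user_id]             # consumed: a replay must now fail
        return True


def demo():
    """Walk the lifecycle with a constructed clock; returns the observed outcomes."""
    now = [1000.0]
    store = OneShotStore(clock=lambda: now[0])
    pw = store.issue("alice")                  # constructed user id
    first, replay = store.redeem("alice", pw), store.redeem("alice", pw)
    pw2 = store.issue("alice")
    now[0] += ONE_SHOT_TTL_SECONDS + 1         # step past the 5-minute window
    expired = store.redeem("alice", pw2)
    return {"length": len(pw), "first": first, "replay": replay, "expired": expired}
```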