Don't Be Tardy: Configure Password Expiration with OpenSSO and Ident... https://blogs.oracle.com/docteger/entry/configuring_password_expiry_o... 
Don't Be Tardy: Configure Password Expiration with OpenSSO and Identity Manager 
By docteger on Sep 29, 2009 
In a deployment architecture that includes OpenSSO Enterprise 8.0 and Identity Manager 8.1.0.5 (to be 
released sometime in October) it is possible to configure user password reset based on the password's 
expiration date, or a help desk administrator's action. In the former use case, when a password is close to 
expiration, the user data store (which must be an LDAP directory server) can send a warning to the user 
based on the time configured in the assigned password policy. Upon accessing a resource protected by 
OpenSSO, the user would be redirected to Identity Manager to change the password. The URL of the 
protected resource is saved as a value of the goto parameter and the user will be redirected to this location 
after changing the password. 
For the latter use case, if the user allows the password to expire, a help desk administrator can initiate the 
reset of the expired password by flagging the account and adding a temporary password to the user's profile. 
The administrator will then communicate the temporary password to the user (by email, for example). Upon 
logging into OpenSSO with this temporary password, the user will be directed to Identity Manager where the 
password is reset and the flag is removed. 
The procedures documented will enable these use cases. Note that they only support the LDAP authentication 
module. The following sections contain the configuration procedures. 
Configuring the LDAP Directory Server 
Configuring OpenSSO 
Testing the Configurations 
Configuring the LDAP Directory Server 
For this procedure to work it is assumed that a password policy has been configured and assigned to the test user's LDAP profile in the directory server. The password policy should have the following controls related to password expiration set:
- Set Password Expiration (LDAP attribute: passwordexp, passwordmaxage)
- Set Expiration Warning (LDAP attribute: passwordwarning)
- Warning Duration (LDAP attribute: passwordExpireWithoutWarning)
It should also have the following controls set to allow for administrator-driven password reset:
- Require Password Change at First Login and After Reset (LDAP attribute: passwordchange, passwordmustchange)
- Allow Users to Change Their Passwords (LDAP attribute: pwdallowuserchange)
The passwordPolicySubentry attribute in the test user's LDAP profile should also be defined with the DN of the password policy to denote that the password policy has been assigned. See the documentation for your specific directory server for instructions on how to do these configurations.
Configuring OpenSSO 
Only the OpenSSO LDAP authentication module supports the password change controls enforced by most 
directory servers. The following sections contain OpenSSO configurations. 
To Enable LDAP Authentication
To Define Identity Manager URLs as Not Enforced
To Create ChangePassword.jsp
Modifying the LDAP Authentication Module XML Service File
Modifying the OpenSSO Login Page
To Enable LDAP Authentication
1. Login to the OpenSSO console as administrator.
2. Click the Access Control tab.
3. Click the appropriate realm name.
4. Click the Authentication tab.
5. Click New in the Authentication Chaining section to create a new authentication chain.
6. Enter a name for the chain and click OK. For this example use idmauth.
7. On the new chain's Properties page, add the LDAP module as REQUIRED and click Save.
8. Click Back to Authentication.
9. Select the service just created as the value for Organization Authentication Configuration.
10. Click LDAP in the Module Instances section.
11. Customize the LDAP properties to reflect your directory. At minimum, set:
    - Primary LDAP Server
    - DN to Start User Search
    - DN for Root User Bind
    - Password for Root User Bind
    - Password for Root User Bind (confirm)
12. Save the changes.
13. Logout from the OpenSSO console.
Note: Following this configuration:
- Use /opensso/console to log in to the OpenSSO console (not /opensso/UI/Login) to ensure that the authentication module configured for the OpenSSO administrator is used and not the LDAP module just configured.
- Login to the Identity Manager console and expand the OpenSSO resource listing to view the OpenSSO objects. If you receive an error, you may need to reconfigure the OpenSSO adaptor to use a delegated administrator rather than amadmin to connect to OpenSSO. The Identity Manager adaptor for OpenSSO authenticates to OpenSSO using the authentication configuration for the realm, which is now different from the configuration for the OpenSSO console. Thus, amadmin will no longer work. See Delegating Administrator Privileges for information on delegating administrative privileges to a group.
To Define Identity Manager URLs as Not Enforced
1. Login to the OpenSSO console as administrator.
2. Click the Access Control tab.
3. Click the appropriate realm name and navigate to the Agents profile for the policy agent that protects Identity Manager.
4. Under the agent profile, click the Application tab.
5. Add the following URIs to the Not Enforced URIs property:
    /idm/authutil/
    /idm/authutil/*
    /idm/authutil/*?*
6. Click Save.
7. Logout of OpenSSO.
To Create ChangePassword.jsp
This procedure documents how to create ChangePassword.jsp, a custom JSP for redirecting a user to Identity Manager for password change events. (By default, the user would be directed to the OpenSSO password change page.) ChangePassword.jsp will forward the following information to Identity Manager:
- The original URL requested by the user, defined as the value of the goto parameter.
- The user identifier, defined as the value of the accountId parameter.
1. Change to the opensso/integrations/idm/jsps/ directory in the decompressed opensso.zip to access the sample ChangePassword.jsp.
2. Modify the Identity Manager URL in the JSP based on your deployment.
3. Copy ChangePassword.jsp to /web-container-deploy-base/opensso/config/auth/default/ and to /web-container-deploy-base/opensso/config/auth/default_en/.
4. Remove the web container's temporary compiled JSP files to ensure that the changes made are picked up. For example, if using Glassfish, the temporary compiled classes can be found under glassfish-home/domains/your-domain/generated/.
5. Restart the OpenSSO web container after making the changes.
Modifying the LDAP Authentication Module XML Service File 
This procedure documents how to modify LDAP.xml to use ChangePassword.jsp. There are two options to 
consider when deciding how to modify LDAP.xml. You can manually change the deployed LDAP.xml file, or 
you can use the sample LDAP.xml included with the opensso.zip download. They are mutually exclusive so 
choose only one of these procedures. 
To Manually Modify a Deployed LDAP.xml
To Use the Sample LDAP.xml
To Manually Modify a Deployed LDAP.xml
1. Change to the /web-container-deploy-base/opensso/config/auth/default/ directory to access the deployed LDAP.xml page.
2. Open LDAP.xml in an editor and add the section of code displayed in yellow in admin_pwd_reset_ldap.html on the OpenSSO web site.
3. Change to the /web-container-deploy-base/opensso/config/auth/default_en/ directory to access the second copy of LDAP.xml and make the same change.
4. Remove the web container's temporary compiled JSP files to ensure that the changes made are picked up. For example, if using Glassfish, the temporary compiled classes can be found under glassfish-home/domains/your-domain/generated/.
5. Restart the OpenSSO web container after making the changes.
To Use the Sample LDAP.xml
1. Change to the opensso/integrations/idm/xml/ directory in the decompressed opensso.zip to access the sample LDAP.xml.
2. Replace your deployed LDAP.xml with the sample LDAP.xml in two directories:
    - /web-container-deploy-base/opensso/config/auth/default/
    - /web-container-deploy-base/opensso/config/auth/default_en/
   If you replace your existing LDAP.xml with the sample LDAP.xml you will lose any custom changes made to the existing LDAP.xml.
3. Remove the web container's temporary compiled JSP files to ensure that the changes made are picked up. For example, if using Glassfish, the temporary compiled classes can be found under glassfish-home/domains/your-domain/generated/.
4. Restart the OpenSSO web container after making the changes.
Optionally, you can run diff between both files and make the necessary changes manually.
Modifying the OpenSSO Login Page 
This procedure documents how to modify Login.jsp with the necessary code to save the URL value of the goto parameter in the HTTP request. This saved URL is required by ChangePassword.jsp. The saved URL (which is the original location desired by the user) will be passed to Identity Manager and used to redirect the user after unlocking has been completed.
There are two options to consider when deciding how to embed code into the OpenSSO Login.jsp. You can manually change the deployed Login.jsp file, or you can use the sample Login.jsp included with the opensso.zip download. They are mutually exclusive so choose only one of these procedures.
To Manually Modify a Deployed Login.jsp
To Use the Sample Login.jsp
To Manually Modify a Deployed Login.jsp
1. Change to the /web-container-deploy-base/opensso/config/auth/default/ directory to access the deployed Login.jsp page.
2. Open Login.jsp in an editor and add the two (2) sections of code displayed in yellow in admin_pwd_reset_login.html on the OpenSSO web site.
3. Remove the web container's temporary compiled JSP files to ensure that the changes made are picked up. For example, if using Glassfish, the temporary compiled classes can be found under glassfish-home/domains/your-domain/generated/.
4. Restart the OpenSSO web container after making the changes.
To Use the Sample Login.jsp
1. Change to the opensso/integrations/idm/jsps/ directory in the decompressed opensso.zip to access the sample Login.jsp.
2. Change the Identity Manager URL embedded in the sample Login.jsp to reflect the Identity Manager system URL of your architecture. You can search for the string /idm to locate the URLs.
3. Replace your deployed /web-container-deploy-base/opensso/config/auth/default/Login.jsp with the sample Login.jsp. If you replace your existing Login.jsp with the sample Login.jsp the following will occur:
    - You will lose any custom changes made to the existing Login.jsp.
    - You will inherit changes that might have been previously made to the sample Login.jsp to incorporate requirements for other use cases related to the OpenSSO integration with Identity Manager.
4. Remove the web container's temporary compiled JSP files to ensure that the changes made are picked up. For example, if using Glassfish, the temporary compiled classes can be found under glassfish-home/domains/your-domain/generated/.
5. Restart the OpenSSO web container after making the changes.
Optionally, you can run diff between both files and make the necessary changes manually.
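Both ChangePassword.jsp and the modified Login.jsp exist to carry two values to Identity Manager: the goto value saved from the login request (the resource the user originally asked for) and the accountId. The following Python is an added example, not code from this post, from OpenSSO or from Identity Manager. It assumes a placeholder Identity Manager URL and a constructed allow-list of hosts that serve protected resources, and it shows the check a practitioner would want before a value taken from the request is used as the post-change redirect target: only a site-relative path or an http(s) URL on an allowed host is forwarded; anything else falls back to a default landing page.

```python
"""Added example (not the post's or OpenSSO's code): compose the Identity
Manager change-password redirect with the goto and accountId parameters,
validating the request-supplied goto value first."""
from urllib.parse import urlencode, urlsplit

# Assumed placeholder; use the URL configured in your own ChangePassword.jsp.
IDM_CHANGE_PASSWORD_URL = "https://idm.example.com/idm/authutil/changePassword"

# Constructed allow-list: hosts serving OpenSSO-protected resources that a
# user may legitimately be returned to after changing the password.
ALLOWED_GOTO_HOSTS = {"www.example.com", "portal.example.com"}


def safe_goto(goto, allowed_hosts=ALLOWED_GOTO_HOSTS, default="/"):
    """Return goto if it is a site-relative path or an http(s) URL on an
    allowed host; otherwise return the default landing page."""
    if not goto:
        return default
    parts = urlsplit(goto)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: a single leading "/" (a leading "//" is a
        # network-path reference to another host) and no backslashes.
        ok = goto.startswith("/") and not goto.startswith("//") and "\\" not in goto
        return goto if ok else default
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return goto
    return default


def build_change_password_url(account_id, goto, idm_url=IDM_CHANGE_PASSWORD_URL):
    """The redirect the JSP issues: accountId names the account whose password
    is changed, goto is where Identity Manager sends the user afterwards."""
    query = urlencode({"accountId": account_id, "goto": safe_goto(goto)})
    return f"{idm_url}?{query}"
```

urlsplit lowercases the host and strips any userinfo, so a URL of the form https://www.example.com@other-host/ is compared on other-host, not on the allowed name that precedes the @.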
Testing The Configurations 
Perform the tests in the order in which they are described to understand and verify the behavior for each stage 
of this use case. 
A. Testing Password Warning Expiration
Perform the following actions after the time the password expiration warning, as defined in the password policy, would take effect.
1. Access a URL protected by OpenSSO. The OpenSSO login page is displayed.
2. Enter the test user name and password. You will be redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:
    - The URL is the one configured in ChangePassword.jsp.
    - The user will be forwarded to the value of the goto parameter after the password has been successfully changed.
    - The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager will make the changes to the password on both Identity Manager and OpenSSO.
B. Testing Password Expiration
Perform the following actions after the time the password should have expired, as defined in the password policy.
1. Access a URL protected by OpenSSO. The OpenSSO login page is displayed.
2. Enter the test user name and password. An error page is displayed informing the test user that the password has expired. The user will be instructed to have the administrator reset the password.
C. Testing Administrator Password Reset
1. Refer to your directory server documentation to enable audit and logging. Monitor the directory server audit log as you finish the test.
2. Login as the directory administrator and change the password for a test user. This simulates the password reset by a help desk administrator.
3. Verify, using the audit log, that the user's userPassword attribute was modified and that pwdreset was set to TRUE. The pwdreset attribute will force the user to change the password at the next login. The audit log might resemble this sample:
    time: 20090713074720
    dn: uid=idmuser1,dc=sun,dc=com
    changetype: modify
    replace: userPassword
    userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
    -
    replace: modifiersname
    modifiersname: cn=admin,cn=administrators,cn=dscc
    -
    replace: modifytimestamp
    modifytimestamp: 20090713144720Z
    -
    replace: passwordexpirationtime
    passwordexpirationtime: 19700101000000Z
    -
    replace: pwdreset
    pwdreset: TRUE
4. Access the Identity Manager user URL. You will be redirected to OpenSSO for login.
5. Enter the test user name and password. You will be redirected to Identity Manager to change your password. Note the following about the Identity Manager URL:
    - The URL is the one configured in ChangePassword.jsp.
    - The user will be forwarded to the value of the goto parameter after the password has been successfully changed.
    - The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager will make the changes to the password on both Identity Manager and OpenSSO.
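Step 3 of test C asks you to read the audit log by eye. The following Python is an added example, not code from this post or from the directory server, that does the same check mechanically: it parses the LDIF-style change records the audit log is written in, confirms that userPassword was replaced with a hashed value, that pwdreset became TRUE and that passwordexpirationtime was pushed back to the epoch, and records who made the change. It also classifies a password as ok, inside the warning window, or expired, which are the three states tests A, B and C exercise. The sample log is constructed from the excerpt above (its DNs and {SSHA} value are the post's illustrative ones), and the warning window is treated as a number of seconds, which is an assumption about how the passwordwarning control is expressed.

```python
"""Added example (not the post's code): verify an administrator password
reset in a directory server audit log and classify password expiry state."""
import base64
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample modelled on the audit-log excerpt in the post.
SAMPLE_AUDIT = """\
time: 20090713074720
dn: uid=idmuser1,dc=sun,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
-
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc
-
replace: modifytimestamp
modifytimestamp: 20090713144720Z
-
replace: passwordexpirationtime
passwordexpirationtime: 19700101000000Z
-
replace: pwdreset
pwdreset: TRUE
"""


def parse_generalized_time(value):
    """LDAP generalized time such as 20090713144720Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _unfold(lines):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_audit_records(text):
    """Split an LDIF-style audit log into records of the form
    {"time", "dn", "changetype", "mods": [{"op", "attr", "values"}]}."""
    records, current = [], None
    for line in _unfold(text.splitlines()):
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
            current = None
            continue
        if line.strip() == "-":         # separator between mods; nothing to store
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):       # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        key = name.strip().lower()
        if current is None:
            current = {"time": None, "dn": None, "changetype": None, "mods": []}
        if key in ("time", "dn", "changetype"):
            current[key] = value
        elif key in ("add", "replace", "delete"):
            current["mods"].append({"op": key, "attr": value, "values": []})
        elif current["mods"] and current["mods"][-1]["attr"].lower() == key:
            current["mods"][-1]["values"].append(value)
    if current:
        records.append(current)
    return records


def written_values(record, attr):
    """Values an add/replace mod wrote for attr, or None if it was not written."""
    for mod in record["mods"]:
        if mod["op"] in ("add", "replace") and mod["attr"].lower() == attr.lower():
            return mod["values"]
    return None


def verify_admin_reset(record):
    """The checks step 3 of test C asks for, as booleans."""
    pwd = written_values(record, "userPassword") or []
    reset = written_values(record, "pwdreset") or []
    expiry = written_values(record, "passwordexpirationtime") or []
    return {
        "password_replaced": bool(pwd),
        # a storage-scheme prefix such as {SSHA} shows a hash was logged, not cleartext
        "password_hashed": bool(pwd) and pwd[0].startswith("{"),
        "pwdreset_true": bool(reset) and reset[0].upper() == "TRUE",
        # the sample log moves the expiry back to the epoch, i.e. already expired
        "expiry_forced": bool(expiry) and parse_generalized_time(expiry[0]) == EPOCH,
    }


def classify_password(expiration_time, warning_seconds, now=None):
    """'ok', 'warning' (inside the warning window) or 'expired'. now may be a
    generalized-time string; warning_seconds is assumed to be in seconds."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_generalized_time(now)
    expires = parse_generalized_time(expiration_time)
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(seconds=warning_seconds):
        return "warning"
    return "ok"
```

Running parse_audit_records over a real audit file yields one record per change; filtering on changetype and dn and feeding each record to verify_admin_reset gives a per-reset pass/fail that can be kept alongside the help desk ticket, and written_values(record, "modifiersname") identifies which administrator account performed the reset.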
5. 
For those fans of The Real Housewives of Atlanta, here's a fan-made video of Kim Zolciak's (Don't Be) 
Tardy for the Party. (I added the parentheticals to make it seem official.) Kandi Burress produced a dance 
floor smash for the woman who can not sing! Who knew? 
Category: Sun 
Tags: identitymanagement identitymanager music opensso 

  • 5. Don't Be Tardy: Configure Password Expiration with OpenSSO and Ident... https://blogs.oracle.com/docteger/entry/configuring_password_expiry_o... URL (which is the original location desired by the user) will be passed to Identity Manager and used to redirect the user after unlocking has been completed. There are two options to consider when deciding how to embed code into the OpenSSO Login.jsp. You can manually change the deployed Login.jsp file, or you can use the sample Login.jsp included with the opensso.zip download. They are mutually exclusive so choose only one of these procedures. To Manually Modify a Deployed Login.jsp To Use the Sample Login.jsp To Manually Modify a Deployed Login.jsp 1. Open Login.jsp in an editor and add the two (2) sections of code displayed in yellow in admin_pwd_reset_login.html on the OpenSSO web site. Change to the /web-container-deploy-base/opensso/config/auth/default/ directory to access the deployed Login.jsp page. 2. Remove the web containers temporary, compiled JSP to ensure that the changes made are picked up. For example, if using Glassfish, the temporary, compiled classes can be found under glassfish-home/ domains/your-domain/generated/. 3. 4. Restart the OpenSSO web container after making the changes. To Use the Sample Login.jsp 1. Change to the opensso/integrations/idm/jsps/ directory in the decompressed opensso.zip to access the sample Login.jsp. 2. Change the Identity Manager URL embedded in the sample Login.jsp to reflect the Identity Manager system URL of your architecture. You can search for the string /idm to locate the URLs. Replace your deployed /web-container-deploy-base/opensso/config/auth/default/Login.jsp with the sample Login.jsp. If you replace your existing Login.jsp with the sample Login.jsp the following will occur. You will lose any custom changes made to the existing Login.jsp. 
You will inherit changes that might have been previously made to the sample Login.jsp to incorporate requirements for other use cases related to the OpenSSO integration with Identity Manager. 3. Remove the web containers temporary, compiled JSP to ensure that the changes made are picked up. For example, if using Glassfish, the temporary, compiled classes can be found under glassfish-home/ domains/your-domain/generated/. 4. 5. Restart the OpenSSO web container after making the changes. Optionally, you can run diff between both files and make the necessary changes manually. Testing The Configurations Perform the tests in the order in which they are described to understand and verify the behavior for each stage of this use case. A. Testing Password Warning Expiration 5 of 10 3/30/2013 9:06 AM
  • 6. Don't Be Tardy: Configure Password Expiration with OpenSSO and Ident... https://blogs.oracle.com/docteger/entry/configuring_password_expiry_o... Perform the following actions after the time the password expiration warning, as defined in the password policy, would take effect. 1. Access a URL protected by OpenSSO. The OpenSSO login page is displayed. Enter the test user name and password. You will be redirected to Identity Manager to change your password. Note the following about the Identity Manager URL: The URL is the one configured in ChangePassword.jsp. The user will be forwarded to the value of the goto parameter after the password has been successfully changed. The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager will make the changes to the password on both Identity Manager and OpenSSO. 2. B. Testing Password Expiration Perform the following actions after the time the password should have expired, as defined in the password policy. 1. Access a URL protected by OpenSSO. The OpenSSO login page is displayed. 2. Enter the test user name and password. An error page is displayed informing the test user that the password has expired. The user will be instructed to have the administrator reset the password. C. Testing Administrator Password Reset 1. Refer to your directory server documentation to enable audit and logging. Monitor the directory server audit log as you finish the test. Login as the directory administrator and change the password for a test user. This simulates the password reset by a help desk administrator. 2. Verify that the user's userPassword attribute was modified and the pwdreset was set to TRUE using the audit log. The pwdreset attribute will force the user to change the password at the next login. The audit log might resemble this sample. 
time: 20090713074720 dn: uid=idmuser1,dc=sun,dc=com changetype: modify replace: userPassword userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ== - replace: modifiersname modifiersname: cn=admin,cn=administrators,cn=dscc - replace: modifytimestamp modifytimestamp: 20090713144720Z - replace: passwordexpirationtime passwordexpirationtime: 19700101000000Z 3. 6 of 10 3/30/2013 9:06 AM
  • 7. Don't Be Tardy: Configure Password Expiration with OpenSSO and Ident... https://blogs.oracle.com/docteger/entry/configuring_password_expiry_o... - replace: pwdreset pwdreset: TRUE Access the Identity Manager user URL. You will be redirected to OpenSSO for login. 4. Enter the test user name and password. You will be redirected to Identity Manager to change your password. Note the following about the Identity Manager URL: The URL is the one configured in ChangePassword.jsp. The user will be forwarded to the value of the goto parameter after the password has been successfully changed. The value of the accountId parameter determines the account for which the password needs to be changed. Identity Manager will make the changes to the password on both Identity Manager and OpenSSO. 5. For those fans of The Real Housewives of Atlanta, here's a fan-made video of Kim Zolciak's (Don't Be) Tardy for the Party. (I added the parentheticals to make it seem official.) Kandi Burress produced a dance floor smash for the woman who can not sing! Who knew? Category: Sun Tags: identitymanagement identitymanager music opensso Permanent link to this entry « Configuring Self... | Main | A 2001 Holiday Party... » Comments: Post a Comment: Comments are closed for this entry. 7 of 10 3/30/2013 9:06 AM
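Step 3 of Testing Administrator Password Reset asks you to confirm in the directory audit log that the help desk's userPassword replacement was accompanied by pwdreset: TRUE. The following Python script is an added example, not code from the original post, OpenSSO, or Identity Manager: it parses LDIF-style modify records like the sample above and flags any password replacement that did not also set pwdreset, since without that attribute the user is not forced to change the temporary password at the next login. The first record in the embedded sample is the one shown in the post; the second record (idmuser2 and its hash) is constructed for illustration.

```python
"""Check directory-server audit records for administrator password resets.

Added example for the verification step in "Testing Administrator Password
Reset"; not code from the original post, OpenSSO, or Identity Manager.
"""
import re

# Constructed sample log: the first record is the one shown in the post;
# the second is made up here to show a reset that did not set pwdreset.
SAMPLE_AUDIT_LOG = """\
time: 20090713074720
dn: uid=idmuser1,dc=sun,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}4Bgy/HF9SGN9nnS4Ii6/KJj9ktFdAxQUIDvwVQ==
-
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc
-
replace: modifytimestamp
modifytimestamp: 20090713144720Z
-
replace: passwordexpirationtime
passwordexpirationtime: 19700101000000Z
-
replace: pwdreset
pwdreset: TRUE

time: 20090713081500
dn: uid=idmuser2,dc=sun,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}constructedHashValueForExampleOnly==
-
replace: modifiersname
modifiersname: cn=admin,cn=administrators,cn=dscc
"""


def parse_audit_log(text):
    """Split an audit log into records: {"dn", "changetype", "replaced": {attr: value}}.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive. Only 'replace:' changes are collected (all the sample
    uses); 'add:' and 'delete:' changes are ignored.
    """
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"dn": None, "changetype": None, "replaced": {}}
        pending = None  # attribute named by the most recent 'replace:' line
        for raw in chunk.splitlines():
            line = raw.strip()
            if not line or line == "-":  # '-' separates changes within a record
                pending = None
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                rec["dn"] = value
            elif attr == "changetype":
                rec["changetype"] = value
            elif attr == "replace":
                pending = value.lower()
            elif pending is not None and attr == pending:
                rec["replaced"][attr] = value
        records.append(rec)
    return records


def audit_password_resets(records):
    """Return one finding per modify record that replaced userPassword."""
    findings = []
    for rec in records:
        changed = rec["replaced"]
        if rec["changetype"] != "modify" or "userpassword" not in changed:
            continue
        mod_ts = changed.get("modifytimestamp", "")
        exp_ts = changed.get("passwordexpirationtime", "")
        findings.append({
            "dn": rec["dn"],
            "modified_by": changed.get("modifiersname"),
            # pwdreset: TRUE is what forces a password change at next login.
            "pwdreset_set": changed.get("pwdreset", "").upper() == "TRUE",
            # GeneralizedTime values in one format compare lexically; the
            # post's sample sets the expiration to the epoch, i.e. the past.
            "expiry_in_past": bool(mod_ts and exp_ts and exp_ts < mod_ts),
        })
    return findings


def resets_missing_pwdreset(records):
    """DNs whose password was replaced without pwdreset: TRUE."""
    return [f["dn"] for f in audit_password_resets(records) if not f["pwdreset_set"]]


if __name__ == "__main__":
    for f in audit_password_resets(parse_audit_log(SAMPLE_AUDIT_LOG)):
        status = "ok" if f["pwdreset_set"] else "MISSING pwdreset"
        print(f"{status:17} {f['dn']} (by {f['modified_by']})")
```

Run it against a real audit log by reading the file into parse_audit_log in place of SAMPLE_AUDIT_LOG; any DN returned by resets_missing_pwdreset is a reset that will not trigger the Identity Manager redirect described in the test, which is exactly the condition step 3 tells you to rule out.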