Symantec Access Management

  • 1.  Mandate users to set security questions when they log in for the first time.

    Posted Aug 31, 2016 11:58 AM

    We have SiteMinder and Identity Manager in the mix. 

    We mandate users to set their security questions on their first login using SiteMinder redirection.

    Once the user is done with authentication, we have an attribute that checks whether the user has set his security questions or not. If the user did not set them, the user is redirected to the URL that is configured in the SiteMinder response. So can we append the application URL dynamically to this redirected Identity Manager task URL?

    Appending the target URI manually ends up creating many domains or responses in SiteMinder. 

     

    What are the other ways of implementing this using Identity Manager and SiteMinder?



  • 2.  Re: Mandate users to set security questions when they log in for the first time.

    Posted Sep 05, 2016 10:46 PM

    Hi,

    Your question:

    "So can we append the application URL dynamically to this redirected Identity Manager task URL?"

    Is the IM task URL stored somewhere? I'm not familiar with IM and not sure how that is being generated. My idea is that if the task URL is stored in some place and you can replicate the entry into one of the user attributes, then we can retrieve it via the response.

     

    Regards,

    Kar Meng



  • 3.  Re: Mandate users to set security questions when they log in for the first time.

    Broadcom Employee
    Posted Sep 07, 2016 01:12 PM

    I'm unsure if this can be done by the Identity Manager redirection capability when integrated with SiteMinder.

     

    In fact, I think your design is a good one and I have seen it done before at a number of customers. What they would do is use a SiteMinder active response object to find out whether that attribute is 'true' or 'false' and then redirect to the IDM task to set Q/A as needed. Since SiteMinder is the product that's controlling the login process, it makes it more 'guaranteed' that you can capture that event and use that response to achieve this scenario.

     

    In my opinion you are doing things right.

     

    Why are you asking to change it?

     

    Sagi



  • 4.  Re: Mandate users to set security questions when they log in for the first time.

    Posted Sep 08, 2016 11:23 AM

    Hi Karmeng,

     We are doing it the same way. We have a user attribute to check whether the condition is true or not. If the user doesn't meet the condition, we exclude him and redirect him to the IDM task URL, which is configured by a response, and this is a static response. Can we configure an active response here for the redirection to the IDM task URL, and will this active response also carry the target URL so that the user will come back to the application after completing his task on the redirected page? 

     

    Regards,

    Krishna.



  • 5.  Re: Mandate users to set security questions when they log in for the first time.

    Posted Sep 07, 2016 03:32 PM

    Hi Sagi, Thanks for your time on this.

    So in SiteMinder we have a few exceptions to using this procedure. For a regular application it is fine to go this way, and it is helpful for an enterprise to track this event. When it comes to federation applications (SP-initiated), we have only one authentication URL (realm), which is shared by a handful of partnerships, and it is difficult to set the target URI manually for each partnership appended to the security question task URL. So if we can pass the target URI dynamically instead of passing it manually, that will help here. 

     

    Regards,

    Krishna.



  • 6.  Re: Mandate users to set security questions when they log in for the first time.
    Best Answer

    Posted Sep 08, 2016 08:22 PM

    Hi Krishna,

     

    I don't think you can pass the IM URI dynamically to the Fed authentication URL with an OOTB SiteMinder and IM configuration. You might need some customization to achieve that, such as a JSP page with code that captures some necessary user/partnership details, does a redirect to the IM security Q&A page, and populates the Q&A page with the user ID. The JSP page can be set in an SM response to fire when a condition is met.

     

    Cheers

    Lien
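
    Added example (not code from the thread or from the product): a minimal servlet that does the job Lien describes above for the custom page the SM response fires. It reads the authenticated user from the SM_USER header the web agent adds, takes the original destination as a query parameter, and redirects to the IM security Q&A task with the user ID and the return target appended. Because the return target now arrives dynamically, it has to be validated against an allow-list of hosts; otherwise the response URL becomes an open redirect. The IM task URL, the "user" and "target" parameter names, the allowed hosts, and the assumption that the original destination reaches the servlet as a "target" query parameter are all hypothetical and would be replaced with the values of your own environment.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirect helper for the "set security questions on first login" flow.
 *
 * A SiteMinder response fires this servlet after authentication when the
 * "questions not set" condition is met. The servlet reads the authenticated
 * user from the SM_USER header the web agent adds, validates the return
 * target against an allow-list, and redirects to the IM task URL with both
 * the user ID and the target appended.
 *
 * Assumed (not from the thread): IM_TASK_URL, the "user" and "target"
 * parameter names, the allow-listed hosts, and that the original
 * destination reaches this servlet as a "target" query parameter.
 */
public class SecurityQuestionRedirectServlet extends HttpServlet {

    /** Hypothetical IM task URL for the security Q&A task. */
    static final String IM_TASK_URL =
            "https://im.example.com/iam/im/identityEnv/ca12/index.jsp?task.tag=SetSecurityQuestions";

    /** Fallback when the supplied target is missing or not trusted. */
    static final String DEFAULT_TARGET = "https://portal.example.com/";

    /**
     * Hosts a return target may point at: the shared federation authentication
     * URL host plus the application hosts. Anything else would be an open redirect.
     */
    static final Set<String> ALLOWED_TARGET_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("fed.example.com", "app1.example.com", "app2.example.com")));

    /** Returns target unchanged if it is an absolute https URL on an allowed host, else DEFAULT_TARGET. */
    static String safeTarget(String target) {
        if (target == null || target.trim().isEmpty()) {
            return DEFAULT_TARGET;
        }
        try {
            URI uri = new URI(target.trim());
            boolean https = "https".equalsIgnoreCase(uri.getScheme());
            String host = uri.getHost();   // null for relative or malformed ("https:///x") URLs
            boolean trustedHost = host != null && ALLOWED_TARGET_HOSTS.contains(host.toLowerCase());
            boolean noUserInfo = uri.getUserInfo() == null;   // refuse credentials embedded in the URL
            return (https && trustedHost && noUserInfo) ? uri.toString() : DEFAULT_TARGET;
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
    }

    /** Builds the IM task URL with the user ID and the validated return target appended. */
    static String buildTaskUrl(String user, String target) {
        String separator = IM_TASK_URL.contains("?") ? "&" : "?";
        return IM_TASK_URL + separator
                + "user=" + encode(user)
                + "&target=" + encode(safeTarget(target));
    }

    private static String encode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // SM_USER is added by the SiteMinder web agent once the user is authenticated.
        String user = req.getHeader("SM_USER");
        if (user == null || user.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String target = req.getParameter("target");
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(buildTaskUrl(user, target));
    }
}
```

    The attribute check itself stays where Sagi put it, in the SiteMinder active response; the response's redirect simply points at this servlet instead of at a static IM task URL, so one response serves every partnership that shares the federation authentication realm. Whether the IM task honours the appended target and sends the user back to it after the questions are saved is an IM-side configuration question that the thread does not cover and must be confirmed in your own environment.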