Symantec Access Management

Expand all | Collapse all

Configure APS to generate and email passwords to users

Jump to Best Answer
  • 1.  Configure APS to generate and email passwords to users

     
    Posted 06-13-2018 05:28 PM

    I am working with a customer who wants to utilize SSO's Advanced Password Services for users to change their passwords. I have the APS documentation, but it is unclear if I am able to achieve the following flow...

     

    1. User clicks forgot password - (configured)

    2. User verifies account using Q&A (configured)

    3. Random password is generated and emailed to user (IN QUESTION)

    4. User logs in with new password 

    5. User is forced to change password after login with new password (IN QUESTION)

     

    Does anyone have a clear answer on whether this flow can be achieved out of the box or not? If so, does anyone have any detailed configuration docs for APS (outside of the APSAdmin and FPS techguides on communities?)

     

    Any help is appreciated.

     

    Thanks,

    Jawaan W.



  • 2.  Re: Configure APS to generate and email passwords to users

    Posted 06-14-2018 01:26 AM

    Hi Jawaan,

     

    Confirm Pages

    There are several different strategies to finishing the FPS process, all configured using the Confirm section of the APS configuration file.

           Give static information to tell the user how to proceed (sending the information via email).
            Give the user the information on a custom page, email, or a combination of the two.
            Let FPS display a message box displaying the information or part of the information (the rest being transmitted via               email)
            Log the user in automatically.

     

    One way to do confirmation at the end of the FPS process is to send the information to the user via email. If this is to be done, the confirm page should say something like "The information that you requested has been sent to the email addressuser@somesite.com".


    Another option is to display HalfPassword1 on the custom page and send HalfPassword2 via email. These macros return, in clear text, either the first half or the second half of the user's password. Of course, either the mail or the custom page will have to instruct the user that the two halves must be put together before using.

     

    Instead of using the "real" password, use the OneShotPassword instead. FPS creats a single-use password when the macro "OneShotPassword" is referenced in a mail file or in an initial setting for the confirmation page. The OneShotPassword requires special set up to use (See Authentication Scheme.) but it is more secure than using a multiple use password, even if you allow the user to select their own password (since you will never show the selected password).

     

    Refer :

    Change Pages - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Tech Tip : CA Single Sign-On :Policy Server::How to configure APS Forgot Password (FPS) Interface 

     

    Regards,
    Leo Joseph.



  • 3.  Re: Configure APS to generate and email passwords to users

    Posted 06-21-2018 01:39 PM

    Mail

    Value: mail file(s)

    Default: none

    Recommended: yes, if required

    Complexity Level: Advanced

    At the completion of the FPS process, one or more files can be sent, via email, using this setting.

    If the user will be redirected to the No Data URL above, the file(s) specified by this setting can also be sent via email.

    If both a password and user id are to be recovered, only one should be sent via mail (the other should be displayed on a page), since both together opens a larger security hole.

    There are several special macros available to this mail.

    Macro Name

    Purpose

    Password

    Clear text password that was randomly generated or that the user selected.

    HalfPassword1

    The first half of the new password, in clear text. Useful for mailing half and displaying half.

    HalfPassword2

    The second half of the new password, in clear text. Useful for mailing half and displaying half.

    OneShotPassword

    Only generated if the macro is requested, this is a random, 32-character password that can be used within 5 minutes (not-configurable) of generation to log this user in ONCE. Useful to automatically log in the user. Requires the APS Authentication Scheme to be installed.

     

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/configuring/advanced-password-services-configuration/aps-configuration-file/fps-confirm-process

     

    Only generated if the macro is requested, this is a random, 32-character password that can be used within 5 minutes (not-configurable) of generation to log this user in ONCE. Useful to automatically log in the user. Requires the APS Authentication Scheme to be installed.



  • 4.  Re: Configure APS to generate and email passwords to users
    Best Answer

    Posted 06-21-2018 01:41 PM

    Consider the use case. It is very specific. It is not meant to generate a password that the end user has to enter, it is for automatic logins.     So you never actually interact with the oneshot password, it is all under the covers.