I've been doing research on SSO - Basic Password Service (BPS) integration with Active Directory. Essentially, I'm looking to trigger an action based on BPS configuration policy, e.g. lock the user after 5 failed attempts, force the user to change password, etc.
* Has anyone successfully used BPS with AD?
Any documentation or articles would be appreciated.
Thanks in advance for sharing your knowledge!
CA SSO BPS + AD is one of the most commonly used combinations and has worked very well.
The way BPS works is by mapping user attributes used for enforcing password policy:
and, defining the actual password policy:
The “Password Data” user attribute value is commonly called the “Password Blob”. It is an enciphered collection of several virtual user attributes used by SiteMinder Basic Password Services.
These virtual attributes are:
More on the blob and how to decrypt the blob here:
Tech Tip - CA Single Sign-On:Policy Server: Read Password Blob Utility
Particularly, for AD, we would also recommend enabling the Enhanced Active Directory integration functionality:
Configure an Active Directory User Store Connection - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
This option improves the integration between the user management feature of the Policy Server and Password Services with AD by synchronizing AD user attributes with CA Single Sign-On mapped user attributes.
Let me know if you have any questions.
Thank you Ujwol for the fast response. One final question;
Do we absolutely have to map to the (3) attributes, carLicense, unicodePwd and audio?
Or can we select any other attribute that's unused by AD?
For the Password Attribute, it has to be the actual attribute used by LDAP to store the user password. For AD, this is unicodePwd, so this is a must.
You can use any attribute for Disabled Flag and Password Data, but with some limitations as specified below:
From the doco:
Good day Ujwol,
Thanks for the follow-ups. I've successfully tested this in my DEV environment and it's working well; the only item that I've noticed is an intermittent "Write" issue for the disabled attribute (i.e. the audio attribute), where there are no relevant error logs on the SiteMinder side. Have you ever seen this before?
I've opened a case to get this tracked.
Thanks again for your help.
For the Disabled attribute, you would need to map an attribute of type "String" like carLicense.
"audio" is a binary attribute which needs to be mapped to "Password Data" attribute.
Thanks Ujwol. I found the root cause: it was due to a delay in AD (intrasite/intersite) replication.