Summary:
In order for Advanced Password Services (APS) to enforced every realm defined in the Policy Database must have Authentication and Authorization APS events enabled, except the Change Password realm. The instructions outlined use 'test' objects. The SiteMinder administrator configuring these objects will want to change the name to something more meaningful to their organization.
Instructions:
- Create a directory on the web server called ‘test’ This is the resource will be protected by the realm will create next.
- Create a domain (“Test Domain”) and a realm (“Test Realm”) to protect the resource ‘/test’. The agent must be the aps web agent. Basic auth is fine.
- There must be three Rules defined in every Realm, except the Change Password realm.
– An OnAuthAccept rule to catch password expiration, password change warnings and other events that occur, even though the user properly authenticates.
– An OnAuthReject rule to catch "three strikes you’re out" and other events that occur when SiteMinder accepts, but APS rejects, the user.
– An OnAccessAccept rule to process forced password change requests.
Create the following four rules for this realm:
Resource: /*
Allow Access
Enabled
Web Agent Actions: Get, Post
- Test_APS_On_Auth_Accept_Rule
Resource: *
Allow Access
Enabled
Authentication Events Action: OnAuthAccept
- Test_APS_On_Auth_Reject_Rule
Resource: *
Allow Access
Enabled
Authentication Action: OnAuthReject
- Test_APS_On_Access_Accept_Rule
Resource: *
Allow Access
Enabled
Authorization Events Action: OnAccessAccept
4. Create the following Responses for this realm:
- Test_APS_On_Auth_Accept_Response
Attribute: WebAgent-OnAccept-Redirect
Attribute Kind: Active
Advanced->Script: <@ lib="smaps" func="SmApsRedirect" param="" @>
Attribute Caching: Recalculate every 1 second
- Test_APS_On_Auth_Reject_Response
Attribute: WebAgent-OnReject-Redirect
Attribute Kind: Active
Advanced->Script: <@ lib="smaps" func="SmApsRedirect" param="" @>
Attribute Caching: Recalculate every 1 second
- Test_APS_On_Auth_Access_Response
Attribute: WebAgent-OnAccept-Redirect
Attribute Kind: Active
Advanced->Script: <@ lib="smaps" func="AZRedirect" param="" @>
Attribute Caching: Recalculate every 1 second
5. Create a policy called Test_Allow_Access_Policy. Add the Test_Get_Post_Rule to it.
6. Create another policy called APS_Policy. Add the following rules and corresponding responses:
- Test_APS_On_Auth_Accept_Rule with Test_APS_On_Auth_Accept_Response
- Test_APS_On_Auth_Reject_Rule with Test_APS_On_Auth_Reject_Response
- Test_APS_On_Access_Accept_Rule with Test_APS_On_Auth_Access_Response
Test Event Handling
1. From the bin directory on the Policy Server enter the following command:
$ ./APSForcePWChange –v –h<IP of user store> –p<port> –D<DN of user store admin> –w<admin password> –efpw_errors.txt
Example:
$ ./APSForcePWChange –v –h10.130.110.73 –p1489 –Duid=diradmin,ou=adminUsers,o=ca,c-us –wfirewall –e<error-file-name>
2. When prompted enter a DN to modify. (ex. enter “uidEUser3,ou=external,o=ca,c=us”). Hit <enter>. You should see a message “Processing (1): ui3=EUser2,ou=external,o=ca,c=us”
3. Check this user’s LDAP attributes using JXplorer. The attribute smapsImmediateChange should now be set. This will force the user to change their password the next time they log in.
4. From the web browser, enter the URL: http:// <hostname>/test/<your-test-page>.html
5. You will be prompted with a login form. Enter the user id and password.
6. After successful authentication and authorization you should see the following form:
7. Enter the old password, then a new password value into the new password fields and hit Submit. If the password change was successful you will see a confirmation message.