Symantec Access Management

  • 1.  smpwservices.fcc and custom authscheme

    Posted Apr 07, 2022 06:19 AM

    Hello everyone,
    I wrote a custom auth scheme which, in addition to verifying the password, also verifies a second attribute. I concatenate the value of the second attribute with the password using a **** character as a separator.

    This method works well.

    I have used the Java auth API. I also check the disabled status for disabled users, expired passwords, etc., and return the correct value, for example:

    • return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT, SmAuthenticationResult.REASON_PW_EXPIRED)
    or
    • return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT, SmAuthenticationResult.REASON_PW_MUST_CHANGE)


    If I try to log in with a user who has the disabled status at 16777216, I am correctly redirected to smpwservices.fcc with the correct reason.
    But if I try to change the password it does not work! I am redirected to the login page.

    This doesn't happen if I use form authentication. In both cases the same user directory is used (it is an LDAP, CA Directory).

    What am I doing wrong?


    Is it possible that smpwservices.fcc calls my library and that the authentication fails because the second factor is not passed to my library?
    Any other ideas?
    Thanks in advance

    Marco



  • 2.  RE: smpwservices.fcc and custom authscheme

    Posted May 23, 2022 03:47 PM
    I solved this!
    I have to manage the password change myself (it doesn't work "automagically"!). It's simple: I distinguish if I'm receiving a POST from an authentication or a password change depending on whether I can retrieve the newPassword. :)
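
The dispatch described in the reply above, as an added example that is not the poster's code and does not use the SiteMinder SDK types. The `|` separator, the `User` record, the in-memory `STORE`, the `Outcome` values and all method names are hypothetical stand-ins, and it assumes the password-change POST still carries the current password combined with the second attribute:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class CombinedCredentialDemo {
    static final char SEP = '|'; // hypothetical separator; the thread does not show the real one

    enum Outcome { ACCEPT, REJECT, REJECT_PW_MUST_CHANGE, PASSWORD_CHANGED }

    // Constructed in-memory record standing in for the directory entry.
    static final class User {
        String password; final String secondAttr; boolean mustChange;
        User(String p, String s, boolean m) { password = p; secondAttr = s; mustChange = m; }
    }
    static final Map<String, User> STORE = new HashMap<>();

    // Comparison that does not stop at the first differing byte.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    // Split "password<SEP>secondAttr" at the last separator (assumes the second
    // attribute never contains SEP); returns null if the separator is missing.
    static String[] split(String combined) {
        int i = (combined == null) ? -1 : combined.lastIndexOf(SEP);
        return (i < 0) ? null : new String[] { combined.substring(0, i), combined.substring(i + 1) };
    }

    // newPassword == null: login POST. newPassword != null: POST from the password-change form.
    static Outcome handle(String name, String combined, String newPassword) {
        User u = STORE.get(name);
        String[] parts = split(combined);
        if (u == null || parts == null) return Outcome.REJECT;
        // Both branches verify the current password AND the second attribute first.
        if (!(same(u.password, parts[0]) & same(u.secondAttr, parts[1]))) return Outcome.REJECT;
        if (newPassword == null) return u.mustChange ? Outcome.REJECT_PW_MUST_CHANGE : Outcome.ACCEPT;
        if (newPassword.isEmpty() || same(newPassword, u.password)) return Outcome.REJECT;
        u.password = newPassword;   // password change handled by the scheme itself
        u.mustChange = false;
        return Outcome.PASSWORD_CHANGED;
    }

    public static void main(String[] args) {
        STORE.put("alice", new User("old-pw", "A123", true)); // constructed sample user
        System.out.println(handle("alice", "old-pw|A123", null));      // login while change is required
        System.out.println(handle("alice", "old-pw|WRONG", "new-pw")); // change with bad second attribute
        System.out.println(handle("alice", "old-pw|A123", "new-pw"));  // valid change
        System.out.println(handle("alice", "new-pw|A123", null));      // login with the new password
    }
}
```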