ForceAuth parameter not working as expected after changing user password

  • 7003421
  • 02-Jun-2009
  • 26-Apr-2012

Environment


Novell Access Manager 3.1 Linux Access Gateway

Situation

Identity injection configured to inject the users username and password to any request for a back end web server being protected. When the users password is changes, the administrator used the forceAuth=TRUE parameter to make sure that the corresponding identity injection credentials would reflect the change. The ForceAuth parameter is documented at

https://www.novell.com/documentation/novellaccessmanager31/adminguide/index.html?page=/documentation/novellaccessmanager31/adminguide/data/bi0p4aq.html#bi4be0w

After making the changes, a user logged into and accessed a protected resource. WHilst logged in, the user changed password, and then access the IDP with the following URL:

https://idp.example.com:8443/nidp/idff/sso?id=SecNamePwdForm&forceAuth=TRUE

where https://idp.example.com:8443/nidp is the baseURL of the IDP server, and SecNamePwdForm is the logical name of the Authentication card on the contract assigned

Note that the URL above is also the value generated by <RETURN_URL> plus the forceAuth param.  When the IDP is accessed with the above URL, the IDP indeed prompts the user for re-authentication, on a screen distinctly different from the normal login page.

However when a protected resource using identity injection is then accessed, the old password continues to be used.   Administrator was using "Credential Profile":"LDAPCredentials:LDAP Password".  Unlike using "LDAP Attributes", there is no control for how often the values are refreshed.

Resolution

On the Linux Access Gateway, execute the "touch /var/novell/.PasswordMgmt" command, and then restart proxy using "/etc/init.d/novell-vmc restart". At this point, it will start refreshing the credentials for the session if and when the PW Mgmt Servlet is invoked.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.