SSPR Configuration options fail with CLE

  • 7015897
  • 14-Nov-2014
  • 08-May-2018

Environment

Self Service Password Reset
SSPR 3.x
SSPR 4.x
Client Login Extension
CLE 3.8
CLE 3.9
CLE 4.2
Emergency Access
Active Directory
"Enable SSPR Configurations" selected in the CLE Configuration Utility

Situation

SSPR Configuration options fail with CLE
Features listed under "Enable SSPR Configurations" do not work.
 - Option to "Force user for challenge response enrollment" doesn't do anything
 - Option to "Change Password through SSPR" does nothing when Ctrl, Alt, Del is pressed
 - Emergency Access feature does not work
The Forgotten Password link brings up the SSPR Forgotten Password page in the restricted browser as expected, and users can successfully change passwords. Basic CLE functionality works, but the SSPR configuration features fail.


Resolution

Configure the REST URI setting correctly as shown.  

The REST URI should contain only the SSPR REST URL, in the format
 https://<hostname:port>/sspr/rest   (with no .jsp at the end)
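
An added example, not part of the original article or the product: a small Python check that compares a REST URI value against the format stated above and reports what deviates. The host sspr.example.com:8443, the .jsp page name and the function name check_rest_uri are constructed for illustration; the strict match on /sspr/rest is an assumption.

```python
from urllib.parse import urlsplit

# Documented REST URI format from this article: https://<hostname:port>/sspr/rest
EXPECTED_PATH = "/sspr/rest"


def check_rest_uri(uri):
    """Return a list of deviations from the documented format (empty = match).

    Assumption: the comparison is strict, so any value other than exactly
    https://<hostname:port>/sspr/rest is reported, including a trailing slash.
    """
    try:
        parts = urlsplit(uri.strip())
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return ["not a parseable URL: %s" % exc]

    problems = []
    if parts.scheme != "https":
        problems.append("scheme is %r, expected https" % parts.scheme)
    if not parts.hostname:
        problems.append("hostname is missing")
    if parts.path.lower().endswith(".jsp"):
        problems.append("path ends in .jsp; this is a page URL, not the REST URL")
    elif parts.path != EXPECTED_PATH:
        problems.append("path is %r, expected %s" % (parts.path, EXPECTED_PATH))
    if parts.query or parts.fragment:
        problems.append("query string or fragment must be removed")
    return problems


if __name__ == "__main__":
    # Constructed sample values; sspr.example.com:8443 is a placeholder host.
    samples = [
        "https://sspr.example.com:8443/sspr/rest",
        "https://sspr.example.com:8443/sspr/rest/",
        "https://sspr.example.com:8443/sspr/example-page.jsp",
        "http://sspr.example.com:8443/sspr/rest?x=1",
    ]
    for value in samples:
        result = check_rest_uri(value)
        print(value, "->", "OK" if not result else "; ".join(result))
```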

For example:



Also, make sure the REST settings are configured correctly in SSPR. Check the following in the SSPR Configuration Editor:

- Enable External Web Services -- set "Enabled" to "True"

- Allow Web Services Read Answers -- set "Enabled" to "True"

- External Web Services Permissions -- add an LDAP Filter or Group and make sure the desired users are shown when "View Matches" is clicked

In SSPR 3.3 these settings are found under Web Services --> REST Clients
In SSPR 3.2 these settings are found under Settings --> Integration/ Developer
In SSPR 4.x these settings are found under Settings --> Web Services/ REST Services

The screen shot below shows the above settings for SSPR 4.2:




Additional Information


The "SSPR Configurations" are not needed in order to use CLE with SSPR (Self Service Password Reset) for basic forgotten password / change password functionality.  Configuring the Link URL to point to an SSPR server is all that is required for CLE to access an SSPR server to change a forgotten password.  The options under "SSPR Configurations" make REST calls to the SSPR server to provide the following added functionality:
- forcing users to enroll for challenge responses
- enabling the "Emergency Access" feature
- changing the password through SSPR when Ctrl+Alt+Del is entered

Note that the working configuration is the same whether or not SSPR is integrated with IDM.

Also, note that the CLE - SSPR integration features only work in an Active Directory environment. They are not currently supported with the Novell Client. The CLE - SSPR integration features include the following:
1. Force User for C/R responses
2. Password expiration warning
3. CTRL+ALT+DEL change password
4. Emergency Access

The Novell Client has its own mechanism for changing the eDirectory password with Ctrl, Alt, Del change password, but this mechanism does not consider the SSPR password settings.