Users not prompted for SSPR challenge responses from IDM Landing page

  • 7017613
  • 17-May-2016
  • 20-May-2016

Environment

IDM 4.5.2
IDM 4.5.3
SSPR 3.3.0.2
SSPR 3.3.1.3 
OSP 6.0.0 r3

Situation

Users are not prompted for SSPR challenge responses when hitting the IDM Landing page
OSP is not redirecting to SSPR to set initial C/R values
New users are not prompted to answer challenge questions unless they go directly to the SSPR page

Resolution

Using SSPR Configuration Editor, set the "External Web Services Permissions" filter for the desired users. This is found under Settings, Web Services, REST services.

The default value for this filter is cn=WebServiceUsers,ou=Groups,o=example
In this case the problem was solved by changing it to use the LDAP filter "objectclass=*". Note that this filter matches every entry in the directory, so every authenticated user is granted the WEBSERVICE permission; a narrower filter that matches only the users OSP will query for is preferable where the user population is known.

Also verify that "Web Services Third Party Permissions" is enabled in SSPR Configuration Editor, Settings, Web Services, REST services.

Cause

"External Web Services Permissions" filter had not been set and was still at the default value.

Additional Information

When a user hits the IDM Landing page, OSP sends the SSPR "Get Status" REST call to the SSPR server to determine if the user needs to answer challenge questions. The user will be redirected to the SSPR page if SSPR replies with "true" for any of the following:

  • "requiresResponseConfig":true
  • "requiresUpdateProfile":true
  • "requiresInteraction":true

If SSPR does not reply, or replies with "false" to all of the above, then the user will not be redirected. In this case SSPR did not reply to OSP because the calling user did not have the WEBSERVICE permission, as shown in the SSPR debug log.

The following was seen in the SSPR debug log:

2016-05-17T09:07:59Z, TRACE, http.PwmRequest, {g2} GET request for: /sspr/public/rest/status (no params) [REST WebService Request]

2016-05-17T09:07:59Z, TRACE, ldap.LdapPermissionTester, {g2,uix05232} begin check for ldapGroup match for UserIdentity{"userDN":"cn=testuser,ou=something,o=whatever","ldapProfile":"default"} using queryMatch: cn=WebServiceUsers,ou=groups,o=system

2016-05-17T09:07:59Z, TRACE, ldap.LdapPermissionTester, {g2,uix05232} checking ldap to see if UserIdentity{"userDN":"cn=testuser,ou=something,o=whatever","ldapProfile":"default"} matches group 'cn=WebServiceUsers,ou=groups,o=system' using filter '(groupMembership=cn=WebServiceUsers,ou=groups,o=system)'

2016-05-17T09:07:59Z, DEBUG, ldap.LdapPermissionTester, {g2,uix05232} user UserIdentity{"userDN":"cn=testuser,ou=something,o=whatever","ldapProfile":"default"} is not a match for group 'cn=WebServiceUsers,ou=groups,o=system' [10.179.232.36]

2016-05-17T09:07:59Z, DEBUG, http.SessionManager, {g2,uix05232} permission WEBSERVICE for user default|cn=testuser,ou=something,o=whatever is DENIED

Notes:

The SSPR debug log is part of the SSPR troubleshooting bundle which can be downloaded from SSPR configuration manager. For instructions see "How to enable logging for SSPR" at

The tool SLAnalyzer, available from Micro Focus Customer Care, has a REST client that can be used to test SSPR REST calls and was very useful in identifying this problem.