User with expired password on NAM IDP not redirected back to forwardURL after changing password on SSPR 4.2

  • 7022172
  • 25-Oct-2017

Environment


Access Manager 4.4
Access Manager 4.3
SSPR 4.2

Situation

Access Manager 4.4 (also tested on 4.3.2) and SSPR 4.2 (and 4.2.0.1) are integrated so that users who authenticate to the NAM IDP with a password that has expired in the IDP user store are automatically redirected to the SSPR password servlet. The redirection works fine, but after the password change SSPR does not redirect users back to the NAM IDP URL defined in the forwardURL parameter.

Looking at the specifics of the setup:

The servlet URL configured on the NAM contract is: https://service-dev.netiq.com/sspr/private/ChangePassword?passwordExpired=true&forwardURL=<RETURN_URL>

The Fiddler trace shows the user logging into the IDP and being successfully redirected to SSPR because the user's password has expired. The browser POSTs data to SSPR with the 'forwardURL' and 'passwordExpired' values. The password update itself works, but once the user has submitted the updated password, SSPR does not redirect the user back to that forwardURL as it should. If the user manually tests the URL below, sending the forwardURL and passwordExpired parameters as query-string parameters, the user is redirected to forwardURL after updating the password, i.e.

https://service-dev.netiq.com/sspr/private/ChangePassword?passwordExpired=true&forwardURL=https://login-dev.netiq.com/nidp/app

Looking at the SSPR logs, we can see that the incoming request uses the POST method as expected:

2017-10-13T17:09:33Z, TRACE, http.PwmRequest, {92} POST request for: /sspr/private/ChangePassword requestID=506 [10.38.234.65]
  passwordExpired=*hidden*
  forwardURL='https://login-dev.netiq.com/nidp/app'

but the SSPR logs then show that both parameters are being dropped:

2017-10-13T17:09:33Z, DEBUG, filter.SessionFilter, dropping non-query string (body?) parameter 'passwordExpired' during redirect validation)

2017-10-13T17:09:33Z, DEBUG, filter.SessionFilter, dropping non-query string (body?) parameter 'forwardURL' during redirect validation)

This probably explains why SSPR does not redirect to the forwardURL parameter after changing passwords.


Resolution

Modify /opt/novell/nam/idp/webapps/nidp/jsp/expiredpwd.jsp and replace the current POST method of the form with GET, as shown below:

    <body style="background-color: <%=handler.getBGColor()%>" marginwidth="0" marginheight="0" leftmargin="0" topmargin="20" rightmargin="0">
        <%-- Submit with GET so that SSPR receives forwardURL and passwordExpired as query-string parameters --%>
        <form method="GET" enctype="application/x-www-form-urlencoded" action="<%= (String) request.getAttribute("url") %>" target="_top">
<%
    String authUrl = (String) request.getAttribute("authUrl");

Cause

SSPR 4.2 rejects any POST data from a foreign server (including NAM). This is part of SSPR's cross-site scripting protection settings. In some cases this can be disabled by the setting 'Enable Form Nonce', which might allow this POST. However, this disables SSPR's CSRF prevention, so it is not recommended.

Thus, the first request into SSPR by a user should be a GET, in which case the forwardURL should be honored. In the logs you'll see:

forwardURL parameter detected in request, setting session forward url to xxxxx

You can also see the current session forwardURL in the "my account" page of the user.
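As an added illustration (not SSPR's or NAM's own code), the rule described above modelled in Python over two constructed requests: the original expiredpwd.jsp POST, whose body parameters are dropped, and the GET after the fix, whose query-string forwardURL is honored. The host allowlist and the servlet-URL builder are assumptions added for the example, not SSPR's actual redirect validation.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed model of the behaviour shown by the SessionFilter log lines:
# during redirect validation only query-string parameters count; parameters
# carried in a POST body are dropped. The allowlist of forward hosts is an
# assumption for this example (hypothetical), not SSPR's own logic.
ALLOWED_FORWARD_HOSTS = {"login-dev.netiq.com"}


def parse_raw_request(raw: str):
    """Split a raw HTTP request into (method, query params, body params)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    return method, query, form


def redirect_validation(raw: str):
    """Return (honored forwardURL or None, sorted names of dropped body params)."""
    _method, query, form = parse_raw_request(raw)
    dropped = sorted(form)  # every body parameter is ignored for the redirect
    forward = query.get("forwardURL", [None])[0]
    if forward is not None and urlsplit(forward).hostname not in ALLOWED_FORWARD_HOSTS:
        forward = None  # do not follow a forwardURL to a host outside the allowlist
    return forward, dropped


def build_servlet_url(base: str, return_url: str) -> str:
    """Build the contract servlet URL with forwardURL percent-encoded (assumed helper)."""
    return base + "?" + urlencode({"passwordExpired": "true", "forwardURL": return_url})


# Constructed requests: the original POST from expiredpwd.jsp and the GET after the fix.
POST_REQ = ("POST /sspr/private/ChangePassword HTTP/1.1\r\nHost: service-dev.netiq.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "passwordExpired=true&forwardURL=https%3A%2F%2Flogin-dev.netiq.com%2Fnidp%2Fapp")
GET_REQ = ("GET /sspr/private/ChangePassword?passwordExpired=true"
           "&forwardURL=https%3A%2F%2Flogin-dev.netiq.com%2Fnidp%2Fapp HTTP/1.1\r\n"
           "Host: service-dev.netiq.com\r\n\r\n")

if __name__ == "__main__":
    print(redirect_validation(POST_REQ))  # (None, ['forwardURL', 'passwordExpired'])
    print(redirect_validation(GET_REQ))   # ('https://login-dev.netiq.com/nidp/app', [])
```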