Environment
Access Manager 4.4
Access Manager 4.3
SSPR 4.2
Situation
Looking at the specifics of the setup:
The servlet URL configured on the NAM contract is: https://service-dev.netiq.com/sspr/private/ChangePassword?passwordExpired=true&forwardURL=<RETURN_URL>
The Fiddler trace shows the user logging into the IDP and being redirected to SSPR because the user's password has expired. The browser POSTs data to SSPR with the 'forwardURL' and 'passwordExpired' values. The password update itself works, but once the user has submitted the new password, SSPR does not redirect the user back to the forwardURL as it should. If the user manually sends the same forwardURL and passwordExpired parameters as query strings on the URL, the user is redirected to the forwardURL after updating the password, i.e.
https://service-dev.netiq.com/sspr/private/ChangePassword?passwordExpired=true&forwardURL=https://login-dev.netiq.com/nidp/app
Looking at the SSPR logs, we can see the incoming request uses the POST method as expected:
2017-10-13T17:09:33Z, TRACE, http.PwmRequest, {92} POST request for: /sspr/private/ChangePassword requestID=506 [10.38.234.65]
passwordExpired=*hidden*
forwardURL='https://login-dev.netiq.com/nidp/app'
but then the SSPR logs show that both parameters are dropped:
2017-10-13T17:09:33Z, DEBUG, filter.SessionFilter, dropping non-query string (body?) parameter 'passwordExpired' during redirect validation)
2017-10-13T17:09:33Z, DEBUG, filter.SessionFilter, dropping non-query string (body?) parameter 'forwardURL' during redirect validation)
This explains why SSPR does not redirect to the forwardURL parameter after the password change: the value arrived in the POST body, and SSPR only honors it from the query string.
Resolution
Modify /opt/novell/nam/idp/webapps/nidp/jsp/expiredpwd.jsp and replace the current POST method with a GET as shown below:
<body style="background-color: <%=handler.getBGColor()%>" marginwidth="0" marginheight="0" leftmargin="0" topmargin="20" rightmargin="0">
<%-- method changed from POST to GET so the passwordExpired and forwardURL fields reach SSPR as query-string parameters --%>
<form method="GET" enctype="application/x-www-form-urlencoded" action="<%= (String) request.getAttribute("url") %>" target="_top">
<%
String authUrl = (String) request.getAttribute("authUrl");
Cause
SSPR 4.2 rejects any POST data from a foreign server (including NAM). This is part of SSPR's cross-site request forgery (CSRF) protection. In some cases this can be disabled by the setting 'Enable Form Nonce', which might allow this POST. However, this disables SSPR's CSRF prevention, so it is not recommended.
Thus, the first request into SSPR by a user should be a GET, in which case the forwardURL should be honored. In the logs you'll see:
forwardURL parameter detected in request, setting session forward url to xxxxx
You can also see the current session forwardURL in the “my account” page of the user.
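The following is an added example, not SSPR or NAM code, that models the behaviour described in the Situation and Cause sections: a redirect-validation step that only honors forwardURL when it arrives as a query-string parameter, drops any body parameters with the same log message quoted above, and the GET request that the modified expiredpwd.jsp form produces. The Request and Session classes, the function names and the host allow-list are assumptions constructed for this example; the allow-list is an extra open-redirect check added here, not an SSPR setting.

```python
"""Added example (not SSPR/NAM code): model of forwardURL handling.

Names below are constructed for this example:
  - Request / Session: minimal stand-ins for the servlet request and session
  - redirect_validation(): models the filter step quoted in the article's logs
  - build_get_redirect(): models what the browser sends after the JSP uses GET
  - ALLOWED_FORWARD_HOSTS: an added allow-list, not an SSPR setting
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hosts a forwardURL may point to (constructed sample value). Validating the
# target host keeps the honored parameter from becoming an open redirect.
ALLOWED_FORWARD_HOSTS = {"login-dev.netiq.com"}

SSPR_CHANGE_PASSWORD = "https://service-dev.netiq.com/sspr/private/ChangePassword"


@dataclass
class Request:
    method: str
    url: str                                        # full URL including query string
    body: Dict[str, str] = field(default_factory=dict)  # parsed form-encoded POST body


@dataclass
class Session:
    forward_url: Optional[str] = None
    log: List[str] = field(default_factory=list)


def redirect_validation(req: Request, session: Session) -> Optional[str]:
    """Only query-string parameters take part in redirect validation.

    Body parameters (as sent by a POST from a foreign server such as NAM) are
    logged and dropped, which is why the POST in the article never sets the
    session forward URL. Returns the session forward URL after validation.
    """
    query = parse_qs(urlsplit(req.url).query)

    for name in req.body:
        session.log.append(
            f"dropping non-query string (body?) parameter '{name}' during redirect validation")

    if "forwardURL" in query:
        candidate = query["forwardURL"][0]
        host = urlsplit(candidate).hostname
        if host in ALLOWED_FORWARD_HOSTS:
            session.forward_url = candidate
            session.log.append(
                f"forwardURL parameter detected in request, setting session forward url to {candidate}")
        else:
            # Added hardening: refuse to store a forward URL for an unexpected host.
            session.log.append(f"ignoring forwardURL for unexpected host {host!r}")

    return session.forward_url


def build_get_redirect(base: str, password_expired: str, forward_url: str) -> str:
    """Model of the browser's behaviour once expiredpwd.jsp uses method=GET:
    the form fields are URL-encoded into the query string of the action URL."""
    return base + "?" + urlencode({"passwordExpired": password_expired,
                                   "forwardURL": forward_url})


if __name__ == "__main__":
    # Constructed sample: the original NAM POST, parameters in the body.
    post = Request("POST", SSPR_CHANGE_PASSWORD,
                   {"passwordExpired": "true", "forwardURL": "https://login-dev.netiq.com/nidp/app"})
    s = Session()
    print("POST ->", redirect_validation(post, s), s.log)

    # Same parameters after the JSP change: they travel in the query string.
    get_url = build_get_redirect(SSPR_CHANGE_PASSWORD, "true", "https://login-dev.netiq.com/nidp/app")
    s = Session()
    print("GET  ->", redirect_validation(Request("GET", get_url), s), s.log)
```

Running the module shows the POST leaving the session forward URL empty with two "dropping non-query string" entries, while the GET built from the same fields sets it and logs the "forwardURL parameter detected" line; a GET whose forwardURL points at a host outside the allow-list is ignored rather than honored.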