4.8 Adding Password Self-Service to Your Company Portal

Most of the procedures in the Password Self-Service section assume that you are using the Password Self-Service features on an iManager 2.0.2 server, which is the last version of iManager to support password self-service. If you have a version of iManager later than 2.0.2, you can perform password self-service only through Novell’s User Application. For more information on performing password self-service using Novell’s User Application, see Chapter 2, “Using the Identity Self-Service Tab” of the Identity Manager Roles Based Provisioning Module 3.6 User Application User Guide.

Refer to the following table for instructions on how Password Self-Service features can be used with portal products, including products other than iManager.

Table 4-1 Password Self-Service Features and Portal Products

| Product | Support for Password Self-Service | Procedure |
| --- | --- | --- |
| iManager 2.0.2 | You can integrate the features. This product supports Password Self-Service features if you install the password management plug-ins. These plug-ins are included with Identity Manager 3 and are also available separately from download.novell.com. | Follow the steps in |
| Identity Manager User Application | The User Application allows users to perform password self-service tasks. | See Chapter 2, “Using the Identity Self-Service Tab” in the Identity Manager Roles Based Provisioning Module 3.6 User Application User Guide. |
| Virtual Office, provided with NetWare 6.5 Support Pack 2, running on an iManager server | You can integrate the features. You can use the Password Self-Service features on the same NetWare server used for Virtual Office and iManager by installing the plug-ins and completing some additional steps. | Section 4.8.1, Integrating Password Self-Service with Virtual Office |
| Novell Portal Services (NPS) versions earlier than 4.1 | You must link to the features. Although these legacy NPS products run Novell portal modules (NPMs), they don't have some of the enhancements that are required for the Password Self-Service features of the ForgottenPassword.npm. To use this product with Password Self-Service, create links from your company portal to the end-user password features on an iManager server. | Section 4.8.2, Linking to Password Self-Service from a Company Portal |
| Third-party products | You must link to the features. Because third-party products don't run Novell portal modules, you can't use the Password Self-Service features directly in another product. To use third-party products with Password Self-Service, create links from your company portal to the end-user password features on an iManager server. | Section 4.8.2, Linking to Password Self-Service from a Company Portal |

4.8.1 Integrating Password Self-Service with Virtual Office

Virtual Office supports all the features of Password Self-Service in NetWare 6.5 Support Pack 2 and later, and with OES 1 Linux. Virtual Office is not supported on OES 2 Linux.

For instructions, see the Virtual Office Configuration Guide.

4.8.2 Linking to Password Self-Service from a Company Portal

For products that can't provide the Password Self-Service features by running the ForgottenPassword.npm (as noted in Table 4-1), you can use the Password Self-Service features by creating another iManager server with the password management plug-ins installed and then linking from your portal home page to the iManager portal on the other server, such as https://iManager_server_IP_address/nps.

The password management plug-ins are included with the Identity Manager plug-ins and are available separately by downloading the Password Administration Plug-in for iManager 2.x from http://download.novell.com.

Complete the tasks in these sections:

Prerequisites

The iManager server and the tree you are using must be prepared as follows:

Linking to Forgotten Password Self-Service

To give users access to Forgotten Password Self-Service from your company portal, you can link to that service on a separate iManager Web server.

  1. Create a link such as “Forgot your password?” on the login page for your company portal and point it to the following URL on your iManager Web server:

    http://iManager_server_IP_address/nps/servlet/fullpageservice?NPService=ForgotPassword&nextState=getUserID

    This URL takes users to the following page, where they begin the Forgotten Password process.

    [Figure: Forgotten Password page for entering username]
  2. To customize the return page to go to the login page for your company portal, complete the steps in Returning Self-Service Users to the Company Portal.

Linking to User Password Management Tasks

  1. Make sure all the eDirectory users in the portal users container have rights to the Hint attribute, which is named nsimHint.

    When you install the DirXML plug-ins on an iManager Web server, this step is automatically completed for the tree that iManager is configured for.

    If you are pointing to a different tree, you must complete this step manually.

    A utility is provided to help you do this, which you can download and run by doing the following:

    1. Go to http://download.novell.com.

    2. Fill in the following fields:

      • Search By: Product

      • Choose a Product: Novell Identity Manager

    3. Download the item named 2.0 Password Management Plug-in for iManager 2.0.x.

    4. Follow the instructions in the nsimhintreadme.txt file.

      If users do not have rights to the nsimHint attribute, they get an error like the following when they try to create a hint:

      “Could not write user hint” (Task could not be completed).
      
  2. Provide users with a link from your company portal to the password management tasks.

    You can create a Manage Passwords link from the company portal and link to https://other_iManager_server/nps. This link would provide access to the Password Management end user tasks:

    • Hint Setup

    • Answer Challenge Questions

    • Change Password (Universal)

    A user who clicks on the link would first need to log in and then would see a page like the following example:

  3. Complete the steps in Returning Self-Service Users to the Company Portal.

Returning Self-Service Users to the Company Portal

The Password Self-Service features include scenarios in which users are provided with a link that lets them return to the login page. For example, when a user changes a password by using the Forgotten Password Self-Service, a page is displayed with the message “Your password has been successfully changed. Click here to return to login page.”

If you point from your company portal to Password Self-Service on a separate iManager server, you might want to customize the default return page so that users are returned to the login page for your company portal when they complete password tasks. By default, clicking the button returns the user to a page on the iManager Web server.

A link to return to the login page is provided in these three places:

  • The page where a user can set a new password

  • The page displayed after a user successfully changes a password

  • The page where a user views a hint

To customize the return page to go to the login page for your company portal:

  1. On the iManager Web server you are using for Forgotten Password Self-Service, locate the following directory:

    \tomcat\webapps\nps\portal\modules\ForgottenPassword\skins\default\devices\default

  2. Locate the following file in that directory:

    forgottenpassword.xsl

  3. Edit the forgottenpassword.xsl file to customize the default return page.

    Replace the code

    href="{LoginURL}"
    

    with a hard-coded URL such as

    href="http://www.your_company_portal_home_page.com"
    

    You need to make this change in three places in the file.

  4. Stop and restart Tomcat on the iManager server.

    The Return to Login Page links now redirect users to your company's portal login page.
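
The edit in step 3 can be scripted so that it fails loudly when the file does not contain exactly the three links the procedure expects. The following is an added example, not Novell's code: the function names, the portal URL and the sample stylesheet are constructed for illustration. It also escapes the URL for the XSL file, because `&` must be written as `&amp;` and literal braces must be doubled in an XSLT attribute value.

```python
import re
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

EXPECTED_LINKS = 3  # the procedure says the link appears in three places
LOGIN_HREF = re.compile(r'href\s*=\s*"\{LoginURL\}"')

def xsl_attr_literal(url):
    """Escape a URL for use as a literal XSLT attribute value."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("portal URL must be an absolute http(s) URL")
    # XML-escape &, <, > and the double quote, then double any braces so the
    # XSLT processor does not read them as an attribute value template.
    escaped = escape(url, {'"': "&quot;"})
    return escaped.replace("{", "{{").replace("}", "}}")

def patch_return_links(xsl_text, portal_url):
    """Return xsl_text with every href="{LoginURL}" pointing at portal_url."""
    found = len(LOGIN_HREF.findall(xsl_text))
    if found != EXPECTED_LINKS:
        raise ValueError(f"expected {EXPECTED_LINKS} LoginURL links, found {found}")
    replacement = f'href="{xsl_attr_literal(portal_url)}"'
    # A callable replacement keeps re.sub from interpreting backslashes.
    return LOGIN_HREF.sub(lambda m: replacement, xsl_text)

# Constructed stand-in for forgottenpassword.xsl (not the real file contents).
SAMPLE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="NewPassword"><a href="{LoginURL}">Return</a></xsl:template>
  <xsl:template match="Success"><a href="{LoginURL}">Return</a></xsl:template>
  <xsl:template match="Hint"><a href="{LoginURL}">Return</a></xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    # Constructed portal URL; substitute your own login page.
    print(patch_return_links(SAMPLE_XSL, "https://portal.example.com/login?src=pw&lang=en"))
```

Keep a copy of the original forgottenpassword.xsl before writing the patched text back, then restart Tomcat as described in step 4.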

4.8.3 Making Sure Users Have Configured Password Features

When users log in to the iManager portal at https://iManager_server_IP_address/nps, they are prompted to take action through a series of post-authentication pages if conditions such as the following are true:

  • The user password doesn't comply with Advanced Password Rules in the password policy

  • The password policy requires Challenge Questions when using Forgotten Password Self-Service and the user has not configured these questions

  • The password policy is using Forgotten Password with Display Password Hint as the action and the user has not created a hint

These prompts are necessary to make sure that the user can use Forgotten Password Self-Service. For example, if the password policy requires users to answer Challenge Questions and the user has never configured them, the user can't access Forgotten Password Self-Service. If the user has not created a password hint, the user can't retrieve it to help in remembering the password.

Because other portal products won't automatically provide the post-authentication features, you need to make sure that users log in to the iManager portal at least once to create compliant passwords and complete password management setup, and then again whenever you make changes to Password Policies.

This can be done by making sure that users go to a Manage Passwords link you provide as described in Linking to User Password Management Tasks, which requires users to log in to the iManager portal.