Bad password or login count attribute retrieval from Policy Server
Article ID: 189084

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


When developing a Custom Authentication Scheme that includes reCaptcha functionality, how can the bad password count for a user be retrieved, in order to decide whether or not the captcha control should be presented to that user?

 

Environment

 

  Policy Server 12.8SP2 on RedHat 7;
  Policy Server JDK 1.8.0_201 64bit;
  Policy Store on CA Directory 14.1;

 

Resolution


At first glance, out of the box, the custom code would need to read the "Password Data" value from the User Directory. Unfortunately, for security reasons, this value cannot be read outside the Policy Server, since decrypting it requires the Session Key (1).

Try utilizing SDK custom code and DmsApiSample.java (2)(3) to read it.

Another way is to use the SMTRYNO cookie, but this one has a very limited scope (4).

Finally, when Advanced Password Services (APS) is running on the Policy Server, the login failure count can be read in an easier way, as APS writes the login failure count in clear text to an LDAP User Attribute (5)(6).
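The following is an added example, not code from the article or from the SiteMinder SDK, of how a custom scheme could select a failure-count source before deciding on the captcha: it prefers the APS attribute on the user's LDAP entry, falls back to the SMTRYNO cookie, and never touches the encrypted "Password Data". The attribute name apsFailureCount is a placeholder (use the one configured in your APS setup), and the SMTRYNO value is assumed to be a plain integer counter.

```python
"""Captcha decision for a custom authentication scheme (added example).

Assumptions, not taken from the KB article: the APS failure-count attribute
is named "apsFailureCount" (placeholder), and SMTRYNO holds a plain integer.
"""
from typing import Mapping, Optional, Sequence, Tuple, Union

LdapValue = Union[str, bytes, Sequence[Union[str, bytes]]]

APS_FAILURE_ATTR = "apsFailureCount"   # placeholder attribute name
CAPTCHA_THRESHOLD = 3                  # show captcha from the 3rd failure on


def _as_int(value) -> Optional[int]:
    """Coerce an LDAP value (str, bytes or single-element list) to int."""
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            return None
        value = value[0]
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


def failure_count(user_entry: Mapping[str, LdapValue],
                  cookies: Mapping[str, str]) -> Tuple[Optional[int], str]:
    """Return (count, source) using the sources the article lists.

    The APS attribute is preferred because APS writes it in clear text.
    SMTRYNO is only a fallback: it is per browser and is reset when the
    browser changes, so it may undercount. The encrypted "Password Data"
    is never parsed here; only the Policy Server can read it.
    """
    n = _as_int(user_entry.get(APS_FAILURE_ATTR))
    if n is not None:
        return n, "aps"
    n = _as_int(cookies.get("SMTRYNO"))
    if n is not None:
        return n, "smtryno"
    return None, "unknown"


def should_present_captcha(user_entry, cookies, threshold=CAPTCHA_THRESHOLD) -> bool:
    """Present the captcha once the known failure count reaches the threshold.
    An unknown count is treated as 0 (lenient); return True instead if your
    policy prefers to fail closed when no source is available."""
    n, _ = failure_count(user_entry, cookies)
    return n is not None and n >= threshold


# Constructed sample entry, not real directory content.
SAMPLE_ENTRY = {"uid": "jdoe", APS_FAILURE_ATTR: ["4"]}
```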

 

Additional Information


 

  1. Password policy data consideration when Upgrading Siteminder
    https://knowledge.broadcom.com/external/article?articleId=38200

  2. Problem to read the password data using SDK DMS API DmsApiSample.java
    https://knowledge.broadcom.com/external/article?articleId=30073
  3. Retrieval of information from user's Password Data from directory.xml
    https://knowledge.broadcom.com/external/article?articleId=11205

  4. Web Agent SMTRYNO cookie being reset on browser change
    https://knowledge.broadcom.com/external/article?articleId=76512

  5. Failure Count Retention
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/advanced-password-services-configuration/aps-configuration-file/run-time-password-checking.html

  6. Application Programming Interface (APSAPI)
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/advanced-password-services-configuration/aps-introduced/advanced-password-services-capabilities.html#concept.dita_e371bcc9cdba0768e0a1b3a4d6295d8be719642b_ApplicationProgrammingInterfaceAPSAPI