Set up Advanced Password Services (APS) in SiteMinder to redirect the user on an authentication event with an expired password

Article ID: 378763


Products

SITEMINDER

Issue/Introduction

This KB describes the steps needed to make APS redirect the user to a specific URL when an authentication event fires for a user whose password has expired.

Environment

Any supported SiteMinder release.

Resolution

To redirect the user to a specific URL when their password has expired, follow the steps below.

** 1) For each realm that protects the accessed resource, configure the following:


## IN EVERY REALM IN EVERY POLICY DOMAIN, you must check the boxes
## labelled "Enable Authentication Events" and "Enable Authorization
## Events". If these boxes are not checked, SiteMinder will not perform
## redirections, even if the rest of the settings are correct. Note
## that there is ONE EXCEPTION: the "Change Password" realm should NOT
## have these events enabled, otherwise users will end up in an 
## infinite loop when attempting to change their passwords.

## The Response for OnAuthReject must have a single response of type
## OnReject-Redirect. This should be an Active Expression using the
## following values (these values are case-sensitive):
##      Library     = smaps
##      Function    = SmApsRedirect
##      Parameters  = (see below)


In the policy domain that contains the realm, create the following objects:

Create a Rule on the realm with Action "Authentication Events" and the event OnAuthReject.

Create a Response, for example named OnReject-Redirect, containing a single attribute of type OnReject-Redirect configured as an Active Expression with Library = smaps and Function = SmApsRedirect (Parameters can be left empty).

Create a Policy, for example OnAuthRejectPolicy, add the Rule above to it and bind the Response to that Rule. The redirect only fires when the Response is associated with the OnAuthReject Rule inside the Policy; a Response that exists but is not bound to the Rule does nothing.

 

** 2) Edit APS.cfg so that it contains the following.

NOTE: change the URL below to match your environment.

define UNPROTECTED_PATH     https://app.example.com/PasswordExpiry.htm
Expired Redirect=<UNPROTECTED_PATH>

UNPROTECTED_PATH is the URL the user is sent to when an expired password is detected. It can be any URL, including a custom page hosted on your own server that links to the password change page. It must be reachable without authentication: the user's password has just been rejected, so a target inside a realm that has authentication events enabled would produce another OnAuthReject and redirect again, the same loop the Change Password note above warns about.


** 3) Restart the Policy Server so that the modified APS.cfg is loaded.

** 4) Test with a user whose password has expired: after the authentication attempt the user is redirected to the URL defined in step 2.
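The following script is an added example, not part of this KB or of the APS product. It resolves the macro syntax used in step 2 (define NAME value, referenced later as <NAME>) and sanity-checks the resolved "Expired Redirect" target before the Policy Server is restarted: the target must be an absolute https URL and must not sit under a protected realm, which is the loop condition described above. It only parses the two constructs the KB shows, treats lines starting with '#' as comments, and the configuration fragments and realm prefixes embedded in it are constructed sample data.

```python
"""
Added example (not from the KB): resolve APS.cfg-style macros and check the
"Expired Redirect" target.

Assumptions: only `define NAME value` and `Name=Value` lines are parsed,
'#' starts a comment, and PROTECTED_PREFIXES is constructed sample data
standing in for the resource filters of realms with auth events enabled.
"""
import re
from urllib.parse import urlparse

DEFINE_RE = re.compile(r"^define\s+(\w+)\s+(.+?)$")
SETTING_RE = re.compile(r"^([^#=][^=]*?)\s*=\s*(.*?)$")
MACRO_RE = re.compile(r"<(\w+)>")


def expand(value, macros):
    """Replace every <NAME> in value with its definition; fail loudly on an
    undefined macro instead of silently writing '<NAME>' into a URL."""
    def sub(match):
        name = match.group(1)
        if name not in macros:
            raise ValueError(f"undefined macro <{name}>")
        return macros[name]
    return MACRO_RE.sub(sub, value)


def parse_aps_cfg(text):
    """Return (macros, settings) from an APS.cfg-style fragment, with all
    macro references expanded in order of appearance."""
    macros, settings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEFINE_RE.match(line)
        if m:
            macros[m.group(1)] = expand(m.group(2).strip(), macros)
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).strip()] = expand(m.group(2), macros)
    return macros, settings


def check_expired_redirect(settings, protected_prefixes):
    """Return a list of problems with the resolved 'Expired Redirect' target;
    an empty list means it looks safe to use."""
    target = settings.get("Expired Redirect")
    if not target:
        return ["'Expired Redirect' is not set"]
    problems = []
    u = urlparse(target)
    if u.scheme != "https":
        problems.append(f"not https: {target}")
    if not u.netloc:
        problems.append(f"not an absolute URL: {target}")
    for prefix in protected_prefixes:
        # A user whose password was just rejected cannot authenticate to a
        # protected realm, so a target there triggers another OnAuthReject
        # redirect and loops (the failure mode the KB notes for the Change
        # Password realm).
        if target.startswith(prefix):
            problems.append(f"target lies under protected realm {prefix}")
    return problems


# Constructed sample fragments, not real APS.cfg files.
GOOD_CFG = """
## Redirection macros
define UNPROTECTED_PATH     https://app.example.com/PasswordExpiry.htm
Expired Redirect=<UNPROTECTED_PATH>
"""

BAD_CFG = """
define PROTECTED_PATH       https://app.example.com/secure
Expired Redirect=<PROTECTED_PATH>/PasswordExpiry.htm
"""

# Constructed: resource filters of realms that have authentication events enabled.
PROTECTED_PREFIXES = ["https://app.example.com/secure/"]

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        _, settings = parse_aps_cfg(cfg)
        print(name, settings["Expired Redirect"],
              check_expired_redirect(settings, PROTECTED_PREFIXES) or "OK")
```

Run it against your own APS.cfg by passing the file contents to parse_aps_cfg and the resource filters of your realms as the prefix list; a non-empty problem list means the redirect will either fail to load or send the user into the loop described above.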

You can also send the user an e-mail at the same time to notify them that the password has expired; see the following KB: https://knowledge.broadcom.com/external/article?articleId=378403