Password Policy Handling with Custom Authentication Scheme

Article ID: 399857


Products

SITEMINDER

Issue/Introduction

When a custom authentication scheme is used and the user's "User must change password at next logon" flag is set, does the custom scheme need to update the user attribute directly, or how does the password policy get involved?

What SmAuthStatus and SmAuthenticationResult reason values should the custom authentication scheme return?

Environment

SDK

All SiteMinder versions

Resolution

The SDK ships a sample scheme, AuthApiSample.java, which contains the following section for handling the disabled state:

        // Check if the user account is disabled.
        try
        {
            if (0 != Integer.parseInt(theUserContext.getProp("disabled")))
            {
                context.setUserText("User account is disabled.");

                return
                    new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT, SmAuthenticationResult.REASON_USER_DISABLED);
            }
        }
        catch (NumberFormatException e)
        {
            // An absent or non-numeric "disabled" attribute means the account is not disabled.
        }

The user must still submit the correct username and password; on a correct password the scheme would normally return SMAUTH_ACCEPT. When the "User must change password at next logon" flag is set, however, the scheme must reject the otherwise valid login so that the Policy Server redirects the browser to the Password Services URL.

For that reason the scheme must return the SMAUTH_REJECT status with the ImmedPWChangeRequired reason, that is:

SmAuthStatus = 3 (SMAUTH_REJECT), from the SmAuthStatus enumeration:
0. SMAUTH_SUCCESS.
1. SMAUTH_FAILURE.
2. SMAUTH_ACCEPT.
3. SMAUTH_REJECT.
4. SMAUTH_CHALLENGE.
5. SMAUTH_ATTEMPT.
6. SMAUTH_NO_USER_CONTEXT.
7. SMAUTH_SUCCESS_USER_DN.


SmAuthenticationResult reason = 20 (Sm_Api_Reason_ImmedPWChangeRequired), from the Sm_Api_Reason enumeration:

    Sm_Api_Reason_None                          = 0
    ,Sm_Api_Reason_PwMustChange                 = 1
    ,Sm_Api_Reason_InvalidSession               = 2
    ,Sm_Api_Reason_RevokedSession               = 3
    ,Sm_Api_Reason_ExpiredSession               = 4
    ,Sm_Api_Reason_AuthLevelTooLow              = 5
    ,Sm_Api_Reason_UnknownUser                  = 6
    ,Sm_Api_Reason_UserDisabled                 = 7
    ,Sm_Api_Reason_InvalidSessionId             = 8
    ,Sm_Api_Reason_InvalidSessionIp             = 9
    ,Sm_Api_Reason_CertificateRevoked           = 10
    ,Sm_Api_Reason_CRLOutOfDate                 = 11
    ,Sm_Api_Reason_CertRevokedKeyCompromised    = 12
    ,Sm_Api_Reason_CertRevokedAffiliationChange = 13
    ,Sm_Api_Reason_CertOnHold                   = 14
    ,Sm_Api_Reason_TokenCardChallenge           = 15
    ,Sm_Api_Reason_ImpersonatedUserNotInDir     = 16
    ,Sm_Api_Reason_Anonymous                    = 17
    ,Sm_Api_Reason_PwWillExpire                 = 18
    ,Sm_Api_Reason_PwExpired                    = 19
    ,Sm_Api_Reason_ImmedPWChangeRequired        = 20
    ,Sm_Api_Reason_PWChangeFailed               = 21
    ,Sm_Api_Reason_BadPWChange                  = 22
    ,Sm_Api_Reason_PWChangeAccepted             = 23
    ,Sm_Api_Reason_ExcessiveFailedLoginAttempts = 24
    ,Sm_Api_Reason_AccountInactivity            = 25
    ,Sm_Api_Reason_NoRedirectConfigured         = 26
    ,Sm_Api_Reason_ErrorMessageIsRedirect       = 27
    ,Sm_Api_Reason_Next_Tokencode               = 28

    ,Sm_Api_Reason_New_PIN_Select               = 29
    ,Sm_Api_Reason_New_PIN_Sys_Tokencode        = 30
    ,Sm_Api_Reason_New_User_PIN_Tokencode       = 31
    ,Sm_Api_Reason_New_PIN_Accepted             = 32
    ,Sm_Api_Reason_Guest                        = 33
    ,Sm_Api_Reason_PWSelfChange                 = 34

    ,Sm_Api_Reason_ServerException              = 35
    ,Sm_Api_Reason_UnknownScheme                = 36
    ,Sm_Api_Reason_UnsupportedScheme            = 37
    ,Sm_Api_Reason_Misconfigured                = 38
    ,Sm_Api_Reason_BufferOverflow               = 39

    ,Sm_Api_Reason_SetPersistentSessionFailed   = 40
    ,Sm_Api_Reason_UserLogout                   = 41
    ,Sm_Api_Reason_IdleSession                  = 42
    ,Sm_Api_Reason_PolicyServerEnforcedTimeout  = 43
    ,Sm_Api_Reason_PolicyServerEnforcedIdle     = 44

    ,Sm_Api_Reason_ImpersonationNotAllowed      = 45
    ,Sm_Api_Reason_ImpersonationNotAllowedUser  = 46

    ,Sm_Api_Reason_FederationNoLoginID          = 47
    ,Sm_Api_Reason_FederationUserNotInDir       = 48
    ,Sm_Api_Reason_FederationInvalidMessage     = 49
    ,Sm_Api_Reason_FederationUnacceptedMessage  = 50

which translates to:

                    return new SmAuthenticationResult(3, 20);

or, more readably, new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT, 20), using the status constant the sample already uses.

Password Services then takes over: the Policy Server redirects the browser to smpwservices.fcc.

The password policy handles the user account status (user attribute) updates, so the custom authentication scheme does not need to update anything itself.

When the user submits the old and new passwords and the change succeeds (Sm_Api_Reason_PWChangeAccepted = 23), an SMSESSION cookie is issued at smpwservices.fcc and the browser is redirected to the TARGET URL, where the SMSESSION token provides single sign-on.
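Putting the disabled check and the forced-change check together, the following is an added example of the decision part of a custom scheme's authenticate() method. It is not the SDK's AuthApiSample.java and not Broadcom code. It assumes the com.netegrity.policyserver.smapi classes from the Java SDK (smjavasdk2.jar on the classpath), that UserCredentialsContext.getPassword() and UserContext.authenticateUser() are available for the password check, and that the "must change at next logon" flag is exposed as a user attribute named pwdMustChange; the attribute name and the verification call are placeholders to adapt to the scheme's own user store. The reason code 20 is Sm_Api_Reason_ImmedPWChangeRequired from the enumeration above.

```java
import com.netegrity.policyserver.smapi.APIContext;
import com.netegrity.policyserver.smapi.SmAuthStatus;
import com.netegrity.policyserver.smapi.SmAuthenticationResult;
import com.netegrity.policyserver.smapi.UserContext;
import com.netegrity.policyserver.smapi.UserCredentialsContext;

/**
 * Decision logic for a custom scheme's authenticate() method (example code).
 * Order matters: reject disabled accounts, verify the password, and only then
 * signal the forced password change. Returning reason 20 before the password
 * has been verified would reveal the account's "must change" state to anyone
 * who knows a username.
 */
public class ForcedChangeAuthScheme {

    // Sm_Api_Reason_ImmedPWChangeRequired from the Sm_Api_Reason enumeration.
    private static final int REASON_IMMED_PW_CHANGE_REQUIRED = 20;
    // Sm_Api_Reason_None.
    private static final int REASON_NONE = 0;
    // Assumed attribute name carrying the "must change at next logon" flag.
    private static final String MUST_CHANGE_ATTR = "pwdMustChange";

    public SmAuthenticationResult authenticate(UserCredentialsContext credentials,
                                               UserContext theUserContext,
                                               APIContext context) {
        // 1. Disabled accounts are rejected first, as in AuthApiSample.java.
        if (flagSet(theUserContext.getProp("disabled"))) {
            context.setUserText("User account is disabled.");
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT,
                                              SmAuthenticationResult.REASON_USER_DISABLED);
        }

        // 2. Verify the supplied password against the user store.
        //    authenticateUser() is an assumed SDK call; substitute the scheme's own check.
        String password = credentials.getPassword();
        if (password == null || password.length() == 0
                || theUserContext.authenticateUser(password) != 0) {
            context.setUserText("Invalid credentials.");
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT, REASON_NONE);
        }

        // 3. Credentials are valid but the account is flagged for a forced change:
        //    reject with reason 20 so the Policy Server redirects to smpwservices.fcc.
        //    The scheme does not modify the attribute; Password Services does that.
        if (flagSet(theUserContext.getProp(MUST_CHANGE_ATTR))) {
            context.setUserText("Password change required.");
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT,
                                              REASON_IMMED_PW_CHANGE_REQUIRED);
        }

        // 4. Normal success.
        return new SmAuthenticationResult(SmAuthStatus.SMAUTH_ACCEPT, REASON_NONE);
    }

    /**
     * Interprets a directory flag attribute. A missing or blank value means "not set";
     * numeric values follow the sample's "0 means false" convention; "true"/"false"
     * strings are accepted as well, rather than throwing on a non-numeric value.
     */
    private static boolean flagSet(String value) {
        if (value == null || value.trim().isEmpty()) {
            return false;
        }
        String v = value.trim();
        try {
            return Integer.parseInt(v) != 0;
        } catch (NumberFormatException e) {
            return "true".equalsIgnoreCase(v);
        }
    }
}
```

Drop the method into a class implementing the SDK's SmAuthScheme interface (init, query and release omitted here). The important property is that step 3 is reached only after step 2 succeeds: an unauthenticated caller learns nothing about the flag, and the scheme never writes the attribute itself, so a change that fails or is abandoned at smpwservices.fcc leaves the flag intact for the next logon.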