README.html revision b93185b577f7150fec37f9999b95b246d73bf63c
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
 <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=windows-1252">
 <TITLE></TITLE>
 <META NAME="GENERATOR" CONTENT="StarOffice 9 (Win32)">
 <META NAME="AUTHOR" CONTENT="Rahul Gopal">
 <META NAME="CREATED" CONTENT="20090729;12142600">
 <META NAME="CHANGEDBY" CONTENT="Rahul Gopal">
 <META NAME="CHANGED" CONTENT="20090729;12304100">
</HEAD>
<BODY LANG="en-US" DIR="LTR">
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=CENTER STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><FONT SIZE=5 STYLE="font-size: 20pt">README</FONT></FONT></P>
<P ALIGN=CENTER STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=CENTER STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><FONT SIZE=4 STYLE="font-size: 16pt">(
Integration between OpenAM and Sun Identity Manager )</FONT></FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">The
files in this directory are intended as samples that enable some of
the use cases arising from the integration between OpenAM and Sun
Identity Manager. The samples are part of the opensso.zip
distribution.</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">The
relevant use cases are:</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><U><B>(1)
Configuring &quot;Password-Expiry&quot; or &quot;Administrator-Driven
Password-Reset&quot; Behavior</B></U></FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">When
a user's password is close to expiry, the Directory Server sends a
warning at the time configured in the password policy. Once this
event has occurred, the next time the user attempts to log in to
OpenAM he is redirected by OpenAM to IDM, where he can change his
password.</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">If
the user does not change his password and lets it expire, he will
need to ask the Helpdesk for a password reset.</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">When
a help-desk administrator resets an end user's password, a flag is
set in the user's profile. The help-desk administrator gives the
temporary password to the end user by email or over the phone.</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">When
the end user logs in using the temporary password, he is redirected
to Identity Manager's user interface to reset his password. After
his password has been reset, the flag that was set earlier is
cleared.</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><A NAME="title-text"></A><A NAME="title-heading"></A>
<FONT FACE="Andale Sans UI, sans-serif"><U><B>(2) Configuring
&quot;Self-Service Password-Reset&quot; or &quot;Forgot Password&quot;
Behavior</B></U> </FONT>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">If
the user has forgotten his password, he should be allowed to change or
reset it himself, without requiring assistance from a helpdesk.
<BR>To identify himself, he must correctly answer his challenge
questions; unless he does so, he will not be able to change or reset
his password. </FONT>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><U><B>(3)
Configuring Anonymous-Enrollment Or Self-Registration By User</B></U></FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY><FONT FACE="Andale Sans UI, sans-serif">This use case
requires that an end user be able to create his own account in the
system.</FONT></P>
<P ALIGN=JUSTIFY><FONT FACE="Andale Sans UI, sans-serif">The user
is allowed to provide the minimum details required of him, so that
an account can be created for him in IDM. This account is then
automatically provisioned into OpenAM. </FONT>
</P>
<P ALIGN=JUSTIFY><FONT FACE="Andale Sans UI, sans-serif">Such a
user account is the most basic account, with the least privileges
assigned to it.</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><U><B>(4)
Configuring First-Time User Login Behavior</B></U></FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">When
a user logs in to the protected application through OpenAM for the
first time after being provisioned, he should be asked to set his
challenge/response answers. These answers can later be used to
verify his identity when he wants to reset a forgotten password. </FONT>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><U><B>(5)
Configuring Single-Logout (SLO) Between IDM And OpenAM</B></U></FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">When
the user logs out from the IDM application, he should automatically be
logged out from OpenAM as well.</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><U><B>(6)
Configuring User-Account Self-UnLock Behavior</B></U></FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY><FONT FACE="Andale Sans UI, sans-serif">When a
user's account is locked, either as a result of the conditions
configured in the password policy assigned to the user or as a result
of his LDAP account being marked inactive, it is possible to allow the
user to unlock his account himself, without requiring intervention
from an administrator.</FONT></P>
<P ALIGN=JUSTIFY><FONT FACE="Andale Sans UI, sans-serif">The user's
account could have been locked for the following reasons:</FONT></P>
<UL>
<LI><P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">in-memory
account locking </FONT>
</P>
<UL>
<LI><P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">the
user may have exceeded the allowed number of failed login attempts,
as configured in the password policy. In this type of locking the
user remains locked for a set amount of time, and can only reset his
password after that time has passed. The &quot;locked state&quot; of
the user account is maintained in memory only; no information is
written to his LDAP profile. </FONT>
</P>
</UL>
<LI><P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">physical
account locking </FONT>
</P>
<UL>
<LI><P ALIGN=JUSTIFY><FONT FACE="Andale Sans UI, sans-serif">the
user's account may have been locked either explicitly by an
administrator or by some automated process, by changing the value of
the </FONT><TT><FONT FACE="Andale Sans UI, sans-serif">inetuserstatus</FONT></TT><FONT FACE="Andale Sans UI, sans-serif">
attribute in his profile to </FONT><TT><FONT FACE="Andale Sans UI, sans-serif">Inactive</FONT></TT><FONT FACE="Andale Sans UI, sans-serif">.
</FONT>
</P>
</UL>
</UL>
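<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">The
two lock types above, modelled as an added Python example that is not
part of the sample files or of the OpenAM/IDM code: it keeps the
failed-attempt state in memory only, detects a physical lock from the
<TT>inetuserstatus</TT> attribute, and shows which of the two a
self-unlock can clear. The policy values (3 attempts, 300-second
lockout), the <TT>InMemoryLockout</TT> class and the sample LDAP entry
are assumptions constructed for illustration.</FONT></P>

```python
# Added example (not from the OpenAM/IDM samples). Policy values and the
# LDAP entry below are constructed for illustration.
MAX_FAILED_ATTEMPTS = 3       # assumed password-policy setting
LOCKOUT_DURATION_SEC = 300    # assumed password-policy setting


class InMemoryLockout:
    """Failed-attempt bookkeeping kept only in memory; nothing is written to LDAP."""

    def __init__(self):
        self.failures = {}       # uid -> number of failed login attempts
        self.locked_until = {}   # uid -> epoch seconds at which the lock expires

    def record_failure(self, uid, now):
        self.failures[uid] = self.failures.get(uid, 0) + 1
        if self.failures[uid] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[uid] = now + LOCKOUT_DURATION_SEC

    def is_locked(self, uid, now):
        until = self.locked_until.get(uid)
        if until is None:
            return False
        if now >= until:                      # timed lock has elapsed
            del self.locked_until[uid]
            self.failures.pop(uid, None)
            return False
        return True


def is_physically_locked(entry):
    """Physical lock: the profile's inetuserstatus attribute is Inactive."""
    return entry.get("inetuserstatus", "Active").lower() == "inactive"


def lock_status(uid, entry, lockout, now):
    """Classify the account as 'unlocked', 'in-memory', 'physical' or 'both'."""
    mem, phys = lockout.is_locked(uid, now), is_physically_locked(entry)
    if mem and phys:
        return "both"
    return "in-memory" if mem else "physical" if phys else "unlocked"


def self_unlock(uid, entry, lockout, now):
    """Try to self-unlock; True when the account is unlocked afterwards.
    A physical lock is cleared by resetting inetuserstatus; an in-memory
    lock cannot be cleared early, the user must wait for it to expire."""
    if is_physically_locked(entry):
        entry["inetuserstatus"] = "Active"
    return not lockout.is_locked(uid, now)


# Constructed sample profile that an automated process marked Inactive
SAMPLE_ENTRY = {"uid": "jdoe", "inetuserstatus": "Inactive"}
```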
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif"><B>For
a detailed description of how to configure OpenAM and Sun
Identity Manager for the above use cases, and how to use the sample
files included here, please refer to the <A HREF="http://docs.sun.com/app/docs/doc/820-4729/ggsmu">OpenAM
Integration Guide</A>.</B></FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><FONT FACE="Andale Sans UI, sans-serif">The
sample files included here are:</FONT></P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><IMG SRC="samples_sitemap.jpg" NAME="graphics1" ALIGN=LEFT WIDTH=1134 HEIGHT=697 BORDER=0><BR CLEAR=LEFT><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
<P ALIGN=JUSTIFY STYLE="margin-bottom: 0in"><BR>
</P>
</BODY>
</HTML>