5.16.4 Password Retrieval

If you have configured contracts that do not use a username and password for the credentials and you want to configure single sign-on to protected resources that require a user’s name and password, you can use PasswordFetchClass to retrieve the user’s name and password.

Create PasswordFetchClass and then create a method using this class. Assign this method as the second method to the authentication contract that does not prompt for the username and password. When Identity Server executes the contract, PasswordFetchClass retrieves the username and password and stores these with the LDAP credentials, which makes them available for Identity Injection and Form Fill policies.

For example, your contract uses Kerberos or X.509 certificate authentication where the password is not available. Use PasswordFetchClass to retrieve the username and password.

IMPORTANT:PasswordFetchClass works only with eDirectory user stores.

Perform the following steps:

  1. Click Devices > Identity Servers > Edit > Local > Classes > New.

  2. Specify a name for the class and select PasswordFetchClass in Java class.

  3. Click Next.

  4. Specify the following details:

    Field

    Description

    Ignore password retrieval failure

    Select this option if you want users to continue with their sessions when Identity Server cannot retrieve their passwords. If this option is not selected, users are denied access when their passwords cannot be retrieved.

    Retain Previous Principal

    Select this option to retain the principal obtained from the previous authentication method. If you do not select this option, then the principal will be used from the method associated with this class.

    Password to be retrieved

    If your users have been configured to use a universal password, select Universal Password. Otherwise, select Simple Password.

    NOTE:

    • Set the Universal Password Retrieval options in the configuration of the Universal Password policy, so that the policy allows the password to be retrieved from the user store.

    • User must reset the password after configuring the password policy for universal password.

    For more information about unable to retrieve universal password from eDirectory by using PasswordFetchClass issue, see TID 7007114.

    The user object must be looked up and found in an eDirectory user store for retrieval to succeed. This is done by matching the currently authenticated user by using the CN attribute. If your CN does not match in both of your directories (common when using Active Directory and eDirectory), then use the DN of the user to locate the matching user object. When NetIQ Identity Manager is used between Active Directory and eDirectory, the Active Directory DN value is populated in the DirXML-ADContext attribute, which can be used for lookup or matching. If no attribute has the DN value populated, use the Auto Provision feature.

  5. Configure the following userstore lookup settings:

    Field

    Description

    Based on the CN of the user object

    CN of users are mapped between two different user stores. CN is mapped with for retrieving the password from the user store. For example, Active Directory CN is mapped with eDirectory CN for retrieving the password from eDirectory.

    Based on the Attribute value of the user object

    User names are detected and handled in the LDAP attribute or DN of users of the Active Directory are mapped with LDAP attribute of the eDirectory. If you select this option, specify the attribute value in attribute details in Attribute name of the DN and select Auto Provision if required.

    Attribute Name of the DN

    Specify the attribute name of DN.

    This attribute must contain CN of user whose password you want to obtain. For example, if you are trying to obtain a password from eDirectory for a user with cn=a,dc=b, then you need to specify name of the attribute, which value is cn=a,dc=b.The passwordfetchclass tries fetching the password from the current user store based on the value of the LDAP attribute specified, which are mapped to user's DN of in Active Directory.

    Auto Provision

    If you select this option, the passwordfetchclass tries fetching the password from LDAP attribute specified which has the value of the DN users of Active Directory and retrieves the password, else it prompts to log in to eDirectory. If the login is successful, then the LDAP attribute value gets populated with the DN user of Active Directory. When the user is logged next time, the same value is used.

  6. Click OK.

  7. Create a method for this class.

    For instructions, see Section 5.1.3, Configuring Authentication Methods.

  8. Assign the password fetch method as the second method for a contract that is using one of the following methods:

    NOTE:You can use PasswordFetchClass as the second method of authentication for any of the protocols supported by Identity Server.

  9. Click Apply and update Identity Server.