Password Services defined in IDM aren't working when authentication and authorization directories are separate.

Document ID : KB000009496
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

When integrating SM and IM, one must be aware of a problem while defining the password policies in IDM and then separating the authentication and authorization directory.

Background:

IM allows creating and managing password policies. These password policies apply to users in the corporate store. In a standalone environment this is working well. However, when integrated with SiteMinder it is getting more complicated. SiteMinder allows authenticating a user against one storage while authorizing him off of another. When this feature is enabled then IM's corporate directory is in fact the authorization storage of SiteMinder. SiteMinder's authentication directory is unknown for Identity Manager. However, since IM defines password policies they are kicked in prior to the authentication. They, in turn, verify if the password needs to be reset and if other policies are valid in order to challenge the user for authentication. What happens is that when a user is trying to log into IM, it will kick in the password policies which are based off of the authorization directory, however, the user's password is in another storage (in the authentication directory) and so the password policies won't apply correctly. This only happens in this configuration where SiteMinder controls the authentication storage while IDM is controlling the password services on a different storage.

Instructions:

To alleviate this situation there are a number of possibilities

  • Do not define the password policies in IDM. Define them in SiteMinder so they're defined on the authentication directory.

  • Develop a TEWS custom page that will be launched when authentication to IDM and will turn to the authentication directory in order to query for the user's details and will then extend the returned user's object with the new information from the authentication directory.