Sun IdM Secondary Authentication Policy Options

Hi,
I need some inputs on the below:
1. We have a situation where we need to configure 10 security questions in the policy.
2. Force the user to select a minimum of 5 questions during their first login.
3. Later on, whenever the user tries to access password reset from Forgot Password, they need to answer only 2 questions in order to reset their password.
The "Default Identity Manager Account Policy" policy has a security questions section to set up the questions, and there is an option to enter "Minimum Number of Questions User is Required to Answer".
If I configure it as 5, it works on the initial setup page, but when it comes to password reset, it asks for 5 questions to be answered. Any inputs on this are highly appreciated.
Thanks,
Navatha

Navatha,
To force the user to select a minimum of 5 questions and allow the user to log in by answering any 2 of them, you can follow these steps:
1) Default Identity Manager Account Policy can be modified by adding the following entries in the 'Secondary Authentication Policy Options' section:
a) For Login interface: select 'User Interface' from the drop down.
b) Tick 'Enforce Answer policy at login'.
c) Select 'Any' from the Authentication Question policy drop down.
d) Enter 2 as the minimum number of questions to be answered.
e) Add all the questions that need to be answered.
Now, since I don't recommend modifying the out-of-box 'Login Change User Answers Form', copy its content into another form. Let's name it 'Modified Login Change User Answers Form'. Modify the text in the 'questionPrompt' label:
<eq>
  <ref>waveset.loginInterfaces[<ref>selectedLoginInterface</ref>].questionPolicy</ref>
  <s>Any</s>
</eq>
<message name='UI_AUTH_QUESTION_PROMPT_2'>
  <i>5</i>  <!-- This has been hardcoded. The original value would be 2 as per your configuration. -->
</message>
Also add validation in the form button at the bottom:
<block>
  <!-- count the questions that actually carry an answer -->
  <set name='questions'>
    <null/>
  </set>
  <cond>
    <neq>
      <length>
        <ref>waveset.questions[loginInterface=UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE]</ref>
      </length>
      <i>0</i>
    </neq>
    <dolist name='nmr'>
      <ref>waveset.questions[loginInterface=UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE].name</ref>
      <cond>
        <notnull>
          <ref>
            <expand>
              <concat>
                <s>waveset.questions[</s>
                <ref>nmr</ref>
                <s>].answer</s>
              </concat>
            </expand>
          </ref>
        </notnull>
        <set name='questions'>
          <add>
            <ref>questions</ref>
            <i>1</i>
          </add>
        </set>
      </cond>
    </dolist>
  </cond>
  <!-- reject the submission when fewer than five answers were given -->
  <cond>
    <lt>
      <ref>questions</ref>
      <i>5</i>
    </lt>
    <s>please answer all five questions</s>  <!-- custom message to be displayed -->
  </cond>
</block>
Import the form and change the form mapping of 'loginChangeAnswers' to 'Modified Login Change User Answers Form'.
I guess this matches your requirement.
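The two-threshold policy discussed in this thread (enrol at least five of ten questions at first login, answer any two of them at password reset) is modelled below as an added, stand-alone example. It is not Sun IdM code and does not use IdM's own answer storage; the ten-question bank and the sample answers are constructed for the demonstration, the salted PBKDF2 storage of answers is this example's own choice, and the answered-question count mirrors what the form validation above does with its `<dolist>`. It also adds two things a practitioner wants at reset time that the thread does not discuss: a fresh random subset of the enrolled questions per attempt, and a constant-time comparison that checks every challenged answer before deciding.

```python
import hashlib
import hmac
import os
import random
import unicodedata

MIN_ENROLLED = 5   # minimum questions a user must answer at first login
MIN_AT_RESET = 2   # questions presented and checked on the Forgot Password page
PBKDF2_ROUNDS = 50_000

# Constructed ten-question bank (stands in for the questions configured in the policy).
QUESTION_BANK = (
    "What was the name of your first pet?",
    "In which city were you born?",
    "What was your first car?",
    "What is your mother's maiden name?",
    "What was the name of your primary school?",
    "What is your favourite book?",
    "What was your childhood nickname?",
    "What street did you grow up on?",
    "What is the name of your first employer?",
    "What was the make of your first phone?",
)

# Constructed sample enrolment: exactly MIN_ENROLLED answers, as given at first login.
SAMPLE_ANSWERS = {
    QUESTION_BANK[0]: "Fluffy",
    QUESTION_BANK[1]: "Lisbon",
    QUESTION_BANK[2]: "Mini",
    QUESTION_BANK[3]: "Silva",
    QUESTION_BANK[4]: "St Mary's",
}


def normalize(answer):
    """Fold case, Unicode form and whitespace so ' Fluffy ' and 'fluffy' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt):
    """Salted PBKDF2 over the normalised answer; answers are stored only in this form."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def count_answered(answers):
    """Mirror of the form's <dolist>: count questions whose answer is non-null and non-blank."""
    return sum(1 for a in answers.values() if a is not None and a.strip())


def validate_enrollment(answers):
    """Return '' if the enrolment satisfies the policy, else the message to show the user."""
    unknown = sorted(set(answers) - set(QUESTION_BANK))
    if unknown:
        return "unknown question(s): " + "; ".join(unknown)
    if count_answered(answers) < MIN_ENROLLED:
        return "please answer at least %d questions" % MIN_ENROLLED
    return ""


def enroll(answers):
    """Store {question: (salt, hash)} for every answered question; raise on a policy violation."""
    problem = validate_enrollment(answers)
    if problem:
        raise ValueError(problem)
    enrolled = {}
    for question, answer in answers.items():
        if answer is not None and answer.strip():
            salt = os.urandom(16)
            enrolled[question] = (salt, hash_answer(answer, salt))
    return enrolled


def pick_challenge(enrolled, rng=None):
    """Pick MIN_AT_RESET distinct enrolled questions; a fresh random subset per reset attempt."""
    rng = rng or random.SystemRandom()
    return rng.sample(sorted(enrolled), MIN_AT_RESET)


def verify_reset(enrolled, challenge, responses):
    """True only if every challenged question is enrolled and answered correctly."""
    if len(challenge) < MIN_AT_RESET or len(set(challenge)) != len(challenge):
        return False
    ok = True
    for question in challenge:
        if question not in enrolled:
            return False
        salt, expected = enrolled[question]
        actual = hash_answer(responses.get(question, ""), salt)
        # compare every answer (no early exit) and in constant time
        ok = hmac.compare_digest(actual, expected) and ok
    return ok


if __name__ == "__main__":
    store = enroll(SAMPLE_ANSWERS)
    asked = pick_challenge(store)
    print("challenge:", asked)
    print("reset ok:", verify_reset(store, asked, {q: SAMPLE_ANSWERS[q] for q in asked}))
```

The enrolment check and the reset check are deliberately separate functions with separate thresholds, which is exactly the split the original poster could not express with the single "Minimum Number of Questions" setting; the form hack in the answer above achieves the same split by hardcoding 5 in the enrolment form while the policy keeps 2 for reset.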

Similar Messages

  • IdM Password Policy Options

    Anyone know of a way of configuring the Password Policy Options (found in the Identity System Policy) for lost password self-service?
    Specifically:
    Password Provided by "Generated"
    Reset Notification Option "email"
    A client (IdM 7.1) would like a person using the self-service lost password function (authenticating via questions) to have a new random expired password emailed rather than changing it immediately.
    The above settings only seem to apply to Administrative password resets.
    -Rob

    Any solution found for this? I have the same issue.

  • Sun idm 8.0.0.3: generate random password according to policy

    Hi all,
    Probably a stupid question: using Sun IdM 8, I have an active-sync source containing employees but no passwords. So I should generate a new password in my active-sync form and I am searching for a way to export the password so new employees can be sent a letter: "welcome at company, here is your password". Something like that.
    However, I fail to generate a password in the first place. I think I read about a PasswordGenerator once, but can't find it.
    So, what's the preferred way to generate a new password, if possible according to a selected password policy?
    CU,
    Patrick.

    OK, OK, if the policy is set to generate, my troubles go away.... I thought that was gone with MetaView?
    Anyway, what if I'd like to choose a special policy for creation that differs from normal operations?
    CU,
    Patrick.

  • Sun IDM Key based authentication

    Hi All,
    I have a requirement in Sun IDM for configuring an AIX resource with key-based authentication.
    For this, I first created public and private keys on the AIX resource (AIX server) with a passphrase. The files id_rsa and id_rsa.pub are now available in /home/<UserID>/.ssh on the AIX server. UserID is the ID used to log in to the AIX server (no root access).
    Then I created a file named authorized_keys and copied the contents of id_rsa.pub into the authorized_keys file.
    For key-based authentication, I configured the resource with the following parameters on the Sun IDM console:
    Host name=Specific to server
    TCP Port=22
    Login User= <UserID> (User ID used while creating the public and private keys on the AIX server)
    Login shell Prompt=$
    SUDO authentication =TRU
    Connection Type= SSHPubKey
    Private key = (Contents of id_rsa file from AIX server)
    Passphrase = created from the server
    Now, if I do the Test Configuration, I get the error message: Auth Failed.
    Do I need to create the authorized_keys file under /.ssh (the root .ssh folder of the AIX server) instead of the .ssh folder of the UserID used for creating the keys?
    Am I missing something here?
    Thanks in advance.

    The issue is resolved.
    Steps done to solve:
    1. Logged in to the IDM server via PuTTY with a user ID which has better sudo rights and generated the keys with a passphrase.
    2. Logged in to the target resource (AIX server) and appended the contents of the public key (from the IDM server) to the authorized_keys file (on the AIX server).
    3. Gave the private key and passphrase (generated on the IDM server) in the resource parameters in the IDM console.
    After following the steps above, I was able to do a test configuration successfully.

  • Error while Reading Idocs from ECC 6.0 to Sun IDM .

    Hi Gurus,
    We have a scenario where we have to update the Sun IDM server with all the changes in HR data happening in ECC.
    For that we have:
    1. Created a Logical System for the Sun IDM server, Port, RFC Connection (TCP/IP).
    2. Assigned Partner Profiles, Distribution Model etc. for message type HRMD_A.
    3. Created a Communications User used by the IDM server to connect to ECC.
    IDocs are created daily and are in status 03 - Data passed to Port OK!
    On the Sun Identity Manager 8.0 side we have created an SAP resource adapter for ECC 6.0;
    after giving the resource parameters, our test connection is successful.
    We also changed the synchronisation policy for the same, but when we start synchronisation in IDM, it is unable to read any IDocs although IDocs are generated in SAP.
    Log file gives the message as "Incoming IDoc list request containing 0 documents"
    We also have one more error:
    sometimes while doing a connection test: JCO.Server could not find server function '剆䍟偉乇'
    while most of the time the connection is successful.
    Please suggest.

    Hi Gurus,
    The error got resolved.
    The changes in the settings I made:
    SAP side: Made the RFC Connection Unicode.
    IDM side: Checked the "SAP Server Unicode" checkbox while doing the HR Active Sync settings.
    This resolved the error.
    regards
    Vaibhav

  • Sun IDM vs Oracle IDM

    Hi Everyone,
    The current version of IDM we are at is 6.0. We are thinking of the following options:
    1. Upgrade Sun IDM 6.0 -- IDM 8.1
    2. Migrate to latest Oracle IDM.
    Could someone please let me know the pros/cons in considering one over the other options?
    Thanks,

    Hi,
    A very interesting question but not one that can be answered easily.
    As Oracle is in the process of buying Sun, the future of both products is uncertain. Sun IDM might survive or Oracle IDM might survive, or the future Oracle IDM product may be a combination of both. I do not believe that we will see a resolution to this for at least 6 months. Even then it will only be an announcement.
    I also do not see any major improvements in either product until there is greater certainty about what the future product will be.
    For your particular circumstance I would upgrade from Sun IDM 6.0 to IDM 8.1. The main reasons are as follows:
    - Software currency. IDM 6.0 is no longer supported.
    - The upgrade is free of licencing costs.
    - Improved functionality of the latest version of Sun IDM.
    - Little training is required.
    Migrating to Oracle IDM would not be a trivial task and would probably include significant cost eg training, licensing and potentially hardware.
    I hope this helps

  • Sun IdM newbie - netbeans question

    Our Sun IdM configurator consultants have left and I'm trying to open our Development IdM project in Netbeans (just went to admin training and want to poke around). I have all the software ready on the workstation and the Sun IdM Netbeans plugin installed.
    I cannot create a successful project on my Windows XP workstation and I think I'm missing a few steps.
    Here's what I did so far:
    1. Checked out the code in Netbeans.
    2. Ran the command "ant -verbose dist-war" and got a BUILD SUCCESSFULL message.
    3. I open netbeans and browse to the IdM directory but instead of opening the project, it traverses into the next folder.
    What are my next steps in order to open this in Netbeans as a project? I can copy the IdM/nbproject directory from the workstation our consultants developed the software on into the IdM directory on my workstation and Netbeans will allow me to open the project.
    But to do this the correct way, what do I have to do after the build to get the nbproject and other project related directories/files into my IdM directory so I can open the folder as a Netbeans project?
    Any help would be appreciated.
    Thanks,
    Ed

  • Sun IDM 8.0 download

    Dear All,
    I cannot find the link to Sun IDM 8.0 download. If you can provide the link I would appreciate it very much.
    Thank you for your time and help.
    Kind regards
    Maria

    IDM 8.0 can be obtained here: https://cds-tst.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_us/-/USD/ViewProductDetail-Start?ProductRef=SJS-IDMGR-8.0-OTH-G-F@CDS-CDS_SMI
    Please note, this site requires proper authentication credentials and the acceptance of licensing terms/conditions.
    Hope this helps.

  • Sun IDM 8.1 download

    Dear All,
    I cannot find the link to Sun IDM 8.1 download. If you can provide the link I would appreciate it very much.
    Thank you for your time and help.
    Kind regards
    Maria

    Identity Manager 8.1 can be found on http://edelivery.oracle.com. The site requires a proper account/authentication.
    The # for IDM 8.1 on the site is: V19877-01
    It can be found by choosing:
    Select A Product Pack: Sun Products
    Platform: Oracle Solaris On Sparc (32-bit)
    Hit Go
    Select: Sun Products Media Pack for Oracle Solaris on SPARC (32-bit)
    Hit Continue
    Scroll down and you'll see this:
    Download      Sun Identity Manager 8.1      V19877-01      158M
    Hit the Download button.
    Hope this helps.

  • EToken + RSA Key Secondary Authentication problem

    Hello. I need to access an eToken using the Java Security API (PKCS11) and I can't use the "RSA Key Secondary Authentication" mode, because when I try to sign I get an error (CKR_USER_NOT_LOGGED_IN).
    Do you know why it happens?
    This is my code:
    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.io.Serializable;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Provider;
    import java.security.Security;
    import java.security.Signature;
    import java.security.SignedObject;
    import sun.security.pkcs11.SunPKCS11;

    // build the SunPKCS11 configuration in memory instead of a config file
    String pkcs11config;
    pkcs11config = "name = my-eToken";
    pkcs11config += "\nlibrary = c:\\WINDOWS\\system32\\eTpkcs11.dll";
    InputStream confStream = new ByteArrayInputStream(pkcs11config.getBytes());
    Provider sunpkcs11 = new SunPKCS11(confStream);
    Security.addProvider(sunpkcs11);
    String alias = "myAlias";
    KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", sunpkcs11,
      new KeyStore.CallbackHandlerProtection(new MyCallbackHandler()));
    KeyStore keyStore = builder.getKeyStore();
    // get my private key
    KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(alias,
            new KeyStore.PasswordProtection("aliasPwd".toCharArray()));
    PrivateKey privateKey = pkEntry.getPrivateKey();
    Serializable o = new SignedBean("bla bla");  // dummy object which wraps a String, just for testing
    Signature sig = Signature.getInstance("SHA1withRSA");
    SignedObject signedObject = new SignedObject(o, privateKey, sig);
    And when it attempts to create an instance of SignedObject, it throws the exception:
    java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
         at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:420)
         at java.security.Signature$Delegate.engineSign(Signature.java:1131)
         at java.security.Signature.sign(Signature.java:527)
         at java.security.SignedObject.sign(SignedObject.java:227)
         at java.security.SignedObject.<init>(SignedObject.java:144)
         at ar.gov.mecon.esidif.firmaDigital.test.ETokenTest2.testLogin(ETokenTest2.java:99)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at junit.framework.TestCase.runTest(TestCase.java:154)
         at junit.framework.TestCase.runBare(TestCase.java:127)
         at junit.framework.TestResult$1.protect(TestResult.java:106)
         at junit.framework.TestResult.runProtected(TestResult.java:124)
         at junit.framework.TestResult.run(TestResult.java:109)
         at junit.framework.TestCase.run(TestCase.java:118)
         at junit.framework.TestSuite.runTest(TestSuite.java:208)
         at junit.framework.TestSuite.run(TestSuite.java:203)
         at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:128)
         at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
         at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
         at sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:391)
         ... 23 more
    Thanks in advance

    Hello. Try redefining your callback:
    KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", sunpkcs11,
      new KeyStore.CallbackHandlerProtection(new CallbackHandler() {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
          // does nothing... so the native driver's login implementation is called
        }
      }));
    KeyStore keyStore = builder.getKeyStore();
    // get my private key
    privateKey = (PrivateKey) keyStore.getKey(alias, null); // send null because the secondary password is obtained by the driver
    In my case it works fine (JDK 1.5), but it opens the dialog for the secondary key twice :( I don't know why!!
    If you know, please answer me!!
    Hope this helps you.

  • Sun IDM : License Expires

    Hello all,
    I have a random question here.
    We have been using Sun IDM (version 8.1) for the last 3 years or so.
    We purchased a subscription from Sun, which expires in May next year (2012).
    We are aware that this means we will no longer receive any form of support from Oracle, nor will we have access to any product updates.
    However, we are curious: will we still be able to use the product itself? Or does the expiry of our license/subscription mean that our IDM system will suddenly shut down and stop working?
    Thanks

    From what I understand, there are two components to the support contract, the level of support and the license to use the product. Please check with the Oracle sales guys or gals to get the details.
    I think the confusion stems from the fact that Sun used to give people a free to use license on most of their products and made the support contract for those products as a value-add option. However, not all products were available like that, some products actually had to be licensed in combination with a support contract. I think Identity Manager was one of the products which falls into the latter category.

  • How to delete the recon Taskresults in Sun IdM 7.1 thru automation

    How to delete the recon TaskResults in Sun IdM 7.1 through automation, either through workflows or using Java programs...
    We need to delete only the recon TaskResults.

    Hi Dinesh,
    Try using waveset.adminRoles
    Thanks

  • SUN IDM with Windows Vista

    Hello,
    Has anybody tried installing Sun IDM on Windows Vista?
    I tried IDM 7.1 with Vista Home Premium and it doesn't seem to work. Curious to know if anybody has had success with Vista.
    Awaiting replies.
    Thanks,

    What error message are you getting?
    Have you installed Java and an application server as required?
    1) Set Up a Java Virtual Machine Software Development Kit and Java Compiler
    The application requires a Java compiler and a Java Virtual Machine (JVM) to run the Java classes that perform actions within Identity Manager. Both of these can be found in a Java SDK. Download from or http://java.sun.com/javase/downloads/index_jdk5.jsp *** You should add JAVA_HOME to your list of system environment variables and to your system path. To do this, add JAVA_HOME to your system environment and JAVA_HOME\bin to your path, making sure to list it before any other Java environment variables.
    2) Install Tomcat application server from official http://tomcat.apache.org/ to local hard drive. Configure Tomcat memory requirements and restart. Min: 256k

  • Looking for some one who can help me in SUN IDM

    Hi Friends,
    I am looking for someone who can help me to learn Sun IDM. Of course I will pay for your time.
    I can be reached at [email protected]
    Please let me know if you have some time
    Thx

    Hi Zebra,
    I really appreciate your reply. I would like to discuss this outside of this forum so that no one here is annoyed by our newbie questions. Please send me an email at the address I listed earlier to discuss the best ways. I'll send an email to Andy to join us.

  • ESSO-LM Secondary Authentication API

    Hi
    I am facing a problem implementing a custom Secondary Authentication Library with ESSO-LM for the passphrase prompt.
    I have gone through the documents, but they are not helpful to a great extent.
    Has anyone implemented this, or does anyone have any idea?

    You can do it by changing the authentication level in the LM console.
    Change the setting and write this setting to HKLM.
    Check also the documents for AM; you will get help there.
