Single Sign-On Service › SSO Policy Server Configuration Guide › Password Policies › User-initiated Password Changes

User-initiated Password Changes

User-initiated password changes allow end users to change their passwords without any intervention from an administrator. Users can elect to change their passwords by clicking a link to access the Password Change Request form.

Add a Change Password Link

To enable user-initiated password changes, the Policy Server administrator must add a Change Password link to an HTML page. For example, administrators might add this link to a login page so users can opt to change their password at login.

Note: For more information, see the Web Agent Configuration Guide.

Password Self-Changes

When users want to change their passwords they must:

1. Click Change Password.

   The CSP console displays the Password Change Request form.

2. Enter the requested information, then click the Change Password button.

   The CSP console displays another Password Change Information page, indicating that the user’s password has been changed.

Remove the Login ID When Redirecting for Password Services

During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, you can do one of the following procedures.

To remove the login ID when redirecting for password services in Windows

1. Add the following registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL
   

2. Set the DWORD value to one of the following values:
   • 0 — Applies the default behavior of appending the UID to the request URL.
   • 1 — Changes the default behavior so that the UID is not appended to the request URL.

To remove the login ID when redirecting for password services in UNIX

1. Navigate to:

   <policy-server-install-dir>/registry/
   

2. In a text editor, open the following file:

   sm.registry
   

3. Add the following registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL
   

4. Set the DWORD value to one of the following values:
   • 0 — Applies the default behavior of appending the UID to the request URL.
   • 1 — Changes the default behavior so that the UID is not appended to the request URL.

Enable Password Change Failure Messages

By default, if a user enters incorrect information when changing a password, CA SiteMinder® returns a generic failure message. This message does not specify the failure reason.

You can change the default behavior and explicitly tell users why the change failed.

Follow these steps:

1. Access the Policy Server host system and do one of the following:
   1. (Windows) Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer.
   2. (UNIX) Open the sm.registry file. The default location of this file is siteminder_home/registry.

      siteminder_home

      Specifies the Policy Server installation path.

2. Create DisallowForceLogin using the following settings:

   KeyType: REG_DWORD

   Value: 0 or 1

   0

   (default) CA SiteMinder® returns a generic failure message. This behavior is consistent with the default CA SiteMinder® behavior.

   1

   CA SiteMinder® Returns an explicit failure reason.

   Note: A value other than 1 or 0 is not supported.

3. Do one of the following:
   • (Windows) Exit the Registry Editor.
   • (UNIX) Save the registry file.
4. Restart the Policy Server.