At the end of the FPS process, after the user has been identified and perhaps verified, FPS must give the user the information desired. This may include a new password and sometimes includes the user ID.
All of the information that FPS needs to do this is defined in a section headed by a single line in the FPS configuration file containing the text:
[FPS-Confirm]
Everything appearing after this line and before the start of another section is considered part of the confirm section.
Prior to APS Version 4.0, this section was called [Confirm]. In Version 4, this was renamed to [FPS-Confirm]. The old name is still recognized and will be processed correctly, but a warning will be issued about the use of the deprecated name.
This section specifies the form(s) required to confirm information to the user, how the forms are to be used and how to handle various common error conditions.
Value: URL
Default: none
Recommended: yes, if required
Code Description: URL
Complexity Level: Basic
Under normal circumstances, this is the URL of a page to use to confirm the FPS process. Any data identified by the Initial setting (below) will be passed to this URL on its query string.
Some sites may consider this a security hole, so if this value is prefixed by an asterisk, FPS will display its own (internal) form for confirmation and will instead redirect the user to this URL upon completion. If this is the case, no query string will be used (since FPS can build the page dynamically).
If a password and user ID are to be recovered, only one should be displayed on this page (the other should be sent via mail), since both together open a larger security hole.
URL=/FPS/Confirm.jsp
URL=*/HomePage.jsp
Value: mail file(s)
Default: none
Recommended: yes, if required
Complexity Level: Advanced
At the completion of the FPS process, one or more files can be sent, via email, using this setting.
If the user will be redirected to the No Data URL above, the file(s) specified by this setting can also be sent via email.
If both a password and user ID are to be recovered, only one should be sent via mail (the other should be displayed on a page), since both together open a larger security hole.
There are several special macros available to this mail.
Macro Name | Purpose
Password | Clear text password that was randomly generated or that the user selected.
HalfPassword1 | The first half of the new password, in clear text. Useful for mailing half and displaying half.
HalfPassword2 | The second half of the new password, in clear text. Useful for mailing half and displaying half.
OneShotPassword | Only generated if the macro is requested, this is a random, 32-character password that can be used within 5 minutes (not configurable) of generation to log this user in ONCE. Useful to automatically log in the user. Requires the APS Authentication Scheme to be installed.
Mail=Confirm.email
Value: special (see text)
Default: none
Recommended: as needed
Complexity Level: Intermediate
The confirm page needs the information that it will display (usually the password and/or uid). This setting identifies the information that should be passed to the confirm page.
This setting is specified as name/value pairs, each pair separated by an equal sign ("="). Multiple pairs are separated by semicolons.
The name in each pair is the name that the page uses to identify the data element. It need not correspond to an HTML element. It is used in the query string to name the field.
The second part of the pair identifies the name of the attribute from which FPS is to read the data value. Multiple values are not supported. You cannot use userPassword, as this is a hashed field. Use password instead.
All of the macros defined in the table under the Mail keyword are available as additional attributes.
Initial=User=uid;PWD=password
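To illustrate how the URL and Initial settings above work together, here is an added example (not CA's code): it parses the Initial format, refuses the hashed userPassword attribute, and builds the query string only when the URL is not prefixed by an asterisk. The settings, the user record and the function names are constructed for this example.

```python
from urllib.parse import urlencode

# Constructed settings in the page's format (values made up for this example).
CONFIRM_EXTERNAL = {"URL": "/FPS/Confirm.jsp", "Initial": "User=uid;PWD=password"}
CONFIRM_INTERNAL = {"URL": "*/HomePage.jsp", "Initial": "User=uid;PWD=password"}
# Constructed user record. "userPassword" stands in for the hashed directory
# attribute the page says must not be used; "password" is the clear new value.
USER = {"uid": "jdoe", "password": "Kq7pZ2m", "userPassword": "{HASH}placeholder"}

def parse_initial(value):
    """'User=uid;PWD=password' -> [('User', 'uid'), ('PWD', 'password')]."""
    pairs = []
    for item in value.split(";"):
        if "=" not in item:
            continue                      # skip empty or malformed pairs
        name, attr = item.split("=", 1)   # first '=' separates page name from attribute
        if attr.strip() == "userPassword":
            raise ValueError("userPassword is hashed; use 'password' instead")
        pairs.append((name.strip(), attr.strip()))
    return pairs

def confirm_redirect(settings, user):
    """Return (url, query) as FPS would build them from URL and Initial.

    A leading '*' means FPS renders its own confirm form and later redirects
    the browser to the URL with no query string, so the password never
    appears in a URL (and therefore not in web-server logs or Referer headers)."""
    url = settings["URL"]
    if url.startswith("*"):
        return url[1:], {}
    query = {name: user[attr] for name, attr in parse_initial(settings["Initial"])}
    return url + "?" + urlencode(query), query
```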
Default: none
Recommended: yes
Complexity Level: Intermediate
When FPS sets the user's password, it can optionally set the force change password flag in the user's directory entry. FPS will only do this if this setting appears in the FPS configuration file.
Force Change
Value: -32
Default: 8
Complexity Level: Intermediate
At the completion of the process, FPS can reset the user's password. This setting controls the length of the new password. If specified out of the valid range, a length of 8 will be used.
If the user is allowed to change her own password (as described in the [FPS-Change] section), this setting has no effect.
New Password Length=10
Value: 0 or 60-3000 seconds
Default: none
Recommended: 90 seconds
Complexity Level: Intermediate
If non-zero, FPS will set the Must Login By date and time to the current time plus this value. If the user does not log in to your site within this period, the user will not be allowed to log in.
Timeout=90
Range: Character list
Default: none
Complexity Level: Advanced
The Allowed Characters keyword specifies a list of characters that are used in a generated password. Only characters listed with this keyword are used in generated passwords, subject to restriction by the Disallowed Characters and Force Case settings.
Each instance of this keyword can specify a list of characters. They may or may not be surrounded by double quotes. Since leading and trailing blanks in a setting value are ignored, these quotes may be necessary. If the value is surrounded by quotes, they will be removed from the list of allowed characters (though any contained quotes will be retained).
Multiple instances of this keyword may exist and may apply. APS will use the characters listed with every applicable instance of this setting.
If no Allowed Characters keyword is valid, then all characters will be used (subject to the Disallowed Characters setting below).
APS does not use characters that are both allowed and disallowed (they will be disallowed).
For example,
Allowed Characters=abcdefABCDEF01234
Range: Character list
Default: none
Recommended: none
Complexity Level: Advanced
The Disallowed Characters keyword specifies a list of characters that are not allowed in a generated password. Characters listed with this keyword are not used in generated passwords.
Each instance of this keyword can specify a list of characters. They may or may not be surrounded by double quotes. Since leading and trailing blanks in a setting value are ignored, these quotes may be necessary. If the value is surrounded by quotes, they will be removed from the list of disallowed characters (though any contained quotes will be retained).
Multiple instances of this keyword may exist and may apply. APS uses the characters listed with every applicable instance of this setting.
If no Disallowed Characters keyword is valid, then all characters are allowed (subject to the Allowed Characters setting above).
APS does not use characters that are both allowed and disallowed (they are disallowed).
Disallowed Characters=xyzXYZ56789
Range: upper, lower, or none (default)
Default: none
Recommended: none
Complexity Level: Advanced
Controls whether alphabetic characters in generated passwords must be upper or lower case.
Default is "none" (characters may be either upper or lower case).
If Force Case is set to "upper" then a non-zero value for the Minimum Lower Case keyword cannot be satisfied. If Force Case is set to "lower" then a non-zero value for the Minimum Upper Case keyword cannot be satisfied.
For example:
Force Case=none
Range: 0 to 32
Default: 4
Complexity Level: Intermediate
This setting determines the minimum length of the generated password. If specified out of the valid range, a length of 4 is used.
For example:
Minimum Length=8
Range: 0 to 32
Default: 32
Complexity Level: Intermediate
This setting determines the maximum length of the generated password. If specified out of the valid range, a length of 32 is used.
For example:
Maximum Length=10
Range: 0 to 32
Default: 0
Complexity Level: Intermediate
This setting determines the minimum number of upper case characters in a generated password.
Note: Any upper case character generated also contributes toward the required number of characters that are defined in the Minimum Letters and Minimum Alphanumeric keywords.
For example:
Minimum Upper Case=1
Range: 0 to 32
Default: 0
Complexity Level: Intermediate
This setting determines the minimum number of lower case characters in a generated password.
Note: Any lower case character generated also contributes toward the required number of characters that are defined in the Minimum Letters and Minimum Alphanumeric keywords.
For example:
Minimum Lower Case=4
Range: 0-32 characters
Default: 0
Complexity Level: Intermediate
This setting requires that the generated password contain a certain minimum number of alphabetic letters. Alphabetic characters are defined as the letters in the alphabet, regardless of case.
For example:
Minimum Letters=2
Range: 0-32 characters
Default: 0
Complexity Level: Intermediate
This setting requires that the generated password contain a minimum number of numeric digits ("0" to "9").
For example:
Minimum Digits=1
Range: 0-32 characters
Default: 0
Complexity Level: Intermediate
This setting specifies that a generated password contains a certain minimum number of alphanumeric characters ("A"-"Z" or "0"-"9").
Note: If this setting is used together with one of the Minimum Letters or Minimum Digits settings, characters can satisfy both requirements. For example, if Minimum Digits is 4 and this setting is 4, the password 1234 satisfies both requirements.
For example:
Minimum Alphanumeric=1
Range: 0-32 characters
Default: 0
Complexity Level: Intermediate
This setting specifies that a generated password contain a certain minimum number of punctuation marks. These can be periods, commas, exclamation marks, and so on.
Note: If this setting is used together with the Minimum Other setting, punctuation characters satisfy both requirements.
For example:
Minimum Punctuation=1
Range: 0-32 characters
Default: 0
Complexity Level: Intermediate
This setting specifies that a generated password contain a certain minimum number of symbol characters. Symbols are defined within APS as the following characters and all extended ASCII characters, including diacritical marks:
"~" (tilde), "@" (at), "#" (number), "$" (dollar), "%" (percent), "^" (circumflex), "&" (ampersand), "*" (asterisk), "(" (open parenthesis), ")" (close parenthesis), "_" (underscore), "-" (hyphen), "+" (plus), "=" (equals), "{" (open brace), "}" (close brace), "[" (open bracket), "]" (close bracket), "<" (less than), ">" (greater than), "/" (virgule), "\" (back slash), "|" (vertical bar)
Note: If this setting is used together with the Minimum Other setting, symbol characters satisfy both requirements.
For example:
Minimum Symbols=1
Range: 0-32 characters
Default: 0
Complexity Level: Intermediate
This setting specifies that a generated password contains a specified minimum number of non-alphanumeric characters. This includes punctuation marks and other symbols located on the keyboard.
For example:
Minimum Other=1
Range: 0-32 characters
Default: 0
Complexity Level: Basic
This setting specifies the maximum number of identical characters that can appear consecutively in a generated password. For example, if this setting is four, then aaaa should not appear anywhere in the password.
Note: This setting is advisory; the password generation algorithm makes every effort to satisfy this limitation but might not be able to, depending on the other settings. For example, if Maximum Repeat is set to 2, the password "A2bbc9j" would satisfy this guidance but "A2bbb9j" would not.
For example,
Maximum Repeat=3
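The generation settings from Allowed Characters through Maximum Repeat combine into one policy. The following added example (not CA's code; APS's actual generator is not published here) shows that policy as a checker plus a rejection-sampling generator driven by a CSPRNG, and it detects the Force Case contradiction described under that keyword. The settings dictionary and the symbol set are constructed from the keywords and table on this page; the values are made up, not a recommended policy.

```python
import secrets
import string

# Constructed [FPS-Confirm] generation settings using the page's keyword names.
SETTINGS = {"Allowed Characters": "", "Disallowed Characters": "xyzXYZ56789",  # "" = all allowed
            "Force Case": "none", "Minimum Length": 8, "Maximum Length": 10,
            "Minimum Upper Case": 1, "Minimum Lower Case": 4, "Minimum Digits": 1,
            "Minimum Symbols": 1, "Maximum Repeat": 3}
SYMBOLS = set('~@#$%^&*()_-+={}[]<>/\\|')   # the page's symbol table (ASCII part)

def alphabet(s):
    """Allowed minus Disallowed, then restricted by Force Case."""
    chars = set(s["Allowed Characters"] or string.ascii_letters + string.digits + string.punctuation)
    chars -= set(s["Disallowed Characters"])        # a character in both lists is disallowed
    if s["Force Case"] == "upper":
        chars = {c for c in chars if not c.islower()}
    elif s["Force Case"] == "lower":
        chars = {c for c in chars if not c.isupper()}
    return chars

def satisfies(pw, s):
    """True if pw meets every length, count, character-set and repeat rule in s."""
    if not s["Minimum Length"] <= len(pw) <= s["Maximum Length"] or set(pw) - alphabet(s):
        return False
    counts = {"Minimum Upper Case": sum(c.isupper() for c in pw),
              "Minimum Lower Case": sum(c.islower() for c in pw),
              "Minimum Digits": sum(c.isdigit() for c in pw),
              "Minimum Symbols": sum(c in SYMBOLS for c in pw)}
    if any(counts[k] < s[k] for k in counts):
        return False
    run = 1                          # Maximum Repeat: longest run of one repeated character
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        if run > s["Maximum Repeat"]:
            return False
    return True

def generate(s, attempts=10000):
    """Rejection-sample from a CSPRNG until a candidate satisfies the policy."""
    if (s["Force Case"] == "upper" and s["Minimum Lower Case"]) or \
       (s["Force Case"] == "lower" and s["Minimum Upper Case"]):
        raise ValueError("Force Case contradicts the Minimum Lower/Upper Case setting")
    pool = sorted(alphabet(s))
    for _ in range(attempts):
        n = s["Minimum Length"] + secrets.randbelow(s["Maximum Length"] - s["Minimum Length"] + 1)
        pw = "".join(secrets.choice(pool) for _ in range(n))
        if satisfies(pw, s):
            return pw
    raise ValueError("no password satisfied the settings after %d attempts" % attempts)
```

The checker applies the Maximum Repeat reading given in the note above ("bb" passes with a limit of 2, "bbb" does not).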
Copyright © 2014 CA.
All rights reserved.