Unexpected behavior can occur when Authorization (AZ) mapping and AZRedirect are used in the same Policy Domain. The cause is that the authenticating user is checked during the authentication process, but the authorizing user is used during AZRedirect. The problem occurs when the two users are not the same.
APS checks the Force Password Change flag, Generational Redirects, and several other user settings both at authentication time and during AZRedirect. If the two users are not the same, APS will not be looking at the same set of flags.
In addition, the change password process needs to update the authenticating user rather than the authorizing user. Thus, you should never perform AZ mapping within the change password domain. This also means that the Immediate Password Change setting is reset only on the authenticating user.
Copyright © 2014 CA.
All rights reserved.