This section contains the following topics:
User Session and Account Management Prerequisites
The Policy Server provides user session and account management functionality, allowing you to flush the session cache, enable and disable users, and manage passwords for individual users.
To manage user sessions and accounts, the following prerequisites must be met:
Note: For more information about configuring administrator privileges, user directories, and password policies, see the Policy Server Configuration Guide.
SiteMinder begins a user session after a user logs in and is authenticated. SiteMinder stores user attributes in its user session cache. When you disable a user, the Agent flushes the session cache, removing user identification and session information.
When the user attempts to access additional resources in the current session, the Web Agent no longer has the user’s data in its cache. The Agent contacts the Policy Server and attempts to re-authenticate the user. The Policy Server determines that this user is disabled in the user directory and rejects the Agent’s request to authenticate, which ends the session.
To enable or disable a user account
The Manage User Accounts pane opens.
The Policy Server displays the Directory Users pane.
The Policy Server displays search results in the Users/Groups group box.
The Change user's state group box contains a button. This button is labeled Enable for a disabled user, or Disable for an enabled user.
The Policy Server disables or enables the selected user by changing a value in the user’s profile.
The Manage User Accounts pane in the Administrative UI enables you to force password changes for users, or change user passwords to new values.
Be sure that a password policy exists before you force users to change passwords. If no password policy exists, users will not be able to change their passwords, and therefore will not be able to access protected resources.
If you force a user to change passwords, and the user is accessing resources through an Agent that is not using an SSL connection, the user’s new password information will be received over the non-secure connection. To provide a secure change of passwords, set up a password policy that redirects the user over an SSL connection when changing passwords.
To manage user passwords
The Policy Server displays the user directory search dialog box associated with the type of directory you selected from the Directory drop-down list.
The Policy Server displays search results in the Users/Groups group box.
Note: The password that you specify is not constrained by any password policy but it is recorded in the user's password history.
Use the Web Agent’s auditing feature to track and log successful authorizations stored in the user session cache, allowing you to track user activity and measure how often applications on your Web site are used.
When you select this option, the Web Agent sends a message to the Policy Server each time a user is authorized from cache to access resources. You can then run log reports that shows user activity for each SiteMinder session.
If you do not enable auditing, the Web Agent will only audit authentications and first-time authorizations.
Note: For instructions on how to enable auditing, see the Web Agent Configuration Guide.
Web Agents automatically log user names and access information in native Web Server log files when users access resources. Included in the audit log is a unique transaction ID that the Web Agent generates automatically for each successful user authorization request. The Agent also adds this ID to the HTTP header when SiteMinder authorizes a user to access a resource. The transaction ID is then available to all applications on the Web server. The transaction ID is also recorded in the Web Server audit logs. Using this ID, you can compare the logs and follow the user activity for a given application.
To view the output of the auditing feature, you can run a SiteMinder report from the Administrative UI.
|
Copyright © 2013 CA.
All rights reserved.
|
|