

User Session and Account Management

This section contains the following topics:

User Session and Account Management Prerequisites

Enable and Disable Users

Manage User Passwords

Auditing User Authorizations

User Session and Account Management Prerequisites

The Policy Server provides user session and account management functionality, allowing you to flush the session cache, enable and disable users, and manage passwords for individual users.

To manage user sessions and accounts, the following prerequisites must be met:

Note: For more information about configuring administrator privileges, user directories, and password policies, see the Policy Server Configuration Guide.

Enable and Disable Users

SiteMinder begins a user session after a user logs in and is authenticated. SiteMinder stores user attributes in its user session cache. When you disable a user, the Agent flushes the session cache, removing user identification and session information.

When the user attempts to access additional resources in the current session, the Web Agent no longer has the user’s data in its cache. The Agent contacts the Policy Server and attempts to re-authenticate the user. The Policy Server determines that this user is disabled in the user directory and rejects the Agent’s request to authenticate, which ends the session.

To enable or disable a user account

  1. Log into the Administrative UI.
  2. Click Administration, Users, Manage User Accounts.

    The Manage User Accounts pane opens.

  3. Select the user directory connection for the directory that contains the user you want to enable or disable.
  4. Click the Search icon.

    The Policy Server displays the Directory Users pane.

  5. Enter search criteria in the Users/Groups group box and click GO to execute a search for the user you want to enable or disable. The search criteria are determined by the type of user directory you selected. You can enter the search criteria as either an attribute and a value, or as an expression. You can click Reset to clear the search criteria.

    The Policy Server displays search results in the Users/Groups group box.

  6. Select a single user from the list of results.

    The Change user's state group box contains a button. This button is labeled Enable for a disabled user, or Disable for an enabled user.

  7. Click Enable/Disable.

    The Policy Server disables or enables the selected user by changing a value in the user’s profile.

Manage User Passwords

The Manage User Accounts pane in the Administrative UI enables you to force password changes for users, or change user passwords to new values.

Be sure that a password policy exists before you force users to change passwords. If no password policy exists, users will not be able to change their passwords, and therefore will not be able to access protected resources.

If you force a user to change passwords, and the user is accessing resources through an Agent that is not using an SSL connection, the user’s new password is sent in cleartext over the non-secure connection. To provide a secure change of passwords, set up a password policy that redirects the user to an SSL connection when changing passwords.

To manage user passwords

  1. Log into the Administrative UI.
  2. Click Administration, Users, Manage User Accounts.
    The Manage User Accounts pane opens.
  3. Select the user directory connection for the directory that contains the user for whom you want to manage passwords.
  4. Click the Search icon.

    The Policy Server displays the user directory search dialog box associated with the type of directory you selected from the Directory drop-down list.

  5. Enter search criteria in the Users/Groups group box and click GO to execute a search for the user whose password you want to manage. The search criteria are determined by the type of user directory you selected. You can either enter an attribute and a value, or enter an expression. You can click Reset to clear the search criteria.

    The Policy Server displays search results in the Users/Groups group box.

  6. Select a single user from the list of results.
  7. To force the selected user to change passwords on their next login, click Force Password Change in the Reset User's Password group box.
  8. To change a user’s password to a new value, enter a new password in the Change user's password group box. Re-enter the password to confirm.

    Note: The password that you specify is not checked against any password policy, so choose a value that meets the policy rules (length, composition, dictionary) yourself; it is recorded in the user's password history, so the user cannot reuse it later if the policy forbids reuse.

Auditing User Authorizations

Use the Web Agent’s auditing feature to track and log successful authorizations that are served from the user session cache, allowing you to follow user activity and measure how often applications on your Web site are used.

When you select this option, the Web Agent sends a message to the Policy Server each time a user is authorized from cache to access a resource. You can then run log reports that show user activity for each SiteMinder session.

If you do not enable this option, the Web Agent audits only authentications and first-time authorizations; subsequent authorizations served from the cache leave no audit record.

Note: For instructions on how to enable auditing, see the Web Agent Configuration Guide.

Web Agents automatically log user names and access information in native Web Server log files when users access resources. Included in the audit log is a unique transaction ID that the Web Agent generates for each successful user authorization request. The Agent also adds this ID to the HTTP header when SiteMinder authorizes a user to access a resource, so the transaction ID is available to all applications on the Web server, and it is recorded in the Web Server logs as well. Using this ID, you can join the Policy Server audit log with the Web Server log and follow the user activity for a given application request by request.

To view the output of the auditing feature, you can run a SiteMinder report from the Administrative UI.
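The following script is an added example, not SiteMinder code and not from this guide; it shows how the per-request transaction ID described above lets you join the Policy Server audit log with the Web Server access log offline. The log formats are assumptions: the web server is assumed to write the value of the Agent's transaction ID header (assumed here to be named SM_TRANSACTIONID) as the last quoted field of each access line via a custom LogFormat, and the audit export is assumed to be pipe-delimited as timestamp|event|user|resource|txid. All sample log lines are constructed for the example.

```python
"""Join SiteMinder audit records to web server access lines by transaction ID.

Added example; not SiteMinder product code. Assumptions:
  - access log: Common Log Format plus a trailing quoted field holding the
    SM_TRANSACTIONID request header ("-" when no SiteMinder authorization
    occurred, e.g. an unprotected resource).
  - audit export: timestamp|event|user|resource|txid, one record per line.
"""
import re

# Constructed sample data, not real logs.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /app/orders HTTP/1.1" 200 512 "txn-0001"
10.0.0.5 - - [12/Mar/2024:10:15:04 +0000] "GET /app/orders/42 HTTP/1.1" 200 2048 "txn-0002"
10.0.0.9 - - [12/Mar/2024:10:15:07 +0000] "GET /public/index.html HTTP/1.1" 200 100 "-"
"""

AUDIT_LOG = """\
2024-03-12T10:15:01Z|AuthAccept|jdoe|/app/orders|txn-0001
2024-03-12T10:15:04Z|AzAccept|jdoe|/app/orders/42|txn-0002
2024-03-12T10:15:09Z|AzAccept|asmith|/app/reports|txn-0003
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<txid>[^"]*)"$'
)


def parse_access(text):
    """Map transaction ID -> access line fields; skip lines with no ID."""
    rows = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these
        d = m.groupdict()
        if d["txid"] in ("", "-"):
            continue  # request was never authorized by SiteMinder
        rows[d["txid"]] = d
    return rows


def parse_audit(text):
    """Map transaction ID -> audit record fields."""
    rows = {}
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, event, user, resource, txid = parts
        rows[txid] = {"ts": ts, "event": event, "user": user, "resource": resource}
    return rows


def correlate(access_text, audit_text):
    """One joined record per audit entry.

    matched=False means the Policy Server authorized the request but no web
    server line carries that ID: the request hit another server, or the
    access log is incomplete. Both are worth investigating.
    """
    access = parse_access(access_text)
    audit = parse_audit(audit_text)
    joined = []
    for txid, a in audit.items():
        w = access.get(txid)
        joined.append({
            "txid": txid,
            "user": a["user"],
            "event": a["event"],
            "resource": a["resource"],
            "matched": w is not None,
            "ip": w["ip"] if w else None,
            "status": w["status"] if w else None,
        })
    return joined


def activity_by_user(joined):
    """Count authorized requests per user, the input to a usage report."""
    counts = {}
    for r in joined:
        counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    records = correlate(ACCESS_LOG, AUDIT_LOG)
    for r in records:
        flag = "" if r["matched"] else "  <-- no access-log line"
        print(f'{r["txid"]} {r["user"]:8} {r["event"]:10} {r["resource"]}{flag}')
    print(activity_by_user(records))
```

Run with no arguments to process the embedded samples; replace ACCESS_LOG and AUDIT_LOG with file contents for real data. The join is keyed only on the transaction ID, which is what makes the Agent-generated ID useful: it survives across the Policy Server audit log, the HTTP header and the web server log without depending on clock alignment between hosts.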