

How Password Services Work

The following illustration depicts an example of how Password Services work in a SiteMinder environment configured to protect web resources. In the example, a user’s password has expired and must be changed.

When a user attempts to access a protected resource:

  1. The user attempts to access a Web page by sending a request to the Web Server.
  2. The SiteMinder Web Agent intercepts the request and checks with the Policy Server to see if the requested resource is protected.
  3. If the resource is protected, the Policy Server requests user credentials from the browser.
  4. The user sends credentials to the Policy Server.
  5. The Policy Server authenticates the user.

    Once the user is authenticated, the Policy Server checks to see if user information is stored in a directory or database associated with a password policy. If it is, the Policy Server makes sure that the user’s password is valid based on the password policy criteria.

  6. If the password has expired, the Policy Server sends a redirection URL pointing to the password services servlet to the Agent.

    The Agent redirects the browser to request the password services servlet using the redirect URL.

  7. The Password Services CGI or servlet selects the appropriate form (HTML or JSP) from its set of templates and displays that form in the browser.

    The form displays a message explaining why the user has been redirected. It prompts users to enter their old password and new password, then confirm the new password by re-entering it.

  8. Once the user has completed the form, the Password Services CGI or servlet passes the information received from the Agent and the encrypted information the user entered to the Forms Credential Collector (FCC).
  9. The FCC passes the information received from the Password Services CGI or servlet to the Policy Server.

    The Policy Server checks the new password against the password policy to ensure that it is valid, then changes the password.

  10. The Policy Server again sends a request to the Agent to redirect the browser to the Password Services CGI/servlet.
  11. The Password Services servlet displays a message informing the user that the password has been successfully changed.

    Once the user has read the message, she is redirected to the page she originally requested.
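As an added example (not SiteMinder's own code), the following Python models the Policy Server's decisions in steps 5, 6 and 9 above: authenticate the user, check the password against the policy's expiry, return a redirect to the password services servlet when it has expired, and validate a changed password before storing it. The servlet URL, the 90-day expiry and the minimum length are constructed assumptions, not SiteMinder settings.

```python
# Constructed model of the Policy Server's role in the Password Services flow.
# Not SiteMinder code: URL, policy rules and record layout are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PASSWORD_SERVICES_URL = "/siteminderagent/pwservlet"  # assumed redirect target

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    expires_at: float          # expiry set by the user store's password policy
    has_policy: bool = True    # user store is associated with a password policy

@dataclass
class PolicyServer:
    users: dict = field(default_factory=dict)
    max_age: float = 90 * 86400   # constructed policy: passwords expire after 90 days
    min_len: int = 8              # constructed policy: minimum length

    def add_user(self, name, pw, expires_at):
        salt = os.urandom(16)
        self.users[name] = UserRecord(salt, _hash(pw, salt), expires_at)

    def authenticate(self, name, pw):
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(u.pw_hash, _hash(pw, u.salt))

    def authorize(self, name, pw, requested_url, now):
        """Steps 5-6: authenticate, then apply the password policy's expiry check.
        Returns ('deny', None), ('allow', url) or ('redirect', servlet url)."""
        if not self.authenticate(name, pw):
            return ("deny", None)
        u = self.users[name]
        if u.has_policy and now >= u.expires_at:
            return ("redirect", f"{PASSWORD_SERVICES_URL}?target={requested_url}")
        return ("allow", requested_url)

    def change_password(self, name, old_pw, new_pw, now):
        """Step 9: verify the old password, check the new one against the policy,
        then store the new hash and reset the expiry."""
        if not self.authenticate(name, old_pw):
            return "old password incorrect"
        if len(new_pw) < self.min_len or new_pw == old_pw:
            return "new password violates policy"
        u = self.users[name]
        u.salt = os.urandom(16)
        u.pw_hash = _hash(new_pw, u.salt)
        u.expires_at = now + self.max_age
        return "changed"
```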