7022172: User with expired password on NAM IDP not redirected back to forwardURL after changing password on SSPR 4.2

Access Manager 4.4 (also tested on 4.3.2) and SSPR 4.2 (and 4.2.0.1) are integrated so that a user who authenticates at the NAM IDP with a password that has expired in the user store is automatically redirected to the SSPR password servlet. The redirection works, but after the password change SSPR does not redirect the user back to the NAM IDP URL given in the forwardURL parameter.

Looking at the specifics of the setup:

The servletURL configured on the NAM contract is: https://service-dev.netiq.com/sspr/private/ChangePassword?passwordExpired=true&forwardURL=<RETURN_URL>

The Fiddler trace shows the user logging into the IDP and being redirected to SSPR because the password has expired. The browser POSTs the form data, including the 'forwardURL' and 'passwordExpired' values, to SSPR. The password update itself succeeds, but once the user has submitted the new password SSPR does not redirect back to the forwardURL as it should. If the user instead sends the forwardURL and passwordExpired parameters as query-string parameters, as in the URL below, the redirect to forwardURL after the password update works:

https://service-dev.netiq.com/sspr/private/ChangePassword?passwordExpired=true&forwardURL=https://login-dev.netiq.com/nidp/app

Looking at the SSPR logs, the incoming request uses the POST method, as expected:

2017-10-13T17:09:33Z, TRACE, http.PwmRequest, {92} POST request for: /sspr/private/ChangePassword requestID=506 [10.38.234.65]

passwordExpired=*hidden*

forwardURL='https://login-dev.netiq.com/nidp/app'

but the SSPR logs then show that both parameters are dropped during redirect validation:

2017-10-13T17:09:33Z, DEBUG, filter.SessionFilter, dropping non-query string (body?) parameter 'passwordExpired' during redirect validation)

2017-10-13T17:09:33Z, DEBUG, filter.SessionFilter, dropping non-query string (body?) parameter 'forwardURL' during redirect validation)

This explains why SSPR does not redirect to the forwardURL after the password change: SessionFilter only honours redirect parameters that arrive in the query string, so the forwardURL that NAM submits in the POST body is discarded before the ChangePassword servlet gets to use it. It also matches the manual test, where the same values passed as query-string parameters are kept and the redirect works.
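The behaviour visible in the two DEBUG lines, modelled in Python as an added example (this is not SSPR code and does not reproduce SSPR's actual validation rules): the same forwardURL is processed once as a POST body parameter, as NAM's browser sends it, and once as a query-string parameter, as in the manual test. The request and body strings are constructed; the allow-list of forward hosts and the validate_forward_url rule are assumptions that illustrate what a redirect validation step guards against, namely an open redirect from the password servlet to an arbitrary host.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts SSPR is allowed to forward to after the password change. This list
# and the rule in validate_forward_url are assumptions for the illustration,
# not SSPR's own redirect validation logic.
ALLOWED_FORWARD_HOSTS = {"login-dev.netiq.com"}

# Parameters considered during redirect validation, in the order the
# SSPR log above reports them.
REDIRECT_PARAMS = ("passwordExpired", "forwardURL")


def parse_request(request_line, body):
    """Split 'METHOD /path?query' plus a urlencoded body into
    (method, query_params, body_params); repeated names keep the first value."""
    method, _, target = request_line.partition(" ")
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return method, query, form


def redirect_parameters(query, form, log):
    """Model of what the SSPR DEBUG lines show: only query-string parameters
    survive redirect validation; a parameter that arrived solely in the
    request body is dropped and a log entry is written."""
    kept = {}
    for name in REDIRECT_PARAMS:
        if name in query:
            kept[name] = query[name]
        elif name in form:
            log.append(f"dropping non-query string (body?) parameter "
                       f"'{name}' during redirect validation")
    return kept


def validate_forward_url(url):
    """Accept only absolute https URLs whose host is on the allow-list, so a
    forwardURL such as https://evil.example/ or
    https://login-dev.netiq.com@evil.example/ cannot turn the password
    servlet into an open redirect. (Assumed rule, see above.)"""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_FORWARD_HOSTS


def resolve_forward_url(request_line, body, log):
    """Return the URL the user would be sent to after the password change,
    or None when no forwardURL survives validation. Messages go to log."""
    _, query, form = parse_request(request_line, body)
    url = redirect_parameters(query, form, log).get("forwardURL")
    if url is None:
        return None
    if not validate_forward_url(url):
        log.append(f"rejecting forwardURL '{url}': host not on allow-list")
        return None
    return url


# Constructed requests modelled on the two cases in the trace above: the
# browser POST from NAM carries the values in the body, the manual test
# carries them in the query string.
NAM_POST = ("POST /sspr/private/ChangePassword",
            "passwordExpired=true&forwardURL=https://login-dev.netiq.com/nidp/app")
MANUAL_GET = ("GET /sspr/private/ChangePassword?passwordExpired=true"
              "&forwardURL=https://login-dev.netiq.com/nidp/app", "")

if __name__ == "__main__":
    for label, (line, body) in (("NAM POST", NAM_POST), ("manual GET", MANUAL_GET)):
        log = []
        print(f"{label}: redirect -> {resolve_forward_url(line, body, log)}")
        for entry in log:
            print("  ", entry)
```

Running the block prints no redirect target for the NAM POST, with the same two "dropping non-query string (body?) parameter" entries the SSPR log shows, and the login-dev.netiq.com URL for the manual GET. The allow-list check is the part worth keeping in mind when changing how forwardURL is delivered: moving the value into the query string makes it reach the redirect logic, but the destination still has to be validated before SSPR sends the browser there.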
