So we have a UP policy that gives the user 2 grace logins (due to auth
issues with NAM and IDM UserApp).
But since we're using SSPR3 (or trying to) now, I figured this would go
away, but it seems to be worse.

User logs into NAM with expired password (grace login gets decremented
from 2 to 1).
NAM SSO's to the SSPR interface (grace login gets decremented from 1 to

I set SSPR to not require the password when expired.
So user enters NEW password.

The issue:

We require unique passwords, and it seems SSPR doesn't detect that the
password was previously used until after you submit (okay, maybe fine?).
But then, you've consumed all your grace logins and SSPR won't let you
back to the change password screen to enter a new/different password, so
you have to call the helpdesk to have them re-up your grace logins or
reset the password again.

Is there a way to configure SSPR (or is this an eDir/NMAS setting) so
that you can be allowed to enter a different password instead of the
"one shot" approach?
