Here comes the spammer once again (me).

I have the following case:

A customer uses SAML 2 federation with a remote IDP to gain access to a
password reset web application. This works perfectly.

What the customer wants:

When a successful password reset has happened, the web application, or
AM, should redirect to a different URL. I do this with an AM form fill
policy that searches for a string on the page, for example: "The
password has successfully been changed". This works great. The user is
redirected. But now the user is authenticated against the SAML IDP,
which enables the user to revisit the password reset URL without
providing credentials. This is not safe. What I would like is that when
the successful password reset has happened, the user is logged out of
the SAML2 IDP and then redirected to the new page. I can redirect to the
AG logout page, but then I am unable to redirect to the new page. Is it
possible, maybe through code (Java), to do a logout against the AM and
then have the FF policy redirect at the same time?

Also, as an added thing, is it possible through AM to do a sort of
wait? When the FF policy runs, it sees the "The password has
successfully been changed", then waits 5 seconds and redirects? I would
like the user to see the "The password has successfully been changed"
message before the redirect. I know I can recode the web application to
wait, then write for example a hidden attribute which the FF policy
looks for, but it would be cool if it could all be handled by AM. As I
see it, the Form Login Failure does not have any other actions than

Thanks in advance,


jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=54269