Alex,
Thanks for input. I have it working now but I had to remove
forwardURL=<RETURN_URL> from the command servlet url as SSPR reported a
5075 error and the SSPR log showed similar to below, so maybe that
doesn't work with CommandServlet?
2016-02-05T09:53:40Z, ERROR, filter.SessionFilter, {4r} 5075
ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in path
at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
2016-02-05T09:53:40Z, ERROR, http.PwmRequest, {4r} 5075
ERROR_REDIRECT_ILLEGAL (unable to parse url: Illegal character in path
at index 0: <RETURN_URL>) [xx.xxx.xxx.xx]
If I set the Login Redirect URL setting to just:
https://some.company.biz.biz/sspr/pr...on=checkExpire then it will work
and if the user is in the warning period they'll be shown the warning screen
with a Skip option and Skip takes them to where they were going; if the
password is expired or just about to, they get the Expired password page
where they're required to set the new password. If they have plenty of
time left they are redirected to where they were going. So that's all
good.

However, we have 3 different domain urls https://some.company.biz,
https://some.other.biz and https://some.third.biz (the apps behind these
urls are located in the same place, it's just we brand the pages
differently). We've created separate reverse proxies for the 3 company
urls. As SSPR is protected by NAM and the application URL in the config
needs to be a FQDN url whereas before it could be a relative path, how
do I achieve the following:
application URL=https://some.company.biz but user works for one of the
other companies in the group and so accesses https://some.other.biz
I can configure the contract for https://some.other.biz to have a Login
Return
URL=https://some.company.biz.biz/sspr/private/CommandServlet?processAction=checkExpire
but that will mean he will need to login again as SSPR will not be using
the contract for https://some.other.biz
I tried configuring a proxy service and protected resource for SSPR on
the https://some.other.biz reverse proxy and provide Login Return
URL=https://some.other.biz/sspr/private/CommandServlet?processAction=checkExpire but
that just leads to a 5075 error as below
2016-02-05T07:48:29Z, ERROR, filter.SessionFilter, {4n} 5075
ERROR_REDIRECT_ILLEGAL (https://some.other.biz is not a match for any
configured redirect whitelist, see setting: Settings ⇨ Security ⇨ Web
Security ⇨ Redirect Whitelist) [xx.xxx.xxx.xx]
So do I need to add a whitelist entry or have I done something wrong?
Thanks
Mark


--
ratclma
------------------------------------------------------------------------
ratclma's Profile: https://forums.netiq.com/member.php?userid=7886
View this thread: https://forums.netiq.com/showthread.php?t=55315