My client wants to set up forgotten password for a consumer-facing
application. They already use iChain to secure their servers. I have set
up a test of this on my laptop but I am having some difficulty getting
this to behave as I might expect.

In iChain, I set the password servlet to
http://userapp.idm.cis.vm.lab/IDM/po...swordChangeJsf which is accelerated through iChain as a restricted resource. This seems to work OK. However I also want the user to have to enter their challenge questions. I added a rule which would count the number of values in the SAS:Secrets and place it into an attribute, which in this particular customer for now is good enough to tell if the user has entered their challenge question answers (they don't use any other login methods). I then forward this value in the header through iChain's OLAC facility. So far so good. I created a test ASP page to see how this might be done which is reading that attribute and redirecting the user to the challenge response page in the User App. This works too. The problem is that it does not seem to store the data in the user object reliably, and I get strange responses once I submit the request.

My URL I am redirecting the user to is:
http://userapp.idm.cis.vm.lab/IDM/po...ngeResponseJsf. Is there another form for the URL that would potentially work better for use within another application?

<%@ Page Language="vb" %>
<%@ Import Namespace="System.Collections.Specialized" %>
<html>
<head>
<title>Showing HTTP Headers via the Headers Collection in ASP.NET</title>
</head>
<body>
<b>Headers follow:</b><br>

<%
' Raw ALL_HTTP server variable (one HTTP_NAME:value entry per header),
' kept only for debugging; uncomment the Response.Write to show it.
Dim AllHttp As String
AllHttp = Request.ServerVariables("ALL_HTTP")
AllHttp = Replace(AllHttp, "HTTP", "<br>HTTP")
' Response.Write(AllHttp & "<br>")

Dim Counter1, Counter2 As Integer
Dim Keys(), subKeys() As String
Dim HeaderColl As NameValueCollection

HeaderColl = Request.Headers
Keys = HeaderColl.AllKeys
%>
<table>
<%
' Dump every request header with all of its values, one table row per header.
' Header values come from the request, so they are HTML-encoded before output.
For Counter1 = 0 To Keys.GetUpperBound(0)
    subKeys = HeaderColl.GetValues(Counter1) ' All values under this key.
    %><tr><td><%
    Response.Write(Server.HtmlEncode(Keys(Counter1)))
    %></td><td><%
    For Counter2 = 0 To subKeys.GetUpperBound(0)
        Response.Write(Server.HtmlEncode(subKeys(Counter2)) & "<br>")
    Next Counter2
    %></td></tr><%
Next Counter1
%>
</table>
<%
' Act on the headers iChain injects through OLAC. X-CHALLENGE-COUNT holds the
' number of SAS:Secrets values on the user object (empty or 0 means no
' challenge answers stored yet); X-AUTHENTICATION holds the logged-in user.
' These values are only trustworthy when this server can be reached solely
' through the iChain accelerator that sets them.
For Counter1 = 0 To Keys.GetUpperBound(0)
    subKeys = HeaderColl.GetValues(Counter1)
    ' Header names are case-insensitive, so compare them upper-cased.
    Select Case UCase(Keys(Counter1))
        Case "X-CHALLENGE-COUNT"
            Select Case subKeys(0)
                Case "", "0"
                    ' Nothing in SAS:Secrets: send the user to set their challenge answers.
                    Response.Redirect("http://userapp.idm.cis.vm.lab/IDM/portal/cn/DefaultContainerPage/ChallengeResponseJsf")
                Case Else
                    Response.Write("User has already set their challenge questions.<br>")
                    Response.Write("Click <a href=""http://userapp.idm.cis.vm.lab/IDM/portal/cn/DefaultContainerPage/PasswordChangeJsf"">here</a> to change password.<br>")
                    Response.Write("Click <a href=""http://userapp.idm.cis.vm.lab/IDM/portal/cn/DefaultContainerPage/ChallengeResponseJsf"">here</a> to set challenge questions.<br>")
                    Response.Write("Click <a href=""http://userapp.idm.cis.vm.lab/IDM/portal/cn/DefaultContainerPage/HintChangeJsf"">here</a> to set password hint.<br>")
            End Select
        Case "X-AUTHENTICATION"
            ' Use & for string concatenation; + on strings relies on late binding.
            Response.Write("Logged in as " & Server.HtmlEncode(subKeys(0)) & "<br>")
    End Select
Next Counter1
%>

</body>
</html>


Rob Rawson
Director: Identity Management Consulting Practice
Computer Integrated Services Company of New York
561 7th Avenue
13th Floor
New York, NY 10018
(212) 577-6033
(818) 377-6033 (FAX)
(914) 325-3674 (Mobile)
DirectorIDM4CIS (AIM)
Robert.Rawson (Skype)
rrawson@ciscony.com
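The gate the post describes (iChain forwards the SAS:Secrets count and the user name as headers; the page sends users with no challenge answers to the ChallengeResponseJsf portlet) modelled as a stand-alone Python example. This is added here and is not code from the post or from iChain/IDM. It assumes the ALL_HTTP layout the ASP page above relies on (one `HTTP_NAME:value` entry per line) and that the origin server is reachable only through the accelerator; `TRUSTED_PROXIES`, the sample address, the sample user and the function names are constructed for this example. It goes slightly beyond the post's page by failing closed on a non-numeric count and by refusing identity headers on requests that did not arrive via the accelerator.

```python
"""Model of the challenge-question gate described in the post.

Added example, not code from the post or from iChain/IDM. Assumes iChain
(via OLAC) injects X-CHALLENGE-COUNT (number of SAS:Secrets values on the
user) and X-AUTHENTICATION, and that IIS is reachable only through the
accelerator. TRUSTED_PROXIES and the sample values are constructed.
"""
from typing import Dict, Tuple

# Constructed placeholder: the accelerator address(es) IIS sees as the
# remote peer. Identity headers are only meaningful on requests from here.
TRUSTED_PROXIES = {"10.0.0.5"}

USERAPP = "http://userapp.idm.cis.vm.lab/IDM/portal/cn/DefaultContainerPage/"
CHALLENGE_URL = USERAPP + "ChallengeResponseJsf"
PASSWORD_URL = USERAPP + "PasswordChangeJsf"


def parse_all_http(all_http: str) -> Dict[str, str]:
    """Parse the IIS ALL_HTTP server variable into {HEADER-NAME: value}.

    Assumed layout (as in the post's ASP page): one "HTTP_NAME:value" entry
    per line. IIS upper-cases names and turns '-' into '_', so the reverse
    mapping is applied here; a header that really contained '_' would be
    ambiguous, which is why Request.Headers is preferable in real code.
    """
    headers: Dict[str, str] = {}
    for line in all_http.splitlines():
        if not line.startswith("HTTP_") or ":" not in line:
            continue
        raw_name, value = line.split(":", 1)
        name = raw_name[len("HTTP_"):].replace("_", "-").upper()
        headers[name] = value.strip()
    return headers


def challenge_count(headers: Dict[str, str]) -> int:
    """Number of stored challenge answers, failing closed to 0.

    The post's page treats "" and "0" as unset and anything else as set;
    here a non-numeric or negative value also counts as unset, so a
    malformed header cannot skip the challenge-question step.
    """
    value = headers.get("X-CHALLENGE-COUNT", "").strip()
    try:
        return max(int(value), 0)
    except ValueError:
        return 0


def decide(headers: Dict[str, str], remote_addr: str) -> Tuple[str, str]:
    """Decide what the password page should do for one request.

    Returns ("deny", reason), ("redirect", url) or ("menu", user).
    """
    if remote_addr not in TRUSTED_PROXIES:
        # A client that reaches IIS directly can set any header it likes,
        # so the forwarded identity must not be honoured.
        return ("deny", "identity headers accepted only from the accelerator")
    user = headers.get("X-AUTHENTICATION", "").strip()
    if not user:
        return ("deny", "no authenticated user forwarded")
    if challenge_count(headers) == 0:
        # Nothing in SAS:Secrets yet: user must set challenge answers first.
        return ("redirect", CHALLENGE_URL)
    return ("menu", user)


if __name__ == "__main__":
    # Constructed sample of what ALL_HTTP might contain behind iChain.
    sample = ("HTTP_HOST:userapp.idm.cis.vm.lab\n"
              "HTTP_X_AUTHENTICATION:jdoe\n"
              "HTTP_X_CHALLENGE_COUNT:3\n")
    print(decide(parse_all_http(sample), "10.0.0.5"))     # ('menu', 'jdoe')
    print(decide(parse_all_http(sample), "203.0.113.9"))  # ('deny', ...)
```

The proxy check is the part the ASP page lacks: a header-based identity scheme is only as strong as the guarantee that nothing but the accelerator can reach the origin, and checking the peer address is the minimum local enforcement of that guarantee (network ACLs or mutual TLS between iChain and IIS are the stronger forms).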