No Redirect To Set OAM LPM Challenge-Response After Changing Password (Change On Reset) (Doc ID 1110434.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4.0.1 to 10.1.4.2 - Release: 10g to 10g
Information in this document applies to any platform.

Symptoms


When accessing an Oracle Access Manager (OAM) protected site, new users are not redirected to set Lost Password Management (LPM) Challenges/Responses after resetting their password.

The effective OAM password policy has Change On Reset enabled, so all new users are forced to reset their password on first login. After changing the password successfully, the new users should be redirected to set their Challenge questions and Response answers for LPM. Instead, the OAM-protected page is displayed after resetting the password; or, if OAM Automatic Cache Flush is not configured, the user is prompted to log in again after the password is changed and then the OAM-protected page is displayed.

 
Steps to reproduce

1. Configure an OAM password policy for Lost Password Management and Change On Reset.
2. Configure the OAM authentication scheme to implement password policy checking.
3. As Administrator, create a new user in User Manager and set an initial password.
4. Close all open browser sessions.
5. Access a Webgate-protected application page.
6. The OAM login page is displayed: enter the new user's credentials.
7. The user is redirected to the Identity system Change Password page and submits the initial password plus a new password (twice).
8. A page is displayed confirming successful password change. The user clicks the Back button in this page.
9. One of the following occurs:
   a. If Automatic Cache Flush is configured in OAM Identity System, the user is then redirected directly back to the originally requested resource and the application page is displayed.
   b. If Automatic Cache Flush is not configured in OAM Identity System, the user is then prompted to log in again using the new password, then the application page is displayed.

Expected behaviour: the user should be redirected to the OAM LPM Set Challenge/Response page at step 9, and only after setting LPM attributes should the application page be displayed.

The next time the user logs into the OAM-protected site they are prompted to set LPM Challenges/Responses. However, this should occur on first login, not second login.


Cause
