SECURING


Caching Internet password changes for SSO

When Web users change their Internet passwords, the HCL Domino® HTTP server remembers the new Internet password in its cache. Caching is required because it can take some time for the password change to take effect, as the change must be processed by the Domino administration server and replicated throughout the Domino environment.

Caching of the user's new password allows the HTTP server to immediately recognize the user's new Internet password and accept it for login, even though the password change information may not be finished replicating in the Domino environment.

Password changes are cached when the HTTP server is configured for SSO. This means that users can log in to an SSO environment, change their Internet password, log out, and log in again using the new Internet password while the change is still replicating throughout the system.

Caching location and duration

The user's cached new Internet password is only stored on the HTTP server where the password change was requested. Other servers in the SSO environment do not have access to this cached information; therefore if the user is prompted for a password by any of these other servers, the user may have to supply the old password rather than the new one. On servers that do not have the cached information, the user must provide the password that matches password information found by that server in the directory.

Note that for SSO users, initial log in provides access to the entire SSO environment. Therefore, users will have no problem if all log in activity can be done consistently at the server that cached the new password. The user can attempt to access a URL on the target server and be prompted for a password by that server, rather than opting to supply a password to a server that does not have the cached new password.

By default, the cached new Internet password is honored by the HTTP server for 48 hours. The length of time that the information is cached can be configured using the server NOTES.INI parameter HTTP_PWD_CHANGE_CACHE_HOURS. Once the information times out from the cache, the user can only login using the password that can be verified against the password information found by the server in the Domino Directory.

Note: If the HTTP server is restarted, the cached password information will be discarded. Again, the user must provide the password that matches password information found by the server in the Domino Directory.

Password caching and SSO login name

Use of the new password relies on the HTTP server finding the user in its cache. In order for the cached new Internet password to work, the user must login with the same spelling of the user name that the user logged in as before. For example, if the user logged in previously as "John Doe" when changing the password, the user can't login later with the new password and a valid other name such as "jdoe". The user must login with the new password using "John Doe" as before.

Best practices for SSO password caching

You should instruct your users to follow these steps for best results:

1. Log in to a Domino HTTP server that supports SSO password caching.

2. Submit the Internet password change request by invoking the ChangePassword URL on the server. For example:


Note: HCL iNotes® users can also use the Change Password button.

It may take some time for the password change to take effect on all the servers in the SSO environment. During this time, whenever users login, they should always log in first to the server where they requested the password change, using the same user login name as before and providing the new password.

If for some reason, a user's new password is not accepted on the server to which the password change was requested, the user should try again using the new password and their user name in distinguished name format (for example, John Doe/MyCompany).

Troubleshooting Internet password caching for SSO

The following list describes some common problems with setting up and using Internet password caching in an SSO environment.


Parent topic: Multi-server session-based authentication (single sign-on)

Related concepts
Managing Internet passwords