Scenario: FIM self-service password reset
• Users can reset their own passwords
• Starts from a domain-joined PC or any browser
• Challenges the user (questions, SMS, email)
• User chooses a new password
• Reduces helpdesk costs
• Improves compliance outcomes
• Increases user productivity and satisfaction

Key asks from TechEd 2011 for FIM SSPR
• Allow reset in more scenarios: broader browser support, mobile device support
• Meet stricter security requirements: enhanced Q&A authentication gate, SMS authentication gate, email authentication gate
• Improved end user and administrator experiences: Portal customization, programmatic registration, streamlined deployment

FIM 2010 R2 Password Reset components: example topology
• End user browser and mobile phone, reaching the FIM Password Reset Portal through a reverse proxy
• FIM Password Reset Portal and FIM Password Registration Portal, backed by the FIM Service
• FIM Admin, FIM Sync Service, AD
• Windows FIM Password Reset Extensions (optional)
• Email provider (optional), SMS provider (optional), other directories (optional)

Installation of FIM Password Portals
• Choose to install Password Portals
• Specify whether the host is extranet accessible
• Specify the AD user account for the Portal
• Password Portals are visible in IIS Manager after installation

Post-installation configuration
• Configure SSL
• Ensure appropriate Kerberos configuration:
  http://setspn.blogspot.com/search/label/Kerberos
  http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx
  http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
  http://support.microsoft.com/kb/929650
• Proxy configuration (if Internet-facing)

Localization
• Password Reset & Registration Portals, FIM Password Reset Extensions: 33 languages
  Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian
• FIM Portal and Service: 19 languages
  Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Italian, Japanese, Korean, Norwegian (Bokmal), Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, Turkish

Parameters
• -Container: the organizational unit from which users will be synchronized from Active Directory to Forefront Identity Manager 2010 R2
• -DatabaseName: the Forefront Identity Manager 2010 R2 Service database name
• -DatabaseServer: the Forefront Identity Manager 2010 R2 Service database server
• -ForefrontIdentityManagerServiceBaseAddress: the Forefront Identity Manager 2010 R2 Service base URI
• -RunInitialLoad: indicates whether the initial synchronization from Active Directory to Forefront Identity Manager 2010 R2 is run automatically

Optionally configure a workflow so that one or more gates apply only to requests from the extranet.

Authentication gates
• QA Gate
  Reach: all users
  Secured by: user knowledge
  Considerations: usability of questions with sufficient security
• OTP SMS Gate
  Reach: users with SMS-capable mobile phones
  Secured by: access to the mobile phone
  Considerations: requires a contract with, and integration against, an SMS service provider
• OTP Email Gate
  Reach: users with email accounts (not on the same Exchange server)
  Secured by: access to email
  Considerations: compliance with organizational account security policies

QA Gate settings
• Number of questions: in the gate, shown to the user, required for registration, required for reset
• Allowed answers
• Text describing the allowed answers to users

OTP gate user experience and how to achieve it
• User enters mobile phone number and/or email address
  Configure the gate to be "Read-Write" (default)
• User sees mobile phone number and/or email address, and can edit this data inline with the registration user experience
  Configure the gate to be "Read-Write"; set the value of users' OTPMobilePhone and/or OTPEmailAddress (e.g., via workflow or a custom client)
• User sees mobile phone number and/or email address, but cannot edit it inline
  Configure the gate to be "Read Only"; set the value of users' OTPMobilePhone and/or OTPEmailAddress (e.g., via sync)

One-Time Password Email Gate settings
• Whether the email address is editable by the user during registration
• Length of the one-time password
• Email template for sending the one-time password

One-Time Password SMS Gate settings
• Whether the mobile phone number is editable by the user
• Length of the one-time password
• SMS text message that contains the security code

One-Time Password SMS Gate: delivery path
Windows Server hosting the FIM Service -> FIM OTP SMS Gate -> SMS Provider DLL -> SMS Provider -> user's cellular service provider -> user's cellphone

Building the SMS provider
• Choose an SMS provider and establish a service relationship
• Get documentation for the protocol/API implemented by the SMS service provider
• Write an SMS Provider that targets this protocol/API
• Compile this code into a DLL with a specific filename
• Deploy this DLL to the FIM Service host machine, into a specific location

One-Time Password SMS Gate: API
    public void SendSms(
        string mobileNumber,
        string message,
        Guid requestId,
        Dictionary<string, object> deliveryAttributes
    )
http://technet.microsoft.com/en-us/library/hh824692(v=ws.10).aspx

Programmatic registration cmdlets
• Purpose: gets the template for an authentication workflow
  Required parameters: AuthenticationWorkflowName
• Purpose: registers one user for one authentication workflow
  Required parameters: UserName, AuthenticationWorkflowName
• Purpose: unregisters one user from one authentication workflow
  Required parameters: UserName, AuthenticationWorkflowName
• Purpose: returns true if the specified user is registered for the specified workflow, otherwise returns false
  Required parameters: UserName, AuthenticationWorkflowName

Scenario: migrate to FIM Password Reset without requiring registered users to re-register
• Goal: register existing users for FIM Password Reset without user interaction
• Approach: read users' password registration data from the existing solution, and use this data to register users for FIM Password Reset with the Register-AuthenticationWorkflow cmdlet

Scenario: organization has an existing business process that collects all data needed for password reset
• Goal: register existing and new users for FIM Password Reset without user interaction
• Approach: for new users, script the retrieval of new/updated data and invoke the Register-AuthenticationWorkflow cmdlet

Scenario: organization wants users to periodically re-register for FIM Password Reset
• Goal: cause users to be prompted for re-registration on a defined schedule
• Approach: implement a process to identify users who are targeted for re-registration, and schedule a periodic run of a script to deregister the targeted users

SSPR Portal customization
Admin can define overrides to the password reset portal UI:
• Theme: font, color, layout
• Banner graphics
• User interface text
http://technet.microsoft.com/en-us/library/jj134297(v=ws.10)

Example resource override file:
    <?xml version="1.0" encoding="utf-8"?>
    <root>
      <resheader name="resmimetype">
        <value>text/microsoft-resx</value>
      </resheader>
      <resheader name="version">
        <value>2.0</value>
      </resheader>
      <resheader name="reader">
        <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <resheader name="writer">
        <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
      </resheader>
      <!-- Customizations begin here -->
      <data name="StringName" xml:space="preserve">
        <value>Customized String Value</value>
      </data>
    </root>
http://technet.microsoft.com/en-us/library/jj134312(v=ws.10)

Summary of options in FIM 2010 R2
• User interface: Windows client logon; web portals (cross-browser, mobile devices)
• Authentication: QA gate with a configurable number of allowed answers; challenge sent via SMS or email
• Configuration: create MPRs, Sets and workflows in the FIM Portal; configuration migration; Quickstart
• Registration: user self-registration at the Portal; programmatic registration cmdlets
• Reporting: FIM Portal for recent requests; FIM Reporting (DW) for historical changes

Takeaways: FIM self-service password reset
• Reduces helpdesk costs
• Improves compliance outcomes
• Increases user productivity and satisfaction

Resources
http://europe.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
http://europe.msteched.com/sessions
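As an added illustration (not code from the session or from FIM itself) of what a provider DLL implementing the SendSms signature above has to get right before the one-time password leaves the FIM Service host: the namespace, class name, interface, the provider's HTTP API, the credential location and the E.164 number policy are all assumptions, and the DLL filename and deployment path the session leaves unspecified are not filled in here.

```csharp
// Added example: minimal FIM OTP SMS provider with the SendSms signature shown
// on the slide. Namespace, class name, provider HTTP API, credential location
// and number policy are ASSUMED; the FIM contract itself is in the TechNet
// article linked above. Replace <PROVIDER-URL> with the provider's endpoint.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Text.RegularExpressions;

namespace ExampleSmsProvider
{
    public class SmsServiceProvider
    {
        // Accept only a plain E.164 number: '+' then 8 to 15 ASCII digits (assumed policy).
        private static readonly Regex E164 = new Regex(@"^\+[1-9][0-9]{7,14}$");
        private const string ProviderUrl = "https://<PROVIDER-URL>/send"; // placeholder

        public void SendSms(string mobileNumber, string message, Guid requestId,
                            Dictionary<string, object> deliveryAttributes)
        {
            if (string.IsNullOrWhiteSpace(message))
                throw new ArgumentException("Empty message", "message");
            // Reject anything that is not a phone number so that directory attribute
            // data cannot become extra provider parameters or reach another subscriber.
            if (mobileNumber == null || !E164.IsMatch(mobileNumber.Trim()))
                throw new ArgumentException("Mobile number is not in E.164 form", "mobileNumber");

            string body = "to=" + Uri.EscapeDataString(mobileNumber.Trim())
                        + "&text=" + Uri.EscapeDataString(message)
                        + "&ref=" + requestId.ToString("N");

            using (var client = new WebClient())
            {
                client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
                // Credential is read from configuration, never hard-coded (assumed location).
                client.Headers[HttpRequestHeader.Authorization] = "Bearer " + ReadApiKey();
                client.UploadString(ProviderUrl, "POST", body);
            }
            // Audit by request id only: the message body carries the one-time
            // password and must never be written to logs.
            Trace.TraceInformation("OTP SMS accepted by provider for request {0}", requestId);
        }

        private static string ReadApiKey()
        {
            string key = Environment.GetEnvironmentVariable("SMS_PROVIDER_API_KEY"); // assumed
            if (string.IsNullOrEmpty(key))
                throw new InvalidOperationException("SMS provider API key is not configured");
            return key;
        }
    }
}
```

Throwing from SendSms on a malformed number or missing credential fails the reset request closed rather than silently sending nothing, which is the behaviour a defender wants from an authentication gate.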