SSPR options questions

  • Question

  • Hi,

    When deploying MIM SSPR, can we:

    1. Provide one set of users with the OTP option, and another set of users with the Question & Answer option on the same MIM SSPR Portal (Registration and Reset Portal)? Or do we need multiple Registration and Reset Portals deployed linked to different Sets?

    2. Can we offer a user both options at Registration (Question&Answer or OTP) and they can pick which one they want to register for?

    3. Say a user is registered for BOTH 'Question&Answer' and 'OTP', do they have to get both correct in order to reset their password, or is there a way for them to only get one of them correct?

    Thank you,

    SK

    Friday, September 30, 2016 3:35 AM

Answers

  • 1. Yes

    2. No at least to the "At registration" part, unless you do some sort of hackery or write your own registration portal. You could allow users to decide this somewhere else like on their profile in the portal (not ideal for the majority of users).

    3. No, only the one they're viewing (you should configure your sets so a user is only going to be displayed one or the other)

    Example configuration:

    • Create two AuthN workflows based on the default, one for OTP and one for QA. 
    • Create an attribute, "ChosenSSPRGate" with possible values of "OTP" or "QA" - you could set this using a function evaluator, allow users to set it themselves via the portal or sync it from somewhere.
    • Create two sets, one for "QA" users, one for "OTP" users, criteria based membership based on the ChosenSSPRGate value
    • Create two MPRs based on the default "Anonymous users can reset their password" MPR but linking the appropriate sets and workflows together

    When an OTP user accesses the gates they'll be shown OTP registration/reset and QA will be shown QA reg/reset.

    It is possible a user can register for both (so they were OTP and registered then it changed to QA and they registered again) but only the current set membership will be shown - the old registrations are retained unless a process to clear them is configured (perhaps do this on set transition).

    If an OTP user is somehow a member of both sets, it'll default to one but I'm not sure how it decides which one (ordered by GUID perhaps? dunno)

    It's a nice idea to automate the decision making around which gate a user should fall under. For example I implemented SSPR where users with a corporate mobile number were pre-registered (PowerShell) and presented the OTP gate (due to set criteria of 'mobile number exists') and users without a mobile were presented the QA gate to register at.

    The gates displayed are based entirely on the Set they fall under which links them via the MPR to the AuthN gate config.

    • Marked as answer by Shim Kwan Monday, October 3, 2016 8:03 PM
    Monday, October 3, 2016 12:02 PM
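
An audit of the set design described in the answer above, as an added example that is not part of the original thread or any poster's code. It uses the FIMAutomation snap-in that ships with the FIM/MIM Service and assumes the service address shown, that `ChosenSSPRGate` is bound to Person, and that the two filters match your own set criteria. It lists users who match both gate sets (where the answer says the outcome is unclear) and users who match neither.

```powershell
# Added example. Assumptions: service URI, ChosenSSPRGate bound to Person,
# and the two filters below mirroring the criteria of your OTP and QA sets.
Add-PSSnapin FIMAutomation -ErrorAction Stop

$Uri       = 'http://localhost:5725'                 # assumption: MIM Service address
$OtpFilter = "/Person[ChosenSSPRGate = 'OTP']"       # replace with your OTP set filter
$QaFilter  = "/Person[ChosenSSPRGate = 'QA']"        # replace with your QA set filter
$AllFilter = '/Person'

function Get-PersonByFilter {
    param([Parameter(Mandatory)][string]$XPath)
    # -OnlyBaseResources returns the matched objects without referenced resources
    $exported = Export-FIMConfig -Uri $Uri -CustomConfig $XPath -OnlyBaseResources
    foreach ($e in $exported) {
        $attrs = $e.ResourceManagementObject.ResourceManagementAttributes
        [pscustomobject]@{
            ObjectID    = $e.ResourceManagementObject.ObjectIdentifier
            AccountName = ($attrs | Where-Object AttributeName -eq 'AccountName').Value
            Gate        = ($attrs | Where-Object AttributeName -eq 'ChosenSSPRGate').Value
        }
    }
}

$otp = @(Get-PersonByFilter -XPath $OtpFilter)
$qa  = @(Get-PersonByFilter -XPath $QaFilter)
$all = @(Get-PersonByFilter -XPath $AllFilter)

$otpIds = @($otp | ForEach-Object ObjectID)
$qaIds  = @($qa  | ForEach-Object ObjectID)

# Users matching both sets: which gate they get is not defined by the design.
$both    = @($otp | Where-Object { $qaIds -contains $_.ObjectID })
# Users matching neither set: no SSPR gate MPR applies to them.
$neither = @($all | Where-Object {
    ($otpIds -notcontains $_.ObjectID) -and ($qaIds -notcontains $_.ObjectID)
})

"OTP set: {0}  QA set: {1}  Both: {2}  Neither: {3}" -f `
    $otp.Count, $qa.Count, $both.Count, $neither.Count
$both    | Select-Object AccountName, Gate | Format-Table -AutoSize
$neither | Select-Object AccountName, Gate | Format-Table -AutoSize
```

Run it from a host with the FIMAutomation snap-in installed, under an account allowed to read Person objects.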

All replies

  •  1. Provide one set of users with the OTP option, and another set of users with the Question & Answer option on the same MIM SSPR Portal (Registration and Reset Portal)? Or do we need multiple Registration and Reset Portals deployed linked to different Sets?

    YES YOU CAN.  You need to create separate sets, WFs, and MPRs

    2. Can we offer a user the both options at Registration (Question&Answer or OTP) and they can pick which one they want to register for?

    YES.  You need to create a custom attribute that allows people to pick their own option, which then puts them on one of the sets mentioned above

    3. Say a user is registered for BOTH 'Question&Answer' and 'OTP', do they have to get both correct in order to reset their password, or is there a way for them to only get one of them correct?

    This is not possible.  You can register twice


    Nosh Mernacaj, Identity Management Specialist

    Saturday, October 1, 2016 4:25 PM
  • Thank you. Happy with answer 1 & 3.

    With regards to answer 2 - in addition to creating a custom attribute, would I need to customise or create another SSPR page so the user can select which of the 2 registration options they will use?


    • Edited by Shim Kwan Monday, October 3, 2016 2:09 AM
    Monday, October 3, 2016 2:08 AM
  • No you do not. Page loads data from a database based on policies you created. One page only

    Nosh Mernacaj, Identity Management Specialist

    Monday, October 3, 2016 2:20 AM
  • Hmm... still don't see how an end-user could then be presented with an option...

    Let's say I am a first time SSPR registration user, I type in the URL, and get presented with a choice: click here if u want OTP, or click here if u want Q&A... surely this needs another web page before we hit the actual SSPR Registration URL?

    Monday, October 3, 2016 2:46 AM
  • Ok, to get this done on the SSPR Registration page, you will need to modify the ASPX Pages, which can redirect them to the Main FIM Portal where they make the choice.  My idea was to ask them to make the choice before registering.  But no other web page is needed. 


    Nosh Mernacaj, Identity Management Specialist

    Monday, October 3, 2016 1:05 PM
  • thank you Nosh and FIM-EN - crystal clear now.
    Monday, October 3, 2016 8:03 PM