Where are FIM SSPR Questions / Answers Stored?

  • Question

  • Hi

    Where are the FIM SSPR QA Gate questions / answers stored for a user?

    In FIMService DB? If so which table?

    Couldn't find it in the AD account of the user...

    Cheers

    Thursday, November 7, 2013 2:57 AM

Answers

  • It's neither documented nor supported to go looking directly to the database.  That said, the GateRegistration data are stored in FIMService.ObjectValueBinary.  Also FWIW, the SSPR portal host hashes the answers before submitting them to the FIM web service.

    Steve Kradel, Zetetic LLC

    • Marked as answer by FIM N00b Thursday, November 7, 2013 9:11 PM
    Thursday, November 7, 2013 9:09 PM

All replies

  • Answers are hashed in the database.

    Hash algorithm for SSPR answers

    Thursday, November 7, 2013 7:05 AM
  • More specifically, if memory serves they are SHA256-hashed, then salted with the user's internal FIM GUID and hashed with SHA256 a second time.

    Steve Kradel, Zetetic LLC

    Thursday, November 7, 2013 7:23 PM
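    The following is an added illustration, not code from this thread or from FIM, of the two-step scheme Steve recalls (SHA-256 of the answer, then SHA-256 over that digest salted with the user's FIM GUID). The normalization rule, UTF-8 encoding and "digest followed by raw GUID bytes" order are assumptions; the point is that a verifier must reproduce every one of them exactly, and that the same answer stored for two users yields different values.

```python
import hashlib
import hmac
import uuid

# Constructed GUIDs standing in for two users' internal FIM object IDs.
USER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
USER_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")


def normalize(answer: str) -> str:
    """Assumed pre-hash normalization: collapse whitespace, fold case."""
    return " ".join(answer.split()).casefold()


def hash_answer(answer: str, user_guid: uuid.UUID, encoding: str = "utf-8") -> bytes:
    """Two-step hash as described in the thread (details assumed).

    Step 1: SHA-256 over the normalized answer text.
    Step 2: SHA-256 over (step-1 digest || 16 raw GUID bytes) as the salt.
    """
    first = hashlib.sha256(normalize(answer).encode(encoding)).digest()
    return hashlib.sha256(first + user_guid.bytes).digest()


def verify_answer(candidate: str, user_guid: uuid.UUID, stored: bytes) -> bool:
    """Constant-time comparison of a fresh hash against the stored value."""
    return hmac.compare_digest(hash_answer(candidate, user_guid), stored)


def demo() -> dict:
    stored_a = hash_answer("Fluffy", USER_A)
    return {
        # Normalization makes these register as the same answer.
        "normalized_match": verify_answer("  fluffy ", USER_A, stored_a),
        # The per-user GUID salt: same answer, different user, different value.
        "same_answer_other_user": hash_answer("Fluffy", USER_B) == stored_a,
        # A front end that picked a different text encoding (e.g. UTF-16LE,
        # the .NET default for strings) would write values FIM cannot verify.
        "utf16_matches": hash_answer("Fluffy", USER_A, "utf-16-le") == stored_a,
        "wrong_answer": verify_answer("Rex", USER_A, stored_a),
    }
```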
  • Thanks guys

    Just out of curiosity, do we know which table in which database they are stored?

    Regards

    Thursday, November 7, 2013 8:54 PM
  • Just out of curiosity: what is the reason for this question? Security concerns or some business case? I'm asking because just recently I was asked something similar and the driver was a business case (someone else validates a user's identity based on the answers provided for SSPR).

    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Thursday, November 7, 2013 11:54 PM
  • We are just trying to get around the limitations of SSPR. In our scenario we need to move users from one workflow to another in a seamless fashion. As SSPR does not have a "Set" Password feature, we will programmatically (still looking into how) register a new user to the SSPR reset portal, so that they can use their username generated by FIM and their existing email address to "set" (for workflow purposes, reset) their password. As soon as they are done doing that, we want them to "register" for the QA and SMS gates (provide mobile number and answers) so that in future, when they go to the "reset" password page, they will have to authenticate via the QA / SMS gates. We can't see a simple yet seamless way of doing this without sending the user multiple emails to do these things.

    Our idea was that if we could create a custom front-end page asking them for QA and mobile number and feed it directly to the FIM database, we wouldn't need to flip them to the "register" page after "set/reset", and thus it would be easy. But I guess it cannot be done, as explained above, since hashing is done at multiple locations.

    Friday, November 8, 2013 12:07 AM
  • Actually, right now you can register a user in SSPR programmatically; PowerShell might be a convenient way. Take a look at this link: http://technet.microsoft.com/en-us/library/jj134294(v=ws.10).aspx

    If I understand the scenario you are trying to achieve, it is:

    1. You want the user to go through a simple workflow to "set" their password, where they will go through a pre-registered simple workflow (account name, e-mail). The user will provide this well-known and simple data and will be able to reset their password (like an initial set of a password).

    2. Once this is done, you want to move the user to a bit more complex workflow where the user will have to register with their own Q&A and mobile number.

    For 2:

    - Moving the user to this workflow is actually easy: at the end of the Action W-Flow for your use case with set password (1), put a simple activity which will change a flag on the user or another user value, which will allow you to calculate that the user is in the set of users who went through (1). Then for users who have not done this you will have a set, and you will assign them the workflow to execute process (1); once it is done the attribute will be set to move them to the other workflow (2).

    - Actually forcing them to register for the second workflow is tricky, as you can't force them to register in SSPR. Even if you do this in a custom app, not through the FIM SSPR register page, they can always close it without doing this. For one of my customers I've done it differently: basically, if they do not register in SSPR they are in a kind of "quarantine" and FIM will not put them in any security groups :). So if they want to gain some access to resources, they need to register in SSPR. One possible solution, not saying that it fits all environments.

    Hope this helps a bit.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Friday, November 8, 2013 11:06 PM