FIM 2010 R2 Password Registration Portal

The FIM 2010 R2 Password Registration Portal page is the starting point for users to begin enrolling in self-service password reset. It consists of two logical pages which are specific to the reset experience:

  • Home Page

  • Completion Page

Additionally, depending on the Authentication Workflow and type of Authentication Gates that are specified in that workflow, you may see pages for any of the following:

  • Password Gate

  • QA Gate

  • One-Time Password Email Gate

  • One-Time Password SMS Gate

By default, the Password Reset AuthN Workflow has a Password Gate and a QA Gate. It also has a Lockout Gate but this gate does not have a user interface that is part of the registration experience. For additional information on Gates see the SSPR Authentication Gates section of this document.

Home Page

The Password Registration home page welcomes the end user, confirms that they have navigated to the place where they intended to begin the registration process, and lets them initiate that process.

The only interactive element is the Next button. When clicked, the Next button initiates a request to the FIM Portal. That request is to register the user for any password registration workflows for which the user is eligible.

FIM 2010 R2 SSPR Registration Portal

If the user is not eligible for any password registration workflows, the user is redirected to the error page.

If the user is eligible for one workflow, the registration portal loads the user interface corresponding to the first interactive gate in that workflow. If the user is eligible for multiple password workflows, the GUIDs of all of those workflows are submitted. The execution of each workflow is handled by the Security Token Service (STS) on the FIM Service. The Registration Portal then handles the messages from the STS and presents the appropriate gate to the user.

Completion Page

The Password Registration completion page provides a user interface that informs the user that they’ve successfully completed the registration process.

There is one primary element of user interaction on the Success page: a Finish button. Clicking the Finish button redirects the user to a custom Session Ended page. By default this button is not visible; it appears only if a value is configured for FinishUrl in the registration/reset portal web.config file. If there is a value, the user is redirected to the custom page specified.

FIM 2010 R2 Password Registration Completion

FIM 2010 R2 Registration Portal Communication with the FIM Service

The Registration Portal communicates with the FIM Service using the FIM Service’s normal web services endpoint, via the WS-T protocol which is recognized by the FIM Service. The Registration Portal takes advantage of certain facilities which were added to the FIM Service to enable password registration from an internet user with a browser.

The Registration Portal makes requests to the FIM Service using the AD identity that was specified during the setup process for the registration portal. This identity is well-known to the FIM Service. The FIM Service recognizes requests that originate from this identity, evaluates the “real” requestor based on data in the message header described below, and rewrites the request so that it comes from the “real” (human) requestor before it enters the request pipeline. This behavior enables the FIM Registration Portal to communicate with the FIM Service even if the end user doesn’t have a Kerberos token.

When the FIM Registration Portal makes a request to the FIM Service, it includes a message header that identifies the actual Windows user being served by the Registration Portal. This enables the FIM Service to evaluate and apply policy to the request, and to update the request. It also lets an auditor see the request as originating from the user rather than from the identity of the registration portal.

<UserIdentifierProperty 
xmlns="https://schemas.microsoft.com/2006/11/ResourceManagement">
{USERS-REAL-SID-HERE}
</UserIdentifierProperty>

When the FIM Registration Portal is configured during Setup as being on a host which is accessible to extranet users, it includes an additional message header when it submits requests to the FIM Service:

<SecurityContextAssertionProperty 
xmlns="https://schemas.microsoft.com/2006/11/ResourceManagement">
Extranet
</SecurityContextAssertionProperty>

This property is stamped on requests and enables auditors to identify requests that originated from an extranet-facing portal.
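The following Python example, added here and not part of the FIM product or this document, shows both sides of the header mechanism described above: a helper that builds a request carrying the UserIdentifierProperty header (and, for an extranet-facing portal, the SecurityContextAssertionProperty header), and an audit routine that reads those headers back out of a captured request so a reviewer can see which real user a portal request was for and whether it came from the extranet. The two header names and the ResourceManagement namespace come from the text above; the surrounding SOAP 1.2 envelope, the placeholder body element and the sample SIDs are assumptions constructed for the example, since the page does not show the full wire format.

```python
"""Build and audit the FIM Service identity headers (added example, not FIM code).

Assumptions: SOAP 1.2 envelope wrapping and a placeholder body element are
constructed here; only the two header names and the ResourceManagement
namespace are taken from the page.
"""
import re
import xml.etree.ElementTree as ET

RM_NS = "https://schemas.microsoft.com/2006/11/ResourceManagement"  # namespace from the page
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"                  # assumption: SOAP 1.2
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")                           # shape of a Windows SID


def build_request(user_sid: str, extranet: bool, body_xml: str) -> str:
    """Return a SOAP envelope carrying the portal's identity headers.

    The portal authenticates as its own AD account; these headers are what
    tell the FIM Service which human the request is really for.
    """
    if not SID_RE.match(user_sid):
        raise ValueError(f"not a well-formed SID: {user_sid!r}")
    ET.register_namespace("s", SOAP_NS)
    ET.register_namespace("rm", RM_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    uid = ET.SubElement(header, f"{{{RM_NS}}}UserIdentifierProperty")
    uid.text = user_sid
    if extranet:
        # Only an extranet-facing portal stamps this header.
        ctx = ET.SubElement(header, f"{{{RM_NS}}}SecurityContextAssertionProperty")
        ctx.text = "Extranet"
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def audit_request(envelope_xml: str) -> dict:
    """Extract the real requestor and origin context from a captured request.

    Returns a dict with the requestor SID, the security context string,
    an extranet flag, and a list of problems an auditor should look at.
    """
    result = {"requestor_sid": None, "security_context": None,
              "extranet": False, "problems": []}
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        # A mismatched or misspelled tag (as in a hand-edited header) fails here.
        result["problems"].append("not well-formed XML")
        return result
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        result["problems"].append("no SOAP header")
        return result
    uid = header.find(f"{{{RM_NS}}}UserIdentifierProperty")
    if uid is None or not uid.text or not SID_RE.match(uid.text.strip()):
        result["problems"].append("missing or malformed UserIdentifierProperty")
    else:
        result["requestor_sid"] = uid.text.strip()
    ctx = header.find(f"{{{RM_NS}}}SecurityContextAssertionProperty")
    if ctx is not None and ctx.text:
        result["security_context"] = ctx.text.strip()
        result["extranet"] = result["security_context"] == "Extranet"
    return result


if __name__ == "__main__":
    # Constructed sample: an extranet portal registering a user with a made-up SID.
    sample = build_request("S-1-5-21-1-2-3-1001", True, "<Req xmlns='urn:example'/>")
    print(sample)
    print(audit_request(sample))
```

The audit routine deliberately treats a missing, misspelled or malformed UserIdentifierProperty as a finding rather than silently attributing the request to the portal's own service account, which is the attribution the header exists to prevent.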

FIM 2010 R2 SSPR Registration Portal Flow

The following flow chart shows the registration process.

FIM 2010 R2 SSPR Registration Portal Flow