(2012-11-11) Finding All Users Within FIM That Have (Not) Registered For SSPR
Posted by Jorge on 2012-11-11
As you may know already, both FIM 2010 and FIM 2010 R2 have a feature called “Self-Service Password Reset” (SSPR). With it, people that have registered for SSPR can reset their own password in AD by using the FIM SSPR portal. However, before being able to use SSPR you MUST have registered for it. Every user that is allowed to use it will be prompted to register for SSPR every time they log on to a domain-joined computer that also has the FIM Add-In Extensions installed locally. Unfortunately the user is not forced to register, as the user can click [Cancel] to skip registration. The only downside for the user is that he/she will keep being reminded to register for SSPR until he/she actually registers for SSPR.
So, as an IdM admin, how do YOU know which users have and have not registered for SSPR and of course how many? Within the FIM Portal this can be easily achieved through Search Scopes.
So, first things first….
By default FIM contains one authentication workflow that is used in SSPR. It is called “Password Reset AuthN Workflow”. Before using SSPR you must have configured the “Password Reset AuthN Workflow” or any other custom authentication workflow you want to use. An example can be found below of the configurations needed for FIM 2010 R2. For FIM 2010 not all configurations shown apply.
Figure 1a: Configuring The QA Gate Within The Password Reset AuthN Workflow
Figure 1b: Configuring The QA Gate Within The Password Reset AuthN Workflow
For questions to use within the QA gate have a look at the following blog post: (2010-09-24) Security Questions For The FIM QA Gate. Make sure the questions you use apply to your employees, their language or even their culture.
After configuring the authentication workflow, you need to configure a SET that groups all Password Reset Authentication Workflows. Well, there is only one Password Reset Authentication Workflow, so why is this needed? In a company that uses more than one Password Reset Authentication Workflow, it is recommended to group all of these through a SET. The reason for having more than one: if you are a multinational, you will most likely need a Password Reset Authentication Workflow for every language spoken within the company.
The grouping of multiple Password Reset Authentication Workflows can be achieved in multiple ways:
- Static membership by adding all specific Password Reset Authentication Workflows
- Criteria based membership by adding every specific resource ID of each Password Reset Authentication Workflow to the filter
- Criteria based membership by configuring the filter to be based on a specific part of the name
In this case I chose  as that gives me less management overhead. I only need to make sure that every Password Reset Authentication Workflow is named in a very specific way.
Figure 2: Creating A SET To Group All Password Reset AuthN Workflows
After creating the SET, make sure to copy the object ID of the SET somewhere as you will need it later on!
Now it is time to create the Search Scopes that will help determine the (number of) users who have or have not registered for SSPR.
Let’s start with the Search Scope that will determine the users that have registered for SSPR.
Figure 3a: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR
The objectGUID you see below is the objectID of the SET you wrote down earlier/above.
Figure 3b: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR
Figure 3c: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR
Figure 3d: Create A Search Scope That Will Determine The Users Who Have Registered For SSPR
Let’s now continue with the Search Scope that will determine the users that have NOT registered for SSPR.
Figure 4a: Create A Search Scope That Will Determine The Users Who Have NOT Registered For SSPR
Figure 4b: Create A Search Scope That Will Determine The Users Who Have NOT registered For SSPR
Figure 4c: Create A Search Scope That Will Determine The Users Who Have NOT Registered For SSPR
Figure 4d: Create A Search Scope That Will Determine The Users Who Have NOT Registered For SSPR
After having configured both Search Scopes, make sure to close Internet Explorer, or whatever other browser you are using, and perform an IIS Reset through the IISRESET command.
Open up the FIM Portal again after the IIS Reset and click on the users navigation bar. Click on the “Search Within..” drop down list and select the Search Scope that returns all users that have registered for SSPR.
Figure 5: List Of Users That Have Registered For SSPR
Figure 6: List Of Users That Have NOT Registered For SSPR
Interestingly enough, when you select the search scope it will not return all users right away. Instead you can see the number of users at the bottom of the Internet Explorer window. If you want you can search for specific users or use a wildcard in the name.
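If you would rather get the same numbers (and a list of the laggards) from a script than from the portal, the following is an added example, not code from the original post. It assumes the two Search Scopes use the XPath filters shown, that registration is recorded in the Person attribute AuthNWFRegistered, that the SET ObjectID is the placeholder below (paste the ID you copied earlier), and that the account running it is granted read access to AuthNWFRegistered by an MPR (otherwise every user looks unregistered).

```powershell
# Added example (not from the original post): count and list the users that
# have / have not registered for SSPR using the FIMAutomation snap-in.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$fimUri = 'http://localhost:5725/ResourceManagementService'
$setId  = '00000000-0000-0000-0000-000000000000'   # placeholder: ObjectID of the SET

# XPath filters assumed to match the two Search Scopes: AuthNWFRegistered is a
# reference to the AuthN workflow(s) the user registered for, so compare it with
# the computed members of the SET that groups all Password Reset AuthN Workflows.
$registeredFilter    = "/Person[AuthNWFRegistered = /Set[ObjectID='$setId']/ComputedMember]"
$notRegisteredFilter = "/Person[not(AuthNWFRegistered = /Set[ObjectID='$setId']/ComputedMember)]"

function Get-FimPersonByFilter {
    param([string]$Filter)
    # -OnlyBaseResources keeps the referenced SET/workflow objects out of the result.
    Export-FIMConfig -Uri $fimUri -CustomConfig $Filter -OnlyBaseResources |
        ForEach-Object {
            $attrs = $_.ResourceManagementObject.ResourceManagementAttributes
            $acct  = $attrs | Where-Object { $_.AttributeName -eq 'AccountName' }
            $name  = $attrs | Where-Object { $_.AttributeName -eq 'DisplayName' }
            New-Object PSObject -Property @{
                AccountName = $acct.Value
                DisplayName = $name.Value
            }
        }
}

# Force arrays so .Count is correct even for zero or one result.
$registered    = @(Get-FimPersonByFilter $registeredFilter)
$notRegistered = @(Get-FimPersonByFilter $notRegisteredFilter)

"Registered for SSPR:     {0}" -f $registered.Count
"NOT registered for SSPR: {0}" -f $notRegistered.Count

# Hand the not-registered list to the help desk so they can chase the users.
$notRegistered | Sort-Object AccountName |
    Export-Csv -Path .\SSPR-NotRegistered.csv -NoTypeInformation
```

Note that the NOT registered filter also catches Person objects that were never meant to use SSPR (service accounts, disabled users, the built-in administrator); narrow it to the same population your SSPR MPR targets if you want a true "should have registered but did not" number.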
Would it be possible to create a navigation bar link instead? YES, that is possible, but be aware of the following. The major downside of that is that it returns all the results immediately. That will impact performance negatively and more specifically when you have lots of users within the FIM Portal.
However, if you still want to go the navigation bar way make sure to read the following blog posts:
- (2010-05-20) Creating Navigation Bar Links For A Subset Of Objects in FIM 2010 (Part 1)
- (2010-05-20) Creating Navigation Bar Links For A Subset Of Objects In FIM 2010 (Part 2)
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/