FIM 2010 R2 - Web-Based Password Reset, Part 2

Web-based password reset is not just about writing a web client in ASP.NET. I have mentioned that a few times when talking to different people. Anyone can do that by writing their own WCF client, and if reverse engineering the FIM WebService protocol is too hard, there is the open source client supported by the community. In fact, BlueVault has done exactly that. It definitely would not be too hard for us to do. However, when we think through the scenarios in depth, we realize most customers want web-based SSPR so that people not connected to the corporate network can also reset their password. That implies exposing not only the portal but, indirectly, also FIMService to the extranet. This makes us rethink our security model.

In this blog post and the next few, I am going to talk about a few improvements related to the security aspects of web-based SSPR.

Scenario

In FIM 2010, password reset from the intranet requires the user to authenticate using the QA gate. In R2, when IT pros expose web-based SSPR to the extranet, they might want additional authentication for added security (e.g. an RSA token) while keeping intranet reset as easy as before.

What is Security Context?

We tackle this scenario by introducing something called the security context, which can be found in the extended attributes of the request.

namespace Microsoft.ResourceManagement.WebServices.WSResourceManagement
{
    // Carried in the request's extended attributes to record where the request came from.
    public enum SecurityContext
    {
        Extranet,       // request came through an SSPR portal that serves the extranet
        NoneSpecified   // no security context asserted for this request
    }
}

A request tagged with Extranet means it comes from the SSPR portal that is serving requests coming from the extranet.

How does Security Context Work?

If you look at the new workflow designer UI, you will notice that some of the gate-configuration pages have an extra section for SecurityContext. The description is self-explanatory: if set to Extranet, the activity/gate will only be run if the request comes from the extranet.

How do I Configure SecurityContext Tagged in Requests from SSPR Portals?

In setup, there is the option to specify that.

That translates to <add key="SecurityContextAssertion" value="[Extranet|NoneSpecified]" /> in "C:\Program Files\Microsoft Forefront Identity Manager\2010\Password [Registration|Reset] Portal\Web.config".
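As an added illustration of the two pieces described above (the gate's SecurityContext setting and the portal's SecurityContextAssertion in Web.config), here is a small Python check that is not part of FIM or of this post. It reads the SecurityContextAssertion value from a Web.config, models the gate rule from the previous section (an Extranet gate runs only for Extranet-tagged requests; the example assumes a gate left at NoneSpecified runs for every request, which the post does not spell out), and flags the misconfiguration a reviewer would look for: an internet-facing portal that does not assert Extranet, so the extranet-only gates are silently skipped. The sample Web.config text and the internet_facing flag are constructed for the example.

```python
import xml.etree.ElementTree as ET
from enum import Enum
from typing import List


class SecurityContext(Enum):
    """Mirrors the FIM R2 SecurityContext enum shown in the post."""
    Extranet = "Extranet"
    NoneSpecified = "NoneSpecified"


# Constructed sample Web.config fragments (not copied from a real install).
EXTRANET_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SecurityContextAssertion" value="Extranet" />
  </appSettings>
</configuration>
"""

INTRANET_WEB_CONFIG = EXTRANET_WEB_CONFIG.replace('"Extranet"', '"NoneSpecified"')


def read_security_context_assertion(web_config_xml: str) -> SecurityContext:
    """Extract SecurityContextAssertion from Web.config and validate it against the enum."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./appSettings/add[@key='SecurityContextAssertion']")
    if node is None:
        raise ValueError("SecurityContextAssertion is not set in appSettings")
    value = node.get("value", "")
    try:
        return SecurityContext(value)
    except ValueError:
        raise ValueError(f"SecurityContextAssertion has unknown value {value!r}")


def gate_applies(gate_context: SecurityContext, request_context: SecurityContext) -> bool:
    """Gate rule from the post: an Extranet gate runs only for Extranet-tagged requests.
    Assumption (not stated in the post): a NoneSpecified gate runs for every request."""
    if gate_context is SecurityContext.Extranet:
        return request_context is SecurityContext.Extranet
    return True


def audit_portal(web_config_xml: str, internet_facing: bool) -> List[str]:
    """Return findings for a portal deployment; an empty list means the assertion
    matches where the portal is actually exposed. internet_facing is a hypothetical
    deployment attribute supplied by the reviewer, not read from the config."""
    try:
        asserted = read_security_context_assertion(web_config_xml)
    except ValueError as exc:
        return [f"config error: {exc}"]

    findings = []
    if internet_facing and asserted is not SecurityContext.Extranet:
        # Extranet-only gates (e.g. an OTP gate) would never run for these requests.
        findings.append(
            "internet-facing portal does not assert Extranet; "
            "gates configured for Extranet will be skipped"
        )
    if not internet_facing and asserted is SecurityContext.Extranet:
        # The post's goal is to keep intranet reset as easy as before.
        findings.append(
            "intranet portal asserts Extranet; intranet users will be forced "
            "through extranet-only gates"
        )
    return findings


if __name__ == "__main__":
    for name, cfg, exposed in [
        ("extranet portal", EXTRANET_WEB_CONFIG, True),
        ("intranet portal", INTRANET_WEB_CONFIG, False),
        ("misconfigured portal", INTRANET_WEB_CONFIG, True),
    ]:
        print(name, audit_portal(cfg, exposed) or "OK")
```

Run it against the Web.config of each portal you deploy; the only place the check cannot help is deciding whether a portal really is reachable from outside, which is why internet_facing is an input rather than something inferred from the file.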

Comments

  • Anonymous
    January 01, 2003
    Nice! :-)

  • Anonymous
    January 01, 2003
    Basically this means we will know that the request is coming from the Extranet by checking the Request and then have the option to add an additional authentication gate of some kind if we like to? Will there be more authentication gates delivered with FIM? //Henrik Nilsson

  • Anonymous
    January 01, 2003
    Yes, the new registration and reset portals in R2 are designed to allow people to use the portal from any coffee shop

  • Anonymous
    January 01, 2003
    Yes and Yes. FIM R2 ships with additional OTP gates which I will talk about in coming posts

  • Anonymous
    November 29, 2011
    Really nice! can't wait to see your blog post!

  • Anonymous
    March 29, 2012
    Hi! Can I use FIM Password Registration Portal over internet? For example, if I have users without a joined domain pc or FIM client installed, are users able to do the registration over internet (out of corp network) and then change the password??

  • Anonymous
    October 25, 2014
    I installed FIM portal but I received this
    An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
    do you have any idea?