Wednesday 30 September 2015

FIM2010: Localize Self Service Password Reset

Intro

If you ever had the pleasure of installing one or multiple language packs in FIM, you know that not everything is covered. The question and answer gate is a good example and is very visible to the end user. This blog post discusses how you can localize such a configuration and shows how it is possible to automate this task using powershell.

SSPR

Self service password reset consists of the following configuration blocks:
  • A workflow: Password Reset AuthN Workflow
  • A management policy rule: Anonymous users can reset their password
  • A set: Password Reset Users Set
The workflow defines which actions are necessary before a user is allowed to reset her password. This can be an otp email, sms or a question and answer gate. The management policy rule links the users that are allowed to reset their password to the correct authentication workflow. The set is linked to the MPR as the target resource field, because the requestor of a password reset authentication workflow is always an anonymous user.

Localize

The language packs that come with FIM do not include localized configuration objects. So, we have to configure these ourselves. Once you know how the mechanism works, it is pretty simple. You duplicate the three configuration items that are required to have a working SSPR configuration for each language you want to support and make sure you define the correct population in the MPR target set. Then you disable the default MPR to avoid confusion. A sample configuration could look like this:
 sspr_mpr sspr_mpr2

You make sure that the authentication workflow uses the language corresponding to the target population. It is also recommended to configure one of the languages as default for the user accounts that do not have a proper language configured. This can be configured as follows:


sspr_set

As last step, you need to add these new objects to the Password Reset Objects Set. Otherwise SSPR will not work.

Powershell

Of course it is a lot of work to localize SSPR if you have more than two languages. That is why we wrote a powershell function to do this for us. It is also very handy to update an existing configuration. So if you want to add or change a secret question, powershell is a lot easier and faster than doing this job manually. Sample code can be found at github. The module Is4uFimSspr.psm1 provides following functions:
  • Enable-Sspr
  • Disable-Sspr
  • Install-LocalizedSspr
The first two enable and disable builtin MPR's for SSPR. The last one localizes the default question and answer gate based on information provided in an XML configuration file: sspr.xml. The function assumes that the default configuration of Password Reset AuthN Workflow is untouched. It copies the XOML field and does a string replace of the questions, constraints and error messages with the values from the configuration file.

Resources