IBM Tivoli Access Manager for Enterprise Single Sign-On: Desktop Password Reset Adapter (TAM E-SSO: Desktop Password Reset Adapter) enables workstation users to reset their own Windows domain passwords without the intervention of administrative or help-desk personnel. It provides end users with an alternative means of authenticating themselves by taking a quiz comprising a series of passphrase questions.
Each question is weighted with point-values. As the end user answers the quiz questions, TAM E-SSO: Desktop Password Reset Adapter keeps a running score. Points are added to the score for each correct response and points are deducted for each incorrect response. When the end user accumulates sufficient points to meet a preset "confidence level," TAM E-SSO: Desktop Password Reset Adapter permits the end user to select a new password. If the end user's score does not achieve the required confidence level after all questions have been presented, or if it falls below a preset negative value, the quiz ends and the end user is not permitted to reset the password.
The reset service is available to each end user after completing a one-time enrollment interview to record passphrase answers. The questions can be any combination of those prepared by the administrator and those created by the end users themselves. Answers can also be derived from data stored in directory user objects. The TAM E-SSO: Desktop Password Reset Adapter Management Console provides easy configuration of the enrollment interview and reset quiz, including question text and point-values, answer sources, and confidence-level limits. The Console also provides convenient reports of enrollment/reset activity and status.
After you have installed the TAM E-SSO: Desktop Password Reset Adapter server application, the first task is to configure the service for use with the directory-server or relational database and Web services. You perform this first-time configuration with the dialog pages in the System tab:
When you have completed these steps, you can begin configuring the reset service itself. These tasks include:
When the user starts the enrollment program, TAM E-SSO: Desktop Password Reset Adapter displays the Enrollment Interview.
The Enrollment Interview comprises a series of questions in three groups:
The required and optional questions (in groups 1 and 3) are called system questions. System questions are predefined and managed by the administrator using the Questions tab of the TAM E-SSO: Desktop Password Reset Adapter Management Console. During the Enrollment Interview, the system questions are presented in random order (within their respective groups). Another type of predefined system question uses an attribute of the end user's directory object for its answer and therefore does not appear in the Enrollment Interview. See Configuring System Questions and Question Examples for more information.
Questions created by the end user (in group 2) are referred to as user questions. Only the end user knows the text of the question/answer pair he or she has created. The administrator uses the Settings tab of the TAM E-SSO: Desktop Password Reset Adapter Management Console to set the minimum number of user questions required to complete the interview and the maximum number of user questions allowed. See Configuring User Questions for more information.
When the end user has answered the Required questions, provided the minimum number of user questions, and answered (or skipped) all of the available Optional questions, the Enrollment Interview ends.
National Language Support
The initial enrollment dialog can be presented in the preferred language for each business unit as required by National Language Support (NLS). NLS support is required for English, French, Spanish, Italian, German, Brazilian Portuguese, Korean, Simplified Chinese, and Japanese.
The text displayed on the initial page of the enrollment interview is stored in an XML file called UserText.xml. To implement this feature, you must create multiple XML files with the filenames UserText.<language code>.xml; for example, UserText.de.xml, UserText.fr-ca.xml.
The language code follows the RFC 1766 format that is used by .NET. Each XML file contains the text in its respective language. The files are stored in the \WebServices folder.
TAM E-SSO: Desktop Password Reset Adapter loads all the files with the above naming pattern and uses the appropriate version to display the 'Welcome' screen of the enrollment page.
On the client side, WindowsInterface passes the language the user installed within the URL to tell TAM E-SSO: Desktop Password Reset Adapter to show the enrollment page in that language.
System questions are those prepared by the administrator. See Creating and Editing System Questions for the procedure.
Each system question has the following settings:
Secure implementation of self-service reset depends on the selection and weighting of the individual system questions. Here are some primary considerations for each question:
See also Question Examples.
The following table provides some examples of system questions, recommended as Required or Optional, with suggested point-values based on the default score thresholds of -100 to 100 points.
Required questions

These questions are good prospects for Required questions. Note that all of these questions have answers that are facts on record. It is strongly recommended that the answers to your selection of Required questions come from as many different sources as possible. For example, in some states, a driver's license may display the social security number and date of birth.

Question | Required? | Points if correct | Points if incorrect |
---|---|---|---|
What is your Social Security Number (numbers only, no spaces)? | Y | 10 | -75 |
What is your date of birth (mmddyy)? | Y | 25 | -75 |
In which city were you born? | Y | 25 | -50 |
What is your Mother's maiden name? | Y | 25 | -75 |
What was the name of the first school you attended? (or "...that you remember attending?") | Y | 25 | -25 |
What is the name of the last high school that you attended? | Y | 25 | -25 |

Eliminators

These questions are "eliminators" because the authorized end user is very unlikely to answer them incorrectly. The answers are personal, and therefore have low or no point-value for correct answers and a high negative point-value if answered incorrectly.

Question | Required? | Points if correct | Points if incorrect |
---|---|---|---|
What is your eye color? | Y | 0 | -75 |
Are you left/right handed or ambidextrous (l, r or a)? | Y | 5 | -75 |
What is your gender (male or female)? | Y | 0 | -75 |

Optional questions

These questions are acceptable as Optional questions only, because they may not apply to all enrollees.

Question | Required? | Points if correct | Points if incorrect |
---|---|---|---|
What was the name of your first/favorite pet? | N | 25 | -25 |
What color was your first car? | N | 25 | -25 |
What is your wife's maiden name? | N | 25 | -25 |
What is your blood type (O, A+/-, B+/-, AB)? | N | 25 | -25 |
How many siblings do you have? | N | 25 | -25 |
What is your spouse's date of birth? (mmddyy) | N | 25 | -25 |
By default, TAM E-SSO: Desktop Password Reset Adapter requires that all the questions and weights used for reset are entered and set up by the administrator and answered by the user upon enrollment. TAM E-SSO: Desktop Password Reset Adapter can also work with external validator sources to simplify this process. External validators allow organizations to write an interface to their backend that TAM E-SSO: Desktop Password Reset Adapter can accept. This validator can call data from various sources (for example, an HR database) that contain pre-defined answers.
For example, let's say one of the reset questions is "What is your Social Security Number?". By default, when a user enrolls, the enrollment interview asks them to supply their social security number. Then, when a user resets their password, they are asked to enter their social security number. With an external validator in place, an administrator can direct TAM E-SSO: Desktop Password Reset Adapter to an external data source that contains a pre-defined list of social security numbers. The validator supplies the answer to that question upon user enrollment so that the user does not even see that question. A user only has to enter the answer to that question when attempting to reset their password. If all system questions are answered by an external validator, users can be automatically enrolled.
Follow these basic steps to implement the use of external validators:
1. Write an external validator.
2. Install the validator.
3. Direct TAM E-SSO: Desktop Password Reset Adapter to the external validator.
The external validator must be written in .NET 2.0. To write an implementation, add a reference to the library Passlogix.PasswordReset.dll. Within your assembly, write a class implementing the interface ISSPRValidator. The interface has the following five members (four methods and one property):
Initialize
Cleanup
IsValidQuestion
IsValidAnswer
FriendlyName
Note: Validators that do not implement the ISSPRValidator interface or fail on startup will be ignored.
Below is the validator interface definition:
```csharp
interface ISSPRValidator
{
    // Called by SSPR on first use of validator.
    void Initialize();
    // Called once by SSPR when the service shuts down.
    void Cleanup();
    // Returns true/false if question is valid for a given user
    bool IsValidQuestion(ISSPRQuery iquery);
    // Returns true/false if question/answer pair is correct
    bool IsValidAnswer(ISSPRQuery iquery, string strAnswer);
    // The friendly name for SSPR to display
    string FriendlyName { get; }
}
```
The ISSPRQuery interface is supplied by the TAM E-SSO: Desktop Password Reset Adapter service and contains the following properties:
```csharp
interface ISSPRQuery
{
    // The guid of the question
    Guid QuestionGuid { get; }
    // The user's identity (in SID format)
    string UserIdentity { get; }
}
```
Once this interface has been implemented, the following attribute must be declared referencing the implementation:
[assembly: ISSPRValidatorType("<Validator class>")]
Replace the string <Validator class> with the full name of the class (including namespace) that implements this interface.
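An added example, not code from the product or its documentation, of a validator implementing the interface above in C#: it answers a single system question (date of birth) from a constructed in-memory table standing in for an HR database lookup. It assumes the interfaces and attribute live in a namespace named Passlogix.PasswordReset after the DLL; the question GUID, SIDs and dates are placeholders.

```csharp
// Added example (not product code): an external validator for a single system
// question, answered from a constructed in-memory table that stands in for an
// HR database lookup. Assumptions: the ISSPRValidator/ISSPRQuery interfaces
// and the ISSPRValidatorType attribute are in a namespace named after the
// DLL, Passlogix.PasswordReset; the question GUID and SIDs are placeholders.
using System;
using System.Collections.Generic;
using Passlogix.PasswordReset;

// The service discovers the implementation through this assembly attribute;
// the string is the full class name including namespace.
[assembly: ISSPRValidatorType("Example.HrDateOfBirthValidator")]

namespace Example
{
    public class HrDateOfBirthValidator : ISSPRValidator
    {
        // Placeholder: the GUID the Management Console assigned to the
        // "What is your date of birth (mmddyy)?" system question.
        static readonly Guid DobQuestion =
            new Guid("00000000-0000-0000-0000-000000000001");

        // User SID -> date of birth (mmddyy). Constructed sample data; a real
        // validator would query HR here, read-only, with its own credentials.
        Dictionary<string, string> hrRecords;

        // Called by SSPR on first use of the validator.
        public void Initialize()
        {
            hrRecords = new Dictionary<string, string>();
            hrRecords["S-1-5-21-1111-2222-3333-1001"] = "071585";
            hrRecords["S-1-5-21-1111-2222-3333-1002"] = "120390";
        }

        // Called once when the service shuts down.
        public void Cleanup()
        {
            hrRecords = null;
        }

        // True only for the DOB question and only for users HR has a record
        // for; for anyone else the question is discarded at enrollment, so the
        // user is never asked it and it cannot affect their reset score.
        public bool IsValidQuestion(ISSPRQuery iquery)
        {
            return iquery.QuestionGuid == DobQuestion
                && hrRecords.ContainsKey(iquery.UserIdentity);
        }

        // Called during the Reset Quiz with the answer the user typed.
        public bool IsValidAnswer(ISSPRQuery iquery, string strAnswer)
        {
            string expected;
            if (strAnswer == null || iquery.QuestionGuid != DobQuestion
                || !hrRecords.TryGetValue(iquery.UserIdentity, out expected))
                return false;
            // Normalise what the user typed (digits only) so "07/15/85" and
            // "071585" compare equal, then compare in fixed time. Never log
            // strAnswer: it is the user's reset credential.
            return FixedTimeEquals(DigitsOnly(strAnswer), expected);
        }

        // Shown in the Answer Source drop-down of the Management Console.
        public string FriendlyName
        {
            get { return "HR record: date of birth"; }
        }

        static string DigitsOnly(string s)
        {
            char[] buf = new char[s.Length];
            int n = 0;
            foreach (char c in s)
                if (c >= '0' && c <= '9') buf[n++] = c;
            return new string(buf, 0, n);
        }

        // Compares every character regardless of where the first mismatch is,
        // so response time does not reveal how many leading digits matched.
        static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;   // mmddyy is fixed length
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```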
Once the validator DLL is written, follow these steps:
1. Create a directory called "Validators" under <INSTALL_DIR>\VIBMSelfServiceReset\WebServices. The actual validator directory is defined in web.config and can be changed if a different folder for discovery is preferred.
2. Copy the validators into this directory.
3. Restart the TAM E-SSO: Desktop Password Reset Adapter Web Service.
Once the validators are installed, follow these steps:
1. Open the TAM E-SSO: Desktop Password Reset Adapter Management Console.
2. Click Questions from the top menu and then select System Questions. Select an existing question or create a New Question.
3. The Answer Source dropdown field lists the available external validators which can be used. The default is User Supplied, which indicates that the user must answer that question during enrollment. If a validator is installed and detected, its friendly name will now be listed here. Simply select the appropriate validator and save the question settings.
User Enrollment
Enrollment can contain a mix of User Supplied and Validator Supplied questions. Questions that require external validation will be checked against IsValidQuestion and allowed / discarded based on the result. A user will only be prompted for answers on questions that are user supplied. In a pure external validation case, the user will be automatically enrolled.
Reset
During a Password Reset, questions with answers supplied by an external validator will be sent to IsValidAnswer to determine a pass or fail for a particular question.
User questions are those prepared by the end-user during the Enrollment Interview. For each user question, the end-user is prompted to enter a question and its correct answer. Only the end user knows the text of the question/answer pair he or she has created. The Enrollment Interview prompts the end user for user questions after he or she has answered the Required system questions and before posing the Optional system questions.
The administrator controls these settings:
See Editing Reset Service Settings for the procedure.
When an end user requests a password reset, TAM E-SSO: Desktop Password Reset Adapter displays the Reset Quiz.
The Reset Quiz is a series of questions drawn from the system and user questions that the end user answered in the Enrollment Interview. The Reset Quiz first presents all of the Required questions one at a time, in random order, for the end user to enter a response. With each response, the preset point-value for correct answers is added to the total score, or the point-value for incorrect answers deducted.
After all of the Required questions have been presented, the Reset Quiz continues until either a) all Optional questions have been presented, or b) the end user has answered enough questions to reach either of two score thresholds:
If the end user answers all of the questions without reaching either score threshold, the Reset Quiz ends with no password reset, and the end user returns to the initial logon dialog. TAM E-SSO: Desktop Password Reset Adapter records the Quiz session as an implicit failure, indicating that the end user neither scored enough to pass nor fell low enough to fail explicitly.
The Success and Failure score thresholds, and the point-values for user questions are set by the administrator in the Settings tab of the TAM E-SSO: Desktop Password Reset Adapter Management Console. The text and point-values for individual system questions are set in the System Questions tab.
The score thresholds are the point-values that determine whether the end user passes or fails the Reset Quiz.
See Editing Reset Service Settings for more information.
The administrator sets the minimum and maximum number of user questions end users create for themselves. User questions have the same pair of point-values for correct and incorrect answers.
See Editing Reset Service Settings for more information.
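The scoring rules above, worked through as an added example (not the product's code) in C#, the language of the validator interface on this page. The point-values are those of the Question Examples tables with abbreviated question texts; the presentation order is fixed rather than random, and the simulation assumes the Failure level is checked after every response while the Success level is checked only once all Required questions have been presented, since the page does not say whether a pass can be declared mid-way through the Required questions.

```csharp
// Added example (not code from the TAM E-SSO: Desktop Password Reset Adapter
// product): a simulation of the Reset Quiz scoring rules, using point-values
// from the Question Examples tables. Questions are presented in a fixed order
// here rather than at random so the runs are reproducible.
using System;
using System.Collections.Generic;

public enum QuizOutcome { Success, ExplicitFailure, ImplicitFailure }

public class Question
{
    public string Text; public bool Required;
    public int PointsCorrect; public int PointsIncorrect;   // incorrect is negative
    public Question(string text, bool required, int correct, int incorrect)
    { Text = text; Required = required; PointsCorrect = correct; PointsIncorrect = incorrect; }
}

public static class ResetQuiz
{
    // Defaults from the Settings dialog (Authentication thresholds).
    public const int SuccessLevel = 100;
    public const int FailureLevel = -100;

    // Every Required question first, then Optional ones until a threshold is
    // crossed or the questions run out. Assumption: the Failure level is checked
    // after every response, the Success level only once all Required questions
    // have been presented. 'answered' maps question text -> answered correctly.
    public static QuizOutcome Run(IList<Question> questions,
                                  IDictionary<string, bool> answered, out int score)
    {
        score = 0;
        List<Question> required = new List<Question>(), optional = new List<Question>();
        foreach (Question q in questions) (q.Required ? required : optional).Add(q);
        foreach (Question q in required)
        {
            score += answered[q.Text] ? q.PointsCorrect : q.PointsIncorrect;
            if (score < FailureLevel) return QuizOutcome.ExplicitFailure;
        }
        if (score >= SuccessLevel) return QuizOutcome.Success;
        foreach (Question q in optional)
        {
            bool correct;
            if (!answered.TryGetValue(q.Text, out correct)) continue; // skipped at enrollment
            score += correct ? q.PointsCorrect : q.PointsIncorrect;
            if (score >= SuccessLevel) return QuizOutcome.Success;
            if (score < FailureLevel) return QuizOutcome.ExplicitFailure;
        }
        return QuizOutcome.ImplicitFailure;   // out of questions, between thresholds
    }

    // Abbreviated question texts; Required flags and points as in the tables.
    public static List<Question> ExampleQuestions()
    {
        return new List<Question>(new Question[] {
            new Question("SSN", true, 10, -75),
            new Question("Date of birth", true, 25, -75),
            new Question("City of birth", true, 25, -50),
            new Question("Mother's maiden name", true, 25, -75),
            new Question("First school", true, 25, -25),
            new Question("Last high school", true, 25, -25),
            new Question("Eye color", true, 0, -75),       // eliminator
            new Question("Handedness", true, 5, -75),      // eliminator
            new Question("First pet", false, 25, -25),
            new Question("First car color", false, 25, -25),
            new Question("Blood type", false, 25, -25) });
    }

    static void Report(string who, IDictionary<string, bool> answers)
    {
        int score;
        QuizOutcome outcome = Run(ExampleQuestions(), answers, out score);
        Console.WriteLine("{0}: {1}, final score {2}", who, outcome, score);
    }

    public static void Main()
    {
        // Constructed scenario 1: the enrolled user answers everything correctly
        // and passes on the Required questions alone.
        Dictionary<string, bool> legit = new Dictionary<string, bool>();
        foreach (Question q in ExampleQuestions()) legit[q.Text] = true;
        Report("Enrolled user", legit);

        // Constructed scenario 2: someone who knows only facts on record (SSN,
        // date of birth, city) is pushed under the Failure level by the personal
        // questions and the eye-colour eliminator before the Optional round.
        Dictionary<string, bool> stranger = new Dictionary<string, bool>(legit);
        stranger["Mother's maiden name"] = false;
        stranger["First school"] = false;
        stranger["Last high school"] = false;
        stranger["Eye color"] = false;
        Report("Facts on record only", stranger);

        // Constructed scenario 3: a genuine user with a patchy memory runs out of
        // questions between the thresholds, which is recorded as an implicit failure.
        Dictionary<string, bool> patchy = new Dictionary<string, bool>(legit);
        patchy["First school"] = false;
        patchy["Last high school"] = false;
        patchy["Blood type"] = false;
        Report("Patchy memory", patchy);
    }
}
```

Changing the point-values in ExampleQuestions to your own question set shows how far a set of facts-on-record questions alone can carry a score toward the Success level.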
[to come]
Use the Web Service Account dialog (under the System tab) to set or change the Anonymous Logon for IIS Web Services. This is the domain account through which all end users access the TAM E-SSO: Desktop Password Reset Adapter Web interface.
The Web Service Account dialog displays the current Anonymous Logon account and provides a logon form for changing this account.
The account selected as the Anonymous Logon should have local Administrator privileges, including permission to perform the following tasks:
Note: To create a new User account with administrator privileges, use the Users and Groups tool in the Windows Computer Management Console.
Use the Storage dialog (under the System tab) to view or change connection settings for the database (SQL Server or Oracle Database) or directory service (Active Directory or ADAM) that is used as the repository for TAM E-SSO: Desktop Password Reset Adapter system questions and user enrollments. To do this, use the settings in the System Configuration group. When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.
You also use the Storage dialog to have TAM E-SSO: Desktop Password Reset Adapter perform the first-time setup tasks that prepare the database or directory-server repository for use with the enrollment and reset services. These tasks include:
To perform these tasks, use the controls in the Storage Configuration group:
Setting | Description |
---|---|
Storage Type | The type of service used: SQL Server, Oracle Database, Active Directory or ADAM. |

Provide these four settings for Active Directory or ADAM storage only:

Setting | Description |
---|---|
Server Name | Enter either the name of the server or the IP address of the server in the first text box. In the second text box, enter the numerical port number used by the directory service. Click Add to add the connection to the Servers list. Multiple servers can be added for failover support. If more than one server address is entered, TAM E-SSO: Desktop Password Reset Adapter iterates through the list in sequential order until either it has successfully connected or all connections have failed. |
Servers | TAM E-SSO: Desktop Password Reset Adapter attempts connections in the order they appear in the list from top to bottom. Use the up and down arrows to arrange the servers in the order in which connections should be attempted. To delete a server from the list, select the server in the list box and click the Delete button. Note that you cannot delete a connection if it is the only connection present in the list. In some cases, such as long server names, the entire string is not displayed in the list box. Clicking on an item in the list box populates the Server Name/IP Address and Port text boxes with that item. The full string can then be viewed by scrolling in the text box and, if desired, modified and added as a new connection to the list. |
Server Timeout | Enter a value (in seconds) that TAM E-SSO: Desktop Password Reset Adapter should wait for a response from a server before moving on to the next server in the list. |
Storage Location | The distinguished name or naming context of the connection node. |
Use SSL | Select to enable Secure Sockets Layer (SSL) for the directory connection. |

Provide these settings for SQL Server storage only:

Setting | Description |
---|---|
Connection String | The complete connection string to the database server; example: Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=SSPR;Data Source=Servername; Click Add to add the connection to the Database Connections list. Multiple connections can be added for failover support. If more than one connection is entered, TAM E-SSO: Desktop Password Reset Adapter iterates through the list in sequential order until either it has successfully connected or all connections have failed. |
Database Connections | TAM E-SSO: Desktop Password Reset Adapter attempts connections in the order they appear in the list from top to bottom. Use the up and down arrows to arrange the connection strings in the order in which connections should be attempted. To delete a connection string from the list, select the string in the list box and click the Delete button. Note that you cannot delete a connection string if it is the only connection present in the list. In some cases, such as long database connection strings, the entire string is not displayed in the list box. Clicking on an item in the list box populates the Connection String text box with that item. The full string can then be viewed by scrolling in the text box and, if desired, modified and added as a new connection to the list. |
Database Timeout | Enter a value (in seconds) that TAM E-SSO: Desktop Password Reset Adapter should wait for a response from a database before moving on to the next database in the list. This value is not used in database connections if the connection string contains a "Connect Timeout" parameter. |

Provide these settings for Oracle Database storage only:

Setting | Description |
---|---|
Connection String | The complete connection string to the database server; example: Provider=OraOLEDB.ORACLE;Data Source=XE;User ID=system;Password=password Click Add to add the connection to the Database Connections list. Multiple connections can be added for failover support. If more than one connection is entered, TAM E-SSO: Desktop Password Reset Adapter iterates through the list in sequential order until either it has successfully connected or all connections have failed. |
Database Connections | TAM E-SSO: Desktop Password Reset Adapter attempts connections in the order they appear in the list from top to bottom. Use the up and down arrows to arrange the connection strings in the order in which connections should be attempted. To delete a connection string from the list, select the string in the list box and click the Delete button. Note that you cannot delete a connection string if it is the only connection present in the list. In some cases, such as long database connection strings, the entire string is not displayed in the list box. Clicking on an item in the list box populates the Connection String text box with that item. The full string can then be viewed by scrolling in the text box and, if desired, modified and added as a new connection to the list. |
Database Timeout | Enter a value (in seconds) that TAM E-SSO: Desktop Password Reset Adapter should wait for a response from a database before moving on to the next database in the list. This value is not used in database connections if the connection string contains a "Connect Timeout" parameter. |

Provide these settings for all storage types:

Setting | Description |
---|---|
Initialize Storage for TAM E-SSO: Desktop Password Reset Adapter | Activates the first-time configuration tasks. If this option is checked, TAM E-SSO: Desktop Password Reset Adapter automatically iterates through the new connections in the list and attempts to initialize them sequentially. If a connection fails to initialize, initialization stops and connections further down in the list will not be initialized. If this occurs, resolve the issue and then retry initialization. |
Connect As (User Name) | The user name of a directory/database administrator. |
Password | The password of the administrator. |
Use the Reset Service dialog (in the System tab) only to specify the credentials (username and password) of the user account that the TAM E-SSO: Desktop Password Reset Adapter reset service uses to log on. The Service Account must have password-change privileges for the domain.
Notes:
The Reset Service dialog also displays the current status of TAM E-SSO: Desktop Password Reset Adapter (Running or Not Running), and the port that the service uses to detect a password reset attempt.
Change service account

Setting | Description |
---|---|
User Name | The user name of the Reset Service Account. |
Password and Confirm Password | The password of the Reset Service Account. Type the password in both fields. |

Service Options

Setting | Description |
---|---|
Listening Port | The number of the port used to detect password reset activity (default 45000). |
Domain | The trusted domain where user accounts are located. This setting is required only if the user accounts are in a domain other than that of the TAM E-SSO: Desktop Password Reset Adapter machine's domain. Note: Changes to this setting take effect immediately and do not require a restart of IIS or the Password Reset Service. |
You can configure TAM E-SSO: Desktop Password Reset Adapter to reset Windows passwords and unlock Windows accounts in its own domain or any domain you designate as trusted.
Multi-domain support requires the following conditions:
In the Management Console, select the domain you want to designate as trusted from any of the following screens.
When you make a domain selection on any one of these screens, that change is reflected in all the other screens. The domain that you select is saved in the registry value, HKLM\SOFTWARE\Passlogix\SSPR\SSPRService\DisplayDomain.
When performing queries against a trusted domain, you may receive the error message: "The server is not operational." This can occur if the guest account on the trusted domain is turned on, because that account does not have the rights to enumerate users.
To eliminate this error, do one of the following:
This feature allows TAM E-SSO: Desktop Password Reset Adapter users to enroll to the ITIM Challenge/Response system through the TAM E-SSO: Desktop Password Reset Adapter Enrollment client. This feature also allows them to reset their Windows password or unlock their Windows account through the TAM E-SSO: Desktop Password Reset Adapter Reset client by answering the ITIM Challenge/Response questions.
When ITIM is selected, a logon page is added to the user's Enrollment process. This page appears after the user clicks the “Enroll” button (to start the enrollment process). TAM E-SSO: Desktop Password Reset Adapter uses the credentials to authenticate to ITIM and to relay the user’s enrollment answers to ITIM.
Select the connector from the Selected Connector drop-down box.
Note: Switching between connectors takes effect immediately. IIS does not need to be restarted. See the TAM E-SSO: Desktop Password Reset Adapter Server Installation and Setup Guide for instructions on configuring the ITIM connector.
Use the Settings dialog (under the Settings tab) to modify general settings for the Reset Quiz. When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.
Also see Configuring Reset Authentication for more information.
Authentication thresholds

Setting | Description |
---|---|
Authentication Success Level | The score (the point-value total achieved for the quiz) that end users must achieve in order to reset their passwords. The default value is 100. |
Authentication Failure Level | The minimum (negative) score that end users can accrue. If the end user's score falls below this setting, the Reset Quiz ends without a password reset. The default value is −100. |

Reset Lockout

Setting | Description |
---|---|
Lockout Thresholds | The number of consecutive unsuccessful reset attempts permitted. If an end user fails the Reset Quiz this number of times in a row, no further Reset Quiz attempts are permitted for the Lockout Duration interval. |
Lockout Duration | The time period, in hours, that an end user is not permitted to take the Reset Quiz. The Lockout Duration begins when the end user consecutively fails the Reset Quiz the number of times given for Lockout Thresholds. Note: To override lockout for individual end users, click the Users tab, select the end user from the list, then click the Unlock button. |

Forced Enrollments

Setting | Description |
---|---|
Deferrals allowed | The maximum number of times a user can defer TAM E-SSO: Desktop Password Reset Adapter enrollment. When the user exceeds the maximum number of deferrals, they will not be allowed to log on until they complete the enrollment process. |

User Emails

Setting | Description |
---|---|
Required during enrollment | Controls whether or not users are required to enter their email address during the enrollment process. |
Email format (regular expression) | Controls the valid format of the user email address. The default setting allows for most acceptable email formats. |

Reset Experience

Setting | Description |
---|---|
Show 'Unlock account option' only | Controls whether or not users are given the option to unlock their account rather than reset their password. This option is presented after a user passes the Reset Quiz. |
Enable 'Display temporary password' mode | Controls whether or not TAM E-SSO: Desktop Password Reset Adapter should allow the end user to reset the password regardless of the Active Directory password policy. With this checkbox enabled, TAM E-SSO: Desktop Password Reset Adapter overrides any AD restrictions that are in place and provides the user with a temporary password. The user can then log on with that temporary password and change it through Windows. |

User question settings

Setting | Description |
---|---|
Minimum | The minimum number of user questions the end user must create in order to complete enrollment. |
Maximum | The maximum number of user questions the end user can create. |
Correct response weight | The number of points added to the score if a user question is answered correctly. |
Incorrect response weight | The number of points deducted from the score if a user question is answered incorrectly. |

Locations (distinguished name)

Setting | Description |
---|---|
User Root | The distinguished name of the root directory for user objects. |
Service configuration | The distinguished name of the directory. |
Use the Password Policy dialog (under the Settings tab) only to adjust the password constraints to make certain that they match or are within the constraints of the Group Policy of the Windows domain. This setting does not apply to end-user passwords (see Note, below). In typical usage (that is, for typical Group Policies), these settings need not be changed.
When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.
Note: In order for TAM E-SSO: Desktop Password Reset Adapter to reset end user passwords, it performs an intermediate reset, using an internally generated password that must conform to the domain's Group Policy. The policy settings in this dialog apply only to that intermediate password, not to end-user passwords.
Constraints

Setting | Description |
---|---|
Minimum Length | Minimum internal password length: 1-63 (default: 16) |
Maximum Length | Maximum internal password length: 1-63 (default: 16) |
Number of times characters can repeat | 0-62 (default: 7) |

Alphabetic Characters

Setting | Description |
---|---|
Allow Uppercase characters | Select to allow uppercase characters (default: allowed) |
Allow lowercase characters | Select to allow lowercase characters (default: allowed) |

Numeric Characters

Setting | Description |
---|---|
Allow Numeric Characters | Select to allow numeric characters (0-9) (default: allowed) |
Minimum Occurrences | 1-63 (default: 1) |
Maximum Occurrences | 1-63 (default: 1) |

Special Characters

Setting | Description |
---|---|
Allow Special Characters | Select to allow special characters (non-alphabetic, non-numeric) (default: not allowed) |
Minimum Occurrences | 1-63 (default: 1) |
Maximum Occurrences | 1-63 (default: 1) |
Special Characters List | Characters that may be used (default: !@#$%^&*()_-=+[]\|.?) |
Use the Alerts dialog (under the Settings tab) to configure TAM E-SSO: Desktop Password Reset Adapter to notify an administrator by e-mail when specified events occur, such as an end user being "locked out"; that is, prevented from taking the Reset Quiz because of one or more failures to pass the quiz.
All of the fields on this dialog must be completed in order to activate the e-mail alert.
To test your settings, click Send Test Email. When you have completed your changes, click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.
E-mail Settings

Setting | Description |
---|---|
Enable e-mail alerts | Select to activate e-mail alerts. |
"From" e-mail address | The e-mail address that originates the alert; this can be any e-mail address that is valid for the SMTP mail server specified below. |
Admin e-mail address | The e-mail address of the administrator to whom the alerts will be sent. |
Admin name (displayed in emails) | The name of the administrator to whom alerts will be sent. This name is displayed in the e-mails. |
SMTP mail server | The name of the outbound mail server. |

Send Alert When User:

Setting | Description |
---|---|
Fails a reset attempt | Select who should receive e-mail alerts if a user fails a reset attempt: Admin and/or User. This field is only active if Enable e-mail alerts is selected. Also see Editing System Settings for the lockout controls. |
Successfully resets password | Select who should receive e-mail alerts if a user successfully resets their password: Admin and/or User. This field is only active if Enable e-mail alerts is selected. |
Use the Logging dialog (under the Settings tab) to configure TAM E-SSO: Desktop Password Reset Adapter to enable logging, to specify the Syslog server and port, and to select the types of events that should generate Syslog messages. This logging feature allows TAM E-SSO: Desktop Password Reset Adapter to generate Syslog messages so that administrators can receive notifications of user enrollment and reset events. TAM E-SSO: Desktop Password Reset Adapter generates the Syslog messages which are received by a Syslog listener. This enables the administrator to see the activities of TAM E-SSO: Desktop Password Reset Adapter users.
Enter the following information and click Submit to apply your new settings to TAM E-SSO: Desktop Password Reset Adapter.
Syslog Settings |
|
Enable | If checked, Syslog logging will be enabled. |
Server Name/IP Adress | The name or IP address of the Syslog server. |
Server Port | The port where the Syslog server is listening for Syslog messages (default port is 514). |
Event Filters: |
|
Start | If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user begins an enrollment or reset session. |
Cancel | If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user cancels an enrollment or reset session. |
Success | If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user successfully completes an enrollment or reset session. |
Fail | If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user fails the reset session. |
Locked Out | If checked, TAM E-SSO: Desktop Password Reset Adapter sends a message when the user gets locked out of the TAM E-SSO: Desktop Password Reset Adapter system (by failing too many reset quizzes). |
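The five Event Filters above are the events an administrator can act on from the Syslog stream. The following is an added example, not IBM code and not taken from the Adapter's documentation: a small Python Syslog receiver and summarizer that parses one event per message and flags users who were locked out or failed repeatedly. The page does not document the Adapter's message layout, so the "event=... user=..." key/value body, the UDP transport, and the sample lines are constructed assumptions; adapt parse_event() once you have captured real messages on your listener.

```python
"""Minimal Syslog receiver and event summarizer for TAM E-SSO: Desktop
Password Reset Adapter notifications (added example, not IBM code).

The Adapter's real message layout is not documented on this page, so the
"event=... user=..." form and the sample lines below are CONSTRUCTED
assumptions; adjust parse_event() to match captured messages.
"""
import re
import socketserver
from collections import Counter, defaultdict

# Event types selectable under Event Filters on the Logging dialog.
EVENT_TYPES = {"Start", "Cancel", "Success", "Fail", "Locked Out"}

# RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG   (layout assumed)
_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="two words"

def parse_event(line):
    """Return a dict for one Syslog line, or None if it is not a
    recognisable Adapter event (other daemons share the same listener)."""
    m = _SYSLOG.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("msg"))}
    if fields.get("event") not in EVENT_TYPES:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m.group("ts"), "host": m.group("host"),
        "event": fields["event"], "user": fields.get("user", "?"),
        "session": fields.get("session", "?"),
        "client": fields.get("client", "?"),
    }

def summarize(lines, fail_threshold=3):
    """Count events per user and list users worth a look: anyone with a
    Locked Out event, or at least fail_threshold Fail events."""
    per_user = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_user[ev["user"]][ev["event"]] += 1
    flagged = sorted(
        u for u, c in per_user.items()
        if c["Locked Out"] or c["Fail"] >= fail_threshold
    )
    return per_user, flagged

class _Handler(socketserver.BaseRequestHandler):
    """UDP datagram handler; prints each parsed Adapter event."""
    def handle(self):
        ev = parse_event(self.request[0].decode("utf-8", "replace"))
        if ev:
            print(ev)

def serve(host="0.0.0.0", port=514):
    """Listen on the Syslog default port 514 (privileged on most OSes)."""
    with socketserver.UDPServer((host, port), _Handler) as srv:
        srv.serve_forever()

# Constructed sample traffic, not captured from a real server.
SAMPLE_LINES = [
    '<134>Mar  3 10:15:22 dpra-srv DPRA: event=Start session=reset user=jdoe client=10.1.2.3',
    '<134>Mar  3 10:16:40 dpra-srv DPRA: event=Fail session=reset user=jdoe client=10.1.2.3',
    '<134>Mar  3 10:17:05 dpra-srv DPRA: event=Fail session=reset user=jdoe client=10.1.2.3',
    '<134>Mar  3 10:17:51 dpra-srv DPRA: event=Fail session=reset user=jdoe client=10.1.2.3',
    '<132>Mar  3 10:17:52 dpra-srv DPRA: event="Locked Out" user=jdoe client=10.1.2.3',
    '<134>Mar  3 10:20:00 dpra-srv DPRA: event=Start session=enroll user=asmith client=10.1.2.9',
    '<134>Mar  3 10:24:13 dpra-srv DPRA: event=Success session=enroll user=asmith client=10.1.2.9',
    'Mar  3 10:25:00 dpra-srv sshd[123]: unrelated line',
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LINES)
    for user in sorted(counts):
        print(user, dict(counts[user]))
    print("users to review:", flagged)
```

Run the file directly to see the summary of the constructed sample, or call serve() to receive live messages from a server configured on the Logging dialog. The Locked Out event is the one to correlate with the lockout controls under Editing System Settings, since it marks a user who has exhausted the permitted reset attempts.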
Use the Enrollment UI dialog (under the Settings tab) to customize the Enrollment Interview User Interface.
You can edit the look and feel of all TAM E-SSO: Desktop Password Reset Adapter Client pages (the Enrollment and Reset interviews, not the Management Console). This page allows you to adjust colors, fonts & logos on the Enrollment UI.
Logo |
|
Image | Select the logo image to appear in the top left area of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Highlight the desired image and click OK. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. Note: There is no size requirement for this image. For reference, the IBM enrollment logo is 146x47. |
Status Panel |
|
Text Color | Select the text color to be displayed for the text in the status panel. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Background | Select either a background image or solid color for the status panel. Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK. Note: There is no size requirement for this image. For reference, the IBM status panel background image is 408x28. |
Buttons |
|
Normal Color | Select the normal color for buttons in the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Hover Color | Select the hover color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Text Color | Select the text color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Top Panel |
|
Text Color | Select the text color to be displayed for the text in the top panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Background | Select either a background image or solid color for the top panel. Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK. Note: There is no size requirement for this image. For reference, the IBM top panel background image is 408x47. |
Page |
|
Background | Select either a background image or solid color for the page background. Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK. Note: There is no size requirement for this image. |
Border Color | Select the border color for the page. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Text Font | Select the font to be used for the Enrollment UI. Click the ... button to launch the Edit Property dialog. Highlight the desired font and click OK. Note: The font list is generated from fonts installed on the TAM E-SSO: Desktop Password Reset Adapter Server. To add a font to the list, install it on the server. |
Main Panel |
|
Text Color | Select the text color to be displayed for the text in the main panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Background | Select either a background image or solid color for the main panel. Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK. Note: There is no size requirement for this image. For reference, the IBM main panel background image is 408x273. |
Side Panel |
|
Normal Text Color | Select the text color for the normal text in the side panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Current Step Text Color | Select the text color for the current step text in the side panel of the Enrollment UI. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Background | Select either a background image or solid color for the side panel. Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK. Note: There is no size requirement for this image. |
Use the Reset UI dialog (under the Settings tab) to customize the Reset User Interface.
You can edit the look and feel of all TAM E-SSO: Desktop Password Reset Adapter Client pages (the Enrollment and Reset interviews, not the Management Console). This page allows you to adjust colors, fonts & logos on the Reset UI.
Window |
|
Border Color | Select the border color for the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Background | Select either a background image or solid color for the reset window. Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK. Note: There is no size requirement for this image. For reference, the IBM reset window background image is 450x350. |
Normal Text Color | Select the text color for the normal text in the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Help Link Color | Select the text color for the help link in the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Error Color | Select the text color for error messages that appear during the reset process. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Version Info Color | Select the text color for version information shown on the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Buttons |
|
Normal Color | Select the normal color for buttons in the reset window. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Hover Color | Select the hover color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Text Color | Select the text color for buttons. Click the ... button to launch the Edit Property dialog. Enter the appropriate RGB color values or color # and click OK. |
Logo |
|
Image | Select the logo image to appear in the reset window. Click the ... button to launch the Edit Property dialog. Highlight the desired image and click OK. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. Note: There is no size requirement for this image. For reference, the IBM reset logo is 106x29. |
Page |
|
Background | Select either a background image or solid color for the page background. Click the ... button to launch the Edit Property dialog. Select the desired Property Type: Image or Solid Color. If Image is selected, highlight the desired image. For images to appear in this dialog, they must exist in the "%SSPR%\Images" folder. If Solid Color is selected, enter the appropriate RGB color values or color #. Click OK. Note: There is no size requirement for this image. |
Text Font | Select the font to be used for the Reset UI. Click the ... button to launch the Edit Property dialog. Highlight the desired font and click OK. Note: The font list is generated from fonts installed on the TAM E-SSO: Desktop Password Reset Adapter Server. To add a font to the list, install it on the server. |
Use the Questions tab to review and modify the current set of system questions. You can create new questions, set their language, set their point-values, set Required/Optional status, set answer sources and validity checks on the end user's answers, and select Users and Groups to allow or deny access.
You can modify the text of existing questions, the language of existing questions, the weights of existing questions, and you can also disable system questions; that is, remove them from the Enrollment Interview. Questions that you disable from the Enrollment Interview will still appear in the Reset Quiz to end users who have already provided answers to the disabled question, but they will no longer be presented to users who subsequently enroll or re-enroll.
[Caveats/limits on modifying existing questions]
See Setting up the Enrollment Interview for more information.
The weight of a question may be modified if it is determined to be more or less effective in the reset test. A possible ramification of modifying a correct response weight after a question has been created is that enrolled users may no longer be able to pass the reset test, because the questions they answered at enrollment no longer add up to the required score, even if they answer all of them correctly. In an attempt to prevent such an occurrence, if a correct response weight is changed, a dialog appears which presents the option to:
Modify this question: If this option is selected, the change will be made to this question. Note that users who answered this question during enrollment may not be able to reset their password if the correct response weight is set too low.
or
Disable this question and create a new question: Disables this question and creates a new question with the changes. The benefit is that currently enrolled users will not be affected by the changes. Note that disabled questions are shown as “disabled” (grayed out) in the System Questions list.
See Question Examples for suggested text and settings for system questions.
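The choice between "Modify this question" and "Disable this question and create a new question" turns on whether the questions an enrolled user answered still add up to the confidence level. The following is an added example, not IBM code: a Python model of the Reset Quiz scoring described in the overview (correct weight added, wrong weight deducted, Required questions asked before Optional ones, the quiz ending at the confidence level, at the negative floor, or when the questions run out) plus a check that lists enrolled users who could no longer pass after a weight change. The question set, weights, confidence level, negative limit and enrollment records are constructed values, not Adapter defaults.

```python
"""Reset Quiz scoring model and weight-change sanity check
(added example, not IBM code).

All questions, weights, limits and enrollment records below are
CONSTRUCTED for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Question:
    text: str
    correct_weight: int   # points added on a correct answer
    wrong_weight: int     # negative number, deducted on a wrong answer
    required: bool        # Required questions are asked first

def quiz_order(questions):
    """Required questions are asked before any Optional ones."""
    return ([q for q in questions if q.required]
            + [q for q in questions if not q.required])

def run_quiz(questions, answers_correct, confidence_level, negative_limit):
    """Simulate one Reset Quiz.

    answers_correct maps question text -> True/False for the questions the
    user answered at enrollment; a skipped Optional question is absent and
    is therefore never asked. Returns (passed, final_score, questions_asked).
    """
    score, asked = 0, 0
    for q in quiz_order(questions):
        if q.text not in answers_correct:
            continue
        asked += 1
        score += q.correct_weight if answers_correct[q.text] else q.wrong_weight
        if score >= confidence_level:      # enough points: allow the reset
            return True, score, asked
        if score <= negative_limit:        # fell below the floor: quiz ends
            return False, score, asked
    return False, score, asked             # ran out of questions

def max_score(questions, answered_texts):
    """Best score an enrolled user can reach: every answered question correct."""
    return sum(q.correct_weight for q in questions if q.text in answered_texts)

def check_weight_change(questions, enrolled_answers, confidence_level):
    """Users who could no longer pass even with every answer correct.

    enrolled_answers maps username -> set of question texts answered at
    enrollment. Run this before choosing "Modify this question".
    """
    return sorted(user for user, answered in enrolled_answers.items()
                  if max_score(questions, answered) < confidence_level)

def after_weight_change(questions, text, new_correct_weight):
    """The 'Modify this question' choice, applied in memory."""
    return [Question(q.text, new_correct_weight, q.wrong_weight, q.required)
            if q.text == text else q for q in questions]

# Constructed question set and limits.
QUESTIONS = [
    Question("Mother's maiden name?", 30, -20, required=True),
    Question("City of birth?", 30, -20, required=True),
    Question("First pet's name?", 20, -10, required=False),
    Question("Favourite teacher?", 20, -10, required=False),
]
CONFIDENCE_LEVEL = 60
NEGATIVE_LIMIT = -30

# Constructed enrollment records: which questions each user answered.
ENROLLED = {
    "jdoe": {"Mother's maiden name?", "City of birth?", "First pet's name?"},
    "asmith": {"Mother's maiden name?", "City of birth?"},  # skipped Optional ones
}

if __name__ == "__main__":
    print(run_quiz(QUESTIONS, {"Mother's maiden name?": True, "City of birth?": True,
                               "First pet's name?": True},
                   CONFIDENCE_LEVEL, NEGATIVE_LIMIT))
    print("at risk now:", check_weight_change(QUESTIONS, ENROLLED, CONFIDENCE_LEVEL))
    lowered = after_weight_change(QUESTIONS, "City of birth?", 10)
    print("at risk after lowering a weight:",
          check_weight_change(lowered, ENROLLED, CONFIDENCE_LEVEL))
```

In the constructed data, lowering the correct weight of one Required question from 30 to 10 leaves asmith, who skipped both Optional questions, with a maximum of 40 points against a confidence level of 60; that user could never pass again, which is exactly the case the "Disable this question and create a new question" option avoids.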
Question Properties |
|
Question Text | The text of the question as it is displayed to the end user. Include formatting instructions or examples. For instance, if asking for a telephone number, provide an example, such as "(333) 555-1234", to ensure consistency between the Enrollment Interview and the Reset Quiz. |
<Language> Text | Enter the translated question text into this field. |
Points (weights) |
|
Correct Response Weight | Specify the number of points to add to the end user's score if the question is answered correctly. If modifying this field, see Changing Question Weights above. |
Wrong Response Weight | Specify a negative number to indicate the number of points to deduct from the end user's score if the question is answered incorrectly. If modifying this field, see Changing Question Weights above. |
Required | If checked: This is a Required question. The end user must provide an answer to the question in order to complete enrollment. A Required question is always used in the Reset Quiz.
If unchecked: This is an Optional question. The end user can skip this question in the Enrollment Interview, in which case the question will not be used in this end user's Reset Quiz. If the end user supplies an answer to an Optional question, the question is used in the Reset Quiz only after all Required questions have been asked. |
Enabled | If checked: This question is used in the Enrollment Interview and in the Reset Quiz.
If unchecked: This question is not used in the Enrollment Interview. It is used in a Reset Quiz only if 1) it was previously enabled and 2) the end user answered the question in an Enrollment Interview. |
Answer constraints |
|
Answer Source | Specify the source from which the answer to this question should come. The default, User supplied, should be selected if the end user will supply the correct answer in the Enrollment Interview. An external validator source can also be used. |
Minimum Answer Length | Specify the minimum number of characters the end user must type as an answer. |
Answer Format | Specify the format and punctuation for the answer using a regular expression. For example, you can specify the date format "12/1/1983" with the expression \d?\d/\d?\d/\d{4} (allowing the entry of a single- or double-digit month and day and requiring a four-digit year). If you want to require the end user to type a Social Security number with dashes, use the expression \d{3}-\d{2}-\d{4} |
Case Sensitive | If checked: The end user's answer is checked for consistent use of upper- and lower-case characters. If unchecked: The end user's answer is not checked for consistent use of upper- and lower-case characters. |
Access Control |
|
Users and Groups | System questions can be assigned to particular roles or user groups. Role/Group assignment determines the questions a user will be presented with during the enrollment interview. The Users and Groups list is populated with the domain's groups which are not currently assigned Allow or Deny access for the given question. Individual users are also populated in this list if the Show Users box is checked. When a user or group is selected, the arrow buttons (<< and >>) become active. Use the arrow buttons to move users back and forth between the Users and Groups list and the Allow and Deny lists. When Create or Modify is clicked, the Role/Group access rights are written to the backend storage for the system question. The rules for Access Control are as follows: |
Show Users | If checked: Individual users are shown in the Users and Groups list. If unchecked: Individual users are not shown in the Users and Groups list. |
Allow | This list contains users and groups that will have to answer the question during the enrollment interview. |
Deny | This list contains users and groups that will not have to answer the question during the enrollment interview. Note: By default, if any user or group is denied access, all users and groups are denied access except those specified in the Allow list. |
Use the Users tab to generate a report on the enrollment status of end users. This generates a report on whether or not users have completed the Enrollment Interview, the date/time of enrollment, and whether or not the user is currently locked out.
To generate a report, select the appropriate display options. Select Export to save the report as a CSV file or click Search to generate and display the report in the Web browser.
Display Options |
|
Show users that are: | Select the users to generate a report on: Enrolled, Not Enrolled, or Both. |
Show date/time of enrollment | Select to display the date and time of enrollment. Enabling this may slow down report generation time. |
Enrollment Status Report Results |
|
Username | Click a User Name to view additional details about a particular end user's TAM E-SSO: Desktop Password Reset Adapter activity: |
Delete Checkbox | Select to delete a user. Check the box next to User Name to select all users for deletion. Click Delete. |
Enrolled |
|
Locked Out |
|
Use the View Enrollments dialog (under the Enrollments tab) to view the enrollment log. This log records all enrollment activity for all users who have taken (or at least started) the Enrollment Interview, the current enrollment status for each end user, the total point-values of all system questions (Required and Optional) that the end user answered during enrollment, and the date and time of each enrollment activity.
To view log entries within a specific date range, type a Start Date and an End Date (or click the Choose button to select a date from a pop-up calendar), then click Submit.
See Setting up the Enrollment Interview for more information.
Use the Manage Enrollments dialog (under the Enrollments tab) to export or delete enrollment log entries within a specified date range.
See Setting up the Enrollment Interview for more information.
Use the View Resets dialog (under the Resets tab) to view the reset log. The record for each Reset Quiz given shows the username, the date and time of the quiz, the Quiz score, the current reset status, and the IP address of the workstation used to take the quiz.
To view log entries within a specific date range, type a Start Date and an End Date (or click the Choose button to select a date from a pop-up calendar), then click Submit.
Change_Done
Completed_Declined
Request_Cancelled
Finished_withdrawn
Finished_failed
Started_Pressed_Cancel
See Configuring Reset Authentication for more information.
Use the Manage Resets dialog (under the Resets tab) to export or delete reset log entries within a specified date range.
See Configuring Reset Authentication for more information.