Automate SSPR registration in FIM 2010 R2

Since customers started using the OTP (One Time Password) authentication for SSPR (Self-Service Password Reset) I’ve had several discussions if registration should be manual or automatic. In a recent case the decision was that an external system was to be master for the email used for OTP based authentication. I then needed to configure FIM to automate this task. In this post I will show you how I did this in this particular case and hopefully it will give you some ideas on how to solve your own automatic registration.

Workflow

The registration management is made as an action Workflow in FIM. I decided to use the PowerShell Workflow Activity you can find on CodePlex. The workflow adds two parameters AccountName and Email before calling the PowerShell activity. This was a single-domain environment. If you have multiple domains just add the domain as a workflow attribute the same way and modify the script below accordingly.
SSPRAutoRegistrationWF
The Workflow data is using the built-in Function Evaluator activity.
GetOTPEmail
Before you can start using the PowerShell activity there are two things you need to configure.

  • The FIM Service account will do the request and needs to be defined as user in FIM and this user needs to be in the Administrators Set in order to perform the registration actions.
  • The FIM Service configuration file (Microsoft.ResourceManagement.Service.exe.config) needs to be updated. The
    <resourceManagementClient resourceManagementServiceBaseAddress="localhost" />

    needs to be changed to have the full URL of the FIM Service. Something like

    <resourceManagementClient resourceManagementServiceBaseAddress="http://fimserver:5725" />

Finally we need to have the script that we use in our PowerShell activity. This example uses the email workflow data to decide if registration or unregistration should happen. NOTE! Due to some wordpress issue the backslash between the $Domain and the $AccountName is stripped. Remember to add it before using this script or download it here.

Add-PSSnapin FIMAutomation
$AccountName = $fimwf.WorkflowDictionary.AccountName
$Email = $fimwf.WorkflowDictionary.Email
$Domain = "AD"
if($Email)
{
$template = Get-AuthenticationWorkflowRegistrationTemplate -AuthenticationWorkflowName 'Password Reset Email OTP AuthN Workflow'
$template.GateRegistrationTemplates[0].Data[0].Value = $Email
Register-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationWorkflowRegistrationTemplate $template
}
else
{
Unregister-AuthenticationWorkflow -UserName "$Domain$AccountName" -AuthenticationWorkflowName 'Password Reset Email OTP AuthN Workflow'
}

Synchronization Rules

I extended the Synchronization Service schema with a new attribute called OTPEmail.
The external system had an attribute controlling the status of the user. Using the status as a criteria I ended up with this inbound flow.
IIF(Enabled,extEMailAddress,Null()) -> OTPEmail
on the FIM Service MA I added the flow
msidmOneTimePasswordEmailAddress <- OTPEmail
NOTE! Requires that the msidmOneTimePasswordEmailAddress attribute is added to the MPR allowing the Synchronization Account to manage Users.

MPR (Management Policy Rule)

The last thing was to solve how to trigger the workflow. I initially was thinking about using a Set transition MPR but decideed to go for a Request MPR. This MPR will fire of the workflow whenever the OTP email address is changed. This is one way of detecting the inactivation of the user in the external system that will clear the OTPEmail attribute in the MV according to the sync rule above.
The MPR has the following properties.

  • Name: Update SSPR Registration if OTP Email is changed.
  • Type: Request
  • Requestor: All People
  • Operation: Modify a single-valued attribute
  • Target: Password Reset Users using Email OTP
  • Target Attribute: One-Time Password Email Address

8 Replies to “Automate SSPR registration in FIM 2010 R2”

  1. Sarwar

    Hi Kent,

    Thanks for your post but it dint work with me as I have done almost exactly as mentioned above except MRP and changes in Microsoft.ResourceManagement.Service.exe.config

    Can you please assist how it works automatically ?

    Regards
    Sarwar

    Reply
    • Kent Nordström Post author

      If you do not change the .config file the FIM Service account will not be able to connect back to the service to make the request. If you would like to automate, some form of MPR is required to fire off the registration workflow.

      Reply
      • sarwar

        Thanks for prompt response. Actually I have already changed in Microsoft.ResourceManagement.Service.exe.config therefore I didn’t need to change. I have also created MPR exactly the same as you mentioned but can you please elaborate this Sync rule i.e. IIF(Enabled,extEMailAddress,Null()) -> OTPEmail. I am Mail as a OPTemail attribute and added in MAmsidmOneTimePasswordEmailAddress <- Mail however if I use your Sync rune entry it gave me error to set OTPemail as Enabled in not a valid attribute.

        Reply
        • Kent Nordström Post author

          Ok, now I see your problem. 🙂 The Enabled attribute is a custom Boolean attribute used by this customer to know if an account is active or not. Using that boolean attribute in the flow rule allows me to un-register by deleting the OTP Email attribute when user is no longer active. If you do not have that just flow your mail->msidmOneTimePasswordEmailAddress.

          Reply
          • Sarwar

            Hi Kent,

            Sorry to bother you again but I really need to make it work therefore I contact you again. I have done but nothing happened and the following message appears in Event view: I will appreciate you can give me any clue please..

            Regards
            Sarwar

            Event ID: 3

            Requestor: urn:uuid:10c491fb-a0fa-4dd5-9a27-66f5a4465963

            Correlation Identifier: 42f74d59-bb91-480a-9582-d9c588436ebb

            Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ResourceIsMissing

            at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteGetAction(RequestType request)

            at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)

            at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)

            at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey, Boolean isRedispatch)

            at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)

            at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Get(Message request

  2. Sarwar

    Hi Kent, I have resolved the above error but now I get the following warning message :

    Event 2
    System.InvalidOperationException: Exception of type ‘Microsoft.ResourceManagement.Workflow.WorkflowExtensionException’ was thrown.
    at FimExtensions.FimActivityLibrary.PowerShellActivity.Execute(ActivityExecutionContext context)
    at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
    at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
    at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
    at System.Workflow.Runtime.Scheduler.Run()

    Reply
    • Kent Nordström Post author

      I think you should add some Try/Catch in your PS script and write the error into a log file. This usually gives a better error message then the generic one you get.

      Reply
  3. Sarwar

    Hi Kent,

    Thanks for your suggestion. I have enabled try and catch and narrow down the problem however I couldn’t make it work. It works fine if I type the email address instead of $fimwf.WorkflowDictionary.Email while no changes required in rest of the script. I got an impression that Function Evaluator activity to pick email address didn’t work. I didn’t get any error message in the file however the following warning messages in event view under Forefront Identity Manger.

    Unable to resolve type: string.
    Unable to resolve type: System.Collections.Generic.Dictionary.
    Unable to resolve type: System.Collections.Generic.IEqualityComparer.

    I am very close to make it work as I did that if manually type email address. Any help would be highly appreciated.

    Regards
    Sarwar

    Reply

Leave a Reply to Kent Nordström Cancel reply

Your email address will not be published. Required fields are marked *