How to configure 2 different SSPRs?

Hi,

I'd like to configure 2 different SSPRs. One for Staff and one for Students.

I have installed SSPR onto 2 different servers, and Staff and Students have different URLs (for registration and reset).

Staff will be the typical Q&A; while Students will be the OTP route (with auto registration).

How do I configure the FIM Portal for 2 different scenarios, and make sure the right config is associated with the correct staff and student server & URL?

thanks,

sk


April 4th, 2014 7:50am

You can achieve this in two ways:

1. Create multiple FIM Service partitions 

or

2. Copy the password reset AuthN workflow, create another MPR/Set/Workflow triple for Students, and change the first triple to apply only to Staff, so you can have something like:

  • Set: Students (here you can configure auto-registration for them)
  • MPR: Students can reset their password
  • Workflow: Password Reset AuthN Workflow for Students (here you configure OTP activity in workflow)

And a triple for Staff:

  • Set: Staff 
  • MPR: Staff can reset their password
  • Workflow: Password Reset AuthN Workflow for Staff (here you can configure Q&A questions)

(but this one would be accessible from both URLs - "StaffPasswordResetSite" may be used by Students in this scenario)

April 4th, 2014 8:43am

Thanks...still trying to work through this.

Staff will get the normal SSPR Registration Portal with question & answers; Students will be auto registered. This means I only need one URL for example: staffpasswordregister.adatum.com

However, Staff and Students will require their own SSPR Reset Portal(s).

Staff will need to answer the questions in order to reset the password. Students will need to type in their received OTP to reset their password. Since connectivity to the SSPR Reset Portal is anonymous - how can this be done without actually setting up 2 different FIM environments?

April 6th, 2014 3:10am

As you noticed, the SSPR Reset Portal has anonymous access, so you cannot restrict it to one group. But why can't they both use the same reset page? They would have different gates to go on with.

For Registration - you can restrict this site to Staff Set, but for reset - you are unable to do so.

One idea here - maybe do it on a network level - proxy/ISA/TMG? So students (I assume they have their own VLAN) would not be able to connect to "StaffResetPage.adatum.com" and Staff would not be able to use "StudentResetPage.adatum.com".

But if, for example, UserA from Staff used "StudentResetPage.adatum.com" from a student's workstation, he would be able to proceed with his password change in this case.

April 6th, 2014 1:33pm

Unfortunately I don't see how Staff & Student could use the same 'anonymous' Reset Portal, for the following reasons:

  • Staff Reset Portal would invoke the Question & Answer activities.
  • Student Reset Portal would invoke the One-Time-Password activities.

There is no way of directing Staff or Student to the correct URL/Activity since the connection is anonymous.

Additionally, Students won't necessarily know which domain they are in, so we need to tweak the .config file for them (DefaultDomainName - http://technet.microsoft.com/en-us/library/jj134306%28v=ws.10%29.aspx).

While staff reside in a few domains/forests - they will need to type in their Domain\Username when Resetting Password.

I'm also not sure whether resolving this on a network level would work too...I am starting to think the only way to achieve this is to have 2 separate FIM Sync, Service, Portal and SSPR deployments...one for Staff and one for Students.

April 6th, 2014 4:37pm

Shim,

You should be able to do this using one password reset portal. As Dominik suggested above, you would have different triples (MPR/workflow/set), one for students, one for staff. The workflow for each of these would be different: one with a 'default' QA gate version of SSPR, the other using OTP. There have been similar solutions for having different questions presented to users using different languages, for example.

April 6th, 2014 11:01pm

Unfortunately I don't see how Staff & Student could use the same 'anonymous' Reset Portal, for the following reasons:

  • Staff Reset Portal would invoke the Question & Answer activities.
  • Student Reset Portal would invoke the One-Time-Password activities.

There is no way of directing Staff or Student to the correct URL/Activity since the connection is anonymous.

They would be directed to different password reset gates after they type their login. For example:

If you put DomainA\StaffUser1 as the login name on the screen, after clicking Next you would have the Q&A gate. If you put DomainB\Student30 as the login name, you would have the mail-OTP activity. So you can differentiate them on one password reset page.

Considering students don't know the domain - how would they log in to workstations without knowing it? If they used the "Domain\student" format, it would be accepted on the reset page, as would Student@domain.edu - both of them are accepted. DefaultDomainName would help here as students would not have to write the domain name, but on the password reset page you would still need the typical "domain\user" input.

April 7th, 2014 1:15am

Thank you Dominik, things are clearer now.

With regards to DefaultDomainName, are you saying this cannot be used on the FIM Password Reset page?

April 7th, 2014 3:25am

Yes, as far as I have tested this, you would receive "access denied" if you typed wrong credentials, and just an account name would be considered wrong creds. Examples are pretty clear:

So you have to use the DOMAIN\USER format or USER@UpnSuf.fix.

April 7th, 2014 2:43pm
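To illustrate the behaviour Dominik describes (one anonymous reset page, login must be DOMAIN\USER or USER@UpnSuffix, and Set membership picks the AuthN workflow's gates), here is an added PowerShell model. It is not FIM code and not from anyone in this thread; the Set names, gate names, sample accounts and UPN-suffix mapping are constructed.

```powershell
# Added model of a single anonymous reset portal dispatching by Set membership.
# Constructed data: Set -> gates of that Set's password reset AuthN workflow.
$SetWorkflows = @{
    'Staff'    = @('Q&A gate')       # Staff answer their registered questions
    'Students' = @('Mail OTP gate')  # Students type the one-time password
}

# Constructed directory: normalised DOMAIN\user -> Set the account belongs to.
$Membership = @{
    'domaina\staffuser1' = 'Staff'
    'domainb\student30'  = 'Students'
}

# Constructed UPN suffix -> NetBIOS domain mapping for USER@suffix logins.
$UpnSuffixes = @{ 'domain.edu' = 'DomainB' }

function Resolve-ResetLogin {
    # Returns a normalised 'domain\user' key, or $null when no domain can be
    # determined (a bare account name), which the portal treats as bad creds.
    param([string]$Login)
    if ($Login -match '^(?<dom>[^\\@]+)\\(?<user>[^\\@]+)$') {
        return ('{0}\{1}' -f $Matches.dom, $Matches.user).ToLowerInvariant()
    }
    if ($Login -match '^(?<user>[^\\@]+)@(?<suf>[^\\@]+)$') {
        $dom = $UpnSuffixes[$Matches.suf.ToLowerInvariant()]
        if ($dom) {
            return ('{0}\{1}' -f $dom, $Matches.user).ToLowerInvariant()
        }
    }
    return $null
}

function Get-ResetGates {
    # Maps the typed login to the gates the user would see after clicking Next.
    param([string]$Login)
    $key = Resolve-ResetLogin $Login
    if (-not $key) { return 'Access denied' }
    $set = $Membership[$key]
    if (-not $set) { return 'Access denied' }   # not in any reset-enabled Set
    return $SetWorkflows[$set]
}

Get-ResetGates 'DomainA\StaffUser1'    # Q&A gate
Get-ResetGates 'Student30@domain.edu'  # Mail OTP gate
Get-ResetGates 'Student30'             # Access denied (no domain)
```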
