FIM 2010 R2 - Web-Based Password Reset, Part 2

Web-Based Password Reset is not just about writing a web client in ASP.NET. I have mentioned that a few times when talking to different people. Anyone can do that by writing their own WCF client, and if reverse engineering the FIM WebService protocol is too hard, there is the open source client supported by the community. In fact, BlueVault has done exactly that. It definitely would not be too hard for us to do. However, when we think through the scenarios in depth, we realize that most customers want web-based SSPR so that people not connected to the network can also reset their password. That implies exposing not only the portal but, indirectly, also FIMService to the extranet. This makes us rethink our security model.

In this blog post and the coming few ones, I am going to talk about a few improvements related to the security aspect of web-based SSPR.

Scenario

In FIM 2010, password reset from the intranet required users to authenticate themselves using the QA Gate. In R2, when IT pros expose web-based SSPR to the extranet, they might want additional authentication for added security (e.g. an RSA token) while keeping intranet reset as easy as before.

What is Security Context?

We tackle this scenario by introducing something called the security context, which can be found in the extended attributes of the request.

namespace Microsoft.ResourceManagement.WebServices.WSResourceManagement
{
    // Carried in the extended attributes of a request; Extranet marks requests
    // that arrived through an extranet-facing SSPR portal.
    public enum SecurityContext
    {
        Extranet,
        NoneSpecified
    }
}

A request tagged with Extranet means it comes from the SSPR portal that is serving requests coming from the extranet.

How does Security Context Work?

If you look at the new workflow designer UI, you will notice that some of the gate-configuration pages have an extra section for SecurityContext. The description is self-explanatory: if set to Extranet, the activity/gate will only be run if the request comes from the extranet.

How do I Configure SecurityContext Tagged in Requests from SSPR Portals?

During setup, there is an option to specify this.

That translates to <add key="SecurityContextAssertion" value="[Extranet|NoneSpecified]" /> in "C:\Program Files\Microsoft Forefront Identity Manager\2010\Password [Registration|Reset] Portal\Web.config".
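Because an extranet-facing portal left at NoneSpecified would silently skip every gate you configured as extranet-only, it is worth reading the key back rather than trusting the setup dialog. The following PowerShell is an added example, not part of the original post; it assumes the key sits under <configuration><appSettings> in Web.config, which the <add key=... /> syntax above implies, and it runs against a constructed sample file so it can be tried offline.

```powershell
# Added example: audit the SecurityContextAssertion key of an SSPR portal.
# Assumption: the key lives under <configuration><appSettings> in Web.config.
function Test-SsprSecurityContext {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        # What this portal is supposed to assert: Extranet for the portal
        # published to the extranet, NoneSpecified for the intranet one.
        [Parameter(Mandatory)][ValidateSet('Extranet', 'NoneSpecified')]
        [string]$Expected
    )

    [xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
    $entries = @($config.configuration.appSettings.add |
        Where-Object { $_.key -eq 'SecurityContextAssertion' })

    # Last <add> wins in appSettings, so report that one if duplicates exist.
    $actual = if ($entries.Count -eq 0) { $null } else { $entries[-1].value }

    [pscustomobject]@{
        WebConfig = $WebConfigPath
        Expected  = $Expected
        Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
        # A missing or mismatched value is a finding either way.
        Compliant = ($actual -eq $Expected)
    }
}

# Constructed sample: an extranet-facing reset portal still set to NoneSpecified.
$sampleWebConfig = @'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SecurityContextAssertion" value="NoneSpecified" />
  </appSettings>
</configuration>
'@
$samplePath = Join-Path ([IO.Path]::GetTempPath()) 'sspr-sample-web.config'
Set-Content -LiteralPath $samplePath -Value $sampleWebConfig

# Reports Compliant = False, because the portal should assert Extranet.
Test-SsprSecurityContext -WebConfigPath $samplePath -Expected Extranet | Format-List

# Against a real install, point it at the path from the post, e.g.:
# Test-SsprSecurityContext -Expected Extranet -WebConfigPath `
#   'C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Portal\Web.config'
```

Run it once per portal (Registration and Reset, intranet and extranet) with the value each one is meant to assert; any row with Compliant = False means the gates' SecurityContext filter is not seeing the context you intended.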