Self-service password reset (SSPR) question and answer (QA) gate complexity criteria in FIM 2010 R2

In Forefront Identity Manager (FIM) 2010 it is possible for a user to provide the same answer for each question when registering for SSPR.  There is also no control on the minimum length of an answer, whether it must have a number or not, etc.

FIM 2010 R2 (release candidate) supports QA gate complexity constraints via regular expressions.  In the QA gate activity settings in addition to defining the total number of questions, the number of questions displayed and required during registration, and the number of questions displayed and required during reset (as well as the new security context option that defines whether the gate applies to extranet or all) there are some new settings:

  • Allow duplicate answers.  A Boolean value, implemented as a checkbox that, as the name implies, permits the same answer when checked.  For most of us this will remain unchecked.
  • Answer constraint.  A regular expression that defines the permissible structure and complexity of answers, i.e. you can define the minimum and maximum length, allowed characters, etc.  This answer constraint is a global setting –there is not one constraint per question.
  • Message to user that describes uniqueness and answer text constraints.  As the label implies this is the string that defines (displays) the constraints on the registration page.
  • Terse inline error message to user for answers that violate uniqueness or text constraints.  Again, as the label nicely describes, this is the error string presented on a per-answer input basis if the answer does not match the regex defined as the answer constraint.

This is a long awaited and great improvement to the core functionality of SSPR.  To close this post and summarise the above here’s a screenshot.



About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in FIM, FIM 2010 R2, News, Self Service Password Reset and tagged , , , , , , , . Bookmark the permalink.

3 Responses to Self-service password reset (SSPR) question and answer (QA) gate complexity criteria in FIM 2010 R2

  1. Pingback: Web-based Self-Service Password Reset with FIM 2010 R2 | Dominik's Cloud Security Blog

  2. David Graham says:

    We have gone live last year with SSPR and left ‘Allow Duplicate Answers’ unchecked and minimum password length of 4. Now some key stakeholders want to see that the password length be changed to 3 and we allow duplicate answers. Can this be changed now without affecting the existing registration?

    • My understanding is yes, you can make this configuration change without the invalidating the existing gate registrations. I would look to test in a lab to be 100% sure ahead of rolling into production, but I asked around and the general consensus (all untested :)) is that this will be fine.

      Sorry for the delay in responding!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s