The Login Assistance Workflow in EmpowerID is designed to help users resolve login issues. It provides step-by-step instructions for problems related to password recovery, account lockouts, and difficulties with Multi-Factor Authentication (MFA) on the Azure and EmpowerID platforms.

Capabilities of the Login Assistance Workflow

The Login Assistance Workflow helps users achieve the following:

  • Reset Passwords: Reset passwords and unlock locked accounts for both EmpowerID and Azure logins.

  • Send Azure Temporary Access Pass (TAP): Provide temporary access to Azure accounts.

  • Reset Azure MFA: Unblock or unenroll users from Azure Multi-Factor Authentication (MFA).

  • Reset EmpowerID MFA: Unblock or unenroll users from EmpowerID Multi-Factor Authentication (MFA) and delete all MFA assets and preferences.

Authentication Methods

The process employs both automated and manual methods to authenticate user identity:

  • Automated Methods: For users enrolled in Multi-Factor Authentication (MFA), the system utilizes MFA to assist in resolving login issues. If a user is not enrolled in MFA but can access a personal email or mobile phone, the system attempts to send a One-Time Password (OTP) to resolve the issue.

  • Manual Methods: If the OTP is not received or the user does not have a suitable contact method, a business request or task is initiated as a fallback option. This requires an approval process where a designated individual vouches for the user's identity to resolve the login issue.

Configuring the Login Assistance Workflow

Step 1: Configure Workflow Parameters

The Login Assistance Self Service Wizard workflow provides extensive customization options, enabling administrators to modify the fields displayed to users of the workflow. These customizable parameters are presented in the table below and allow you to adapt the workflow to your organization's specific requirements and preferences.

Parameters

AzureADSCIMConnectorAssembly
  Specifies the assembly information for the Azure AD SCIM connector. Default: SCIMAzureConnector,Version=4.0.180.1,Culture=neutral,PublicKeyToken=2d2253f74d4496ef

AzureADSCIMConnectorType
  Defines the type of Azure AD SCIM connector. Default: TheDotNetFactory.Framework.ClassLibrary.AzureAuthenticationMethodsProvider

CallBackURLDomain
  Specifies the domain for the callback URL (e.g., https://api.empoweriam.com).

DateTimeFormatForEmail
  Specifies the date and time format used for TAP expiration dates in emails (e.g., dddd, dd MMMM yyyy HH:mm:ss).

DefaultAccountStoreFQNForPersonLookup
  Specifies the default account store fully qualified name (FQN) used for person lookup (e.g., https://linux-scim-aad.azurewebsites.net).

EmailMessageNameForTAP
  Specifies the email message template name used for TAP emails. The default template is LoginAssistanceAzureTAPEmail.

IsAzureFirstTimeLoginIssueEnabled
  Determines whether to show or hide Azure first-time login as a problem. If set to true, users will see the option "Need help logging into Azure for the first time (TAP)" to help them resolve issues logging in for the first time with an Azure account.

IsCreateCollaborationTask
  Determines whether to generate an old-style workflow task instead of a business request.

IsMFAIssueEnabled
  Decides whether the MFA issue should be displayed. Enabling it makes the option "I recall my password, but I am unable to perform multi-factor authentication" available for the user to select in the wizard.

IsPasswordIssueEnabled
  Determines whether to display the password issue option. If enabled, the user will be able to access the "I'm unable to remember my password or I've gotten locked out" option, which can assist them in resolving login issues caused by a forgotten password.

IsTestMode
  When enabled, the wizard relaxes certain restrictions, such as the "hasAccess" check.

IsUnknownIssueEnabled
  Determines whether to show or hide the unknown issue problem option in the wizard. If enabled, the wizard will show the "I'm not sure what the problem is but I can't log in" option.

OAuthConsumerID
  Specifies the OAuth consumer ID used for Twilio/SendGrid.

OTPValidityDurationInMinutes
  Specifies the validity duration of the OTP in minutes.

SendPasswordToEmail
  Determines whether the system will send the OTP to the email linked to the account when assisting with logging in through email and phone.

SendPasswordToMobile
  Determines whether the system will send the OTP to the mobile phone linked to the account when assisting with logging in through email and phone.

SendPasswordToPersonalEmail
  Determines whether the system will send the OTP to the personal email provided by the user when assisting with logging in through email and phone.

SendPasswordToTwilioSMS
  Determines whether to send the password via Twilio SMS.

SendPasswordToTwilioVoiceCall
  Determines whether to send the password via Twilio Voice Call.

SendTAPForAzureMFAIssue
  If set to true, a TAP will be sent instead of an MFA reset for Azure MFA issues.

SkipEmpowerIDMFA
  Specifies whether to skip EmpowerID MFA.

SMSOTPKeyEntryName
  Specifies the SMS message template for OTP delivery. The default template is PasswordResetCenterOTPSMSMessage.

TwilioOTPVoiceMessageTemplateName
  Specifies the Twilio voice call OTP delivery template.

WhichLoginIdP
  Allows you to specify a specific Identity Provider (IdP) and hide the UI option to select one. If the value is set to "all", the UI option to select an IdP is not hidden, and users can choose from all available IdPs during the assistance. To hide the UI option and enforce a specific IdP, replace the value "all" with the desired IdP identifier or name.


Configure Workflow Parameters

To configure workflow parameters, do the following:

  1. On the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Login Assistance Self Service Wizard.

  3. Click the Display Name for the workflow.

  4. On the View One page for the workflow, expand the Request Workflow Parameters accordion and search for the parameter you need to configure. In this example, we set the IsUnknownIssueEnabled parameter to false, which means that the wizard will not show the "I'm not sure what the problem is, but I can't log in" option on the screen.

  5. Click the Edit button for the parameter, enter false in the Value field for IsUnknownIssueEnabled, and click Save.

  6. Repeat the above steps to adjust any other parameter values as needed.
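As an added example (not part of the EmpowerID documentation or product), the following Python script reviews a copy of the parameter values from the table above and flags settings that weaken the assistance flow, such as IsTestMode relaxing the "hasAccess" check or a long OTP validity. It assumes the values have been copied out of the Request Workflow Parameters accordion into a dict of name to string value; the thresholds, severities and sample values are the example's own assumptions.

```python
"""Review Login Assistance Self Service Wizard parameters for risky values.

Added example, not part of the EmpowerID product. The parameter names are
those documented for the wizard; thresholds and severities are assumptions.
"""

OTP_MAX_MINUTES = 15  # assumed review threshold, not a product default

OTP_CHANNELS = [
    "SendPasswordToEmail", "SendPasswordToMobile",
    "SendPasswordToTwilioSMS", "SendPasswordToTwilioVoiceCall",
]


def _is_true(value):
    """Parameter values are typed as text in the Value field."""
    return str(value).strip().lower() == "true"


def review_login_assistance_parameters(params):
    """Return a list of (severity, parameter, message) findings."""
    findings = []

    # IsTestMode relaxes restrictions such as the hasAccess check.
    if _is_true(params.get("IsTestMode", "false")):
        findings.append(("high", "IsTestMode",
                         "relaxes the hasAccess check; set to false in production"))

    # A long-lived OTP widens the window in which a leaked code is usable.
    raw = params.get("OTPValidityDurationInMinutes")
    try:
        minutes = int(raw)
    except (TypeError, ValueError):
        findings.append(("medium", "OTPValidityDurationInMinutes",
                         "missing or non-numeric value: %r" % (raw,)))
    else:
        if minutes > OTP_MAX_MINUTES:
            findings.append(("medium", "OTPValidityDurationInMinutes",
                             "OTP valid for %d minutes, above the %d minute "
                             "review threshold" % (minutes, OTP_MAX_MINUTES)))

    # The callback domain carries the OTP and TAP links; require TLS.
    callback = str(params.get("CallBackURLDomain", ""))
    if not callback.startswith("https://"):
        findings.append(("medium", "CallBackURLDomain",
                         "callback domain should use https, got %r" % callback))

    # A personal email is supplied by the requester, so it is a weaker
    # binding than the addresses already on the account.
    if _is_true(params.get("SendPasswordToPersonalEmail", "false")):
        findings.append(("medium", "SendPasswordToPersonalEmail",
                         "OTP may go to an address typed by the requester"))

    # With no automated channel, every request falls back to manual vouching.
    if not any(_is_true(params.get(c, "false")) for c in OTP_CHANNELS):
        findings.append(("low", "SendPasswordTo*",
                         "no OTP delivery channel enabled"))

    # Old-style tasks are created instead of the business request type that
    # carries the Login Assistance Voucher Approval Policy.
    if _is_true(params.get("IsCreateCollaborationTask", "false")):
        findings.append(("low", "IsCreateCollaborationTask",
                         "old-style task instead of a business request; "
                         "confirm who approves it"))
    return findings


# Constructed sample, not values from a real tenant.
SAMPLE_PARAMS = {
    "IsTestMode": "true",
    "OTPValidityDurationInMinutes": "60",
    "CallBackURLDomain": "https://api.empoweriam.com",
    "SendPasswordToEmail": "true",
    "SendPasswordToPersonalEmail": "true",
    "IsCreateCollaborationTask": "false",
}

if __name__ == "__main__":
    for severity, name, message in review_login_assistance_parameters(SAMPLE_PARAMS):
        print("%-6s %-32s %s" % (severity, name, message))
```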

Step 2: Review the Business Request Approval Policy

If the automated validation of a user's request is unsuccessful, the system proceeds with manual approval by creating a business request. This step involves human verification that can be customized to fulfill particular needs. The following steps guide you on how to view and modify the policies that regulate the manual identity verification process.

  1. On the navbar, expand Low Code/No Code Workflow and click No Code Flows.

  2. Click the Business Request Type tab and search for the Login Assistance Voucher. Click the edit icon to activate the edit mode of the business request type.

  3. While in edit mode, you'll observe that the approval policy is configured to the Login Assistance Voucher Approval Policy. This is the standard policy used for handling business requests that demand manual verification of identity.

  4. Click the Login Assistance Voucher Approval Policy link to navigate to the details page for the approval policy. Scroll to find the Approval Steps in Policy accordion to view the specific steps configured for the policy.

  5. To modify the approval policy, refer to the comprehensive guide on handling user requests for resource access policies located here.

Step 3: Use the Login Assistance Workflow

  1. To receive help logging in to EmpowerID, click the Login Assistance Workflow on the login screen.

  2. Enter either your EmpowerID login name or the email associated with your account.

  3. Select Your Identity Provider (IdP): Choose between Microsoft Azure or EmpowerID, based on your authentication method.

    • If you log in using EmpowerID, follow the instructions below; if you log in using Azure, skip to Login Assistance Options for Microsoft Azure.

Login Assistance Options for EmpowerID

Option 1: I’m Unable to Remember My Password or I’ve Gotten Locked Out

This option allows users who cannot remember their password or have been locked out of their account to regain access.

  1. The system identifies all registered MFA methods and prompts you to select one.

  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow.

  3. If the account does not have MFA registration:

    • The system locates the email and phone numbers registered for the user.

    • It attempts to send a One-Time Password (OTP) to either of them.

    • The wizard enters the Login Assistance with Email/Phone flow and guides you through recovery.

  4. If you cannot receive an email or a voice call for the OTP:

    • You can create a manual request to have someone vouch for you.

    • The wizard guides you through the recovery process using the Login Assistance by Requesting Identity Validation flow.

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option is useful for users who remember their password but face obstacles with MFA, such as losing their phone or acquiring a new one.

  1. The system locates the email and phone numbers registered for the user.

  2. It attempts to send a One-Time Password (OTP) to either of them.

  3. You can reset the multi-factor authentication registered for your account.

  4. Follow the instructions in Login Assistance by Resetting MFA to troubleshoot your login issue.

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

If you are facing login difficulties without a clear understanding of the underlying issue, selecting this option will provide helpful troubleshooting steps and guidance.

  • The wizard enters the Login Assistance by Requesting Identity Validation flow for login recovery.

Login Assistance Options for Microsoft Azure

Option 1: I'm Unable to Remember My Password or I've Gotten Locked Out

This option allows Azure users who cannot remember their password or have been locked out of their account to regain access.

  1. Similar to EmpowerID, the system identifies all registered MFA methods and prompts you to select one.

  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow.

  3. If the account does not have MFA registration:

    • The system locates the email and phone numbers registered for the user.

    • It attempts to send an OTP to either of them.

    • The wizard enters the Login Assistance with Email/Phone flow and guides you through recovery.

  4. If you cannot receive an email or a voice call for the OTP:

    • You can create a manual request for identity validation.

    • The wizard guides you through the recovery process using the Login Assistance by Requesting Identity Validation flow.

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option assists Azure users who remember their password but are unable to complete MFA.

  1. The system sends an OTP to your registered email or phone.

  2. You can reset your MFA settings after verifying the OTP.

  3. Follow the instructions in Login Assistance by Resetting MFA.

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

Select this option if you're unsure about the login issue.

  • The wizard initiates the Login Assistance by Requesting Identity Validation flow.

Login Assistance Flows

Login Assistance with MFA

Tip: If the administrator has established a password policy with more than 2 Level of Assurance (LOA) points, you might have to go through multiple rounds of multi-factor authentication (MFA).

  1. The system identifies all registered MFA methods and prompts you to choose your preferred multi-factor authentication method. Follow the instructions provided for your chosen method.

    Note: Your available MFA options may vary, as the wizard loads the MFA methods configured for your account.

  2. After choosing your preferred MFA method, the wizard walks you through the necessary steps. Refer here for more detailed instructions on completing the MFA process.

    • For example, if you select the EmpowerID Mobile Authenticator, you will be prompted to approve a push notification or enter the authentication code.

  3. Upon successful MFA, you are directed to the "Change Password" page, where you can then proceed to reset your password.

  4. After resetting your password, the wizard provides a list of all the accounts for which the password has been changed.

Login Assistance with Email / Phone

Tip: To receive assistance via email or phone, users must ensure that their profile information includes their email address and phone number.

  1. The system locates the email and phone numbers registered for your account and attempts to send a One-Time Password (OTP).

  2. If you have received the OTP, select Yes and proceed to enter the passcode.

  3. If you have not received the OTP:

    1. Select No.

    2. The system will retry sending the OTP.

    3. After several attempts, you will be prompted to create a manual request for identity validation.

    4. Follow the instructions in Login Assistance by Requesting Identity Validation.

  4. Upon successful OTP verification, you are directed to the Change Password page to reset your password.

  5. The wizard provides a list of all the accounts for which the password has been changed.

Login Assistance by Requesting Identity Validation

Tip: The person who can verify your identity depends on the approval policies set by the system administrator. Therefore, you can only select one of the available individuals.

If all other options fail, you can opt for manual identity verification by requesting assistance.

  1. When prompted, select Yes to create a request for manual identity verification.

  2. Provide the following details:

    • Message: Write a detailed message to the person who will vouch for your identity.

    • Share Email and Phone: Provide an email or phone number that you currently have access to. If the person vouching for you confirms it, you will receive an OTP at the details provided. This does not need to be the same as the one configured in your profile.

    • Select a Person to Vouch for You: Choose someone who can confirm your identity.

  3. Once you have submitted the request:

    • The approver will receive the business request.

    • Upon approval, an OTP will be sent to the email or phone number you provided.

    • Follow the instructions to complete the login assistance process.

Login Assistance by Resetting MFA

If your MFA isn't functioning properly:

  1. The system locates the email and phone numbers registered for your account and sends a One-Time Password (OTP).

  2. If you have received the OTP, select Yes and then enter your passcode.

    Note: If you don't receive the OTP, click No to trigger the Login Assistance by Requesting Identity Validation flow to help you log in.

  3. Enter the passcode and click Next.

  4. After OTP verification, you will receive a warning indicating that your existing MFA registrations will be deleted. Read it carefully and click Yes to continue.

  5. On the next screen, you will receive instructions:

    • Open a browser in incognito mode.

    • Navigate to My Apps.

    • Register a new MFA for your account.

  6. Register your new MFA and attempt to log in again through the EmpowerID portal.
