The Login Assistance Workflow in EmpowerID is designed to help users resolve login issues. It provides step-by-step instructions for problems related to password recovery, account lockouts, and difficulties with Multi-Factor Authentication (MFA) on the Azure and EmpowerID platforms. Depending on the problem the user selects, the wizard can reset passwords, unlock accounts, issue an Azure Temporary Access Pass, or reset MFA.

Capabilities of the Login Assistance Workflow

The Login Assistance Workflow helps users achieve the following:

  • Reset Passwords: Reset passwords and unlock locked accounts for both EmpowerID and Azure logins.

  • Send Azure Temporary Access Pass (TAP): Provide temporary access to Azure accounts.

  • Reset Azure MFA: Unblock or unenroll users from Azure Multi-Factor Authentication (MFA).

  • Reset EmpowerID MFA: Unblock or unenroll users from EmpowerID MFA and delete all MFA assets and preferences.

Authentication Methods

The process employs a combination of automated and manual methods to authenticate the user's identity:

  • Automated Methods: For users enrolled in Multi-Factor Authentication (MFA), the system uses MFA to resolve login issues. If a user is not enrolled in MFA but can access a registered personal email or mobile phone, the system attempts to send a One-Time Password (OTP) to that contact to resolve the issue.

  • Manual Methods: If the OTP is not received or the user has no suitable contact method, a business request or task is initiated as a fallback. This requires an approval process in which a designated individual vouches for the user's identity before the login issue is resolved.
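The routing and OTP handling described above, modelled in Python as an added example (this is not EmpowerID's code). The comments refer to the workflow parameters documented in the next section (OTPValidityDurationInMinutes, SendPasswordToEmail, SendPasswordToMobile); the numeric values, the retry and attempt limits, and the class and function names are assumptions made for the illustration:

```python
"""Illustrative model of the Login Assistance routing and OTP handling.

Added example, not EmpowerID's code. Parameter values, the retry and
attempt limits, and all names here are assumptions for the illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

OTP_VALIDITY_MINUTES = 10   # assumed value for OTPValidityDurationInMinutes
MAX_DELIVERY_RETRIES = 3    # assumed: "No, I did not receive it" re-sends before the manual request
MAX_VERIFY_ATTEMPTS = 5     # assumed: wrong passcodes tolerated before the challenge is discarded


@dataclass
class Profile:
    login: str
    mfa_methods: list = field(default_factory=list)   # e.g. ["EmpowerID Mobile Authenticator"]
    email: Optional[str] = None
    mobile: Optional[str] = None


def choose_path(profile: Profile, send_to_email: bool = True, send_to_mobile: bool = True) -> str:
    """Mirror the wizard's order of preference: registered MFA first, then an OTP to a
    registered contact (subject to the SendPasswordToEmail / SendPasswordToMobile
    switches), and only then the manual vouching request."""
    if profile.mfa_methods:
        return "mfa"
    if (send_to_email and profile.email) or (send_to_mobile and profile.mobile):
        return "otp"
    return "manual_request"


class OtpService:
    """Issues short-lived one-time passcodes and checks each one at most once."""

    def __init__(self, validity_minutes: int = OTP_VALIDITY_MINUTES,
                 clock: Callable[[], float] = time.time):
        self.validity = validity_minutes * 60
        self.clock = clock
        self.pending: dict = {}    # login -> [code, expires_at, wrong_attempts]

    def issue(self, login: str) -> str:
        # Re-issuing replaces the earlier code, so a re-send invalidates the previous passcode.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login] = [code, self.clock() + self.validity, 0]
        return code   # handed to the email/SMS template; never echoed to the requesting browser

    def verify(self, login: str, submitted: str) -> bool:
        entry = self.pending.get(login)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= MAX_VERIFY_ATTEMPTS:
            del self.pending[login]      # expired or exhausted: the user must request a new code
            return False
        entry[2] += 1
        ok = (isinstance(submitted, str) and submitted.isascii()
              and hmac.compare_digest(code, submitted))   # constant-time comparison
        if ok:
            del self.pending[login]      # single use
        return ok


class RecoverySession:
    """Tracks the 'Did you receive the OTP?' loop and escalates to identity validation."""

    def __init__(self, profile: Profile, otp: OtpService):
        self.profile = profile
        self.otp = otp
        self.deliveries = 0
        self.state = choose_path(profile)

    def send_otp(self) -> Optional[str]:
        """Send (or re-send) the code. After MAX_DELIVERY_RETRIES sends the wizard
        stops retrying and offers the manual identity-validation request instead."""
        if self.state != "otp":
            return None
        if self.deliveries >= MAX_DELIVERY_RETRIES:
            self.state = "manual_request"
            return None
        self.deliveries += 1
        return self.otp.issue(self.profile.login)

    def submit_passcode(self, submitted: str) -> bool:
        """A correct passcode moves the session on to the Change Password step."""
        if self.state != "otp":
            return False
        if self.otp.verify(self.profile.login, submitted):
            self.state = "change_password"
            return True
        return False
```

The two limits matter in practice: without an expiry and a cap on wrong attempts, a six-digit code delivered to an account-recovery endpoint is brute-forceable, and without a cap on re-sends the "No" loop becomes an SMS/email flooding primitive against the registered contact.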

Configuring the Login Assistance Workflow

Step 1: Configure Workflow Parameters

The Login Assistance Self Service Wizard workflow provides extensive customization options, enabling administrators to modify the fields displayed to users of the workflow. The customizable parameters are listed below and allow you to adapt the workflow to your organization's specific requirements.

List of Parameters

  • AzureADSCIMConnectorAssembly: Specifies the assembly information for the Azure AD SCIM connector. Default: SCIMAzureConnector,Version=4.0.180.1,Culture=neutral,PublicKeyToken=2d2253f74d4496ef

  • AzureADSCIMConnectorType: Defines the type of the Azure AD SCIM connector (TheDotNetFactory.Framework.ClassLibrary.AzureAuthenticationMethodsProvider).

  • CallBackURLDomain: Specifies the domain for the callback URL (e.g., https://api.empoweriam.com, https://self.empoweriam.com).

  • DateTimeFormatForEmail: Specifies the date and time format used for TAP expiration dates in emails (e.g., dddd, dd MMMM yyyy HH:mm:ss).

  • DefaultAccountStoreFQNForPersonLookup: Specifies the default account store fully qualified name (FQN) used for person lookup (e.g., https://linux-scim-aad.azurewebsites.net).

  • EmailMessageNameForTAP: Specifies the email message template used for TAP emails. The default template is LoginAssistanceAzureTAPEmail.

  • IsAzureFirstTimeLoginIssueEnabled: Determines whether the Azure first-time login problem is shown or hidden. If set to true, users see the option "Need help logging into Azure for the first time (TAP)" to resolve issues logging in for the first time with an Azure account.

  • IsCreateCollaborationTask: Determines whether to generate an old-style workflow task instead of a business request.

  • IsMFAIssueEnabled: Determines whether the MFA issue option is displayed. If enabled, users can select "I recall my password, but I am unable to perform multi-factor authentication" in the wizard.

  • IsPasswordIssueEnabled: Determines whether the password issue option is displayed. If enabled, users can select "I'm unable to remember my password or I've gotten locked out" to resolve login issues caused by a forgotten password or a lockout.

  • IsTestMode: When enabled, the wizard relaxes certain restrictions, such as the "hasAccess" check. Leave this disabled outside test environments, since it weakens the checks that protect the recovery flow.

  • IsUnknownIssueEnabled: Determines whether the unknown issue option is shown or hidden. If enabled, the wizard shows the "I'm not sure what the problem is, but I can't log in" option.

  • OAuthConsumerID: Specifies the OAuth consumer ID used for Twilio/SendGrid.

  • OTPValidityDurationInMinutes: Specifies how long an OTP remains valid, in minutes.

  • SendPasswordToEmail: Determines whether the system sends the OTP to the email linked to the account when assisting with login through email and phone.

  • SendPasswordToMobile: Determines whether the system sends the OTP to the mobile phone linked to the account when assisting with login through email and phone.

  • SendPasswordToPersonalEmail: Determines whether the system sends the OTP to the personal email provided by the user when assisting with login through email and phone.

  • SendPasswordToTwilioSMS: Determines whether the OTP is sent via Twilio SMS.

  • SendPasswordToTwilioVoiceCall: Determines whether the OTP is sent via Twilio voice call.

  • SendTAPForAzureMFAIssue: If set to true, a TAP is sent instead of performing an MFA reset for Azure MFA issues.

  • SkipEmpowerIDMFA: Specifies whether to skip EmpowerID MFA.

  • SMSOTPKeyEntryName: Specifies the SMS message template for OTP delivery. The default template is PasswordResetCenterOTPSMSMessage.

  • TwilioOTPVoiceMessageTemplateName: Specifies the Twilio voice call template for OTP delivery.

  • WhichLoginIdP: Allows you to enforce a specific Identity Provider (IdP) and hide the UI option for selecting one. If the value is "all", the selection option is not hidden and users can choose from all available IdPs during assistance. To hide the option and enforce a specific IdP, replace "all" with the desired IdP identifier or name.


To configure workflow parameters, do the following:

  1. On the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Login Assistance Self Service Wizard.

  3. Click the Display Name of the workflow to navigate to its View One page.

  4. On the View One page, expand the Request Workflow Parameters accordion and search for the parameter you need to configure. In this example, we set the IsUnknownIssueEnabled parameter to false, which means the wizard will not show the "I'm not sure what the problem is, but I can't log in" option.

  5. Click the Edit button for the parameter, enter false in the Value field, and click Save.

  6. Repeat the steps above to adjust any other parameter values as needed.

Step 2: Review the Business Request Approval Policy

If the automated validation of a user's request is unsuccessful, the system falls back to manual approval by creating a business request. This step involves human verification and can be customized to fit particular needs. The following steps guide you through viewing and modifying the policies that govern the manual identity verification process.

  1. On the navbar, expand Low Code/No Code Workflow and click No Code Flows.

  2. Click the Business Request Type tab and search for Login Assistance Voucher. Click the edit icon to enter edit mode for the business request type.

  3. In edit mode, you will see that the approval policy is currently set to the Login Assistance Voucher Approval Policy. This is the standard policy used for business requests that require manual identity verification.

  4. Click the Login Assistance Voucher Approval Policy link to navigate to the details page for the approval policy. Scroll to the Approval Steps in Policy accordion to view the specific steps configured for the policy.

  5. To modify the approval policy, refer to the guide on handling user requests for resource access policies.

Step 3: Using the Login Assistance Workflow

  1. To receive help logging in to EmpowerID, click the Login Assistance Workflow link on the login screen.

  2. Enter either your EmpowerID login name or the email associated with your account.

  3. Select your Identity Provider (IdP) based on your authentication method: Microsoft Azure AD or EmpowerID. If you log in using EmpowerID, follow the instructions under Login Assistance Options for EmpowerID; if you log in using Azure, skip to Login Assistance Options for Microsoft Azure.

Login Assistance Options for EmpowerID

Option 1: I’m Unable to Remember My Password or I’ve Gotten Locked Out

This option allows users who cannot remember their password or have been locked out of their account to regain access.

  1. The system identifies all registered MFA methods and prompts you to select one.

  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow.

  3. If the account does not have an MFA registration:

    • The system locates the email and phone numbers registered for the user.

    • It attempts to send a One-Time Password (OTP) to either of them.

    • The wizard enters the Login Assistance with Email/Phone flow and guides you through recovery.

  4. If you cannot receive an email or a voice call for the OTP:

    • You can create a manual request to have someone vouch for you.

    • The wizard guides you through the recovery process using the Login Assistance by Requesting Identity Validation flow.

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option is useful for users who remember their password but face obstacles with MFA, such as losing their phone or acquiring a new one.

  1. The system locates the email and phone numbers registered for the user.

  2. It attempts to send a One-Time Password (OTP) to either of them.

  3. After verifying the OTP, you can reset the MFA registered for your account.

  4. Follow the instructions in Login Assistance by Resetting MFA to troubleshoot your login issue.

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

If you are facing login difficulties without a clear understanding of the underlying issue, selecting this option provides troubleshooting steps and guidance.

  • The wizard enters the Login Assistance by Requesting Identity Validation flow for login recovery.

Login Assistance Options for Microsoft Azure

Option 1: I'm Unable to Remember My Password or I've Gotten Locked Out

This option allows Azure users who cannot remember their password or have been locked out of their account to regain access.

  1. As with EmpowerID, the system identifies all registered MFA methods and prompts you to select one.

  2. The wizard guides you through the recovery process using the Login Assistance with MFA flow.

  3. If the account does not have an MFA registration:

    • The system locates the email and phone numbers registered for the user.

    • It attempts to send an OTP to either of them.

    • The wizard enters the Login Assistance with Email/Phone flow and guides you through recovery.

  4. If you cannot receive an email or a voice call for the OTP:

    • You can create a manual request for identity validation.

    • The wizard guides you through the Login Assistance by Requesting Identity Validation flow.

Option 2: I Remember My Password, but I Can't Perform Multi-Factor Authentication

This option assists Azure users who remember their password but cannot complete MFA, for example after losing their phone or acquiring a new one.

  1. The system locates the email and phone numbers registered for the user and sends an OTP to one of them.

  2. After verifying the OTP, you can reset your MFA settings.

  3. Follow the instructions in Login Assistance by Resetting MFA.

Option 3: I'm Not Sure What the Problem Is, but I Can't Log In

Select this option if you're unsure about the login issue.

  • The wizard initiates the Login Assistance by Requesting Identity Validation flow.

Login Assistance Flows

Login Assistance with MFA

If the administrator has established a password policy with more than 2 Level of Assurance (LOA) points, you might have to go through multiple rounds of multi-factor authentication.

  1. The system identifies all registered MFA methods and prompts you to choose your preferred method. Follow the instructions provided for your chosen method.

    Note: Your available MFA options may vary, as the wizard loads only the MFA methods configured for your account.

  2. After you choose your preferred MFA method, the wizard walks you through the necessary steps. For example, if you select the EmpowerID Mobile Authenticator, you are prompted to approve a push notification or enter the authentication code.

  3. Upon successful MFA, you are directed to the Change Password page, where you can reset your password.

  4. After you reset your password, the wizard provides a list of all the accounts for which the password has been changed.

Login Assistance with Email / Phone

To receive assistance via email or phone, users must ensure that their profile information includes their email address and phone number.

Tip: If the OTP cannot be delivered, you can ask someone to vouch for you. The person who can verify your identity depends on the approval policies set by the system administrator, so you can only select one of the available individuals.

  1. The system locates the email and phone numbers registered for your account and attempts to send a One-Time Password (OTP) to one of them.

  2. If you received the OTP, select Yes, enter the passcode, and click Next.

  3. Upon successful OTP verification, you are directed to the Change Password page to reset your password.

  4. The wizard lists all the accounts for which the password has been changed.

  5. If you have not received the OTP:

    1. Select No.

    2. The system retries sending the OTP.

    3. After several attempts, you are prompted to create a manual request for identity validation.

    4. Follow the instructions in Login Assistance by Requesting Identity Validation.

Login Assistance by Requesting Identity Validation

If all other options fail, you can request assistance for manual identity verification.

  1. When prompted, select Yes to create a request for manual identity verification.

  2. Provide the following details:

    • Message: Write a detailed message to the person who will vouch for your identity.

    • Share Email and Phone: Provide an email or phone number that you currently have access to. If the person vouching for you approves the request, you will receive an OTP at the contact details provided. This does not need to be the same as the contact configured in your profile. Because the OTP goes to a contact the requester supplies, the voucher's approval is the only identity check in this path; approvers should confirm the requester's identity out of band (for example, by a phone call to a known number or in person) before approving.

    • Select a Person to Vouch for You: Choose someone who can confirm your identity.

  3. Once you have submitted the request:

    • The approver receives the business request.

    • Upon approval, an OTP is sent to the email or phone number you provided.

    • Follow the instructions to complete the login assistance process.

Login Assistance by Resetting MFA

If your MFA isn't functioning properly:

  1. The system locates the email and phone numbers registered for your account and sends a One-Time Password (OTP). This allows you to reset your MFA and regain access to your account.

  2. If you have received the OTP, select Yes, enter your passcode, and click Next.

    Note: If you don't receive the OTP, click No to trigger the Login Assistance by Requesting Identity Validation flow.

  3. After OTP verification, you receive a warning that your existing MFA registrations will be deleted. Read it carefully and click Yes to continue.

  4. On the next screen, you receive instructions to:

    • Open a browser in incognito mode.

    • Navigate to My Apps (e.g., https://myapps.microsoft.com/?whr=tbdir.net).

    • Register a new MFA method for your account.

  5. Register your new MFA method and then attempt to log in again through the EmpowerID portal.