Password Reset Center Workflow Activities

When users enroll for Password Self-Service Reset, EmpowerID directs them to provide answers to a series of password challenge questions that they can use to identify themselves when resetting a forgotten password. Once enrolled, users can initiate a self-service reset of their password by clicking the Password link on the login page of the Web application. Clicking the link starts the PasswordResetCenter workflow, which is made up of a number of activities that control the flow of the password reset process. These activities and their roles in the workflow are discussed in greater detail below.

Many of these activities are customizations of common workflow activities. For a general discussion of these activities, see Common Workflow Activities.

 

Workflow-Specific Properties

In addition to the activities, the workflow itself has a number of properties, known as "Dependency Properties." Dependency Properties are a special type of property that can be bound from the workflow to one or more of the workflow's activities and vice versa. This ensures that the state of the workflow is maintained throughout its execution. For this workflow, a number of these Dependency Properties are workflow parameters that administrators can set in the EmpowerID Web application. These parameters or properties can then be used to direct the outcome of the workflow. Each property is listed below as Name (Type, Category), followed by its description.

CheckLockoutLive (Boolean, Input)
Specifies whether the workflow should make a live call to Active Directory Domain Controllers to check the lockout status of the person.

AskQuestions (Boolean, Input)
Specifies whether the person attempting to reset their password is to be presented with their challenge questions. The default value is true; however, the property can be changed on the Workflow Parameter management page of the Web application.

AskOTP (Boolean, Input)
Specifies whether the person attempting to reset their password is to be sent a one-time password to be used to reset their password. The default value is true; however, the property can be changed on the Workflow Parameter management page of the Web application. When AskOTP is used, AskQuestions must be set to false as well.

SendPasswordToEmail (Boolean, Input)
Specifies whether the one-time password can be delivered to the person via their primary email address. The default value is true; however, the property can be changed on the Workflow Parameter management page of the Web application. Additionally, for the one-time password to be delivered in this manner, the person must have a primary email address registered in EmpowerID.

SendPasswordToMobile (Boolean, Input)
Specifies whether the one-time password can be delivered to the person via their mobile phone. The default value is true; however, the property can be changed on the Workflow Parameter management page of the Web application. Additionally, for the one-time password to be delivered in this manner, the person must have a mobile number set on their person as well as a mobile phone provider selected.

SendPasswordToPersonalEmail (Boolean, Input)
Specifies whether the one-time password can be delivered to the person via their personal email address. The default value is true; however, the property can be changed on the Workflow Parameter management page of the Web application. Additionally, for the one-time password to be delivered in this manner, the person must have a personal email address registered in EmpowerID.

SendPasswordToTwilioSMS (Boolean, Input)
Specifies whether the one-time password can be delivered to the person via an SMS sent by Twilio. The default value is true; however, the property can be changed on the Workflow Parameter management page of the Web application. Additionally, for the one-time password to be delivered in this manner, the person must have a mobile number set on their person and the organization must have a Twilio account registered in EmpowerID.

SendPasswordToTwilioVoiceCall (Boolean, Input)
Specifies whether the one-time password can be delivered to the person via an automated voice call from Twilio. The default value is true; however, the property can be changed on the Workflow Parameter management page of the Web application. Additionally, for the one-time password to be delivered in this manner, the person must have a mobile number set on their person and the organization must have a Twilio account registered in EmpowerID.

TwilioOTPVoiceMessageTemplateName (String, Input)
Specifies the template to be used when sending the one-time password via the Twilio API. Unless a value is specified, the default EmpowerID template will be used.

OAuthConsumerID (String, Input)
Specifies the OAuthConsumerID for the PasswordResetCenter request workflow. The default value is generated by EmpowerID; however, the property can be changed on the Workflow Parameter management page of the Web application.

UnlockOnly (String, Input)
Specifies whether to just unlock the account or to both unlock the account and reset the password. The value is input by the user. Set to false by default, this property applies only when the organization is using one-time passwords rather than challenge questions.

Silent Errors with Twilio

In three scenarios the error is written only to the event log and is not reported to the user:

  • The phone number field requires a country code and fails silently if one is not provided.

  • If the phone number is invalid, the page fails silently.

  • If a person does not have a phone number, the page reports success even though no message was sent.

IdentifyYourself Activity

This activity presents users with the Credentials form, which contains fields for inputting their EmpowerID login or email, as well as a Captcha to ensure the workflow is being initiated by a real person.
When setting activity properties, the following properties are important:

Each property is listed as Name (Type), followed by its description.

Enabled (Boolean)
Specifies whether the activity is enabled or not. If an activity is not enabled it will not participate in the execution of the workflow. Set to True by default, this value should not be changed.

FormDecision (Control)
This places a control on the form, such as a button, and specifies the logic that should occur when the control is interacted with. In the case of this activity, the property must be set to Requested as it is used to validate the Captcha value.

ImpersonatePersonID (Int32)
Specifies the person, if any, the activity is to execute under. In this case, the value is set to -1, which represents an anonymous identity. This value should not be changed.

ResourceTypeOperationID (Int32)
Identifies the Resource Type Operation associated with the activity. Resource Type Operations are blocks of code that, when executed, perform one or more actions against a selected resource object. In this case, the value is set to -1 as no operations are being executed against any resources. This value should not be changed.

SucceedExecuteCode (String)
Specifies the event handler for the activity. In general terms, event handlers contain code that is executed when the activity with the handler is encountered in a workflow. In this case the handler is an empty stub that simply allows the workflow logic to continue according to the line rules that connect it to the other activities.

AnswerQuestions Activity

This activity is executed if the AskQuestions workflow parameter is set to true, the AskOTP workflow parameter is set to false, and the person initiating the workflow is successfully identified.
AnswerQuestions is a compiled activity, meaning that it is derived from another activity that has been previously developed, compiled and published into an assembly from Workflow Studio. To open or edit the original activity, right-click on AnswerQuestions and select Open/Edit Original Activity from the context menu.

Doing so opens the AnswerEnrollmentQuestions activity in the Workflow Studio Activity Designer.

AnswerEnrollmentQuestions Activity

AnswerEnrollmentQuestions is a flowchart activity, which means the activity itself is made up of a number of activities, properties and line rules that determine how the logic flows both within the activity itself and, ultimately, within the PasswordResetCenter workflow. A discussion of properties and activities follows.

The properties in the following table were added to the activity when it was developed. Known as "Dependency Properties," these properties can be bound from activity to activity, as well as to the workflow itself. This allows their values to remain consistent throughout the workflow execution. For example, the TargetPerson property is bound to the TargetPerson property in the IdentifyYourself activity. You can view these properties by clicking the Properties tab located above the Activity Designer. Each property is listed as Name (Type, Category), followed by its description.

RecoveryResult (RecoveryResult)
The value of this property is set dynamically during workflow execution, based on whether the person successfully answers the challenge questions. Possible values include:

  • NotEnrolled

  • Recovered

  • Lockout

  • DenyAccess

  • NotLicensed

  • FailRecovery

  • Recovering

  • EnrollmentExpired

  • InvalidEnrollment

  • UnableToRetrieveQuestions

TargetPerson (Person Component, Input)
Specifies the person performing the Self-Service Password Reset. The value is set on the IdentifyYourself activity and passed to this activity.

recoveryManager (RecoveryManager, N/A)
This is used to instantiate a new instance of the base RecoveryManager class for the TargetPerson. This class has methods, properties and enums used to help the person initiating the workflow (the TargetPerson) to reset their password.

recoveryAttempt (RecoveryAttempt, N/A)
This is used to instantiate a new instance of the base RecoveryAttempt class for the TargetPerson. This class has methods and properties for presenting the challenge questions associated with the person attempting to reset their password and for evaluating the answers provided to those questions.

BaseProperties (WorkflowActivationProperties, N/A)
Gets and sets the base properties of the parent workflow. These properties are defined in the TheDotNetFactory.Framework.Workflow.Common.WorkflowActivationProperties class.

When the AnswerEnrollmentQuestions activity is encountered in the workflow, the logic flows to the GetPersonQuestions activity.

GetPersonQuestions

GetPersonQuestions is a SystemCodeActivity activity with a handler that checks whether the person associated with the EmpowerID Login or email address submitted by the TargetPerson is enrolled for Password Self-Service Reset. If the person is enrolled the logic flows to the AnswerQuestion activity; if the person is not enrolled, the logic flows to the InvalidEnrollmentMessage activity and exits.

The code for the GetPersonQuestions activity is as follows. Comments have been added for clarity.

    // Instantiate a new instance of the RecoveryManager class, passing in TargetPerson
    recoveryManager = new RecoveryManager(TargetPerson);

    // Set the RecoveryResult property to the recoveryManager status
    RecoveryResult = recoveryManager.Status;

    // If the person is not enrolled for Password Self-Service Reset, display the
    // invalid enrollment message and exit the activity; otherwise, begin the recovery process
    // by executing the AnswerQuestion Form activity
    if (RecoveryResult != RecoveryStatus.Recovering)
        InvalidEnrollmentMessage.Message = this.GetRecoveryStatusMessage(RecoveryResult);
    else
    {
        this.InitializeRecoveryAttempt();
    }

    // Set the Title and Description properties for the InvalidEnrollmentMessage Bubble activity
    InvalidEnrollmentMessage.ControlTitle = "EmpowerIDApplicationGeneralMessages_MessageBoxRequestStatusTitle";
    InvalidEnrollmentMessage.ControlDescription = "EmpowerIDApplicationGeneralMessages_MessageBoxRequestStatusDesc";

    // Set the Title and Description properties for the AnswerQuestion Form activity
    AnswerQuestion.ControlTitle = "PasswordManagerQuestions_AnswerQuestionsTitle";
    AnswerQuestion.ControlDescription = "PasswordManagerQuestions_AnswerQuestionsDesc";

AnswerQuestion

If the TargetPerson is enrolled, the logic flows to the AnswerQuestion activity. AnswerQuestion is a Form activity; when it executes it presents a form that randomly selects one of that user's challenge questions and asks them to provide the answer.
The answer is submitted to the ValidateAnswer activity, which checks whether the answer is correct and then either routes back to the AnswerQuestion activity or the InvalidEnrollmentMessage activity. The process continues until either the user correctly answers all of the challenge questions required by the Password Manager Policy that is assigned to them or becomes locked out of the Recovery Center.

ValidateAnswer

This activity is a SystemCodeActivity activity with a handler that checks whether the answer to the challenge question submitted by the TargetPerson is correct, setting the Status property on the base AnswerRecoveryQuestionResult class accordingly.

The code for the ValidateAnswer activity is as follows. Comments have been added for clarity.

    // Instantiate a new instance of the AnswerRecoveryQuestionResult class,
    // passing in the answer to the challenge question provided by the person
    AnswerRecoveryQuestionResult AnswerRecoveryQuestionResult = recoveryAttemp.AnswerQuestion(AnswerQuestion.Answer);

    // Set the RecoveryResult property to the AnswerRecoveryQuestionResult status.
    // If the person answered the question correctly, the status is set to Recovering
    RecoveryResult = AnswerRecoveryQuestionResult.Status;

    // Reset the answer to an empty string for the next iteration
    AnswerQuestion.Answer = "";

    // If the person answered the question correctly the status is set to Recovering
    // and the next question is presented
    if (AnswerRecoveryQuestionResult.Status == RecoveryStatus.Recovering)
    {
        AnswerQuestion.Question = AnswerRecoveryQuestionResult.NextQuestion;
    }
    else
    {
        // If the status is not Recovered, the person did not correctly answer the challenge
        // question: call SetFailedAttempt(). If the status is Recovered, exit the activity
        if (AnswerRecoveryQuestionResult.Status != RecoveryStatus.Recovered)
        {
            recoveryManager.SetFailedAttempt();

            // If the person has reached the maximum number of failed attempts, set the status to
            // Lockout; otherwise, call InitializeRecoveryAttempt() and present the next question
            if (recoveryManager.Status == RecoveryStatus.Lockout)
            {
                RecoveryResult = recoveryManager.Status;
                InvalidEnrollmentMessage.Message = this.GetRecoveryStatusMessage(RecoveryResult);
            }
            else
            {
                InitializeRecoveryAttempt();
            }
        }
    }
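The GetPersonQuestions, AnswerQuestion and ValidateAnswer flow described above, modelled as an added Python example (this is not EmpowerID's RecoveryManager or RecoveryAttempt code; the Enrollment class, the max_failed_attempts limit and the deterministic cycling through questions are constructed assumptions, and answers are compared as normalised hashes with a constant-time comparison):

```python
import hashlib
import hmac
from enum import Enum
from typing import List, Optional, Tuple


class RecoveryStatus(Enum):
    """Subset of the RecoveryResult values listed on the page."""
    NotEnrolled = "NotEnrolled"
    Recovering = "Recovering"
    Recovered = "Recovered"
    Lockout = "Lockout"


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive comparison of answers (an assumption of this model)
    return " ".join(answer.strip().lower().split())


def _digest(text: str) -> str:
    return hashlib.sha256(_normalize(text).encode("utf-8")).hexdigest()


class Enrollment:
    """Constructed stand-in for a person's enrollment: questions, hashed answers, and the
    Password Manager Policy's required number of correct answers and failed-attempt limit."""

    def __init__(self, qa_pairs: List[Tuple[str, str]], required: int, max_failed_attempts: int = 3):
        self.questions = [q for q, _ in qa_pairs]
        self.answer_digests = [_digest(a) for _, a in qa_pairs]  # plaintext answers are never kept
        self.required = required
        self.max_failed = max_failed_attempts


class RecoveryAttempt:
    """Hypothetical model of the AnswerQuestion -> ValidateAnswer loop (not EmpowerID's class).
    Questions are cycled in order rather than chosen at random so the behaviour is testable."""

    def __init__(self, enrollment: Optional[Enrollment]):
        self.e = enrollment
        self.index = 0     # question currently shown
        self.correct = 0   # correct answers in the current recovery attempt
        self.failed = 0    # failed attempts counted by SetFailedAttempt()
        self.status = RecoveryStatus.NotEnrolled if enrollment is None else RecoveryStatus.Recovering

    def current_question(self) -> Optional[str]:
        if self.status is not RecoveryStatus.Recovering:
            return None
        return self.e.questions[self.index]

    def _next_question(self) -> None:
        self.index = (self.index + 1) % len(self.e.questions)

    def answer(self, text: str) -> RecoveryStatus:
        """ValidateAnswer: evaluate one answer and return the resulting status."""
        if self.status is not RecoveryStatus.Recovering:
            return self.status  # nothing to do once Recovered, Lockout or NotEnrolled
        if hmac.compare_digest(_digest(text), self.e.answer_digests[self.index]):
            self.correct += 1
            if self.correct >= self.e.required:
                self.status = RecoveryStatus.Recovered  # policy satisfied: proceed to the reset
            else:
                self._next_question()                   # NextQuestion is presented
        else:
            self.failed += 1                             # SetFailedAttempt()
            if self.failed >= self.e.max_failed:
                self.status = RecoveryStatus.Lockout     # locked out of the Recovery Center
            else:
                self.correct = 0                         # InitializeRecoveryAttempt(): start over
                self._next_question()
        return self.status


def sample_enrollment() -> Enrollment:
    """Constructed sample data: three questions, two correct answers required, two failures allowed."""
    return Enrollment(
        [("What was the name of your first pet?", "Fluffy"),
         ("In which city were you born?", "Lagos"),
         ("What was your first car?", "Mini")],
        required=2,
        max_failed_attempts=2,
    )
```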

UnableToIdentifyPersonManager Activity

UnableToIdentifyPersonManager is a Bubble activity that displays to the user the value of the Message property, which in this case is "Unable to retrieve your account". This activity is only executed when the EmpowerID Login or email address submitted to the IdentifyYourself activity by the user does not belong to an EmpowerID Person.

For a general discussion of the properties associated with Bubble activities, see Bubble Activities.

SetFormOptions Activity

This activity only executes if the AskOTP workflow parameter is set to true and the AskQuestions workflow parameter is set to false. These parameters are Boolean properties of the PasswordResetCenter workflow that can be set by administrators in the Web application.

SetFormOptions is a SystemCodeActivity activity with a handler that checks certain attributes on the person attempting to reset their password, as well as the corresponding workflow parameters, to determine which Password Reset Options should be displayed to the user by the ResetOptions Form activity. The code for the SetFormOptions activity is as follows. Comments have been added for clarity.

    // Give the person the option to have their one-time password sent to their personal email if the
    // SendPasswordToPersonalEmail parameter is true and the person has a personal email address set on their person
    ResetOptions.ShowPersonalEmail = !string.IsNullOrEmpty(IdentifyYourself.TargetPerson.PersonalEmail) && (this.SendPasswordToPersonalEmail);

    // Give the person the option to have their one-time password sent to their primary email address
    // if the SendPasswordToEmail parameter is true and the person has a primary email address set on their person
    ResetOptions.ShowPrimaryEmail = !string.IsNullOrEmpty(IdentifyYourself.TargetPerson.Email) && (this.SendPasswordToEmail);

    // Give the person the option to have their one-time password sent via a phone call if SendPasswordToTwilioVoiceCall is true
    // and the person has a mobile phone number set on their person and the organization has a Twilio account registered in EmpowerID
    ResetOptions.ShowVoiceCall = !string.IsNullOrEmpty(IdentifyYourself.TargetPerson.MobilePhone) && (this.OAuthConsumerID != null) && (this.SendPasswordToTwilioVoiceCall);

    // Give the person the option to have their one-time password sent via a text message if SendPasswordToTwilioSMS is true
    // and the person has a mobile phone number set on their person and the organization has a Twilio account registered in EmpowerID
    ResetOptions.ShowSMSToMobile = !string.IsNullOrEmpty(IdentifyYourself.TargetPerson.MobilePhone) && (this.OAuthConsumerID != null) && (this.SendPasswordToTwilioSMS);

    // Mask the email addresses shown on the form: keep at most the first four characters of each
    if (IdentifyYourself.TargetPerson.Email != null)
    {
        ResetOptions.EmailFriendlyName = IdentifyYourself.TargetPerson.Email.Substring(0, Math.Min(4, IdentifyYourself.TargetPerson.Email.Length)) + "***********";
    }
    if (IdentifyYourself.TargetPerson.PersonalEmail != null)
    {
        ResetOptions.PersonalEmailFriendlyName = IdentifyYourself.TargetPerson.PersonalEmail.Substring(0, Math.Min(4, IdentifyYourself.TargetPerson.PersonalEmail.Length)) + "***********";
    }

    // Mask the mobile number: keep only its last four characters (if the value contains an "@",
    // the number of characters kept is the position of the "@" less one)
    string s = IdentifyYourself.TargetPerson.MobilePhone;
    if (s != null)
    {
        int ii = 4;
        string ss = "*";
        if (s.IndexOf("@") > 0) ii = s.IndexOf("@") - 1;
        ii = Math.Min(ii, s.Length); // guard added here: Substring would throw if the value is shorter than ii
        for (int i = 0; i < s.Length - ii; i++)
        {
            ss = ss + "*";
        }
        s = ss + s.Substring(s.Length - ii);
        ResetOptions.MobilePhoneFriendlyName = s;
    }
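The option gating and masking performed by the SetFormOptions handler, as an added Python example (not EmpowerID code; the Person and Params classes are constructed stand-ins for the TargetPerson attributes and workflow parameters, and the length clamp in mask_phone is an added guard the page's handler does not have):

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Person:
    """Constructed stand-in for the TargetPerson attributes read by SetFormOptions."""
    email: Optional[str] = None
    personal_email: Optional[str] = None
    mobile_phone: Optional[str] = None


@dataclass
class Params:
    """Constructed stand-in for the workflow parameters (all default to true, as on the page)."""
    send_password_to_email: bool = True
    send_password_to_personal_email: bool = True
    send_password_to_twilio_sms: bool = True
    send_password_to_twilio_voice_call: bool = True
    oauth_consumer_id: Optional[str] = None  # None models "no Twilio account registered"


def mask_email(address: str) -> str:
    """Keep at most the first four characters, as Substring(0, Min(4, Length)) + "***********" does."""
    return address[:4] + "***********"


def mask_phone(number: str) -> str:
    """Keep the last four characters; if the value contains "@", keep IndexOf("@") - 1 characters.
    The clamp is an added guard: the page's Substring call throws when the value is shorter than that."""
    keep = 4
    at = number.find("@")
    if at > 0:
        keep = at - 1
    keep = max(0, min(keep, len(number)))
    stars = "*" * (len(number) - keep + 1)  # the handler starts with one "*" and adds one per hidden char
    return stars + number[len(number) - keep:]


def reset_options(person: Person, params: Params) -> Tuple[Dict[str, bool], Dict[str, str]]:
    """Return the Show* flags and the masked *FriendlyName values the ResetOptions form receives."""
    has_mobile = bool(person.mobile_phone)
    twilio_registered = params.oauth_consumer_id is not None
    show = {
        "ShowPersonalEmail": bool(person.personal_email) and params.send_password_to_personal_email,
        "ShowPrimaryEmail": bool(person.email) and params.send_password_to_email,
        "ShowVoiceCall": has_mobile and twilio_registered and params.send_password_to_twilio_voice_call,
        "ShowSMSToMobile": has_mobile and twilio_registered and params.send_password_to_twilio_sms,
    }
    # Friendly names are built whenever the attribute is not None, even when it is empty,
    # mirroring the handler's != null checks (an empty address yields just the stars)
    names: Dict[str, str] = {}
    if person.email is not None:
        names["EmailFriendlyName"] = mask_email(person.email)
    if person.personal_email is not None:
        names["PersonalEmailFriendlyName"] = mask_email(person.personal_email)
    if person.mobile_phone is not None:
        names["MobilePhoneFriendlyName"] = mask_phone(person.mobile_phone)
    return show, names
```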

ResetOptions Activity

ResetOptions is a Form activity that is executed if the AskOTP workflow parameter is set to true and the AskQuestions workflow parameter is set to false.

The form displays to the user the reset options passed to it from the SetFormOptions activity. For example, the form offers both the primary and the personal email options to a user when the following conditions are true:

  • The AskOTP workflow parameter is set to true

  • The AskQuestions workflow parameter is set to false

  • The SendPasswordToEmail parameter is true and the person has a primary email address set on their person

  • The SendPasswordToPersonalEmail parameter is true and the person has a personal email address set on their person

For a general discussion of Form activities and the relevant properties associated with those activities, see Form Activities.

SyncProperties Activity

This activity is a SystemCodeActivity activity with a handler that syncs the value of each corresponding SendPersonOneTimePassword property of the ValidateTOTP activity (discussed below) with the option selected by the user on the ResetOptions Form activity. It also sets the value of the UnlockOnly property on the workflow based on the input of the user.

The code for the SyncProperties activity is as follows.

    ValidateTOTP.SendPersonOneTimePassword_SendPasswordToEmail = ResetOptions.PrimaryEmail;
    ValidateTOTP.SendPersonOneTimePassword_SendPasswordToPersonalEmail = ResetOptions.PersonalEmail;
    ValidateTOTP.SendPersonOneTimePassword_SendPasswordTwilioSMS = ResetOptions.SMSToMobile;
    ValidateTOTP.SendPersonOneTimePassword_SendPasswordTwilioVoiceCall = ResetOptions.VoiceCall;
    UnlockOnly = !ResetOptions.UnlockAndReset;

For a general discussion of SystemCodeActivity activities and the relevant properties associated with those activities, see SystemCodeActivity activities.

ValidateTOTP Activity

This activity is executed if the AskOTP workflow parameter is set to true, the AskQuestions workflow parameter is set to false, and the person has selected a valid reset option from the ResetOptions Form activity.

ValidateTOTP is a compiled activity, meaning that it is derived from another activity that has been previously developed, compiled and published into an assembly from Workflow Studio. As such, it inherits the properties of that activity, which you can change as needed.

Additionally, you can modify the underlying original activities. However, if you do so, you will need to recompile and publish them to make the changes a part of the workflow.

The relevant properties for the ValidateTOTP activity are as follows. Each property is listed as Name (Type, Category), followed by its description.


Password (String, Input)
Specifies the one-time password. The value of this property is dynamically generated at runtime by the activity or activities in the deriving assembly.

PersonID (Int32, Input)
Specifies the PersonID of the person (TargetPerson) attempting to reset their password. The value of this property is set at runtime to the PersonID of the TargetPerson object.

MaxReTry (Int32, Input)
Specifies the maximum number of times the person can attempt to retry entering the one-time password when prompted to do so. Set to 0 by default.

RetryCount (Int32, Input)
Specifies the current number of retry attempts. Set to 0 by default.

IsValid (Boolean, Output)
Specifies whether the one-time password submitted by the user is correct. Set to false by default.

SendPersonOneTimePassword_NumberOfDigitsInOneTimePassword (Int32, Input)
Specifies the number of digits to be included in the one-time password being sent to the person. The default value is 6.

SendPersonOneTimePassword_NumberOfLowerCaseLettersInOneTimePassword (Int32, Input)
Specifies the number of lower case letters to be included in the one-time password being sent to the person. The default value is 0.

SendPersonOneTimePassword_NumberOfSpecialCharactersInOneTimePassword (Int32, Input)
Specifies the number of special characters to be included in the one-time password being sent to the person. The default value is 0.

SendPersonOneTimePassword_NumberOfUpperCaseLettersInOneTimePassword (Int32, Input)
Specifies the number of upper case letters to be included in the one-time password being sent to the person. The default value is 0.

SendPersonOneTimePassword_OAuthConsumerID (String, Input)
Specifies the OAuthConsumerID for the PasswordResetCenter workflow. The value for this property is derived from the OAuthConsumerID workflow property, which is bound to the OAuthConsumerID workflow parameter.

SendPersonOneTimePassword_OneTimePasswordLength (Int32, Input)
Specifies the total number of digits, characters and letters in the one-time password being sent to the person. The default value is 6.

SendPersonOneTimePassword_OneTimePasswordValidationDurationInMinites (Int32, Input)
Specifies the length of time in minutes that the one-time password remains valid. If the allotted time passes before the person uses the one-time password, a new password must be sent. The default value is 10.

SendPersonOneTimePassword_SendPasswordToEmail (Boolean, Input)