Login Assistance Workflow

The login assistance workflow in EmpowerID (EID) helps users resolve login issues. It offers step-by-step instructions for problems related to password recovery, account lockouts, and multi-factor authentication (MFA) on the Azure and EmpowerID platforms. The possible outcomes of the wizard are:

  • Resetting passwords for persons and their accounts, and unlocking locked accounts, for both EID and Azure logins.

  • Sending an Azure Temporary Access Pass (TAP) for temporary access to Azure.

  • Resetting Azure Multi-Factor Authentication (MFA) by unblocking the user or unenrolling them from it.

  • Resetting EmpowerID Multi-Factor Authentication (MFA) by unblocking or unenrolling the user and deleting all of their MFA assets and preferences.

The workflow uses automated and manual methods to verify the user's identity before acting. If the user is enrolled in MFA, an enrolled factor is used to verify them. If the user is not enrolled in MFA but has a registered email address or mobile number, the workflow sends a one-time password (OTP) to that contact. If the OTP cannot be received, or the user has no suitable contact method, the workflow falls back to a business request (or, optionally, a workflow task) that must be approved by a designated person who vouches for the user's identity before the login issue is resolved.

Procedure

Step 1: Configure workflow parameters

The Login Assistance Self Service Wizard workflow provides extensive customization options, enabling you to control which problem options and delivery channels users see. The customizable parameters are listed in the table below, allowing you to adapt the workflow to your organization's requirements.

List of parameters

Name

Description

AzureADSCIMConnectorAssembly

Specifies the assembly information for the Azure AD SCIM connector, e.g. SCIMAzureConnector,Version=4.0.180.1,Culture=neutral,PublicKeyToken=2d2253f74d4496ef

AzureADSCIMConnectorType

Specifies the type name of the Azure AD SCIM connector, e.g. TheDotNetFactory.Framework.ClassLibrary.AzureAuthenticationMethodsProvider

CallBackURLDomain

Specifies the domain for the callback URL, e.g. https://api.empoweriam.com.

DateTimeFormatForEmail

Specifies the .NET date and time format string used for the TAP (Temporary Access Pass) expiration date in emails, e.g. dddd, dd MMMM yyyy HH:mm:ss

DefaultAccountStoreFQNForPersonLookup

Specifies the fully qualified name (FQN) of the default account store used for person lookup, e.g. https://linux-scim-aad.azurewebsites.net

EmailMessageNameForTAP

Specifies the email message template name used for TAP emails. The default email template is LoginAssistanceAzureTAPEmail.

IsAzureFirstTimeLoginIssueEnabled

Determines whether the Azure first-time login problem is shown. If set to true, users see the “Need help logging into Azure for the first time (TAP)“ option, which helps them log in for the first time with an Azure account.

IsCreateCollaborationTask

Determines whether the manual identity-validation fallback generates an old-style workflow task instead of a business request.

IsMFAIssueEnabled

Determines whether the MFA (Multi-Factor Authentication) issue option is displayed. If enabled, the user can select "I remember my password, but I can't perform multi-factor authentication" in the wizard.

IsPasswordIssueEnabled

Determines whether the password issue option is displayed. If enabled, the user can select "I'm unable to remember my password or I've gotten locked out", which resolves login issues caused by a forgotten password or a locked account.

IsTestMode

When enabled, the wizard relaxes certain restrictions, such as the "hasAccess" check. Use it only in test environments and leave it false in production, since it removes a control the workflow otherwise applies.

IsUnknownIssueEnabled

Determines whether the unknown issue option is shown in the wizard. If enabled, the wizard shows the “I'm not sure what the problem is, but I can't log in“ option.

OAuthConsumerID

Specifies the OAuth consumer ID used for Twilio/SendGrid.

OTPValidityDurationInMinutes

Specifies how long an OTP (One-Time Password) remains valid, in minutes.

SendPasswordToEmail

In the email/phone flow, determines whether the OTP may be sent to the email address linked to the account.

SendPasswordToMobile

In the email/phone flow, determines whether the OTP may be sent to the mobile number linked to the account.

SendPasswordToPersonalEmail

In the email/phone flow, determines whether the OTP may be sent to the personal email address provided by the user.

SendPasswordToTwilioSMS

Determines whether the OTP may be sent by Twilio SMS.

SendPasswordToTwilioVoiceCall

Determines whether the OTP may be sent by Twilio voice call.

SendTAPForAzureMFAIssue

If set to true, a TAP is sent instead of an MFA reset when the user reports an Azure MFA issue.

SkipEmpowerIDMFA

Specifies whether to skip the EmpowerID MFA (Multi-Factor Authentication) step. When skipped, only the OTP and manual-vouching steps remain to verify the user.

SMSOTPKeyEntryName

Specifies the SMS message template used for OTP delivery. The default template is PasswordResetCenterOTPSMSMessage.

TwilioOTPVoiceMessageTemplateName

Specifies the Twilio voice call template used for OTP delivery.

WhichLoginIdP

Specifies a single Identity Provider (IdP) and hides the IdP selector in the UI. If the value is "all", the selector is shown and users can choose from all available IdPs during assistance. To hide the selector and enforce a specific IdP, replace "all" with that IdP's identifier or name.


To configure workflow parameters, do the following:

  1. On the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Login Assistance Self Service Wizard.

  3. Click the Display Name for the workflow.



  4. On the View One page for the workflow, expand the Request Workflow Parameters accordion and search for the parameter you need to configure. In this example, we set IsUnknownIssueEnabled to false, so the wizard no longer shows the “I'm not sure what the problem is, but I can't log in“ option.

  5. Click the edit button for the parameter, enter false for IsUnknownIssueEnabled in the Value field, and click Save.

     

  6. Repeat these steps to adjust any other parameter.
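The parameters above interact: the Is*IssueEnabled flags decide which problem options a user sees, WhichLoginIdP decides whether the IdP selector appears, the SendPasswordTo* flags decide which OTP channels exist, and SkipEmpowerIDMFA and IsTestMode remove checks. The following Python is an added example for this page, not EmpowerID code; it models those rules as described in the table so you can reason about a parameter set before saving it. The dictionary layout, the profile fields (email, personal_email, mobile, mfa_enrolled) and the 15-minute OTP ceiling in the review function are this example's assumptions; the parameter names and option labels are the documented ones.

```python
"""How the documented Login Assistance parameters gate the wizard.

Added example for this page; it is not EmpowerID code and does not talk to
the product. Parameter names and option labels are the documented ones; the
dict layout, the profile fields and the review threshold are assumptions.
"""

# Constructed sample values (not documented defaults), as strings like the UI.
SAMPLE_PARAMS = {
    "IsPasswordIssueEnabled": "true",
    "IsMFAIssueEnabled": "true",
    "IsUnknownIssueEnabled": "true",
    "IsAzureFirstTimeLoginIssueEnabled": "true",
    "IsTestMode": "false",
    "SkipEmpowerIDMFA": "false",
    "SendPasswordToEmail": "true",
    "SendPasswordToMobile": "true",
    "SendPasswordToPersonalEmail": "true",
    "SendPasswordToTwilioSMS": "false",
    "SendPasswordToTwilioVoiceCall": "false",
    "OTPValidityDurationInMinutes": "10",
    "WhichLoginIdP": "all",
}

# Each SendPasswordTo* flag needs a matching contact on the profile.
OTP_CHANNEL_FLAGS = {
    "SendPasswordToEmail": "email",
    "SendPasswordToPersonalEmail": "personal_email",
    "SendPasswordToMobile": "mobile",
    "SendPasswordToTwilioSMS": "mobile",
    "SendPasswordToTwilioVoiceCall": "mobile",
}


def flag(params, name):
    """Parameter values are strings in the UI; only 'true' (any case) is on."""
    return str(params.get(name, "false")).strip().lower() == "true"


def idp_choices(params):
    """WhichLoginIdP='all' keeps the IdP selector; any other value forces one IdP."""
    which = str(params.get("WhichLoginIdP", "all")).strip().lower()
    return ["empowerid", "azure"] if which == "all" else [which]


def wizard_options(params, idp):
    """Problem options shown on the wizard for the chosen IdP."""
    options = []
    if flag(params, "IsPasswordIssueEnabled"):
        options.append("I'm unable to remember my password, or I've gotten locked out")
    if flag(params, "IsMFAIssueEnabled"):
        options.append("I remember my password, but I can't perform multi-factor authentication")
    if idp == "azure" and flag(params, "IsAzureFirstTimeLoginIssueEnabled"):
        options.append("Need help logging into Azure for the first time (TAP)")
    if flag(params, "IsUnknownIssueEnabled"):
        options.append("I'm not sure what the problem is, but I can't log in")
    return options


def otp_channels(params, profile):
    """Channels the wizard can try: flag on AND contact present on the profile."""
    return [name for name, field in OTP_CHANNEL_FLAGS.items()
            if flag(params, name) and profile.get(field)]


def recovery_path(params, profile):
    """Fallback order from the page: enrolled MFA, then an OTP to a registered
    contact, then a business request that an approver must vouch for."""
    if profile.get("mfa_enrolled") and not flag(params, "SkipEmpowerIDMFA"):
        return "mfa"
    if otp_channels(params, profile):
        return "otp"
    return "voucher_request"


def review_parameters(params, max_otp_minutes=15):
    """Findings a reviewer would raise before enabling the workflow in
    production. The 15-minute ceiling is this example's assumption."""
    findings = []
    if flag(params, "IsTestMode"):
        findings.append("IsTestMode=true relaxes the hasAccess check; keep it false outside test")
    if flag(params, "SkipEmpowerIDMFA"):
        findings.append("SkipEmpowerIDMFA=true bypasses enrolled MFA; only OTP and voucher remain")
    if not any(flag(params, n) for n in OTP_CHANNEL_FLAGS):
        findings.append("no SendPasswordTo* channel is on; every non-MFA user falls to the voucher request")
    raw = params.get("OTPValidityDurationInMinutes", "")
    minutes = int(raw) if str(raw).isdigit() else 0
    if not 0 < minutes <= max_otp_minutes:
        findings.append(f"OTPValidityDurationInMinutes={raw!r} is outside 1..{max_otp_minutes}")
    return findings
```

Run review_parameters over the values you are about to save; a non-empty list means a user can reach the wizard with a check relaxed or with no OTP channel, which pushes every non-MFA user onto the manual vouching path.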

Step 2: Configure the business request approval policy

If automated validation of the user's identity is unsuccessful, the workflow falls back to a business request that requires manual approval. This human verification step can be customized to fit your needs. The following steps show how to view the policies that govern the manual identity verification process.

  1. On the navbar, expand Low Code/No Code Workflow and click No Code Flows.

  2. Click the Business Request Type tab and search for Login Assistance Voucher. Click the edit icon to put the business request type into edit mode.




  3. In edit mode, you will see that the approval policy is set to Login Assistance Voucher Approval Policy. This is the standard policy used for business requests that require manual verification of identity.



  4. Click on the Login Assistance Voucher Approval Policy link, which will help you navigate to the details page for the approval policy. Scroll and find the Approval Steps in Policy accordion to view the specific steps configured for the policy.


     

  5. To modify the approval policy, refer to the guide on approval policies for resource access requests.

Step 3: Run the Workflow

  1. To receive help logging in to EmpowerID, click Login Assistance Workflow on the login screen.

     

  2. The first step is identification. Enter either your EID login name or the email address associated with your account.

     

  3. Select your identity provider based on how you log in: Azure AD or EmpowerID. If you choose “I log in using EmpowerID”, follow the instructions below; if you use Azure login, skip to step 4.

    • I'm unable to remember my password, or I've gotten locked out: for users who cannot remember their password or have been locked out of their account.

      • The wizard finds all MFA methods registered for the account and prompts you to choose one. It then guides you through the Login assistance with MFA flow.

      • If the account has no MFA registration, the wizard finds the email addresses and phone numbers registered for the user and attempts to send a one-time password to one of them. It then enters the Login assistance with email/phone flow.

      • If you cannot receive the OTP by email or voice call, you can create a manual request for someone to vouch for you. The wizard then enters the Login assistance by requesting identity validation flow.

    • I remember my password, but I can't perform multi-factor authentication (lost or new phone or another issue): for users who know their password but cannot complete MFA, for example because they lost their phone or acquired a new one. The wizard finds the email addresses and phone numbers registered for the user and attempts to send a one-time password to one of them so that you can reset the MFA registered for your account. Follow the instructions in Login assistance by resetting MFA.

    • I'm not sure what the problem is, but I can't log in: for users who cannot identify the underlying issue. The wizard enters the Login assistance by requesting identity validation flow.

  4. If you choose “I log in using Microsoft Azure”, the same three problem options are offered and each follows the same flow as described for EmpowerID in step 3. Two parameters change the Azure behaviour: if IsAzureFirstTimeLoginIssueEnabled is true, a fourth option, “Need help logging into Azure for the first time (TAP)”, is shown; and if SendTAPForAzureMFAIssue is true, the MFA option sends a Temporary Access Pass instead of resetting Azure MFA.

Login assistance with MFA

If the administrator has configured a password policy that requires more than 2 level-of-assurance (LOA) points, the user may have to complete more than one round of multi-factor authentication (MFA).

  1. The wizard has identified all MFA methods registered for your account and prompts you to choose one. Follow the instructions for the method you choose. Your options may differ from the image below, as the wizard loads the MFA methods configured for your account.

     

  2. After you choose an MFA method, the wizard walks you through the necessary steps; see the MFA documentation for detailed instructions on completing the challenge. The screenshot below shows what you see if you select the EID mobile authenticator.

     

  3. To complete the authenticator challenge, either approve the push notification or enter the authentication code.

  4. You are then directed to the "Change Password" page, where you can reset your password.

     

  5. Finally, the wizard lists all the accounts for which the password has been changed.


Login assistance with email/phone

To receive assistance by email or phone, the user's profile must include an email address and a phone number.

  1. If the account has no MFA registration, the wizard finds the email addresses and phone numbers registered for the user and attempts to send a one-time password to one of them.

     

  2. If you received the One-Time Password (OTP), choose "Yes" and continue with the steps below. If you did not receive it, choose “No”; the wizard retries delivery, and after a few retries it shows a screen offering to create a request for someone to validate your identity manually. Follow the instructions in Login assistance by requesting identity validation to create the request.

  3. Enter the passcode and click Next.

     

  4. You are then directed to the "Change Password" page, where you can reset your password.

     

  5. Finally, the wizard lists all the accounts for which the password has been changed.

Login assistance by requesting identity validation

Who can verify your identity depends on the approval policies set by the system administrator; you can only choose from the individuals the policy makes available.

  1. If all other options fail, you can request manual identity verification. A screen appears offering to create a request for manual identity verification. Click Yes to proceed.



     

  2. Provide the details for your request:

    • Message: a detailed message for the person you are asking to vouch for your identity.

    • Share Email and Phone: the email address or phone number you currently have access to. Once the person vouching for you approves, an OTP is sent to the contact you provide here. It does not need to match the one configured in your profile, so the approver's judgement is the only control on where the OTP goes; approvers should confirm the request with the requester out of band before approving.

    • Select a Person to Vouch for You: the person who will confirm your identity.

       

  3. Once you have raised the request, the approver receives the business request.

  4. Once the approver approves your request, an OTP is sent to the email address or phone number you provided.
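The email/phone flow, the identity-validation flow above and the MFA-reset flow below all end in the same step: an OTP that is valid for OTPValidityDurationInMinutes is sent out of band and entered once. The Python below is an added example for this page, not EmpowerID code; it shows how such an OTP should be issued and checked (random code, salted hash at rest, single use, expiry, attempt limit, constant-time comparison) and how the voucher variant withholds the code until the approver has approved. The record layout, the six-digit length, the five-attempt limit and the sample people and contacts are this example's assumptions.

```python
"""OTP lifecycle behind the email/phone, identity-validation and MFA-reset flows.

Added example; not EmpowerID code. Record layout, code length and attempt
limit are assumptions. Only a salted hash of the code is stored, so a leaked
record cannot be replayed against the wizard.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OTP_DIGITS = 6      # assumption: six-digit numeric code
MAX_ATTEMPTS = 5    # assumption: lock the record after five wrong guesses


@dataclass
class OtpRecord:
    person: str
    channel: str        # e.g. "email", "mobile", "twilio_sms"
    contact: str        # where the plaintext code was sent
    code_hash: bytes
    salt: bytes
    expires_at: datetime
    attempts: int = 0
    consumed: bool = False


@dataclass
class VoucherRequest:
    """Manual fallback: the requester supplies the contact, an approver vouches."""
    person: str
    message: str
    channel: str
    contact: str        # need not match the profile, per the page above
    approver: str
    approved: bool = False


def _hash(code, salt):
    return hashlib.sha256(salt + code.encode()).digest()


def issue_otp(person, channel, contact, validity_minutes, now=None):
    """Return (record, plaintext). The plaintext goes to the delivery channel
    only; the caller must not persist it."""
    if validity_minutes <= 0:
        raise ValueError("OTPValidityDurationInMinutes must be positive")
    now = now or datetime.now(timezone.utc)
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    salt = secrets.token_bytes(16)
    record = OtpRecord(person, channel, contact, _hash(code, salt), salt,
                       now + timedelta(minutes=validity_minutes))
    return record, code


def verify_otp(record, submitted, now=None):
    """Single use, time boxed, attempt limited, constant-time comparison."""
    now = now or datetime.now(timezone.utc)
    if record.consumed:
        return False, "already used"
    if now >= record.expires_at:
        return False, "expired"
    if record.attempts >= MAX_ATTEMPTS:
        return False, "too many attempts"
    record.attempts += 1
    if hmac.compare_digest(_hash(submitted.strip(), record.salt), record.code_hash):
        record.consumed = True
        return True, "ok"
    return False, "wrong code"


def issue_for_voucher(request, validity_minutes, now=None):
    """The voucher flow releases an OTP only after the approver has approved."""
    if not request.approved:
        raise PermissionError("business request not approved")
    return issue_otp(request.person, request.channel, request.contact,
                     validity_minutes, now)


def demo():
    """Walk the flows with a fixed clock and constructed people; return outcomes."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    out = {}
    rec, code = issue_otp("alice", "email", "alice@example.test", 10, now=t0)
    wrong = "000000" if code != "000000" else "111111"
    out["wrong"] = verify_otp(rec, wrong, now=t0)
    out["right"] = verify_otp(rec, code, now=t0)
    out["replay"] = verify_otp(rec, code, now=t0)
    rec, code = issue_otp("bob", "mobile", "+15550100", 10, now=t0)
    out["late"] = verify_otp(rec, code, now=t0 + timedelta(minutes=10))
    rec, code = issue_otp("carol", "twilio_sms", "+15550101", 10, now=t0)
    for _ in range(MAX_ATTEMPTS):
        verify_otp(rec, "guess", now=t0)
    out["locked"] = verify_otp(rec, code, now=t0)
    req = VoucherRequest("dave", "Locked out after phone change",
                         "personal_email", "dave@example.test", "manager")
    try:
        issue_for_voucher(req, 10, now=t0)
        out["unapproved"] = "issued"
    except PermissionError:
        out["unapproved"] = "blocked"
    req.approved = True
    out["voucher_contact"] = issue_for_voucher(req, 10, now=t0)[0].contact
    return out
```

Calling demo() shows each failure mode the wizard has to handle: a wrong guess, a replay of a used code, a code entered after the validity window, a record locked after repeated guesses, and a voucher request that yields no code until approved. The attempt limit matters because a six-digit code with no limit is brute-forceable within a ten-minute window.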

Login assistance by resetting MFA

If your MFA is not working, the wizard looks up the email addresses and phone numbers registered for your account and sends a one-time password to one of them. This lets you reset your MFA and regain access to your account.

  1. If you received the OTP, click Yes and continue with the steps below. Otherwise, click No, which starts the Login assistance by requesting identity validation flow.

     

  2. Enter the passcode and click Next.

     

  3. Read the warning carefully, then click Yes.

     

  4. The next screen explains how to open a browser in incognito mode and go to https://myapps.microsoft.com/?whr=tbdir.net (the whr value is the home-realm hint for the tenant shown in this example). When you sign in, you are prompted to register a new MFA method for your account.

     

  5. Register your MFA method, then log in again through the EmpowerID portal.