Managed User Enrollment - Hitachi ID Password Manager
User Enrollment Overview
Hitachi ID Password Manager includes built-in infrastructure to securely and automatically
manage the user enrollment process:
- By monitoring one or more systems of record, Password Manager automatically
creates profiles for new users and removes the profiles of departed users.
- New users and existing users with incomplete profiles are
automatically invited to complete their profiles (e.g., by answering
- Invitations to enroll may be e-mailed to users.
- Users may be more forcefully reminded to enroll by having a
web browser automatically open to the enrollment page when
they log into the network.
- Users may be forced to enroll, by opening a kiosk-mode web
browser to the enrollment page when they sign into the network
and blocking access to the Windows desktop until they complete
their profile. This is typically controlled by placing users into
a "mandatory enrollment" AD security group and scoping a suitable
GPO to that group. Note that a GPO is linked to a site, domain or
OU rather than to a group; the group is applied through the GPO's
security filtering, so only members of that group receive the
kiosk-mode logon behaviour.
- To enroll, users must first authenticate. This is normally done
by leveraging an existing strong authenticator -- such as a network
password or a token.
- A single, integrated enrollment system supports collecting answers
to security questions, mapping different login IDs on different
systems back to their owners, and collecting biometric
voice print samples.
The enrollment system in Password Manager includes schedule controls.
For example, the maximum number of invitations sent per day can be
capped, as can the frequency of invitations to any one user. The days
of the week on which invitations may be sent are configurable, as are
holidays on which no invitations are sent.
Figure [link] shows a dashboard that tracks enrollment statistics.
Screen shot: Enrollment Statistics
Security Question Enrollment in Detail
Enrollment of security questions and answers using the
Password Manager web form works as follows:
- Password Manager server: extracts a user list from one or more
target systems nightly.
- Password Manager server: compares the total list of users to those
that are fully registered.
- Password Manager server: e-mails unregistered users (up to a
certain number of users per run) a request to register, with an
- User: receives notification in e-mail, clicks on URL.
- Password Manager web server: asks the user to type his network login ID.
- User: types his network login ID.
- Password Manager web server: asks the user to type his current NOS password.
- User: types his current password.
- Password Manager web server: validates the password against the
... repeat if authentication failed, lockout if too often.
- Password Manager web server: asks the user to answer a set of
- User: fills in the blanks.
- Password Manager web server: validates completeness, adequacy of
- Password Manager web server: notifies the user of success.
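The nightly steps above (extract the user list, diff it against registered profiles, invite a capped batch of unregistered users) together with the schedule controls described earlier (per-run cap, per-user frequency limit, allowed weekdays, holidays) can be modelled as a small planning function. The following is an added example written for this page; it is not Hitachi ID's code, and the policy values, field names and sample accounts are assumptions made for illustration.

```python
"""Nightly enrollment-invitation planner (added example, not Hitachi ID code).

Models the controls described on this page: a user list pulled from the
systems of record is compared against fully registered profiles, and the
unregistered users are invited subject to a per-run cap, a minimum interval
between invitations to the same user, permitted days of the week and a
holiday list.  The policy values, field names and sample data are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InvitePolicy:
    max_per_run: int = 2                 # cap on invitations sent in one run
    min_days_between: int = 7            # do not re-invite the same user more often than this
    allowed_weekdays: frozenset = frozenset({0, 1, 2, 3, 4})   # Mon..Fri (Monday == 0)
    holidays: frozenset = frozenset()    # dates on which nothing is sent


def users_needing_enrollment(system_of_record, registered):
    """IDs present in the source systems but not fully registered."""
    return set(system_of_record) - set(registered)


def plan_invitations(today, system_of_record, registered, last_invited, policy):
    """Return the user IDs to invite in this run, longest-waiting first (may be empty)."""
    if today.weekday() not in policy.allowed_weekdays or today in policy.holidays:
        return []
    due = []
    for uid in users_needing_enrollment(system_of_record, registered):
        last = last_invited.get(uid)
        if last is None or (today - last).days >= policy.min_days_between:
            due.append(uid)
    # Never-invited users first, then the longest since last invitation; cap per run.
    due.sort(key=lambda u: (last_invited.get(u) or date.min, u))
    return due[:policy.max_per_run]


# Constructed sample data: five accounts in the systems of record, one fully
# registered, two already invited once.  Jan 15 2024 is treated as a holiday.
SYSTEM_OF_RECORD = {"alice", "bob", "carol", "dave", "erin"}
REGISTERED = {"alice"}
LAST_INVITED = {"bob": date(2024, 1, 2), "carol": date(2024, 1, 8)}
POLICY = InvitePolicy(holidays=frozenset({date(2024, 1, 15)}))
RUN_DAY = date(2024, 1, 10)    # a Wednesday
SATURDAY = date(2024, 1, 13)
HOLIDAY = date(2024, 1, 15)    # a Monday, but on the holiday list

if __name__ == "__main__":
    for day in (RUN_DAY, SATURDAY, HOLIDAY):
        print(day, day.strftime("%a"),
              plan_invitations(day, SYSTEM_OF_RECORD, REGISTERED, LAST_INVITED, POLICY))
```

On the Wednesday run only two of the four unregistered users are invited because of the per-run cap, and never-invited users are preferred over one who was invited eight days ago; carol, invited two days earlier, is skipped by the frequency limit. The Saturday and holiday runs send nothing.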
Watch a Movie
Enrollment of security questions
- A user has been invited to fill in a form with
security questions and answers.
- This animation starts after:
- The user has clicked a link in an e-mail, or
- a browser window was automatically launched at PC login.
- The user has already authenticated to Password Manager with
a password, token or smart card.
- Policy is used to combine user-chosen and standardized questions.
- Some questions may be accessible to the help desk.
- Some questions may be suitable for telephone authentication.
- Usually only a random subset of enrolled questions is used to
authenticate a user.
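The policy points listed above (a profile that combines standardized and user-chosen questions, answers checked for completeness and adequacy before acceptance, and only a random subset of the enrolled questions asked at authentication time) are illustrated by the following added example. It is not Hitachi ID's code and makes no claim about how Password Manager stores answers internally; the adequacy rules, the salted PBKDF2 storage and the sample forms are assumptions chosen to show reasonable practice.

```python
"""Security-question enrollment and challenge (added example, not Hitachi ID code).

Demonstrates: standardized plus user-chosen questions, completeness and
adequacy checks on the submitted form, storage of normalised answers as
salted PBKDF2 digests (an assumption about good practice, not a statement
about the product), and a random subset of questions at verification time.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Standardized questions set by policy (constructed for this example).
STANDARD_QUESTIONS = (
    "What was the name of your first pet?",
    "In what city were you born?",
)
MIN_USER_QUESTIONS = 1      # user-chosen questions required by policy (assumed)
MIN_ANSWER_LEN = 4          # adequacy: very short answers are trivially guessable (assumed)
CHALLENGE_SIZE = 2          # questions asked per authentication (assumed)
PBKDF2_ROUNDS = 100_000


def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Rover ' and 'rover' compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def validate_enrollment(answers: dict) -> list:
    """Return policy violations for a form mapping question text to answer; [] means acceptable."""
    errors = []
    for q in STANDARD_QUESTIONS:
        if q not in answers:
            errors.append(f"standardized question not answered: {q}")
    user_chosen = [q for q in answers if q not in STANDARD_QUESTIONS]
    if len(user_chosen) < MIN_USER_QUESTIONS:
        errors.append("too few user-chosen questions")
    seen = {}
    for q, a in answers.items():
        n = normalize(a)
        if len(n) < MIN_ANSWER_LEN:
            errors.append(f"answer too short: {q}")
        elif n in normalize(q):
            errors.append(f"answer appears in its own question: {q}")
        elif n in seen:
            errors.append(f"same answer reused for {seen[n]!r} and {q!r}")
        else:
            seen[n] = q
    return errors


def enroll(answers: dict) -> dict:
    """Validate, then store each answer as (salt, PBKDF2-SHA256 digest), never plaintext."""
    errors = validate_enrollment(answers)
    if errors:
        raise ValueError("; ".join(errors))
    profile = {}
    for q, a in answers.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(a).encode(), salt, PBKDF2_ROUNDS)
        profile[q] = (salt, digest)
    return profile


def pick_challenge(profile: dict, k: int = CHALLENGE_SIZE) -> list:
    """Random subset of enrolled questions, so no single login exposes them all."""
    return secrets.SystemRandom().sample(sorted(profile), k)


def verify(profile: dict, responses: dict) -> bool:
    """True only if every asked question is answered correctly (constant-time compare)."""
    if len(responses) < CHALLENGE_SIZE:
        return False
    ok = True
    for q, a in responses.items():
        if q not in profile:
            return False
        salt, digest = profile[q]
        candidate = hashlib.pbkdf2_hmac("sha256", normalize(a).encode(), salt, PBKDF2_ROUNDS)
        ok &= hmac.compare_digest(candidate, digest)
    return ok


# Constructed sample forms: one acceptable, one violating two adequacy rules.
GOOD_FORM = {
    "What was the name of your first pet?": "Rover",
    "In what city were you born?": "Winnipeg",
    "Surname of my first manager": "Deshpande",
}
BAD_FORM = {
    "What was the name of your first pet?": "Pet",          # too short
    "In what city were you born?": "Winnipeg",
    "My favourite city": "winnipeg",                         # reuses an answer
}

if __name__ == "__main__":
    print(validate_enrollment(BAD_FORM))
    profile = enroll(GOOD_FORM)
    asked = pick_challenge(profile)
    print(asked, verify(profile, {q: GOOD_FORM[q].upper() for q in asked}))
```

Help-desk-accessible questions, which the page mentions as a policy option, would simply be a subset of the profile whose digests can be checked by a help-desk tool; the same normalisation and compare path applies.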
Notes - Other Profile Data
Password Manager can be used to collect other information from users, such as
demographic data that is not used in authentication processes (e.g.,
home phone number, application preferences, etc.), and biometric
voice print samples. All registration is handled through the same,
integrated enrollment system.