The Identity Claiming feature gives organizations a central location for onboarding new Identities. It provides a predictable way to control the global onboarding process so that every user follows the same steps, and a consistent process also reduces help desk calls. End users get everything they need to onboard easily and efficiently.
The following functions are available within the Identity Claiming feature:
Attribute-based Verification
Fischer provides attribute-based Identity verification. IGA Administrators choose which attributes, drawn from the Identity's profile, are displayed; the end user must enter the correct value for each to proceed. The entered values are compared against those stored in Fischer's Identity Registry.
AUP Acceptance
Organizations can enforce acceptance of their specific terms of use during the onboarding process.
Username Presentation
The Identity Claim feature differs from Fischer's other onboarding methods in that it presents the user's Identity ID on screen, which makes for a smoother user experience. Displaying this information could be regarded as a security concern; Fischer's position is that attribute-based identity verification combined with Fischer's Authenticator provides enough assurance that the person onboarding is in fact the correct user.
Setting the Identity ID Password
The ultimate goal of the Identity Claim feature is to validate the Identity sufficiently and then let the end user set a password known only to them.
Fischer scrambles all passwords at provisioning time; this is the best-practice security control you should employ.
Specifically, the provisioning engine generates a random password at run time that is not known to anyone. When the end user successfully verifies their Identity and sets a password, he or she is the only person who knows it. This protects organizations from hijacking of new accounts, since Fischer alone controls the initial password, which is stored in the secured Identity System and never disclosed to any person.
Below is the user experience when using the Identity Claiming feature:
In the first step, the end user must supply the attribute values for the displayed fields. The goal is to uniquely identify the Identity profile provisioned within Fischer. Organizations determine which attributes to display for verification and can modify the screen using Fischer's Dynamic UI feature; refer to the Dynamic Configuration UI Guide for details. Since these values gate the rest of the flow, choose attributes that an outsider cannot readily look up.
The second step lets organizations require a second factor. This added verification step gives the lowest-risk onboarding scenario by requiring two layers of verification before the onboarding process continues.
Organizations can require onboarding Identities to accept the terms of use for accessing their Identity ecosystem, and all organizations should do so. It protects the organization from a liability and regulatory standpoint by requiring the user to review and commit to the terms digitally before they can view any personally identifiable information, while keeping the review and acceptance easy for end users. Captured in digital form, this governance step also forms a key part of the audit trail, proving that the organization presented the terms of use and the consequences of breaching them.
Once the user has entered the required attributes, Fischer has validated them, a verification request has been sent to the Identity's mobile device and answered, and the user has accepted the terms of use, the organization can be reasonably confident that the onboarding Identity is the person stored in Fischer's Identity Registry. Within the Identity Claim feature, this is the step where the user sees their Fischer Identity ID.
The Identity System
Note that the User ID displayed within the Identity Claim feature is the username stored within Fischer's Identity System (LDAP). This is not customizable, and it is the most secure way to onboard a user because the claim is tied directly to Fischer's Identity Registry information.
The final step in the Identity Claim process lets the Identity set their password for the first time.
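The Python below is an added example, not Fischer's code or a description of the product's internals. It sketches the two security points of this section: provisioning stores only the hash of a random initial password that nobody sees, and a claim session lets the user see their username and set a password only after attribute verification, a second factor and AUP acceptance have completed in that order. The attribute names, the six-digit code standing in for the Authenticator request, PBKDF2 for password storage and the 12-character minimum are all assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Attributes the organization chose to display for verification (assumed here).
REQUIRED_ATTRIBUTES = ("employee_id", "date_of_birth")


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; only this derived value is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Identity:
    username: str       # the Identity ID the claim flow reveals only in step 4
    attributes: dict    # registry values the user must reproduce in step 1
    salt: bytes
    password_hash: bytes


class Registry:
    # Stand-in for the identity registry (constructed for this example).
    def __init__(self) -> None:
        self.identities: list[Identity] = []
        self.audit: list[str] = []

    def provision(self, username: str, attributes: dict) -> Identity:
        # Scramble: a random initial password nobody sees; only its hash is stored,
        # so the account cannot be used or hijacked before the owner claims it.
        initial = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        ident = Identity(username, attributes, salt, hash_password(initial, salt))
        self.identities.append(ident)
        self.audit.append(f"provisioned {username}; initial password scrambled")
        return ident

    def find_by_attributes(self, supplied: dict) -> Identity | None:
        # Every required attribute must be present and match; compare_digest keeps
        # each comparison constant-time so a near-miss does not leak via timing.
        for ident in self.identities:
            if all(k in supplied and k in ident.attributes and hmac.compare_digest(
                       str(ident.attributes[k]).encode(), str(supplied[k]).encode())
                   for k in REQUIRED_ATTRIBUTES):
                return ident
        return None

    def verify_login(self, username: str, password: str) -> bool:
        for ident in self.identities:
            if ident.username == username:
                return hmac.compare_digest(ident.password_hash, hash_password(password, ident.salt))
        return False


class ClaimSession:
    # One user's progress through the claim steps, enforced in order.
    def __init__(self, registry: Registry) -> None:
        self.registry = registry
        self.identity: Identity | None = None
        self._pending_code: str | None = None
        self.second_factor_ok = False
        self.aup_accepted = False

    def verify_attributes(self, supplied: dict) -> bool:      # step 1
        self.identity = self.registry.find_by_attributes(supplied)
        return self.identity is not None

    def send_second_factor(self) -> str:                       # step 2, code to the device
        if self.identity is None:
            raise PermissionError("attributes not verified")
        self._pending_code = f"{secrets.randbelow(10**6):06d}"
        return self._pending_code   # returned (not sent) only so the example runs offline

    def verify_second_factor(self, code: str) -> bool:
        ok = self._pending_code is not None and hmac.compare_digest(
            code.encode(), self._pending_code.encode())
        self._pending_code = None                              # single use, right or wrong
        self.second_factor_ok = self.second_factor_ok or ok
        return ok

    def accept_aup(self, version: str) -> None:                # step 3, kept in the audit trail
        if not self.second_factor_ok:
            raise PermissionError("second factor not completed")
        self.aup_accepted = True
        self.registry.audit.append(f"{self.identity.username} accepted AUP {version}")

    def reveal_username(self) -> str:                          # step 4, Identity ID shown only now
        if not self.aup_accepted:
            raise PermissionError("AUP not accepted")
        return self.identity.username

    def set_password(self, new_password: str) -> bool:         # step 5, first password
        if not self.aup_accepted:
            raise PermissionError("claim steps incomplete")
        if len(new_password) < 12:                             # assumed minimum length
            return False
        self.identity.salt = secrets.token_bytes(16)
        self.identity.password_hash = hash_password(new_password, self.identity.salt)
        self.registry.audit.append(f"{self.identity.username} set first password")
        return True
```

The order of checks is the point: each step raises rather than silently skipping ahead, the scrambled account rejects every login until the claim completes, and the AUP acceptance and password set both land in the audit list so the trail described above exists.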