Automated User Enrollment
To facilitate automated user enrollment, P-Synch® includes a self-service profile builder, self-service login ID reconciliation and an auto-discovery engine. The features that minimize both initial setup effort and ongoing administration are:
- Auto-discovery
P-Synch includes an auto-discovery engine, which typically extracts information about users and groups from target systems nightly.
- An auto-discovery engine extracts a full inventory of login IDs
from each target system, nightly.
- The auto-discovery engine extracts a list of all available groups from each target system, nightly.
- For groups that have been designated as "managed," the
auto-discovery engine also extracts full group membership
from the target systems.
- The auto-discovery engine automatically creates, updates and removes
user profiles in the P-Synch identity cache, based on the appearance
of user accounts on systems that are considered
authoritative sources of P-Synch IDs.
- Information such as last-login-date is used to identify dormant
accounts, globally.
- User attributes configured as "managed" in P-Synch are read from the target system into the P-Synch identity cache.
- Auto-reconciliation
- User objects on different systems are correlated automatically,
by matching login IDs or other attributes to create and update
user profiles.
- Login IDs on systems where it is impossible to reliably provide automatic reconciliation are stored in an "inventory" table.
- User enrollment and self-service reconciliation
- Users who must register supplementary information, such as
personal authentication question-and-answer profiles or login ID
reconciliation with systems that use non-standard login IDs, are
automatically prompted to register and receive automatic reminders
until they do. Invitations are sent by e-mail, web popups, etc.
- User enrollment and administration is carried out on a secure web form. Users are authenticated and user-entered data is encrypted using HTTPS. Users prove possession of accounts by typing ID/password pairs, which are validated against target systems.
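The auto-discovery and auto-reconciliation steps listed above can be sketched as one nightly pass. This is an added example, not P-Synch code: the function name, the data layout, the system names and the 90-day dormancy threshold are all assumptions, and the inventories are constructed.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold; the page gives none


def nightly_discovery(cache, inventories, authoritative, today):
    """One discovery run over constructed inventories.

    cache:         {profile_id: {system: login_id}}, mutated in place
    inventories:   {system: {login_id: last_login date or None}}
    authoritative: system whose login IDs define profile IDs
    """
    report = {"created": [], "removed": [], "unreconciled": [], "dormant": []}
    source_ids = set(inventories[authoritative])

    for login_id in sorted(source_ids - set(cache)):      # new accounts
        cache[login_id] = {authoritative: login_id}
        report["created"].append(login_id)
    for profile_id in sorted(set(cache) - source_ids):    # deleted accounts
        del cache[profile_id]
        report["removed"].append(profile_id)

    cutoff = today - DORMANT_AFTER
    for system, accounts in sorted(inventories.items()):
        attached = {p[system] for p in cache.values() if system in p}
        for login_id, last_login in sorted(accounts.items()):
            # Assumption: an account that has never logged in counts as dormant.
            if last_login is None or last_login < cutoff:
                report["dormant"].append((system, login_id))
            if login_id in attached:
                continue
            if login_id in cache:                         # exact login ID match
                cache[login_id][system] = login_id
            else:                                         # left for self-service
                report["unreconciled"].append((system, login_id))
    return report


# Constructed sample data, not taken from a real deployment.
TODAY = date(2024, 6, 1)
INVENTORIES = {
    "ad": {"asmith": date(2024, 5, 30), "bjones": date(2023, 11, 2)},
    "mainframe": {"asmith": date(2024, 5, 1), "BJ0042": None},
}
CACHE = {"asmith": {"ad": "asmith"}, "cdoe": {"ad": "cdoe"}}
REPORT = nightly_discovery(CACHE, INVENTORIES, "ad", TODAY)
```

The `unreconciled` entries correspond to the "inventory" table: IDs that cannot be matched automatically and wait for the owner to claim them.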
Process - self-service Q&A profile registration
Registration of Q-A (Question-and-Answer) data using the P-Synch web form works as follows:
- P-Synch server: extracts a user list from one or more
target systems nightly.
- P-Synch server: compares the total list of users to those
that are fully registered.
- P-Synch server: e-mails unregistered users (up to a
certain number of users per run) a request to register, with an
embedded URL.
- User: receives notification in e-mail, clicks on URL.
- P-Synch web server: prompts the user to type his network login ID.
- User: types his network login ID.
- P-Synch web server: prompts the user to type his current NOS password.
- User: types his current password.
- P-Synch web server: validates the password against the
indicated system.
... repeat if authentication failed, lockout if too often.
- P-Synch web server: prompts the user to answer a set of
personal questions.
- User: fills in the blanks.
- P-Synch web server: validates completeness, adequacy of
data.
- P-Synch web server: notifies the user of success.
Process - self-service login ID reconciliation
Registration of aliases (non-standard login IDs) using the P-Synch web form works as follows:
- P-Synch server: extracts a user list from every
target system nightly.
- P-Synch server: compares the total list of users on one or more
master systems to those that are fully registered. Registration
status is calculated using heuristics.
- P-Synch server: e-mails unregistered users (up to a
certain number of users per run, limited frequency per user)
a request to register, with an embedded URL.
- User: receives notification in e-mail, clicks on URL.
- P-Synch web server: prompts the user to type his network login ID.
- User: types his network login ID.
- P-Synch web server: prompts the user to type his current NOS password.
- User: types his current password.
- P-Synch web server: validates the password against the
indicated system.
... repeat if authentication failed, lockout if too often.
- P-Synch web server: displays a profile of already-attached
login IDs / accounts. Prompts for an additional ID / password.
- User: types his login ID and current password for a system
that does not yet appear on the list.
Note: the user does not explicitly specify which system the login ID is for.
- P-Synch server: finds instances of this ID on the
network, from the previous night's list. Eliminates already-assigned
IDs. Tries to connect to each remaining system with the ID/password
entered by the user. For systems where the login worked, adds the
ID to the user's profile. Discards the password.
- P-Synch web server: notifies the user of success / failure.
... repeat as necessary.
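The server-side matching step of this process (find the ID in last night's inventory, eliminate already-assigned IDs, validate, attach, discard the password) is shown below as an added example, not P-Synch code. The function names, the `validate` connector callback and the sample systems and credentials are hypothetical and constructed for illustration.

```python
import hmac


def attach_aliases(profile, login_id, password, inventory, assigned, validate):
    """Attach login_id to the authenticated user's profile where it verifies.

    profile:   {system: login_id}, mutated in place
    inventory: {system: set of login IDs} from the previous night's discovery
    assigned:  set of (system, login_id) pairs already attached to any profile
    validate:  callable(system, login_id, password) -> bool (hypothetical connector)
    """
    # The user never names the system: every system holding this ID is a
    # candidate, except where the ID is already attached to a profile.
    candidates = sorted(
        system for system, ids in inventory.items()
        if login_id in ids and (system, login_id) not in assigned
    )
    attached = []
    for system in candidates:
        if validate(system, login_id, password):
            profile[system] = login_id          # only the ID is stored
            assigned.add((system, login_id))
            attached.append(system)
    # The password goes out of scope here; it is never written to the profile.
    return {"tried": candidates, "attached": attached}


# Constructed stand-in for target systems and their credentials.
FAKE_SYSTEMS = {
    ("unix", "jdoe"): "correct horse",
    ("oracle", "jdoe"): "someone else's",   # same ID, different owner
    ("sap", "jdoe"): "correct horse",
}


def fake_validate(system, login_id, password):
    expected = FAKE_SYSTEMS.get((system, login_id))
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


INVENTORY = {"ad": {"john.doe"}, "unix": {"jdoe", "root"},
             "oracle": {"jdoe"}, "sap": {"jdoe"}}
ASSIGNED = {("ad", "john.doe"), ("sap", "jdoe")}
PROFILE = {"ad": "john.doe"}
RESULT = attach_aliases(PROFILE, "jdoe", "correct horse",
                        INVENTORY, ASSIGNED, fake_validate)
```

In the sample run the `sap` account is never contacted because it is already assigned, and the `oracle` account with the same ID but a different owner fails validation, so only `unix` is attached.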
Notes - other profile data
P-Synch can be used to collect other information from users, such as demographic data that is not used in authentication processes (e.g., home phone number, application preferences, etc.), and biometric voice print samples. All registration is handled through the same, unified registration system.







