Correlate mandatory policies with enrollment process
Context
To prepare the ground for future improvements to enrolment, this release enhances the enrolment process for new identities by ensuring compliance with policy-mandated authenticators. New users are required to complete every mandatory step of the enrolment process, so that the established policies are actually enforced.
With this enhancement, PIN enrolment can be enforced even when FIDO authenticators are used, because the policy mechanism can now guide the new user through all the required steps.
Key Objectives:
Policy Compliance:
New users must complete all enrolment steps mandated by the policy. This ensures that every user meets the necessary security and verification requirements.
User Autonomy:
Users have the freedom to exit the enrolment process at any point. This requires robust tracking of their progress so that they can resume from where they left off.
Progress Tracking:
An enrolment tracker will be implemented to monitor and record the completion of each mandatory step in the enrolment process.
Seamless User Experience:
The enrolment tracker will offer a user-friendly interface to guide users through each step, providing clear instructions and feedback.
Security and Compliance:
The enhanced process will strengthen security by ensuring that all users complete necessary authentication steps.
Compliance with organizational policies will be strictly enforced, reducing the risk of security breaches.
Flow
For the enrolment methods that are enrolled together with PIN, we set a prioritization in the enrolment context.
So if PIN and any of the methods 'SMS', 'TOTP', 'YUBICO_OTP', 'HW_OTP', 'SW_OTP', 'TOTP_DESKTOP'
are mandatory in the policy, then during enrolment, once the user has typed in the username and the PIN is not yet enrolled, the user is directly required to enrol the PIN together with one of those methods (selected in alphabetical order).
PIN can be enrolled alone in the first phase if only PIN is required.
With this change, we ensure that PIN is always enrolled, as it will be the first step in the enrolment process.
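The ordering rule from the Flow section and the progress tracker from the Key Objectives, modelled together as a small Python example. This is an added illustration written for this page, not the product's own code; the names PIN_PAIRED_METHODS, EnrolmentTracker, next_enrolment_step and run_enrolment, the sample user, and the alphabetical order used for the remaining non-PIN steps (which the page does not specify) are assumptions.

```python
"""Model of the PIN-first enrolment ordering and the enrolment tracker.

Illustrative code for this page only; names and the ordering of non-PIN
steps are assumptions, not the product's behaviour.
"""
from dataclasses import dataclass, field

# Methods that, per the page, are enrolled together with PIN.
PIN_PAIRED_METHODS = frozenset(
    {"SMS", "TOTP", "YUBICO_OTP", "HW_OTP", "SW_OTP", "TOTP_DESKTOP"}
)


@dataclass
class EnrolmentTracker:
    """Records which mandatory steps a user has completed, so a user who
    exits enrolment can resume from where they left off."""
    username: str
    mandatory: frozenset              # authenticators mandated by the policy
    completed: set = field(default_factory=set)

    def mark_done(self, method: str) -> None:
        # Only policy-mandated steps are tracked; anything else is a bug.
        if method not in self.mandatory:
            raise ValueError(f"{method} is not a mandatory step for this policy")
        self.completed.add(method)

    def outstanding(self) -> set:
        return set(self.mandatory) - self.completed

    def is_compliant(self) -> bool:
        return not self.outstanding()


def next_enrolment_step(tracker: EnrolmentTracker):
    """Return the next step to enforce as a tuple of methods, or None when
    the policy is satisfied.

    Rule from the page: once the username is known, if PIN is mandatory and
    not yet enrolled, PIN is enrolled first. If a PIN-paired method is also
    mandatory, PIN is enrolled together with the alphabetically first such
    method; if only PIN is required, it is enrolled alone. Remaining steps
    follow in alphabetical order (assumption: the page gives no order).
    """
    outstanding = tracker.outstanding()
    if not outstanding:
        return None
    if "PIN" in outstanding:
        paired = sorted(outstanding & PIN_PAIRED_METHODS)
        if paired:
            return ("PIN", paired[0])
        return ("PIN",)
    return (sorted(outstanding)[0],)


def run_enrolment(mandatory, already_enrolled=()):
    """Drive a tracker to completion and return the ordered list of enforced
    steps. Constructed driver with a sample user, for demonstration only."""
    tracker = EnrolmentTracker("alice", frozenset(mandatory), set(already_enrolled))
    steps = []
    while (step := next_enrolment_step(tracker)) is not None:
        steps.append(step)
        for method in step:
            tracker.mark_done(method)
    return steps


if __name__ == "__main__":
    print(run_enrolment({"PIN", "TOTP", "SMS", "FIDO"}))
    print(run_enrolment({"PIN"}))
    print(run_enrolment({"PIN", "TOTP"}, already_enrolled={"PIN"}))
```

The tracker holds only policy-mandated steps, so a user who leaves after the PIN step resumes with the paired method next rather than restarting; a policy with PIN and several paired methods always begins with PIN plus the alphabetically first one.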