Enhancement - New User Invite/Registration Flow

As part of our efforts to deprecate non-public APIs, we are simplifying the new user invite and registration process.

The original flow required the user to enter a password, as well as the additional information required for password reset, before being able to enter the product. We’ve heard from many customers, however, that they are not able to require employees to use a personal email or phone number due to unions/labor laws.

Beginning June 24, the old user registration UI will be retired, and all new users will instead be prompted to create a new password with the existing Password Reset UI upon clicking the link in the invite email. They will only be required to create a new password before entering Identity Security Cloud.

[Image: password reset UI.png]

Upon entering ISC, the user will see a notification letting them know that they are missing information required for password reset. A user can dismiss this prompt with the X, or it will disappear after 30 seconds. However, this notification will appear each time a user logs into the system while they still have missing information.

[Image: missing info.png]

By clicking on “Learn More” in the notification, they will be redirected to the preferences page to enter the missing information for whichever method they choose.

[Image: addtional info.png]

If you have any questions or run into any issues, please reach out to your CSM. Thank you!

Rollout Schedule

Sandbox Release - Week of June 17

Production Release - UPDATE Week of July 15

FAQ: SailPoint User Invite Email, Registration, and Password Reset

Q1: What is new/changing?

Sustain User Invite Email, Registration, and Password Reset provides a refreshed approach to sending user invites and resetting passwords that no longer leverages non-public APIs and enables a simplified user experience. With this change, the password reset options are shifted from registration to post-login.

Q2: Why are we introducing this new capability?

SailPoint is currently underway on a larger deprecation effort of decommissioning several non-public APIs (also known as CC decommissioning). The existing user invite, registration, and password reset functionalities within Identity Security Cloud leverage components of those non-public APIs, and SailPoint is updating the business logic for these processes to no longer leverage those non-public APIs to assist in the deprecation effort.

Q3: What are common use cases?

With existing functionality today, new users who are sent registration emails are prompted to register personal information that will aid in password resets. However, they are not granted access to ISC until they add in their personal information for password resets.

With the updated functionality, users are only required to register a new password before entering the product. They are then notified on the Home page that they are missing important personal information required for password resets and are given a link redirecting them to the Preferences page to enter that information.

Users can dismiss this prompt with the X option. Or they can wait, and the prompt will disappear after 30 seconds. However, this notification will appear each time a user logs into the system until they enter their personal details needed for password resets, as specified by their administrators.

Q4: What is the value to customers?

Customers will have an updated User Invite and Password Reset experience that is more forgiving in granting access to the product, enables continued business operations, and leverages non-deprecated components. Also, the new functionality will continue to enforce and strongly recommend best practices around ensuring appropriate information is entered to enable password resets for end users.

Also, customers who cannot require users to use a personal phone or email to register now can grant access to the product without being forced to enter additional details. Instead, users can choose which information to add post-login.

Q5: What happens if a user needs to reset a password but has not registered alternate forms of information?

In this case, a user will need to contact the helpdesk to reset their password.

Q6: Where can I find more information?

For additional information on the non-public API deprecation, please see the Developer Community post Non-Public API Deprecation.


Great Enhancement :clap: :clap: :clap:


@Tyler_Harman For organizations using PTA, will this bypass MFA?

Yes @austin_alexander, it is bypassing MFA. I was able to validate it. The user can set the password using the URL.

This is not an “Enhancement” in our environment of 70,000 plus users.
This warning is vague and dismissible, thus creating a lot of tickets and calls into our helpdesk. I will be reaching out to our CSM to opt out.

Cody

Unfortunately, there is no “opting out” of this. Also, are you stating that this is already causing users to create tickets to helpdesk for you? I understand that you are concerned with that happening, but this has only been released to sandbox thus far, so I’m not sure how that could already be the case.

We can look at tweaking the language some to make it clearer. Perhaps we could even default them to the preferences page to enter the information. Would that help your situation at all?

Tyler

Hello Tyler,

Yes we are already getting calls and tickets.
For some reason this was already pushed to our production environment.

Something along the lines of “You will not be able to reset your password without configuring your security questions. Click here to complete setup” would be nice. Is it possible to pop up center screen?

Defaulting to the preference page would also definitely help if it’s only for the first login.

Thank you,
Cody

Thanks for the reply, Cody!

Yeah, I think that we should be able to target the center of the screen with the notification and make it bigger, plus change the language. I’ll look into this with the team and hopefully have more information soon.

Tyler

Cody

I also just thought that you could edit the user invite email template to change the default URL to be the preferences page. Might be worth a try in the interim.

Tyler

Hi! Good morning.

I read in the schedule that the new registration flow should have been pushed on the following dates:

Sandbox Release - Week of June 17
Production Release - Week of June 24

In our sandbox environments we already observe the new flow but in production we still observe the old method.

Is it already pushed to production environments? If not, when will it be pushed?

Thanks


@Tyler_Harman well this caused us a bad demo with the client, because this behavior literally changed in between our testing and the demo. But that is not the point. I am not understanding why the enforcement of setting of the security questions before anything else could be done is deprecated. If the org requires security questions as part of their password reset process, then they should be able to enforce the setting of those questions before they log in for the first time. I would advocate that it needs to happen even before the initial password set.

Please reconsider this. We have one very unhappy client, and I am sure there will be more. You don’t want to force setting of the personal information, like e-mails and phone numbers - fine, but let us force the security questions. In the least, it should be configurable.

Thank you,
Ilya


Thanks for your comments. This is something that we can look into. We also have customers who don’t want to use security questions at all because they don’t feel they are secure. We’ve tried to find the right balance between everyone, but I’ll see if there’s a way to make it configurable. To be clear, this isn’t something that I think will be resolved right away.

Hi Juan

The team is delaying the release to prod until July 15-18 to give customers more time. I’ll be updating the post, and we’ll also have an in-product message about it soon.

Thank you, Tyler. Understood and agree that auth questions are becoming an outdated form of authentication for most organizations.

@Tyler_Harman Why create a link that bypasses MFA? The authentication requirements used to ensure only a “true” user could reset their password. Now the service desk will have to validate users another way. Is there a way to turn off the reset password link?

This is a very dangerous update. If a link is sent to a user mistakenly, you essentially just gave a malicious user keys to the kingdom. No authentication required. This should have been optional. I think this downgrades the safety of the onboarding process and applies more burden on service desk teams. You may as well send them a temporary password while you are at it. That’s essentially what this is.

Austin

I’m not following what you’re referring to by the previous authentication requirements. Everything is staying the same besides moving registration of alternate forms of MFA to after login. There never was an authentication check on registration for ISC except for the link going to their work email, which they should have to authenticate in some way to access.

They still will be prompted every time upon login to include alternate forms of MFA, if they haven’t yet done so. Can you help me to understand if there’s something I’m missing? I’m also happy to hop on a call if that would help. Thanks.

Tyler

Sure, I am open to hopping on a call. @Tyler_Harman

Hi @Tyler_Harman, how can the warning be deactivated?
The customer has an SSO/SAML integration, and users are not expected to set passwords (or personal information) in SailPoint.

The popup notification will only trigger if an admin has required password reset options in the UI. Can you try unselecting all of the password reset options and see if that changes things?