Wednesday, August 7, 2013

Stagger your FIM SSPR end user roll out

Lots of people are now using FIM for their end user self-service password reset (SSPR) requirements. One of the challenges in rolling this out to the user population is doing it in phases. What you don't want is for all your users to be guided to the registration page on Monday morning and have the FIM server fall over.

Here are some options:
1. Stagger the rollout of the client extensions. Depending on how well you can target the deployment by department or section, this might be a challenge. Typically, once the end user has the client extensions installed, the client talks to the FIM Service at the next logon to see whether the user needs to register. If you roll out the extensions to your entire user population at once, you could have a headache that morning.

2. If you opt not to roll the client out, it should be easy enough to send emails containing the registration link to one user segment at a time.

3. Though it is not documented, after testing it a bit I found another way to stagger your rollout. You can deploy the client extensions to all your users ahead of time. Then, when you're ready, you add users to the Password Reset Users set in the FIM Portal. If a user is not part of the set, they won't be directed to the registration page. Another thing to keep in mind: if users who aren't in the set try to register, they'll get a 'Not Authorized' error.

To keep it simple, you may decide to create an AD group and synchronize that group to the above set. That way your admins continue to work with what is typically familiar to them.
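
One way to feed that AD group in waves, as an added example that is not part of the original post. The group name, OU path and wave size are hypothetical, and the script assumes the group is already synchronized to the Password Reset Users set and that the ActiveDirectory PowerShell module is available.

```powershell
# Added example: enroll the next wave of users into the AD group that is
# synchronized to the FIM "Password Reset Users" set.
# Hypothetical values: group name, OU path and wave size. Adjust to your environment.
param(
    [string]$GroupName  = 'SSPR-Registration',            # hypothetical group
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',   # hypothetical OU
    [int]   $WaveSize   = 200,                            # users per wave
    [switch]$Commit                                       # without this, only a dry run
)

Import-Module ActiveDirectory

$group = Get-ADGroup -Identity $GroupName

# Enabled user accounts that are not yet direct members of the group.
# Filtering on the server side avoids pulling the whole membership list.
# Assumes the group DN has no characters that need LDAP filter escaping.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          "(!(memberOf=$($group.DistinguishedName))))"

$candidates = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties Department |
    Sort-Object Department, SamAccountName    # stable order keeps departments together

$wave = @($candidates | Select-Object -First $WaveSize)

if ($wave.Count -eq 0) {
    Write-Output 'No users left to enroll.'
    return
}

# Summary of who is in this wave, by department, for the change record.
$wave | Group-Object Department |
    Select-Object @{ n = 'Department'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Dry run unless -Commit is given. Users only become eligible to register
# after the next synchronization of the group into the FIM set.
Add-ADGroupMember -Identity $group -Members $wave -WhatIf:(-not $Commit)

Write-Output ("{0} of {1} remaining users selected for this wave." -f $wave.Count, $candidates.Count)
```

Run it once per wave and watch registration load on the FIM Service before committing the next one.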