EmpowerID 2016 Release Notes

EmpowerID has released EmpowerID 2016. This release includes many new features, as well as numerous enhancements and multiple fixed issues to make the EmpowerID user experience better than ever.


New Features

More tools for greater Identity Intelligence


  • Stats - Through the use of stats, you can now capture data that is important to you and present it to your users as "Top Ten" lists, pie charts or bar charts. EmpowerID includes a number of stats out of the box, such as the top ten lists on the Identity Admin dashboard, but you can create your own for use in custom pages and elsewhere.
  • Dashboards - EmpowerID has increased the number of dashboards to provide users with a visual representation of their most important data. Each user has a home dashboard that encapsulates their tasks and requests, number of logins during the last 24 hours and their top SSO Apps by number of logins.
  • Web reports with email results - Users with access to information displayed in the Web application can have EmpowerID email them that information by clicking the Email icon.

Browser Extension


EmpowerID now provides a browser extension, the EmpowerID SSO Client, that organizations can use to provide their end users with single sign-on (SSO) capabilities to applications that require authentication, but do not support federated identity transactions, such as TripIt and Evernote. These types of applications are known in EmpowerID as "Forms SSO" or "browser extension" applications. To experience SSO with these types of applications, users install the EmpowerID SSO Client as an add-on to their favorite browser and claim accounts in any one of the numerous Forms SSO applications that EmpowerID provides out of the box. Users who have claimed application accounts see icons for those applications on their Personal Applications page. Clicking the icon opens a new browser tab and initiates the SSO experience.

Password Vaulting with client side encryption


EmpowerID now generates a root CA on installation that is used to issue public/private key pair certificates for each person who either claims an account in a Forms SSO application or saves a "secret." Secrets are pieces of data that users can encrypt and store in EmpowerID, such as credit card information, passwords and notes. When users do so, EmpowerID prompts them to enter a new password to encrypt/decrypt their secrets.

Once users enter a password, it becomes their master password. EmpowerID uses each person's master password to issue to them the above-mentioned certificates, encrypting the private key with the master password using the latest AES 256-bit encryption with PBKDF2 SHA-256 and salted hashes. The master password is then discarded. EmpowerID keeps no record of it to ensure that only the user can decrypt their credentials and secrets. Administrators, and the EmpowerID system itself, have no way to do so. Thus, users must remember their master password. If they lose their master password, they can create a new one; however, they will need to redo all their credentials and other secrets using the new password.
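The scheme described above, sketched as an added example that is not EmpowerID's code: a key derived from the master password with PBKDF2 SHA-256 encrypts the private key under AES-256, only the resulting record is stored, and a replacement master password cannot open secrets sealed for the old key pair. The GCM mode, the iteration count, RSA-OAEP for sealing secrets, the omission of certificate issuance and every function and field name are assumptions; the page states only AES-256, PBKDF2 SHA-256 and salting.

```javascript
// Added illustration, not EmpowerID code. Assumed: AES-256-GCM mode, the
// iteration count, RSA-OAEP for sealing secrets, and every name below.
// Certificate issuance by the root CA is omitted; a bare key pair stands in.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // assumed PBKDF2 work factor
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Derive a 256-bit AES key from the master password and a per-user salt.
function deriveKey(masterPassword, salt, iterations) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, iterations, 32, 'sha256');
}

// Encrypt the private key; the returned record is all that gets stored.
function wrapPrivateKey(privateKeyPem, masterPassword) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt, ITERATIONS);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  const record = {
    kdf: 'pbkdf2-sha256',
    iterations: ITERATIONS,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
  key.fill(0); // the derived key, like the password, is not retained
  return record;
}

// Returns the PEM private key, or null when the password is wrong or the
// stored record was altered (the GCM tag check fails in both cases).
function unwrapPrivateKey(record, masterPassword) {
  const key = deriveKey(masterPassword, Buffer.from(record.salt, 'base64'), record.iterations);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
    const pem = Buffer.concat([decipher.update(Buffer.from(record.ciphertext, 'base64')), decipher.final()]);
    return pem.toString('utf8');
  } catch (err) {
    return null;
  } finally {
    key.fill(0);
  }
}

// Issue a key pair for a person and wrap its private half with their password.
function enroll(masterPassword) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  return { publicKeyPem: publicKey, wrappedKey: wrapPrivateKey(privateKey, masterPassword) };
}

// Seal a short secret (under 190 bytes for RSA-2048 with OAEP/SHA-256).
function sealSecret(publicKeyPem, secret) {
  const sealed = nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(secret, 'utf8'));
  return sealed.toString('base64');
}

// Returns the secret, or null if the password or the key pair does not match.
function openSecret(account, masterPassword, sealed) {
  const privateKeyPem = unwrapPrivateKey(account.wrappedKey, masterPassword);
  if (privateKeyPem === null) return null;
  try {
    const opened = nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, Buffer.from(sealed, 'base64'));
    return opened.toString('utf8');
  } catch (err) {
    return null; // sealed for a different key pair
  }
}

function demo() {
  const secret = 'constructed-note: wifi=example'; // constructed sample value
  const account = enroll('first master password');
  const sealed = sealSecret(account.publicKeyPem, secret);
  // The user lost the first password and created a new one: new key pair.
  const reissued = enroll('replacement master password');
  return {
    rightPassword: openSecret(account, 'first master password', sealed),
    wrongPassword: openSecret(account, 'guessed password', sealed),
    afterReset: openSecret(reissued, 'replacement master password', sealed),
    storedFields: Object.keys(account.wrappedKey),
  };
}

const DEMO_RESULT = demo();
console.log(DEMO_RESULT);
```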

New Global Search and Navigation Sidebar


  • Global Search - You can now search for any object from any page of the Web application using the new Global Search feature. Searches can be filtered by object with the default filter being the Person object. All Self-Service users have access to Person search. Other filters appear according to the access of the current user.
  • Navigation Sidebar - Navigating the Web application is now quicker with the addition of the Navigation Sidebar. The Sidebar is divided by logical, collapsible sections with each section containing nodes that link to a particular page. Users see only those sections and nodes for which they have been granted access.

Inventory Local Windows Users and Groups


If you have Windows servers with local users and groups, you can add those servers to EmpowerID as managed account stores. This allows you to inventory local users and groups and manage those objects from EmpowerID, providing you with automated role-based access control, delegated permissions administration, and provisioning policy capabilities with a full audit trail of any actions involving those objects. For more information, see Adding Local Windows Users.

More connectors out of the box


EmpowerID has developed several new connectors to allow organizations with repositories of user information in identity stores outside of on-premise directories like Active Directory to take full advantage of all the Identity and Access Management capabilities of EmpowerID.

  • Amazon Web Services - The Amazon Web Services connector allows organizations to bring the data (user accounts, groups, roles and computers) in their AWS domain to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories.

  • In addition to the connector, you can set up SSO with Role passing to AWS. For more information, see Connecting to Amazon Web Services and Setting up SSO with Role Passing for Amazon Web Services.

  • Microsoft Azure Subscription Services - Organizations with virtual machines hosted by Azure can bring those instances to EmpowerID, where they can be fully managed as computer objects. For more information on connecting EmpowerID to Azure, see Connecting to Azure.
  • Salesforce - The Salesforce connector allows organizations to bring the user data (user accounts, profiles and roles) in their Salesforce domain to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. For more information on connecting EmpowerID to Salesforce, see Connecting to Salesforce.
  • Microsoft Dynamics - The Microsoft Dynamics connector allows organizations to bring the user data in their Dynamics AX system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. For more information on connecting EmpowerID to Microsoft Dynamics, see Connecting to Microsoft Dynamics AX.

Email Approvals


When EmpowerID is configured for email approvals, resource owners and other delegated approvers can respond to Access Requests from their email clients, without interacting directly with the request in the EmpowerID Request Center or being in an authenticated EmpowerID session. This allows users to respond to requests when away from their desks. To do so, they simply reply to the email with "Approve" or "Reject". EmpowerID reads the response and submits the decision.

New systems and resource-specific pages


A number of new pages have been added for easier administration of resources.

  • AWS Manager - The AWS Manager page provides a central location for viewing and managing AWS resources.
  • Office 365 Manager - The Office 365 Manager page provides a central location for viewing and managing Office 365 resources.
  • Salesforce Management Page - The Salesforce Manager page provides a central location for viewing and managing Salesforce resources.
  • Person Terminations - The Person Terminations page provides views of all people who have either been terminated or are pending termination.

New Devops Installer


Organizations that wish to install EmpowerID apart from an MSI can now do so using the EmpowerID Configurator. The Configurator is a utility application that, when executed, opens a settings dialog for entering the same configuration settings as an MSI installation and saves those settings to a batch file. The batch file can then be executed at any point in time to silently install EmpowerID on any network-reachable dedicated EmpowerID Web server.

Performance enhancements


The Web application has been rewritten using the latest in responsive design principles. This includes CSS and scripting minification, enhanced support for mobile devices and a new CDN (Content Delivery Network) application that allows you to deploy EmpowerID's CSS, image and script files to a separate, resolvable server (with a different DNS), or you can deliver the content to a true CDN with replication and geographical load-balancing, such as those offered by AWS or Azure. Using another server to host the CDN in this way improves response times as the browser caches the CDN content and EmpowerID refrains from sending cookies on each call (as it does in the default configuration).

Virtual Machine management


You can now start, stop and reset virtual machines from EmpowerID with the Identity Manager dashboard. To do so, navigate to the dashboard, select the machine you want to manage and specify the action you want EmpowerID to take.

Example Rest API Pages


The EmpowerID Web application now includes several example Rest API pages (the Authorization API page, the Twilio Voice API page, and the Send Email API page) that developers can use to make API calls against organizational data. Each page shows how an API call should be formatted and demonstrates the response returned by EmpowerID. These calls are real; however, they make no changes to data, so developers can feel free to use them as needed to familiarize themselves with the API. The only prerequisite is that your developers be assigned the SSO Application Developer Management Role. Among other things, this role gives them access to the example pages.

Enhanced Password Management


  • Delivery of OTP via Twilio - Users who have enrolled for password self-service and have forgotten their passwords can now request one-time passwords be delivered to their mobile phones as voice messages. Other than enrolling for password self-service, to take advantage of this feature users must have a mobile phone on record and the organization must have a Twilio account registered in EmpowerID.
  • Updated Help Desk Password Reset Workflow - Users and their managers are now notified via email each time the help desk resets the user's password.

New Permanent Workflows


  • AD Account Expirations - When enabled, this workflow runs once every 10 minutes (can be configured differently), looking for AD accounts that are set to expire within a user-specified period of time. If the workflow finds any AD accounts meeting the criteria, it sends an email notification to the account manager, as well as the manager of the person who owns the account.
  • Person Expiration Notification - When enabled, this workflow runs once every 10 minutes (can be configured differently), looking for expired EmpowerID Person accounts that are set to expire within a user-specified period of time. If the workflow finds any Person accounts meeting the criteria, it sends an email notification to the managers of each person.
  • Submit Person Expirations - When enabled, this workflow runs once every 10 minutes (can be configured differently), looking for expired EmpowerID Person accounts that have reached a user-defined grace period before final termination. If the grace period has been reached and the accounts are still marked as terminated, EmpowerID runs the Terminate Person Advanced workflow, which permanently deletes the account, pending final approval.
  • Scheduled Computer Shutdown - When enabled, this workflow starts and stops all computers that have Shutdown and Start tags applied according to the values set for those tags.
  • Update IP Addresses for Computers - When enabled, this workflow updates the IP addresses of each computer in the system to its current address.
  • Certificate Expiration Notification - When enabled, this workflow runs once every 1440 minutes (can be configured differently), looking for certificates that are set to expire within a user-specified period of time. If the workflow finds any certificates meeting the criteria, EmpowerID sends email notifications of the pending expirations to all people who have the Management Role specified in the workflow.

Easier to set personal Language preferences


Users can set their language preference from any page by clicking the flag icon located in the navbar. Doing so opens an option for each language in which the application is localized.

After the language is selected, EmpowerID updates all localized strings accordingly.

New "Feature Set" and "Alert" Management Roles


We have added new Management Roles for more precision in access assignments.

  • Audit Full Access - This Management Role grants full access to the audit workflows and user interfaces to allow people with the role to review their audit tasks, as well as those of others. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Audit Full Access drop-down.
  • Audit Participant - This Management Role grants limited access to the audit workflows and user interfaces to allow a user to review their audit tasks. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Audit Participant drop-down.
  • Customer - This Management Role grants limited self-service access, allowing users with the role to see themselves only. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Customer drop-down.
  • EmpowerID Configuration Administrator - This Management Role grants access to the EmpowerID administration configuration screens and settings, giving people with the role the ability to manage those settings. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the EmpowerID Configuration Administrator drop-down.
  • EmpowerID Security Alerts - This Management Role allows admin users to receive security event related alerts. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the EmpowerID Security Alerts drop-down.
  • EmpowerID System Notifications - This Management Role allows users to receive alerts concerning EmpowerID system events such as failed jobs. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the EmpowerID System Notifications drop-down.
  • Group Membership Changes - This Management Role allows admin users to receive notifications of group membership changes. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Group Membership Changes drop-down.
  • IT Shop Full Access - This Management Role grants full access to the IT Shop workflows and user interface to allow access requests and resource management. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the IT Shop Full Access drop-down.
  • IT Shop Limited Access - This Management Role grants limited access to the IT Shop workflows and user interface to allow people with the role the ability to request access to resources. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the IT Shop Limited Access drop-down.
  • Partner Admin - This Management Role gives users with the role the ability to perform delegated administration of people, users, and groups within a partner organization. Visibility is restricted to the resources in the partner organization. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Partner Admin drop-down.
  • Partner User - This Management Role provides limited access for partner users, which is typically limited to password self-service and access to SSO applications. Visibility is restricted to the resources in the partner organization. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Partner User drop-down.
  • Provisioning Requestor - This Management Role grants access to the provisioning/joiner, mover, and deprovisioning/leaver request workflows. This role is often assigned to HR personnel. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Provisioning Requestor drop-down.
  • SSO Application Developer - This Management Role grants people with the role the ability to create and manage their own Apps and SSO connections. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the SSO Application Developer drop-down.
  • SSO Apps Full Access - This Management Role grants full access to the SSO and vaulted credential workflows and user interfaces to allow people with the role to sign in to SSO applications and manage their vaulted credentials. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the SSO Apps Full Access drop-down.
  • SSO Apps Limited Access - This Management Role grants limited access to the SSO and vaulted credential workflows and user interfaces to allow people with the role the ability to sign in to their SSO applications. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the SSO Apps Limited Access drop-down.
  • Workflow Task Participant Full Access - This Management Role provides users with the ability to fully interact with the tasks and requests in the Request Center. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Workflow Task Participant Full Access drop-down.
  • Workflow Task Participant Limited Access - This Management Role provides users with the role the ability to see the status of their tasks and requests in the Request Center. For a complete list of the delegations associated with this role, see Shipping Management Roles and expand the Workflow Task Participant Limited Access drop-down.

Other new features and enhancements


  • The EmpowerID Virtual Directory Server can now be installed on Linux machines. For more information, see Installing the EmpowerID Virtual Directory Server on Linux.
  • The EmpowerID Reverse Proxy Server can now be installed on Linux machines. For more information, see Installing the EmpowerID Reverse Proxy Server on Linux.
  • Microsoft SQL Server 2014 is now supported.
  • Exchange Web Services can now be used for sending and receiving emails.
  • You can now integrate Twilio voice and SMS messaging with EmpowerID
  • Multiple Office 365 tenants are now supported in a single EmpowerID instance
  • OAuth Connections now have their own View One and Edit One pages
  • There is a new, easier-to-configure installer for SSRS 2014
  • Certificates can now be mapped to people in the Web application
  • Time constraints can now be added to access requests in the IT Shop
  • When a person is terminated, EmpowerID now deletes any accounts that person owned in "tracking-only" account stores
  • The visibility of SSO application tiles is now limited to users who have access to the applications represented by those tiles
  • Non-technical users can now request shared folders
  • Users with multiple personas now pick their desired persona immediately after logging in
  • Support has been added for RADIUS group membership requests
  • User home pages can now be set in the Password Policy applied to those users.
  • Auditors and other administrative users can now see attestations and their decisions from one location
  • Account Store attribute flow can now be edited in the Web
  • EmpowerID now sends email alerts to designated users when mailbox permissions change
  • EmpowerID configuration settings can now be viewed and edited from the Web
  • You can now view the net resultant access a person has on their View One pages
  • EmpowerID now sends email alerts to designated users when someone becomes locked out of an account
  • You can now configure Relying Party Trusts for WS-Fed connections in the Web
  • You can set the maximum number of members for groups
  • Users can now request computers in the IT Shop
  • EmpowerID now sends email alerts to designated users each time an EmpowerID Job fails
  • Workflow Studio source control objects can now be searched for and viewed in the Web
  • You can view and edit Exchange servers in the Web
  • The Nations/Countries list now appears in the Web
  • Administrators and other designated users can now see the Management Role membership granted by Business Roles and Locations
  • Request Workflow parameters can now be edited in the Web
  • Custom operations can now be deleted in the Web
  • You can now delete SMS Email gateways in the Web
  • RADIUS connections can now be created, edited and deleted in the Web
  • Object Attributes and Security Boundary Attributes can now be created, edited and deleted in the Web
  • You can now create and edit OAuth Service Providers and OAuth Consumers in the Web
  • Addresses can now be created, edited and deleted in the Web
  • You can now create, edit and delete Account Store Trusts in the Web
  • Security Boundary Types and Resource System Types can now be created and edited in the Web
  • The Login screen image can be replaced in CSS
  • Execution Runtime Jobs can now be edited in the Web
  • EmpowerID now supports licensing shared Office 365 mailboxes
  • The schema for the Universal Connector has been updated
  • EmpowerID now sends email alerts to owners and other delegated users each time the membership of high security groups changes
  • OAuth connections now have their own dedicated view and edit pages
  • Inbound and outbound attribute changes for people can now be viewed and sorted by date on person view pages
  • Users can request membership in any requestable groups linked to a Local Windows User resource system
  • Access assignments for resources can now be made on each resource's View One page
  • You can now add time constraints to Business Role and Location assignments
  • EmpowerID has added a new relative Access Level for computers, the "Computers where I'm a local admin" Access Level
  • You can now prioritize Password Manager policy assignments
  • You can now produce revoke reports for Audits and Audit Attestation policies
  • The Computer Manager page now shows local users, groups and computers.
  • Users can now be mandated to accept or deny a versioned usage agreement on their first login
  • Users who do not own a global admin account in Office 365 can enter the service account credential in EmpowerID for administrative access
  • The net resultant access granted to each person can now be viewed on their View One pages
  • Set Groups can now be edited from Edit One pages
  • You can now upload, edit and delete certificates in the Web
  • You can now view the Management Role memberships granted by Business Role and Locations
  • Changes to Default Attribute policies can now be previewed before being applied.

Removed Features

The following features and/or support options have been removed from EmpowerID:

  • The use of Query String Parameters for localizing the Login page.
  • The registry keys for Exchange have been removed from the TheDotNetFactory hive. These settings are now maintained in the EmpowerID metadirectory and can be accessed from the EmpowerID System Settings page in the Web application.
  • Microsoft SQL Server 2008 and 2008R2 are no longer supported
  • EmpowerID no longer supports IE 7, IE 8 and IE 9.
  • The Office365Issuer key has been removed from the TheDotNetFactory hive.



Upgrading to EmpowerID 2016


EmpowerID freely provides hotfixes to address known issues and offers upgrades with new functionality in the form of new builds. Each of these builds allows you to either perform a complete install or upgrade an existing implementation. When installing a hotfix or newer version of EmpowerID, the upgrade option allows you to add the enhancements to your environment without losing preexisting data and configuration models.

When upgrading EmpowerID, you must be logged in as a user with rights to alter the EmpowerID database on the target SQL server. Additionally, please make sure you have saved any customizations to EmpowerID workflows in a custom package to avoid having the restoration process overwrite your custom workflows.



As the schema for the Universal Connector has changed for EmpowerID 2016, if you were using the Universal Connector in an earlier version you must run the upgrade script to avoid any issues with your data. Please click the below button to download the script and then run it in your SQL Server.

Download the Upgrade Script

  1. From SQL Server, run any SQL upgrade scripts pertinent to your upgrade build.
  2. Back up the TheDotNetFactory registry hive.
  3. Stop all EmpowerID Windows services
  4. Uninstall EmpowerID. For step-by-step guidance, see Uninstalling EmpowerID.
  5. Run the installer for the new build. When the EmpowerID Server Setup wizard appears, do the following:
    1. Click Next.
    2. Accept the license agreement and click Next to continue.
    3. .

    4. Review the path where EmpowerID will be installed and click Next. If you want to install EmpowerID in a different directory, click the Change button to choose a new path and then click Next.
    5. Click Install to begin the installation.
    6. Wait for the Server Setup to complete the installation and then click Finish.
    7. This opens the EmpowerID Settings tool. You use this to connect EmpowerID to your SQL server, license your copy of EmpowerID as well as to configure default email settings, certificates, IIS Web Sites, and the EmpowerID Windows services.

    8. From the SQL Connection pane of the EmpowerID Settings tool, do the following:
      1. Type the name or IP address of the SQL server you are using for EmpowerID in the Server field.
      2. Select the EmpowerID database from the Database drop-down.
      3. Select Windows Authentication.
      4. Test the connection by clicking Test Connection.
      5. Click OK to close the connection message.
      6. Now that the SQL connection has been configured, click Next to configure the general settings.
    9. In the Import License pane of the General Settings tab, do the following:
      1. Type the licensing key you received from EmpowerID in the License Key field and then click the Add License File button (...).
      2. In the Open File dialog that appears, locate and select the EmpowerID License File (.eidlic) you received from EmpowerID and then click Open.
    10. In the Notification Settings pane of the General Settings tab, do the following:
      1. In the URL field, type the FQDN of your EmpowerID Web server. Be sure to use the https scheme.
      2. In the From Address field, type the default email address EmpowerID should use for sending any automated emails generated by the system.
      3. In the SMTP Server field, type the FQDN of the Exchange server EmpowerID should use for sending any automated emails generated by the system.
      4. When completed, the General Settings should look similar to the below image.

      5. Now that the general settings have been configured, click Next to configure the Web Site settings.
    11. In the Web Settings pane of the Web Site tab, do the following:
      1. In the Select Web Site drop-down, select an existing Web site to host the EmpowerID Web application or enter a name to create a new site. By default, EmpowerID selects the default Web site.
      2. Click the Select Cert button and in the Windows Security window that appears, select the SSL certificate you want to use to encrypt/decrypt EmpowerID communications.
      3. Click OK to close the Windows Security window.
      4. In the Application Pool Settings pane, type the user name and password for the account running the application pools in the Username and Password fields, respectively. This account must have the appropriate access levels to read from and write to the EmpowerID metadirectory.
      5. When completed, the Web Site settings should look similar to the below image.

      6. Now that the Web settings have been configured, click Next to configure the Web applications settings.
    12. In the Web Applications pane of the Web Applications tab, select each EmpowerID Web application you want to install on the Web server. By default, all applications are selected. If you do not want to install an application, deselect it. These applications include the following:

      • Service Provider - This application provides EmpowerID services to authenticated users.
      • Identity Providers - This application provides authentication services for users.
      • Click Once - This application allows users to use their browsers to install the EmpowerID Management Console (fat client) on their desktops.
      • Web Services - This application hosts the EmpowerID Web services.
      • Web CDN - This application contains the CSS, Image and script files used by the EmpowerID Web application.
      • API - This application provides the functionality for making Web API calls to EmpowerID.

      EmpowerID gives you the option of using a separate CDN (Content Delivery Network) in place of your default EmpowerID Web server to deliver the CSS, image and script files used by the EmpowerID Web application. To implement a CDN, you can deploy EmpowerID's static content to a separate, resolvable server (with a different DNS), or you can deliver the content to a true CDN with replication and geographical load-balancing, such as those offered by AWS or Azure. Because the content is stored on another server with a separate DNS, response times improve as your browser caches the content and EmpowerID refrains from sending cookies on each call (as it does in the default configuration).

      To use a separate CDN, type the URL to the CDN in the CDN Server URL field and deselect the Web CDN Web application.


    13. Leave the Service Provider Name set to EmpowerID.
    14. Under Federation Settings, click the Browse button to the right of the Certificate Pfx Path field and select the STS certificate EmpowerID should use for signing SAML assertions. The format for the certificate is PFX.
    15. Type the password for the certificate in the Certificate Password field.
    16. When completed, the Web Applications settings should look similar to the below image.

    17. Now that the Web Applications settings have been configured, click Next to configure the EmpowerID Windows services.
    18. In the Services pane, select each EmpowerID Windows service you want to install on the server, providing the user name and password for the identity that is to run each.
    19. When completed, click Next.
    20. Optionally, use the browse and export buttons to download your configuration file to a specific location and then click Export. This is useful if you need to import those settings when re-installing EmpowerID.
    21. Click Next.
    22. Read through the summary information and when ready click Finish.
    23. Click OK to close the Settings Saved message.


  6. Verify that the EmpowerID Web Role Windows service is running. Start it if it is not.

  7. Wait for approximately 10 minutes before proceeding to the next step. This ensures that all GAC references are downloaded to the server.

  8. After waiting 10 minutes, start the EmpowerID Worker Role Windows service.
  9. Start the EmpowerID Radius Server Windows service, if applicable.
  10. Navigate to "C:\Program Files\TheDotNetFactory\EmpowerID\Programs" and open the RbacOjectDatabaseUtility application.
  11. In the Command window that appears, type ALL and then press ENTER to refresh all Rbac objects.
  12. Recompile and publish any custom forms, lookups and workflows.
  13. Next, configure the following registry keys for your environment. These keys were created to support features in EmpowerID 2014 MU4 and are applicable to clients running EmpowerID 2016.

    Key Description

    HKEY_LOCAL_MACHINE\Software\TheDotNetFactory\EmpowerID\WebSettings\EidRenderMinifiedFiles

    Controls minification. Set to true by default. The only time you should change this is when testing or troubleshooting related issues. When set to false, EmpowerID pulls all JS and CSS files, not just the minified ones.

    HKEY_LOCAL_MACHINE\Software\TheDotNetFactory\EmpowerID\WebSettings\EidEnableLogging

    Controls logging. Set to false by default. If set to true, EmpowerID writes all IDP events to the Event Log, and performance degradation occurs.

    HKEY_LOCAL_MACHINE\Software\TheDotNetFactory\EmpowerID\WebSettings\EnableSAMLEventLogging

    Controls SAML event logging. Set to false by default. If set to true, EmpowerID writes SAML events to the SAMLTransaction table in the EmpowerID metadirectory.

    HKEY_LOCAL_MACHINE\SOFTWARE\TheDotNetFactory\EmpowerID\Federation\EmpowerIDServerFQDN

    Used for SharePoint Web Services. Set to blank by default. Set the EmpowerIDServerFQDN to the EmpowerID server hostname for your environment, such as sso.empowerID.com

    HKEY_LOCAL_MACHINE\SOFTWARE\TheDotNetFactory\EmpowerID\Federation\ClientAuthCertificate

    Used for SharePoint Web Services. Set to blank by default. Set the ClientAuthCertificate to the thumbprint of the client certificate. This certificate should be added to the EmpowerID certificate store and mapped to an EmpowerID Person that has the All Access Management Role for authentication purposes.

    The Federation Certificate should not be used for this purpose. The private key of the client authentication certificate is required on the SharePoint server.

    HKEY_LOCAL_MACHINE\SOFTWARE\TheDotNetFactory\EmpowerID\Federation\FederationCertificate

    Used for SharePoint Web Services. Set to blank by default. Set the FederationCertificate to the public key certificate of the federation certificate. This is used to identify the endpoint identity of the web service.



  14. Upgrade the SharePoint Web Services as appropriate.
    • SharePoint 2010: SharePoint Web Services 2010 4.9.40.0
    • SharePoint 2013: SharePoint Web Services 2013 4.9.66.0

    SharePoint Web Services can be found on our download page.


  15. As SHA-256 support for XML signatures has been added to EmpowerID, you should request a SHA-256 certificate and then enable EmpowerID to sign a SAML request or response using SHA-256.


  16. Please see the following articles for more information on how to request a SHA-256 certificate:


    Please see the following article for more information on how to enable EmpowerID to sign a SAML request or response using SHA-256:


  17. If you have federated EmpowerID with Office 365 in a previous release, you need to update the Office 365 WS-Fed Connection in EmpowerID, adding your home realm to it as it is now necessary for SSO.

    • To add the Home Realm
      1. Log in to the EmpowerID Web application as an administrator.
      2. From the Navigation Sidebar, navigate to the Find page for WS-Fed Connections by expanding Admin > SSO Connections and clicking WS-Fed.
      3. Search for your Office 365 WS-Fed Connection and from the grid click the drop-down for it and then click Edit.
      4. From the Info tab of the Connection Details edit form that appears, type your home realm in the Home Realm field. The value should be your domain.
      5. Click Save.
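
The registry settings from step 13 can be checked after the upgrade with a short script. The following PowerShell is an added example, not EmpowerID's own tooling; it assumes each setting is a named value under its parent key holding text data, and the function name Get-EidSettingAudit and its -FederationThumbprint parameter are hypothetical.

```powershell
# Added example (not EmpowerID tooling): audit the step 13 registry values.
# Assumption: each setting is a named value under its parent key, stored as text.
$EidRoot = 'HKLM:\SOFTWARE\TheDotNetFactory\EmpowerID'

# Documented defaults from the table in step 13 ('' means blank by default).
$EidSettings = @(
    @{ Sub = 'WebSettings'; Name = 'EidRenderMinifiedFiles'; Default = 'true'  }
    @{ Sub = 'WebSettings'; Name = 'EidEnableLogging';       Default = 'false' }
    @{ Sub = 'WebSettings'; Name = 'EnableSAMLEventLogging'; Default = 'false' }
    @{ Sub = 'Federation';  Name = 'EmpowerIDServerFQDN';    Default = ''      }
    @{ Sub = 'Federation';  Name = 'ClientAuthCertificate';  Default = ''      }
    @{ Sub = 'Federation';  Name = 'FederationCertificate';  Default = ''      }
)

function Get-EidSettingAudit {
    param(
        [string]$Root = $EidRoot,
        # Hypothetical parameter: thumbprint of the STS/federation certificate,
        # supplied by the operator so reuse as the client certificate is flagged.
        [string]$FederationThumbprint
    )
    # Strip spaces and other non-hex characters before comparing thumbprints.
    $normalize = { param($t) ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    foreach ($s in $EidSettings) {
        $path  = Join-Path $Root $s.Sub
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $value = ([string]$item.($s.Name)).Trim() }
        }
        $status = if ($null -eq $value) { 'Missing' } elseif ($value -ieq $s.Default) { 'Default' } else { 'Changed' }
        # The page says the federation certificate must not double as the client certificate.
        if ($s.Name -eq 'ClientAuthCertificate' -and $value -and $FederationThumbprint -and
            (& $normalize $value) -eq (& $normalize $FederationThumbprint)) {
            $status = 'ReusesFederationCertificate'
        }
        [pscustomobject]@{
            Key     = "$($s.Sub)\$($s.Name)"
            Value   = $value
            Default = $s.Default
            Status  = $status
        }
    }
}

Get-EidSettingAudit | Format-Table -AutoSize
```

A Status of Changed on EidEnableLogging or EnableSAMLEventLogging that persists after troubleshooting is the case to look for, and the three Federation values are expected to read Changed once SharePoint Web Services are configured.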

Product Support

EmpowerID provides support to all customers who have a trial version of an EmpowerID product or who have purchased a commercial version with a valid Software and Maintenance support contract. By purchasing Software Maintenance and Support, you have access to any upgrades that are released within a 12-month period and have email access to our product team to resolve any issues that may arise.

For further information on Software Maintenance and Support, please contact us by email at sales@empowerID.com.

Online Support

Registered users may submit cases online and track their status. If you are a registered user, you may submit and view the status of cases at any time. For more information, please visit us at http://www.empowerid.com.

Contacting Support

To contact a support representative, you may send an email to support@empowerID.com or contact us by phone by calling +1 (877) 996-4276.

As stated in section 13.1 of the customer agreement, EmpowerID offers support for the most recently released version of the Software Program and the next prior version only. This means that with the release of EmpowerID 2016, support is only extended for EmpowerID 2014 and EmpowerID 2016.