Users registration module [reg]
The reg module serves as a registration point for new users of CzechIdM. To become a registered user, one has to go through several validation steps before being able to log in to CzechIdM.
How to register to CzechIdM?
There is a registration link on the login dialogue page, which you can use to access the registration page.
The new user fills in the following fields:
- First name (mandatory)
- Surname (mandatory)
- Login (mandatory) – this choice is only available if the own-login option is turned ON in the application settings. If the choice is not available, CzechIdM generates the login automatically.
- Email (mandatory) – if user validation via email is turned ON in the application settings, the validation link (token) is sent to this email address.
- Telephone – user attribute. Depending on the application settings, the telephone can be used for SMS notification, or the administrator can contact the user by phone.
- Organization – descriptive attribute. It usually serves administrators for subsequent cataloguing of users.
- New Password (mandatory) – the new CzechIdM password. A password strength indicator is also shown. If the new password box is not available, it has been turned off in the application settings; in that case the password is generated by other means depending on other settings, usually when the user gets an account on a managed system which CzechIdM uses as an authentication point.
- New Password again (mandatory)
When the form is filled in, the captcha is passed (if ON) and the registration continues with the following steps:
Registration process background
After the registration form is submitted, the following steps are performed in the application.
1. In CzechIdM, a new identity is created and set as inactive. It has no roles and no contracted positions. The login is generated if not set by the user.
2. A new contracted position is created for the identity and placed in the organization tree. To be able to place the contracted position into the organization tree, the application setting option idm.sec.reg.defaultOrgId has to be set (more about reg setting options in the following sections).
   - When placed in the organization tree, the user gets automatic roles.
   - The contracted position gets its manager from the application settings option idm.sec.reg.defaultAuthorizer.
3. An email is sent to the address the user filled in the registration form. The email contains a link; when the user follows it, he is forwarded to the CzechIdM login page and the registration is confirmed. The registration link in the email has a time-limited validity.
4. A user task is generated for the users with the role registrationalApproval. Caution: if this step is enabled in the configuration and nobody has the role assigned, the registration process always fails. Turn this step on only if at least one user has the role assigned, or assign the role to the admin user as a fallback.
5. When the task is resolved, the identity is enabled (unblocked) and gets the roles defined in the registration module configuration. Do not confuse these roles with automatic roles.
6. All users with the registrationNotification role assigned are notified about the new user creation.
Reg module configuration
- idm.sec.reg.loginGenerator – step 1. If the key is not defined, the user can type their own login, i.e. the registration form has an input box for the user to specify the login. If the key is defined, its value is the name of the CzechIdM login generation component, e.g. "basicLoginGenerator" (the login has the form firstname + first character of the surname).
- idm.sec.reg.createEnabled – true if the identity in steps 1 and 2 should be created as enabled (unblocked).
- idm.sec.reg.defaultOrgId – step 2. The value of the option is the entity id of the organization in which we want to place registered users (via their contracted positions). The entity id of the organization can be found on the organization detail in the CzechIdM GUI: Organizations → Structure elements → find the organization, e.g. by its name → organization detail (magnifying glass). The entity id is then visible in the web browser URL after the TreeNode string, e.g. 767b8e11-122c-433a-9cde-2d686061aa3d.
- idm.sec.reg.confirmationTtlSec – number of seconds for which the registration URL in the email (step 3) is valid.
- idm.sec.reg.defaultRoles – step 5. The value is a set of role names that the user gets in the registration process.
- idm.sec.reg.passwordPolicy – the value is the name of the password policy.
- idm.sec.reg.defaultAuthorizer – the value is the login of the identity used as the manager of registered users (their contracted positions).
Steps 1-6, or parts of them, can be disabled via the following processors: request-confirm-processor, request-approve-processor, identity-finalize-processor, user-notification-processor, notification-processor, request-delete-processor.
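The following is an added example (not CzechIdM code) that checks a reg module configuration for the failure modes described in the registration steps and option list above: a missing or malformed defaultOrgId, a non-positive confirmation TTL, and the approval step (step 4) being enabled while nobody holds the registrationalApproval role. The .properties layout and the idm.sec.reg.processor.<name>.enabled key used to toggle a processor are assumptions; the option and role names are the ones documented on this page.

```python
"""Constructed sanity check for idm.sec.reg.* options. Added example, not
CzechIdM code; the .properties layout and the
idm.sec.reg.processor.<name>.enabled key are assumptions."""
import uuid

# constructed sample with two mistakes: zero TTL and approval on with no approvers
SAMPLE_PROPERTIES = """\
idm.sec.reg.createEnabled=false
idm.sec.reg.defaultOrgId=767b8e11-122c-433a-9cde-2d686061aa3d
idm.sec.reg.confirmationTtlSec=0
idm.sec.reg.defaultRoles=userRole
idm.sec.reg.defaultAuthorizer=admin
idm.sec.reg.processor.request-approve-processor.enabled=true
"""
# constructed: role name -> logins of identities currently holding it
SAMPLE_ROLE_HOLDERS = {"registrationNotification": {"helpdesk"}}

APPROVE_KEY = "idm.sec.reg.processor.request-approve-processor.enabled"


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_reg_config(props, role_holders):
    """Return a list of findings; an empty list means the options are sane."""
    findings = []
    org = props.get("idm.sec.reg.defaultOrgId")
    try:
        uuid.UUID(org or "")  # entity id must be a UUID (step 2)
    except ValueError:
        findings.append("defaultOrgId missing or not an entity id (UUID): "
                        "step 2 cannot place the contracted position")
    ttl = props.get("idm.sec.reg.confirmationTtlSec", "")
    if not ttl.isdigit() or int(ttl) <= 0:
        findings.append("confirmationTtlSec must be a positive number of seconds")
    # the failure mode documented in step 4: approval enabled, no approvers
    approval_on = props.get(APPROVE_KEY, "true").lower() == "true"
    if approval_on and not role_holders.get("registrationalApproval"):
        findings.append("approval step enabled but nobody holds "
                        "registrationalApproval: every registration fails")
    return findings
```

Running check_reg_config(parse_properties(SAMPLE_PROPERTIES), SAMPLE_ROLE_HOLDERS) reports the TTL and the approver problem; correcting the TTL and assigning registrationalApproval to at least one identity yields no findings.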
More information about the module and its configuration can be found in its README file, available in the root directory of the project (/README.md) at the source code git download page.