Users registration module [reg]

The reg module serves as the registration point for new users who want to access CzechIdM. To become a registered user, one has to pass several validation steps before being able to log in to CzechIdM.

There is a registration link on the login dialogue page, which takes you to the registration page.

The new user fills in the following fields:

  • First name (mandatory)
  • Surname (mandatory)
  • Login (mandatory) – this field is only available if the own-login option is turned ON in the application settings. If it is not available, CzechIdM generates the login automatically.
  • Email (mandatory) – if user validation via email is turned ON in the application settings, the validation link (token) is sent to this email address.
  • Telephone – user attribute. Depending on the application settings, the telephone can be used for SMS notification, or the administrator can contact the user by phone.
  • Organization – descriptive attribute. It usually helps administrators to catalogue users later.
  • New Password (mandatory) – the new CzechIdM password; a password strength indicator is also shown. If the new password box is not available, it has been turned off in the application settings. In that case the password is generated by other means depending on the remaining settings, usually when the user gets an account on a managed system that CzechIdM uses as an authentication point.
  • New Password again (mandatory)

When the form is filled in, the captcha is passed (if ON) and the process continues with the following steps:

  • The new user receives an email with a URL link to CzechIdM.
  • After the user clicks on the link, the email address is validated.
  • Then the registration process creates a user task for the responsible person. This step can be skipped if so configured in the application settings.
  • When the task is resolved, the newly registered user receives an email with the login, which can be used to access CzechIdM. If CzechIdM is configured to authenticate against another system, the user must of course have an account on that system too. If so, consider using automatic roles.

After the registration form is filled in, the application performs the following steps.

  • A new identity is created in CzechIdM and set as inactive. It has no roles and no contracted positions. The login is generated if it was not set by the user.
  • A new contracted position is created for the identity and placed in the organization tree. To be able to place the contracted position into the organization tree, the application setting idm.sec.reg.defaultOrgId has to be set. More about the reg settings in the following sections.
    • The user gets automatic roles when placed in the organization tree.
    • The contracted position gets its manager from the application setting idm.sec.reg.defaultAuthorizer.
  • An email is sent to the address that the user filled in the registration form. The email contains a link; when the user follows it, he is forwarded to the CzechIdM login page and the registration is confirmed. The registration link in the email has a time-limited validity.
  • A user task is generated for the users with the registrationalApproval role. Caution: if this step is enabled in the configuration and nobody has the role assigned, the registration process always fails. Turn on this step only if at least one user has the role assigned, or assign the role to the admin user as a fallback.
  • When the task is resolved, the identity is enabled (unblocked) and gets the roles defined in the registration module configuration. Do not confuse these roles with automatic roles.
  • All users with the registrationNotification role assigned are notified about the creation of the new user.

Reg module configuration

  • idm.sec.reg.loginGenerator – step 1. If the key is not defined, the user can type his own login, i.e. the registration form has an input box for the login. If the key is defined, its value is the name of the CzechIdM login generation component, e.g. "basicLoginGenerator" (the login has the form firstname + first character of the lastname).
  • idm.sec.reg.createEnabled – true if the identity in steps 1 and 2 should be created as enabled (unblocked).
  • idm.sec.reg.defaultOrgId – step 2. The value is the entity id of the organization in which registered users are placed (via their contracted positions). The entity id can be found on the organization detail in the CzechIdM GUI: Organizations → Structure elements → find the organization, e.g. by its name → organization detail (magnifying glass). The entity_id is then visible in the web browser URL after the TreeNode string, e.g. 767b8e11-122c-433a-9cde-2d686061aa3d.
  • idm.sec.reg.confirmationTtlSec – the number of seconds for which the registration URL in the email (step 3) is valid.
  • idm.sec.reg.defaultRoles – step 5. The value is a set of role names that users get in the registration process.
  • idm.sec.reg.passwordPolicy – the value is the name of the password policy.
  • idm.sec.reg.defaultAuthorizer – the value is the login of the identity that is used as the manager of registered users (of their contracted positions).

Steps 1 to 6, or parts of them, can be disabled by the following processors: request-confirm-processor, request-approve-processor, identity-finalize-processor, user-notification-processor, notification-processor, request-delete-processor.
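As an added sanity check for the settings above (example code, not part of CzechIdM or its documentation): it parses the reg keys from a constructed .properties fragment and reports the misconfigurations this page warns about, notably the approval step being enabled while nobody holds registrationalApproval, which makes every registration fail, and an overlong lifetime of the emailed confirmation link. The .properties file format, the comma-separated defaultRoles value, the role name selfRegistered and the approval_enabled / approval_role_holders inputs are assumptions.

```python
import uuid

# Constructed sample of the reg module keys described on this page, in Java
# .properties form (the file format, the comma-separated defaultRoles value
# and the role name "selfRegistered" are assumptions, not taken from the page).
SAMPLE_PROPERTIES = """
idm.sec.reg.loginGenerator=basicLoginGenerator
idm.sec.reg.createEnabled=false
idm.sec.reg.defaultOrgId=767b8e11-122c-433a-9cde-2d686061aa3d
idm.sec.reg.confirmationTtlSec=2592000
idm.sec.reg.defaultRoles=selfRegistered
idm.sec.reg.defaultAuthorizer=admin
"""

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_reg_config(props, approval_enabled, approval_role_holders, max_ttl_sec=86400):
    """Return findings for the failure modes this page describes. approval_enabled
    says whether the approval step (request-approve-processor) is active and
    approval_role_holders lists logins holding registrationalApproval; both are
    deployment facts supplied by the caller, not read from the properties file."""
    findings = []
    try:
        uuid.UUID(props.get("idm.sec.reg.defaultOrgId", ""))
    except ValueError:
        findings.append("defaultOrgId missing or not a UUID entity id: no place in the org tree")
    ttl = props.get("idm.sec.reg.confirmationTtlSec", "")
    if not ttl.isdigit() or int(ttl) <= 0:
        findings.append("confirmationTtlSec must be a positive number of seconds")
    elif int(ttl) > max_ttl_sec:
        findings.append(f"confirmationTtlSec={ttl}: emailed link valid longer than {max_ttl_sec}s")
    if not props.get("idm.sec.reg.defaultRoles"):
        findings.append("defaultRoles empty: approved identities end up with no role")
    if not props.get("idm.sec.reg.defaultAuthorizer"):
        findings.append("defaultAuthorizer missing: contracted positions have no manager")
    if props.get("idm.sec.reg.createEnabled", "false").lower() == "true":
        findings.append("createEnabled=true: identity is active before email validation and approval")
    if approval_enabled and not approval_role_holders:
        findings.append("approval step enabled but nobody holds registrationalApproval: every registration fails")
    return findings
```

Run it against the real configuration export and the list of identities holding registrationalApproval before enabling the approval step.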

More information about the module and its configuration can be found in its readme file, available on the source code git download page in the root directory of the project: /README.md