Differences
This shows you the differences between two versions of the page.
devel:documentation:modules_reg [2018/12/06 07:32] sourek [Table] |
devel:documentation:modules_reg [2023/02/27 13:23] kopro [Configuration] typo fix |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | <- .:modules | Modules ^ .:start | Documentation ^ .: | ||
+ | ====== Modules - User registration [reg] ====== | ||
+ | |||
+ | Reg module serves as a registration point for new users to access CzechIdM. To be a registered user, one has to go through several validation steps before he can log in to CzechIdM. Validation steps are configurable in CzechIdM. Enabled module adds new GUI form available via CzechIdM login page and manages all the registration process: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ====== Obtaining set of registration attributes ====== | ||
+ | When user tries to access registration form, registration module needs to determine which attributes (or form fields) should be displayed in said form for user to fill out. These attributes are determined by reg form definition and attributes defined in it. The mechanism is same as standard EAV forms. | ||
+ | |||
+ | ===== Identifier attributes ===== | ||
+ | Registration module allows to specify set of attributes, which will be used for identity search, when looking up the identity (in ACTIVATION mode), or determining, | ||
+ | |||
+ | * Attribute with the same code must be defined in reg form definition | ||
+ | * Attribute must be either identity attribute, or EAV attribute in default form definition for IdMIdentity | ||
+ | * If EAV attribute is used, then it must be of SHORTTEXT type, otherwise search will not work as intended. | ||
+ | |||
+ | ==== Example ==== | ||
+ | |||
+ | * Attributes in default IdMIdentity form definition : birthNumber, | ||
+ | * Attributes in reg IdMIdentity form definition: username, email, firstName, lastName, birthNumber | ||
+ | * idm.pub.reg.attributes.identifier=username, | ||
+ | |||
+ | These settings will display attributes username, email, firstName, lastName, birthNumber in registration form. Attributes username, | ||
+ | |||
+ | ===== Validation of registration form ===== | ||
+ | Validation of registration attributes has two steps: basic fields validation and password validation. In the first phase, module checks, if all required attributes are filled. (Attribute is required if it has required field checked in its configuration in reg form definition, or if its defined as identifier attribute). After that, password is checked against default validation policy. | ||
+ | |||
+ | ===== Generating login ===== | ||
+ | Registration module supports various login generators. Name of the login generator can be configured in property idm.pub.reg.loginGenerator. This property should contain full className of login generator, which we want to use. This class must implement eu.bcvsolutions.idm.reg.login.LoginGenerator interface. | ||
+ | |||
+ | < | ||
+ | |||
+ | ==== BasicLoginGenerator ==== | ||
+ | |||
+ | Basic login generator is the only login generator shipped with registration module. It uses last name + first character or first name. If that is taken, appends a number. | ||
+ | |||
+ | ==== Example ==== | ||
+ | |||
+ | Following configuration shows how to configure BasicLoginGenerator (which is shipped with registration module) as a login generator. | ||
+ | |||
+ | * idm.pub.reg.loginGenerator=eu.bcvsolutions.idm.reg.login.BasicLoginGenerator | ||
+ | |||
+ | ===== Registration modes ===== | ||
+ | |||
+ | Registration module supports three registration modes - REGISTRATION, | ||
+ | |||
+ | ==== Setting registration mode ==== | ||
+ | |||
+ | Registration mode is set using idm.sec.reg.activationMode. This property can contain one of the following three values : REGISTRATION, | ||
+ | |||
+ | ===== Setting attributes and creating identity ===== | ||
+ | In order to understand how registration module works, we need to explain how and when are fields from registration form set to identity. Right after the validation of registration form, all fields are set to reg EAV form. At this point, you can see all attributes that given user filled in registration form. After registration approval, all attributes are copied from reg form to identity attributes, or default form definition for IdMIdentity. | ||
+ | |||
+ | ===== Registration confirmation ===== | ||
+ | |||
+ | By default, a confirmation is required for every user who registers. Registration approval process is displayed on the image bellow | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After approving, the registration process continues with finalization of identity (setting up state and adding roles). In case of denial of registration, | ||
+ | |||
+ | ====== Handling password ====== | ||
+ | |||
+ | There are many ways user can set their password when registering in CzechIdM. The most preferable way is to let user to set their password when filling out registration form. In order to do this, we must set up password attribute in reg EAV definition. In order to do so, we need to do the following: | ||
+ | |||
+ | * Create eav attribute in reg form definition, which has the same code, that is set in idm.pub.reg.attributes.password.attr property | ||
+ | * Set its type to SHORTTEXT | ||
+ | * Mark the attribute as confidential | ||
+ | * Set attributes renderer to Password field | ||
+ | |||
+ | Now, new users will be prompted to enter password when filling up registration form. This newly set password is validated against default validation policy. To change that behavior, you can set different policy in idm.sec.reg.passwordPolicy property. | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | ===== Other ways to set user password after registration ===== | ||
+ | |||
+ | * Use pasword reset module | ||
+ | * Administrator manually sets users password after registration | ||
+ | * There is an endpoint, which supports setting user password when clicking on confirmation link. This however is not supported in FE, so clients would have to support their own FE page, which si handling this kind of logic. | ||
+ | |||
+ | ====== " | ||
+ | |||
+ | Registration module supports feature, which requires users who register to check that they accept terms and conditions. In order to set this up, you need to do the following: | ||
+ | |||
+ | * Create eav attribute in reg form definition | ||
+ | * Set attributes type to Boolean | ||
+ | * Set attributes renderer to " | ||
+ | |||
+ | New checkbox will now appear in registration form and users wont be able to submit registration form, unless they check this new checkbox. | ||
+ | |||
+ | |||
+ | ====== Configuration ====== | ||
+ | |||
+ | ^ Property | ||
+ | | idm.sec.reg.defaultRoles | ||
+ | | idm.sec.reg.passwordPolicy | ||
+ | | idm.sec.reg.identityStateAfterConfirmation | ||
+ | | idm.reg.sec.confirmationTtlSec | ||
+ | | idm.pub.reg.loginGenerator | ||
+ | | idm.sec.reg.defaultOrgId | ||
+ | | idm.sec.reg.defaultAuthorizer | ||
+ | | idm.pub.reg.passwordInputEnabled | ||
+ | | idm.pub.reg.attributes.password.attr | ||
+ | | idm.sec.reg.defaultAttributeType | ||
+ | | idm.pub.reg.attributes.identifier | ||
+ | | idm.sec.reg.activationMode | ||
+ | | idm.sec.reg.onlyActiveIdentities | ||
+ | | idm.sec.reg.changePasswordInIdM | ||
+ | | idm.sec.reg.changePasswordEveryWhere | ||
+ | | idm.sec.reg.createEnabledIdentity | ||
+ | | idm.sec.reg.createEnabledConract | ||
+ | | idm.sec.reg.enableContractAfterConfirmation | ||
+ | | idm.sec.reg.isUsernameInForm | ||
+ | | idm.sec.reg.confirmedContractExterne | ||
+ | |||
+ | ===== User registration ===== | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== Approve the registration ===== | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ===== Admin tutorials ===== | ||
+ | * [[tutorial: |
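Review bot: In the Configuration table, `idm.reg.sec.confirmationTtlSec` has its prefix segments in the opposite order from every other key listed (`idm.sec.reg.*` and `idm.pub.reg.*`), and `idm.sec.reg.createEnabledConract` is spelled differently from the neighbouring `idm.sec.reg.enableContractAfterConfirmation`. Please check both against the keys the module actually reads, and if they really are spelled this way, say so next to the entry: a key copied from this table that does not match is a setting that is not applied, and one of these governs how long a confirmation link stays valid. Two smaller points in the same revision: "Validation of registration form" says the password is checked against the default validation policy, while "Handling password" says `idm.sec.reg.passwordPolicy` can change that, so the property should be mentioned in both places; and in "BasicLoginGenerator", "first character or first name" reads as if it should be "of". Typos still present: "bellow", "pasword", "si", "wont".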