PingAM 7.5.1

Configure user registration

User self-registration lets end users create their own accounts in AM. You can configure AM to perform user registration, or you can delegate user registration to IDM.

Configure AM for user self-registration

Although you can configure user self-registration without any additional security mechanisms, such as email verification or KBA security questions, we recommend configuring the email verification service with user self-registration at a minimum.

  1. In the AM admin UI, configure the email service.

  2. Go to Realms > Realm Name > Services and select User Self-Service.

  3. On the User Registration tab, enable User Registration.

  4. Enable Captcha to turn on the Google reCAPTCHA plugin. Make sure you have configured the plugin, as described in Configure the Google reCAPTCHA plugin.

  5. Enable Email Verification to turn on the email verification service. We recommend you leave Email Verification enabled, so users who self-register must perform email address verification.

  6. Enable Verify Email before User Detail to verify the user’s email address before requesting the user details.

    By default, the user self-registration flow validates the email address after the user has provided their details. Enable this setting for backwards-compatibility with self-registration flows configured in OpenAM 13 or 13.5.

  7. Enable Security Questions to display security questions during the self-registration process.

    If you enable security questions, the user is presented with the configured questions during the forgotten password and forgotten username flows. The user must answer these questions in order to reset their passwords or retrieve their usernames .

  8. In the Token LifeTime field, set an appropriate number of seconds for the token lifetime. If the token lifetime expires before the user self-registers, they will need to restart the registration process.

    Default: 300 seconds.

  9. To customize the user registration outgoing email, perform the following steps:

    • In the Outgoing Email Subject field, enter the subject line of the email.

      The syntax is lang|subject-text, where lang is the ISO-639 language code, such as en for English, or fr for French. For example, the subject line values could be: en|Registration Email and fr|E-mail d’inscription.

    • In the Outgoing Email Body field, enter the text of the email.

      The syntax is lang|email-text, where lang is the ISO-639 language code. The email body text must be all on one line, and can contain any HTML tags within the body of the text.

      For example:

      en|Thank you for registering with example.com! Click <a href="%link%">here</a> to register.`
  10. In the Valid Creation Attributes field, enter the attributes that the user can set during registration.

    These attributes are based on the AM identity repository.

  11. For Destination After Successful Registration, select one of the following options:

    • auto-login. User is automatically logged in and sent to the appropriate page within the system.

    • default. User is sent to a success page without being logged in. In this case, AM displays a "You have successfully registered" page. The user can then click the Login link to log in to AM. This is the default selection.

    • login. User is sent to the login page to authenticate.

  12. Save your changes.

  13. On the Advanced Configuration tab, configure the User Registration Confirmation Email URL for your deployment. The default is: https://openam.example.com:8443/openam/XUI/?realm=${realm}#register/.

  14. Save your changes.

Delegate user self-registration to IDM

Like AM, IDM offers user self-registration functionality. However, IDM provides additional onboarding and provisioning features.

You can delegate user registration to IDM after a user has authenticated to AM, using a social identity authentication module, for example.

For IDM to complete the registration process:

  • AM and IDM must be connected to the same user data store.

    For more information, refer to the shared identity store sample in the platform documentation.

  • AM and IDM must share the signing and encryption keys used for self-service.

    You can supply your own keys for both servers, or you can use the default IDM keys.

    To use the default IDM keys, follow the instructions in Copy key aliases to copy the following key aliases from the IDM keystore to the AM keystore:

    • openidm-selfservice-key—encrypts JWT self-service tokens using HS256 (HMAC with SHA-256) (SecretKeyEntry)

    • selfservice—Signs JWT session tokens using RSA (PrivateKeyEntry)

    When you have copied the keys, restart AM to apply the changes.

Configure AM to let IDM handle registration

  1. In the AM admin UI, go to Configure > Global Services > IdmIntegrationService and enable the service.

  2. Enter the URL of the IDM instance in the idmDeploymentUrl field, for example https://idm.example.com.

  3. Enter the signing and encryption key information:

    1. If you used the default IDM keys, enter the following key information:

      • In the provisioningSigningKeyAlias field, enter selfservice.

      • In the provisioningEncryptionKeyAlias field, openidm-selfservice-key.

      • In the provisioningSigningAlgorithm field, enter HS256.

      • In the provisioningEncryptionAlgorithm field, enter RSAES_PKCS1_V1_5.

      • In the provisioningEncryptionMethod field, enter A128CBC_HS256.

    2. If you created new signing or encryption keys, enter the details of these keys. The keys must be identical and available in the default keystores of both AM and IDM.

      For more information, see Security in the IDM documentation.

    3. If you are using IDM 6 or earlier, enable the jwtSigningCompatibilityMode property.

    For details of the configuration properties, see IDM provisioning.

  4. Save your changes.

  5. In the AM admin UI, go to Realms > Realm Name > Authentication > Modules, and create or select a social authentication module in which to enable IDM user registration.

  6. On the social authentication module page, perform the following actions on the Account Provisioning tab:

    • Select Use IDM as Registration Service.

    • Enable Create account if it does not exist.

  7. Save your changes.

    Successfully authenticating to a social authentication module that has IDM as the registration service redirects the user to IDM to complete the user registration.

    For basic information on integrating AM and IDM, refer to the sample platform setup documentation.

User management of passwords and security questions

Once the user has self-registered to your system, they can change their password and security questions at any time on the user profile page. The user profile page provides tabs to carry out these functions.

The User Profile page supports the ability to change the user’s password on the Password tab.
Figure 1. User Profile Page Password Tab
The User Profile page supports the ability to change the user’s security questions on the Security Questions tab.
Figure 2. User Profile Page Security Questions Tab