Setting up email invitations for a new user
About this task
To set up email invitations for a new user:
Steps
- Set up PingFederate for local identity profile management.
  For more information, see Configuring user self-service.
  When you complete this task, the PingFederate configuration has a local identity profile.
- Configure Delegated Admin profile management by users.
  For more information, see Configuring user self-service.
  When you complete this task, users whom the Delegated Admin creates have the pf-connected-identities auxiliary object class and a pf-connected-identity attribute value, which provide integration with PingFederate’s user self-service.
- Instruct users to copy the email template to PingDirectory Server.
  For more information, see Editing and copying the email template to the PingDirectory server.
- Create request criteria to match Delegated Admin user ADD requests.
  For more information, see Creating request criteria to match Delegated Admin user ADD requests.
- Edit the provided email template and insert the URL to the PingFederate self-service profile management endpoint.
  For more information, see Editing and copying the email template to the PingDirectory server.
- Create an SMTP external server.
  For more information, see Creating an SMTP external server.
- Create a multi-part email account status notification handler for Delegated Admin user ADD requests.
  For more information, see Creating a multi-part Email Account Status notification handler for Delegated Admin user ADD requests.
Editing and copying the email template to the PingDirectory server
About this task
An example email template is provided in the Delegated Admin package at the top level in the file delegated-admin-account-created.template. This template provides a multi-part text and HTML email to the user with their user name and initial password along with a self-service link they can use to sign on to PingFederate and change their password and profile information.
Steps
- Edit the template:
  - Uncomment the line that sets the value for profile_management_url.
  - Change the value of profile_management_url to the externally accessible URL of the profile management endpoint of your PingFederate local identity profile.
- Copy the template file to the config/account-status-notification-email-templates folder of each instance of the PingDirectory server.
  By default, the email is sent to the address within the user’s LDAP mail attribute. You must provide a mail value for each user. For more information, see common-header-fields.vm in the email templates folder.
Next steps
For more information about the email format and further customization, see the README file in the templates folder.
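A pre-flight check for the two steps above, as an added example that is not part of the Delegated Admin package or of this page's own commands: it confirms that the profile_management_url line is uncommented and holds an HTTPS URL, then that each server root has an identical copy of the template. The Velocity `#set` syntax, the `##` comment marker, the HTTPS and loopback checks, and the sample URL are assumptions; compare them with your copy of the template.

```shell
#!/bin/sh
# Added example, not part of the Delegated Admin package.
# Assumption: the template is Velocity and sets the variable with a line like
#   #set( $profile_management_url = "https://sso.example.com/profile" )
# which ships commented out with a leading "##".
TEMPLATE_NAME=delegated-admin-account-created.template
TEMPLATE_DIR=config/account-status-notification-email-templates

# Print the URL from the last active (uncommented) #set line, or nothing.
active_profile_url() {
    sed -n 's/^[[:space:]]*#set[[:space:]]*([[:space:]]*\$profile_management_url[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Return 0 only if the edited template carries an external HTTPS URL.
check_invite_template() {
    url=$(active_profile_url "$1")
    case "$url" in
        "") echo "FAIL: profile_management_url unset or still commented" >&2; return 1 ;;
        https://localhost*|https://127.*) echo "FAIL: $url is not externally accessible" >&2; return 1 ;;
        https://?*) echo "OK: $url" ;;
        *) echo "FAIL: $url is not an https URL" >&2; return 1 ;;
    esac
}

# Return 0 only if server root $2 holds a byte-identical copy of template $1.
template_installed() {
    cmp -s "$1" "$2/$TEMPLATE_DIR/$TEMPLATE_NAME"
}

# Usage: sh check-invite-template.sh EDITED_TEMPLATE [SERVER_ROOT ...]
# With no arguments, runs against a constructed one-line sample template.
if [ $# -eq 0 ]; then
    sample=$(mktemp) || exit 1
    trap 'rm -f "$sample"' EXIT
    printf '%s\n' '#set( $profile_management_url = "https://sso.example.com/profile" )' > "$sample"
    set -- "$sample"
fi
src=$1; shift
check_invite_template "$src" || exit 1
for root in "$@"; do
    template_installed "$src" "$root" || { echo "FAIL: $root has no matching copy" >&2; exit 1; }
done
```

Run it with the edited template followed by the root directory of every PingDirectory instance; a non-zero exit means the invitation link or one of the copies needs attention before the handler is enabled.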
Creating request criteria to match Delegated Admin user ADD requests
Steps
- For each user resource type for which new user email invites will be sent, create simple request criteria to match the parent DN and object classes for the resource type.
  The setup script includes request criteria for the user resource type that it creates.
  Example:
  $ dsconfig create-request-criteria \
      --criteria-name "Delegated Admin User Creation Request Criteria" \
      --type simple \
      --set operation-type:add \
      --set "included-target-entry-dn:ou=people,dc=example,dc=com" \
      --set "any-included-target-entry-filter:(objectClass=inetOrgPerson)" \
      --set "included-application-name:PingDirectory Delegated Admin"
  The included-application-name property ensures that the criteria matches users whom the Delegated Admin created, but not users created through another interface, such as the Directory REST API. This application name value is visible in the LDAP access log for operations that the Delegated Admin HTTP servlet invokes.
Creating an SMTP external server
About this task
To send emails:
Steps
- Configure a PingDirectory server with an SMTP server in the global configuration.
  Example:
  $ dsconfig create-external-server \
      --server-name "SMTP Server" \
      --type smtp \
      --set server-host-name:smtp.example.com \
      --set user-name:example-smtp-user \
      --set password:example-smtp-password
  $ dsconfig set-global-configuration-prop \
      --set "smtp-server:SMTP Server"
Creating a multi-part Email Account Status notification handler for Delegated Admin user ADD requests
You must set an Email Account Status notification handler in the password policy in force for new users. This policy is typically the default password policy.
About this task
The notification handler references the email template in the config/account-status-notification-email-templates folder.
The setup script creates an example notification handler in a disabled state. This handler cannot be enabled until an SMTP server becomes available in the global configuration.
Steps
- Create or enable the handler:
  Choose from:
  - To create the handler from scratch, use the dsconfig create-account-status-notification-handler command.
    $ dsconfig create-account-status-notification-handler \
        --handler-name "Delegated Admin Email Account Status Notification Handler" \
        --type multi-part-email \
        --set enabled:true \
        --set "account-creation-notification-request-criteria:Delegated Admin User Creation Request Criteria" \
        --set account-created-message-template:config/account-status-notification-email-templates/delegated-admin-account-created.template
  - To enable the handler that is provided with the setup script, use the dsconfig set-account-status-notification-handler-prop command.
    $ dsconfig set-account-status-notification-handler-prop \
        --handler-name "Delegated Admin Email Account Status Notification Handler" \
        --set enabled:true
- Set the handler in the password policy.
  Example:
  $ dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "account-status-notification-handler:Delegated Admin Email Account Status Notification Handler"