PingFederate Server

Configuring email ownership verification options

Based on your customer IAM use cases, you can optionally offer users the opportunity to confirm ownership of the email address associated with their accounts. This setting is configured on a per-local-identity-profile basis.

About this task

Using the administrative console, configure the email ownership verification settings for a local identity profile.

If you enable email ownership verification, when a user submits a registration request, PingFederate sends an email ownership verification message to the email address. The message is valid for a configurable period. If the user cannot find the message, they can request another one by accessing the email ownership verification endpoint. Moreover, if you enable profile management, the profile management page displays a reminder until the user verifies the email address. Like other local identity fields, the email verification status is stored in the directory and can be relayed to the applicable target applications through identity provider (IdP) authentication policies.

Steps

  1. Go to Authentication → Policies → Local Identity Profiles.

  2. On the Email Verification tab, select the Enable Email Ownership Verification check box to offer users the opportunity to verify the email address associated with their accounts.

    The Email Verification tab appears only when you select the Enable Registration check box or the Enable Profile Management check box on the Profile Info tab.

    The Enable Email Ownership Verification check box is not selected by default.

    The rest of the steps apply only if you enable email ownership verification.

  3. In the Email Address Field list, select a field.

    The field value represents the recipient of the verification message.

    Only fields that use the Email or Text input control are eligible and shown.

  4. In the Ownership Status Field list, select a field.

    The field value represents the email ownership verification status. PingFederate sets the value to false in the directory when it receives a new or an updated email address from the user. After the user verifies the email ownership, PingFederate sets the value to true.

    Only fields that use the Hidden input control are eligible and shown.

  5. To verify emails with one-time passcodes, which is the default option:

    1. Set the Email Verification Type to One-Time Passcode.

    2. Optional: Change any of the values in the following fields:

      • One-Time Passcode Length

      • One-Time Passcode Retry Attempts

      • Allowed One-Time Passcode Character Set

      • One-Time Passcode Lifetime

  6. To verify emails with one-time links:

    1. Set the Email Verification Type to One-Time Link.

    2. Optional: Change the One-Time Link Lifetime value.

  7. Optional: To use different template files, update the template fields.

    The template files are in the <pf_install>/pingfederate/server/default/conf/template directory and the <pf_install>/pingfederate/server/default/conf/template/mail-notifications directory.

    The email templates are only applicable when using an SMTP notification publisher to deliver email-verification messages.

  8. Select a Notification Publisher instance.

    If you haven’t yet configured the desired notification publisher instance, click Manage Notification Publishers, configure the instance, and then select it.

  9. Optional: To require users to verify their email address ownership before they can access any connected applications:

    1. Select the Require Verified Email check box.

    2. Optional: If the Email Verification Type is set to One-Time Link, you can specify a different template in the Require Verified Email Template field.

      The default template gives users options to Resend the verification email, Continue, or Cancel.

      The Require Verified Email Template field appears only after you select the Require Verified Email check box.

      If you select the Require Verified Email check box, users can sign on to their local identity profile and manage their account, but PingFederate blocks them from accessing any connected applications until they have successfully verified their email address.

      To let users manage their accounts, select the Enable Profile Management check box on the Profile Info tab, as described in Configuring local identity profiles.

  10. Click Next.
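The following added example (not PingFederate code, and not from this documentation) models the ownership-status lifecycle of steps 4 through 6: the hidden status field is reset to false whenever the email address changes, and a one-time passcode is accepted only while its lifetime has not elapsed and its retry attempts are not exhausted. The record class, the default values, and the exact meaning of "retry attempts" (failed submissions allowed before the code is discarded) are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed defaults standing in for the Email Verification tab settings;
# real deployments use whatever the administrator configures there.
OTP_LENGTH = 8
OTP_RETRY_ATTEMPTS = 3
OTP_CHARSET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # Allowed One-Time Passcode Character Set
OTP_LIFETIME_SECONDS = 600                         # One-Time Passcode Lifetime


@dataclass
class LocalIdentityRecord:
    """Hypothetical stand-in for the directory entry behind a local identity profile."""
    email: str                      # the Email Address Field (recipient of the message)
    email_verified: bool = False    # the Ownership Status Field (hidden input control)
    _otp: Optional[str] = field(default=None, repr=False)
    _otp_expires_at: float = 0.0
    _attempts_left: int = 0


def set_email(rec: LocalIdentityRecord, new_email: str) -> None:
    """A new or updated address always resets ownership status to false."""
    rec.email = new_email
    rec.email_verified = False
    rec._otp = None  # any passcode sent to the old address is no longer meaningful


def issue_otp(rec: LocalIdentityRecord, now: float) -> str:
    """Generate a fresh passcode; in production it is delivered only by email."""
    code = "".join(secrets.choice(OTP_CHARSET) for _ in range(OTP_LENGTH))
    rec._otp, rec._otp_expires_at, rec._attempts_left = code, now + OTP_LIFETIME_SECONDS, OTP_RETRY_ATTEMPTS
    return code


def verify_otp(rec: LocalIdentityRecord, submitted: str, now: float) -> str:
    """Return 'verified', 'mismatch', 'locked', 'expired' or 'no_code'."""
    if rec._otp is None:
        return "no_code"               # user must request another message
    if now > rec._otp_expires_at:
        rec._otp = None
        return "expired"
    rec._attempts_left -= 1
    if hmac.compare_digest(rec._otp, submitted):  # constant-time comparison
        rec.email_verified, rec._otp = True, None
        return "verified"
    if rec._attempts_left <= 0:
        rec._otp = None                # retries exhausted; discard the code
        return "locked"
    return "mismatch"
```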