This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Creating Users Using the Ask Password Option - Identity Server 5.0.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

This topic provides the configurations necessary to use the WSO2 Identity Server to enable users to create their own accounts by entering their own passwords. This process is typically initiated by an administrator when adding a user to the Identity Server using the management console.

This process is initiated by the administrator when selecting Ask password from user during the user creation process. This makes it easier for administrators as they do not have to remember and specify passwords when creating an account for a user. When selecting this option, the administrator must enter an Email Address. The Identity Server sends an email to this address that provides the users with a redirection URL. This directs the users to a screen where they can provide the password for the account newly created by the administrator.

In order to get the above to work as expected, do the following configurations.

Configuring the Identity Server

  1. Open the <IS_HOME>/repository/conf/carbon.xml file and make the following change. This is done so that the WSDL file can be accessed to perform this functionality.

  2. Open the <IS_HOME>/repository/conf/security/ file and configure the following properties.

    This enables the identity listener.
    This enables notifications to be sent via email when recovering an account or verifying user creation.
    Using this configuration, you can specify a time limit for the notification to expire.
    Enable the internal email sending module. If this is "false", the email sending data would be available to applications via a Web service. Then the application can send the email using its own email sender.
    Enable this property by setting it to true. It creates a temporary password for the user account until the user sets his/her own password.
    This enables verification of account creation. When self registration is done, the user would be verified by sending email (confirmation link) to user's email account.
  3. Open the <IS_HOME>/repository/conf/axis2/axis2.xml file and uncomment the following email transportSender configurations. This must be done as notification sending is internally managed. The configurations available are just a sample, so you must provide your email details as required.

    <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
            <parameter name="mail.smtp.from">[email protected]</parameter>
            <parameter name="mail.smtp.user">wso2demomail</parameter>
            <parameter name="mail.smtp.password">mailpassword</parameter>
            <parameter name=""></parameter>
            <parameter name="mail.smtp.port">587</parameter>
            <parameter name="mail.smtp.starttls.enable">true</parameter>
            <parameter name="mail.smtp.auth">true</parameter>
  4. Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file.

    <configuration type="askPassword">
      <subject>WSO2 Carbon - Password Change for New Account</subject>
    Hi {first-name},
    Please change your password for the newly created account: {user-name}. Please click the link below to create the password.
    If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window.
    Best Regards,
    WSO2 Carbon Team

    You can configure email templates for specific tenants.

  5. Restart the WSO2 Identity Server for the changes to take effect.
  6. Sign in to the management console by entering your username and password and click Configure to access the Configure menu.
  7. In the Configure menu, select Claim Management. See Claim Management for more information on this.
  8. Click on the dialect link, and then click on the Add New Claim Mapping link on the screen that appears. 
  9. Enter the following values in the form that appears.
    • Display Name: Identity Password timestamp
    • Description: Identity Password timestamp
    • Claim Uri:
    • Mapped Attribute: facsimileTelephoneNumber

    About usage in tenants

    If you wish to have a set of claims for all tenants, you must add those claims to the <PRODUCT_HOME>/repository/conf/claim-mgt.xml file prior to the first startup and then start the server. If you do not require these claims for all tenants, then it should be added via the UI of specific tenants as instructed here.

    About Mapped Attribute: facsimileTelephoneNumber

    In above claim configuration, the facsimileTelephoneNumber is used as the mapped attribute for passwordTimestamp claim. That is because the underlying LDAP that comes with Identity Server 5.0.0 does not have an attribute named passwordTimestamp in the LDAP schema. Therefore an attribute which is already defined is used in the schema. If you are using a JDBC userstore, you can give a proper mapped attribute name because in JDBC userstores, there is no schema definition for user attributes unlike in LDAP.

  10. Click Add. The claim is now added into the Identity Server.

Configuring the sample web app

The supporting Web service is hosted in the following WSDL by the Identity Server: https://<is_server>:9443/services/UserInformationRecoveryService?wsdl

The following operations have been used from the above API.

  • getCaptcha()
  • verifyConfirmationCode()
  • updatePassword()

You can find a sample implementation of this in the web application here.

The following are the configurations needed for this functionality to work.

  1. Once you have downloaded the sample, you can directly deploy the InfoRecoverySample.war file in the target directory or you can build it from source.
    1. If you are building from source, you need to give the following context configurations in the web.xml file.
      1. Provide the Identity Server URLs you have hosted as shown below.

      2. Provide the administrator username and password of the Identity Server.

      3. Also you need to enable the SSL configuration of your web application container. You can give the same keystore file as shown below for Apache Tomcat in the <TOMCAT_HOME>/conf/server.xml file. After this change restart Apache Tomcat.

        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                       maxThreads="150" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS"
                       keystoreFile="/home/chamath/apps/wso2is-4.5.0-7.18.2-SNAPSHOT/repository/resources/security/wso2carbon.jks" keystorePass="wso2carbon" />
    2. If you are directly deploying the InfoRecoverySample.war file, first you need to deploy it in the target directory and then stop the server, do the above configurations and start the server again.

Testing the account creation

Do the following steps to test the account creation using the password option.

  1. Start the WSO2 Identity Server.
  2. On the Configure tab in the management console, click Users and Roles.
  3. Click Users. This link is only visible to users with the Admin role. 
  4. Click Add New User.
  5. In the screen that appears, do the following:
    1. In the Domain list, specify the user store where you want to create this user account. This includes the list of user stores you configured. See Working with User Stores for more information.
    2. Enter a unique user name that the person will use to log in.
    3. Allow users to enter their own password by selecting Ask password from user
    4. Enter a valid Email Address
  6. The Identity Server sends an email to the email address provided and sends the users a redirection URL. This directs the users to a screen where they must provide their user name and fill out the captcha test.
  7. Click Submit. This directs the users to a screen where they can provide the password for the account newly created by the administrator.
  8. Now you can test the new password by logging in to the Identity Server management console by giving the user name and new password.
  • No labels