This section describes the user creation flow in which users choose their own passwords. The administrator starts it by selecting Ask password from user while creating the user, instead of the default flow in which the administrator sets the password. This is the standard method for user management: the administrator never has to choose, remember or hand over a password when creating an account, and never learns the password the user eventually sets. When this option is selected, the administrator must enter an Email Address. The Identity Server sends an email to that address containing a redirection URL, which takes the user to a screen where they can set the password for the account the administrator created.
To enable this flow, complete the following configuration.
Configuring the Identity Server
Open the <IS_HOME>/repository/conf/identity/identity-mgt.properties file and configure the following properties. Enable the Identity Listener with the following property.
This enables notifications to be sent via email when recovering an account or verifying user creation.
This property sets the time after which the notification, and the confirmation link it carries, expires. Keep this window short: until it expires, anyone who can read the mailbox can use the link to set the account's password.
Enable the internal email sending module. If this is set to "false", the Identity Server does not send the email itself; the notification data is instead exposed to applications through a Web service, and the application sends the email using its own email sender.
Set this property to true. It creates a temporary password for the user account until the user sets their own password.
This enables verification of account creation. When self-registration is used, the user is verified by sending a confirmation link to the user's email address.
Open the <IS_HOME>/repository/conf/axis2/axis2.xml file and uncomment the following email transportSender configuration. This is required because notification sending is managed internally. The values shown are only a sample; replace them with your own mail server details. Note that the SMTP credentials are stored in this file, so restrict read access to it accordingly.
Make sure the following email template is defined in the email-admin-config.xml file.
When editing the email-admin-config.xml file by hand, separate the query parameters in the account confirmation link with "&amp;" instead of a bare "&", because a bare "&" is a syntax error in XML. If you define the email template from the Management Console UI instead, simply use "&"; the UI escapes it for you.
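The escaping rule above is easy to get wrong in both directions. The following added example (not code from the original page or from WSO2) shows what an XML parser does with a bare "&", with "&amp;", and with a link that was escaped twice, which is what happens when an already-escaped link is pasted into the UI. The template wrapper, the hostname and the query-parameter names are constructed for this example and are not the real file's layout.

```python
"""Added example (not WSO2 code): why '&' in an email-admin-config.xml
confirmation link must be written as '&amp;' when the file is edited by hand,
and why it must NOT be pre-escaped when entered through the UI.

The XML wrapper, hostname and parameter names below are constructed for this
example and are assumptions, not the real template layout."""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape


def build_template(link):
    """Wrap a confirmation link in a minimal, constructed XML template."""
    return f"<emailTemplate><body>Confirm here: {link}</body></emailTemplate>"


def parse_body(xml_text):
    """Parse the template and return the body text, or None on an XML error."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("body")


# Constructed link with two query parameters (names and host are assumptions).
RAW_LINK = "https://idp.example.com/confirm?confirmation=abc123&userstoredomain=PRIMARY"

# Hand-edited file with a bare '&': not well-formed XML, the template cannot be loaded.
BROKEN = build_template(RAW_LINK)
# Hand-edited file with '&amp;': well-formed, and the parser turns it back into '&'.
FIXED = build_template(RAW_LINK.replace("&", "&amp;"))
# Entering the raw link through the UI is equivalent to escaping it once in code.
UI_STYLE = build_template(escape(RAW_LINK))
# Pasting an already-escaped link into the UI escapes it twice: the stored link
# then contains a literal '&amp;' and the second query parameter is lost.
DOUBLE_ESCAPED = build_template(escape(RAW_LINK.replace("&", "&amp;")))


def demo():
    """Return the parsed body text for each variant (None means XML parse error)."""
    return {
        "broken": parse_body(BROKEN),
        "fixed": parse_body(FIXED),
        "ui_style": parse_body(UI_STYLE),
        "double_escaped": parse_body(DOUBLE_ESCAPED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the "fixed" and "ui_style" variants yield a link with a real "&" between the parameters; the bare "&" variant fails to parse at all, and the double-escaped one silently produces a link with "&amp;" in it that the user's browser will not interpret as a parameter separator.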
The redirectPath values are specific to the sample web application used in this topic; adjust them for your own application.
You can configure email templates for specific tenants.
You can also define the email template from the Management Console by clicking Configure > Email Templates under the Configure section, without editing the email-admin-config.xml file manually.
- Restart the WSO2 Identity Server for the changes to take effect.
- Sign in to the Management Console by entering your username and password.
- In the Main menu, click Add under Claims. See Claim Management for more information on this.
- Click Add New Claim and select the http://wso2.org/claims dialect in the Dialect drop-down list.
- Enter the following values in the form that appears.
- Dialect: http://wso2.org/claims
- Display Name: Identity Password timestamp
- Description: Identity Password timestamp
- Claim Uri:
- Mapped Attribute: facsimileTelephoneNumber
For the Mapped Attribute field, give an attribute that the underlying user store supports. The attribute is repurposed to hold the password timestamp, so choose one that is not used for anything else in your user store.
For more information about claim mappings, see the Configuring Claim Mappings section.
About usage in tenants
If you want a set of claims to be available to all tenants, add those claims to the
<PRODUCT_HOME>/repository/conf/claim-mgt.xml file before the first startup, and then start the server. If you do not need these claims for all tenants, add them through the UI of the specific tenants as described here.
- Click Add. The claim is now added into the Identity Server and you can view the details as seen below.
Configuring the sample web app
The sample app relies on a supporting Web service that the Identity Server exposes at the following WSDL:
The sample uses the following operations of the above API.
See Configuring Sample Application For Identity Management for a sample implementation and the steps needed to configure and deploy it.
Testing the account creation
Do the following steps to test the account creation using the password option.
- On the Main tab in the Management Console, click Add under Users and Roles.
- Click Add New User.
- In the Add User form, do the following:
- In the Domain list, specify the user store where you want to create this user account. This includes the list of user stores you configured. See Working with User Stores for more information.
- Enter a unique user name that the person will use to log in.
- Allow users to enter their own password by selecting Ask password from user.
- Enter a valid Email Address.
- The Identity Server sends an email to the address provided containing a redirection URL. This directs the user to a screen where they must enter their user name and complete the captcha test.
- Click Submit. This directs the user to a screen where they can set the password for the account the administrator created.
- You can now test the new password by signing in to the Identity Server Management Console with the user name and the new password.