This documentation is for WSO2 Identity Server 5.4.0. View documentation for the latest release.
Creating Users using the Ask Password Option - Identity Server 5.4.0 - WSO2 Documentation
||
Skip to end of metadata
Go to start of metadata

This section is about the user creation flow which allows users to decide their own passwords. This process is initiated by the administrator when selecting Ask password from user during the user creation process. This is different from the default flow, in which the administrator decides the passwords for users. Using the Ask Password option is the standard method for user management as the administrator does not have to remember and specify passwords when creating an account for a user. When selecting this option, the administrator must enter an Email Address. The Identity Server sends an email to this address that provides the users with a redirection URL. This directs the users to a screen where they can provide the password for the account newly created by the administrator. 

Warning!

Note the following before you begin:

From 5.3.0 onwards there is a new implementation for identity management features. The steps given below in this document follows the new implementation which is the recommended approach for creating users using the ask password option.
Alternatively, to see steps on how to enable this identity management feature using the old implementation, see Creating Users using the Ask Password Option documentation in WSO2 IS 5.2.0. The old implementation has been retained within the WSO2 IS pack for backward compatibility and can still be used if required.

Follow the instructions given below to configure this feature. 

Configuring the Identity Server

Before you begin

Ensure that the "IdentityMgtEventListener" with the orderId=50 is set to false and that the Identity Listeners with orderId=95 and orderId=97 are set to true in the <IS_HOME>/repository/conf/identity/identity.xml file. 

<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityStoreEventListener" orderId="97" enable="true">

This is already configured this way by default. You can skip this step if you have not changed this configuration previously.

  1. Make sure the following configuration is set (uncommented) in the <IS_HOME>/repository/conf/identity/identity.xml file under <Server> element to set the redirection URL valid time period in minutes
    The redirection link that is provided to the user to set the password is invalid after the time specified here has elapsed. 

    <Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
    ...
       <AskPassword>
          <ExpiryTime>1440</ExpiryTime>
       </AskPassword>
    ...
    </Server>

    You can also configure the expiry time through the Management Console.

     Click to see how to configure this through the management console
    1. Start the Identity Server and login to the Management Console.

    2. Click Resident under Identity Providers on the Main tab and expand the Account Management Policies tab. 

    3. Expand the User Onboarding tab and configure the Ask password code expiry time field. Click Update to save changes. 

  2. Configure the email settings in the <IS_HOME>/repository/conf/output-event-adapters.xml file. 

    <adapterConfig type="email">
        <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
            based authentication rather username/password authentication -->
        <property key="mail.smtp.from">abcd@gmail.com</property>
        <property key="mail.smtp.user">abcd</property>
        <property key="mail.smtp.password">xxxx</property>
        <property key="mail.smtp.host">smtp.gmail.com</property>
        <property key="mail.smtp.port">587</property>
        <property key="mail.smtp.starttls.enable">true</property>
        <property key="mail.smtp.auth">true</property>
        <!-- Thread Pool Related Properties -->
        <property key="minThread">8</property>
        <property key="maxThread">100</property>
        <property key="keepAliveTimeInMillis">20000</property>
        <property key="jobQueueSize">10000</property>
    </adapterConfig>

    If you are using a Google mail account, note that Google has restricted third-party apps and less secure apps from sending emails by default. Therefore, you need to configure your account to disable this restriction, as WSO2 IS acts as a third-party application when sending emails to confirm user registrations or notification for password reset WSO2 IS.

     Click here for more information.

    Follow the steps given below to enable your Google mail account to provide access to third-party applications.

    1. Navigate to https://myaccount.google.com/security.
    2. Click Signing in to Google on the left menu and make sure that the 2-step Verification is disabled or off.
    3. Click Connected apps and sites on the left menu and enable Allow less secure apps.

    Tip: The email template used to send this email notification is the AskPassword template.

    You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.

  3. Start the Identity Server and log in to the Management Console.

  4. Click Resident under Identity Providers on the Main tab and expand the Account Management Policies tab. 
  5. Expand the User Onboarding tab and select Enable User Email Verification. Click Update to save changes. 

    The EmailVerification property can be enabled for each tenant at tenant creation by adding the following configuration to the <IS_HOME>/repository/conf/identity/identity.xml file as seen below.

    <EmailVerification>
            <Enable>true</Enable>
            <LockOnCreation>true</LockOnCreation>
            <Notification>
                <InternallyManage>true</InternallyManage>
            </Notification>
        </EmailVerification>

Try it out

You can use one of the following methods to try out creating a user with the ask password option. 

Management console

Do the following steps to test the account creation using the password option.

The EnableAskPasswordAdminUI property value should be added in the identity.xml in order to use this feature from Management Console. (i.e.: <EnableAskPasswordAdminUI>true</EnableAskPasswordAdminUI>

  1. Start the WSO2 Identity Server.

  2. On the Main tab in the  Management Console , click  Add under Users and Roles.

  3. Click Add new User.

    In the above screen, do the following:

    1. In the Domain list, specify the user store where you want to create this user account. This includes the list of user stores you configured. See Configuring User Stores for more information.
    2. Enter a unique user name that the person will use to log in.

    3. Allow users to enter their own password by selecting Ask password from user.

    4. Enter a valid Email Address and click Finish.

  4. The Identity Server sends an email to the email address provided and sends the users a redirection URL. This directs the users to a screen where they must provide their own password.

SCIM 2.0

Before you begin!

Follow the steps given in the Configuring SCIM 2.0 Provisioning Connector Documentation to configure IS 5.4.0 with SCIM 2.0.

  1. Set the user-schema-extension-enabled property in the <IS_HOME>/repository/conf/identity/charon-config.xml file to 'true'.

    <Property name="user-schema-extension-enabled">true</Property>
  2. Now you should be able to use askPassword SCIM 2.0. A sample curl commands is given below: 

    curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Smith","givenName":"Paul"},"userName":"Paul","password":"password","emails":[{"primary":true,"value":"paul@abc.com","type":"home"},{"value":"paulSmith@abc.com","type":"work"}],"EnterpriseUser":{askPassword:"true"}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
Related Links
  • For information on how to edit an existing email template, see Email Templates.
  • By default, the claim values of the identity claims used in this feature are stored in the JDBC datasource configured in the identity.xml file. See Configuring Claims for more information on how to store the claim values in the user store.
  • No labels