Partially supported since midPoint 3.5.
Self registration in midPoint lets an unauthenticated user enroll in midPoint and request assignments. By default, self registration is disabled. The following text describes how to enable self registration in midPoint.
Enabling self registration
To enable this feature you need to configure a security policy and reference it from the system configuration. After this, the self registration process is enabled globally (in a multi-tenant environment this means the configuration is shared between tenants; per-tenant self registration configuration is planned for later midPoint versions).
In the example above, globalSecurityPolicyRef refers to the security policy that is used and checked to decide whether self registration is enabled. The example also sets the defaultHostname attribute. This value is used when generating the confirmation link for the self registration verification process.
Configuring security policy
Configuration for self registration lives in the Security Policy object and is separated into three parts: registration, authentication and credentials. Using these three parts you configure the self registration process, e.g. how a registered user is confirmed, which roles are assigned to the user after confirmation, and more. There are two major scenarios:
- self-registration for the new users
- self post-registration (or invite) for existing users in midPoint
Self registration for the new users
In this scenario, users are allowed to register by themselves. There is no policy or rule that requires the user to already exist in midPoint. Self registration allows anyone to register with midPoint. The configuration for self registration can look like the following:
With the configuration above, after the user submits the registration form, a new entry for the user is created in midPoint. The lifecycle state of this newly created user is set to draft. Until the user confirms the registration the user cannot do anything: the account is disabled and no roles are assigned. After confirmation, the specified default roles are assigned to the user.
Self post-registration (or invite) for existing users in midPoint
This scenario covers various use cases, e.g.:
- Imagine that you are deploying midPoint in an existing environment. You already have an LDAP server (and other applications). You imported users from LDAP into midPoint and you want to let the users know that there is an IDM solution they will use for requesting access rights, resetting passwords, etc. You want the users to change their password and confirm that they are still active and still want to use the provided services.
- There is a time constraint policy: users can be active for one year. After that year they are marked as disabled and are asked to repeat the registration process to become active again.
- You started to provide a new service and you want to invite some users to use it.
For such scenarios, the configuration can look like following:
The example above shows configuration for self post-registration, where the user is required to already exist in midPoint. The lifecycle state required for the user to register successfully is specified with the requiredLifecycleState attribute. This supports situations where all potential users are pre-created/pre-registered by administrators (but are not active until they register and confirm the registration). After the user fills in the registration form and submits it, the existing user is modified in midPoint and given the configured lifecycle state (initialLifecycleState attribute). The user stays disabled and has no roles assigned until he/she confirms the registration. The confirmation of registration is configured using the additionalAuthenticationName attribute. After the user successfully confirms the registration, the default roles are assigned to him/her; default roles are configured using the defaultRole attribute.
The authentication part contains configuration of the method used for registration confirmation. The example above uses mail authentication, which means that the user receives an email with a confirmation link. After the user clicks the link in the email, midPoint tries to confirm the user; the confirmation rules are configured using the mailNonce attribute.
The credentials configuration can contain various rules for different types of credentials. In the example above there is a configuration for nonce credentials, which is used by self registration to generate and validate the nonce. maxAge is how long the nonce stays valid, and valuePolicyRef is a reference to the policy used to generate the nonce (e.g. its length, unique characters, etc.).
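As an added illustration (Python model, not midPoint code) of the flow configured above for both scenarios: registration creates a new draft user, or moves an existing user in the required lifecycle state to draft, and issues a nonce embedded in a confirmation link built from defaultHostname; confirmation succeeds only with a matching, unexpired (maxAge) nonce and then enables the user and assigns the default roles. The "proposed" state, the role name, the hostname and the nonce length are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed stand-ins for the security policy settings described above (not midPoint defaults).
MAX_AGE_SECONDS = 600                          # credentials/nonce maxAge
NONCE_BYTES = 18                               # entropy the valuePolicyRef policy would demand
DEFAULT_HOSTNAME = "https://idm.example.org"   # defaultHostname, used to build the link
DEFAULT_ROLES = ["End user"]                   # defaultRole assigned after confirmation
@dataclass
class User:
    name: str
    lifecycle_state: str
    enabled: bool = False
    roles: List[str] = field(default_factory=list)
    nonce: Optional[str] = None
    nonce_issued: float = 0.0

def issue_nonce(user: User, now: float) -> str:
    """Generate a fresh random nonce and return the confirmation link carrying it."""
    user.nonce = secrets.token_urlsafe(NONCE_BYTES)
    user.nonce_issued = now
    return f"{DEFAULT_HOSTNAME}/registration/confirm?user={user.name}&nonce={user.nonce}"

def register(users: Dict[str, User], name: str, now: float,
             required_state: Optional[str] = None) -> Optional[str]:
    """required_state None: create a new draft user. Otherwise the user must already exist in
    required_state (requiredLifecycleState) and is moved to draft (initialLifecycleState).
    Returns the confirmation link, or None if the request is not eligible."""
    if required_state is None:
        if name in users:
            return None                        # never overwrite an existing account
        users[name] = User(name, "draft")
    else:
        user = users.get(name)
        if user is None or user.lifecycle_state != required_state:
            return None
        user.lifecycle_state = "draft"
    return issue_nonce(users[name], now)

def confirm(users: Dict[str, User], name: str, nonce: str, now: float) -> bool:
    """Check the nonce from the link: present, equal (constant time) and within maxAge."""
    user = users.get(name)
    if user is None or user.nonce is None or not secrets.compare_digest(user.nonce.encode(), nonce.encode()):
        return False
    if now - user.nonce_issued > MAX_AGE_SECONDS:
        return False                           # expired: user stays draft and disabled
    user.nonce = None                          # single use
    user.lifecycle_state, user.enabled = "active", True
    user.roles = list(DEFAULT_ROLES)
    return True
```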
Self-registration and custom form
Custom forms are also supported for the self-registration process. Since custom forms were introduced in midPoint, they can be used with self-registration as well. All that is needed is to reference the concrete form in the self-registration configuration, as in the example below.
To enable email confirmation, notifications must be configured first. For registration there is the UserRegistrationNotifier. The configuration looks as follows:
- default registration notifier
- custom registration notifier: when using a custom expression for the body, don't forget to include the call that generates the confirmation link needed to finish the registration.
The important setting for the notifier is the <confirmationMethod> attribute. Depending on the value of the confirmation method, a confirmation link or PIN is generated to verify the user. The other parts of the configuration are the same as for other notifiers. Details of notification configuration are described here.
How it works
End user guide
- Open midPoint in a browser. If self registration is enabled, you will see the "Sign up" button on the login page.
- Click the Sign up button and you will see the following form.
- Fill in all fields and click the "Register" button.
- An email with the confirmation link will be sent to the address you entered.
- Click the confirmation link in your email. If your registration is successful, you can continue with login.
- If you get any error during the registration process, please contact your system administrator.