Configuring User Registration

AM provides self-registration features that allow users to create an account.

You can configure AM to perform user registration, or you can delegate user registration to IDM, depending on your requirements.

This section covers configuring AM to:

To Configure User Self-Registration by AM

Although you can configure user self-registration without any additional security mechanisms, such as email verification or KBA security questions, we recommend configuring the email verification service with user self-registration at a minimum.

  1. Log in to the AM console as the administrator.

  2. Configure the Email Service as described in "Configuring the Email Service".

  3. Navigate to Realms > Realm Name > Services and select the User Self-Service service.

  4. Select the User Registration tab.

  5. Enable User Registration.

  6. Enable Captcha to turn on the Google reCAPTCHA plugin. Make sure you configured the plugin as described in "Configuring the Google reCAPTCHA Plugin".

  7. Enable Email Verification to turn on the email verification service. We recommend you leave Email Verification enabled, so users who self-register must perform email address verification.

  8. Enable Verify Email before User Detail to verify the user's email address before requesting the user details.

    By default, the user self-registration flow validates the email address after the user has provided their details. Enable this setting for backwards-compatibility with self-registration flows configured in OpenAM 13 or 13.5.

  9. Enable Security Questions to display security questions to the user during self-registration; the user must then supply answers to those questions. When Security Questions is enabled, the forgotten password and forgotten username services present the same questions to the user before they can reset their password or retrieve their username.

  10. In the Token LifeTime field, enter an appropriate number of seconds for the token lifetime. If the token lifetime expires before the user completes self-registration, the user must restart the registration process.

    Default: 900 seconds.

  11. To customize the User Registration outgoing email, perform the following steps:

    1. In the Outgoing Email Subject field, enter the Subject line of the email.

      The syntax is lang|subject-text, where lang is the ISO-639 language code, such as en for English or fr for French. For example, the subject line values could be: en|Registration Email and fr|Inscription E-mail.

    2. In the Outgoing Email Body field, enter the text of the email.

      The syntax is lang|email-text, where lang is the ISO-639 language code. Note that the email body text must be all on one line and can contain HTML tags.

      For example, the email body text could be: en|Thank you for registration to our site! Click <a href="%link%">here</a> to register to the site.
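      The following Python snippet is an added example, not part of the AM documentation or product code, that models the lang|text syntax of the Outgoing Email Subject and Outgoing Email Body fields: it parses the entries, rejects malformed or multi-line values, picks a template by language, and fills the %link% placeholder. The English fallback and the HTML-escaping of the link are assumptions of the example, not documented AM behaviour.

```python
import html
import re

# Constructed sample values in the "lang|text" syntax used by the
# Outgoing Email Subject and Outgoing Email Body fields, one entry per language.
SUBJECTS = ["en|Registration Email", "fr|Inscription E-mail"]
BODIES = [
    'en|Thank you for registration to our site! '
    'Click <a href="%link%">here</a> to register to the site.',
    'fr|Merci pour votre inscription ! '
    'Cliquez <a href="%link%">ici</a> pour vous inscrire.',
]

# ISO-639 codes are two or three lowercase letters (en, fr, deu, ...).
LANG_RE = re.compile(r"^[a-z]{2,3}$")


def parse_templates(entries):
    """Split each "lang|text" entry into a dict keyed by language code.

    Rejects entries without a valid language prefix, text that spans more
    than one line (the body must be on a single line), and duplicate codes.
    """
    templates = {}
    for entry in entries:
        lang, sep, text = entry.partition("|")
        if not sep or not LANG_RE.match(lang):
            raise ValueError(f"expected lang|text, got {entry!r}")
        if "\n" in text or "\r" in text:
            raise ValueError(f"text for {lang!r} must be on one line")
        if lang in templates:
            raise ValueError(f"duplicate language code {lang!r}")
        templates[lang] = text
    return templates


def select_template(templates, requested_lang, fallback="en"):
    """Return the template for the requested language.

    Falling back to English is an assumption of this example; the page does
    not state how AM chooses the language.
    """
    return templates.get(requested_lang, templates[fallback])


def render_body(body_template, confirmation_url):
    """Substitute %link% with the confirmation URL.

    The URL is HTML-escaped because it lands inside an href attribute, so an
    '&' in its query string cannot break the markup.
    """
    return body_template.replace("%link%", html.escape(confirmation_url, quote=True))
```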

  12. In the Valid Creation Attributes field, enter the user attributes that can be set during user registration. The attributes are based on the AM identity repository.

  13. For Destination After Successful Registration, select one of the following options:

    • auto-login. User is automatically logged in and sent to the appropriate page within the system.

    • default. User is sent to a success page without being logged in. In this case, AM displays a "You have successfully registered" page. The user can then click the Login link to log in to AM. This is the default selection.

    • login. User is sent to the login page to authenticate.

  14. Save your changes.

  15. Under the Advanced Configuration tab, configure the User Registration Confirmation Email URL for your deployment. The default is: https://openam.example.com:8443/openam/XUI/?realm=${realm}#register/.

  16. Save your changes.

To Delegate User Self-Registration to IDM

IDM offers user self-registration functionality, much like AM, but provides additional onboarding and provisioning features.

You can configure the IDM Provisioning service so that IDM completes user registration after the user authenticates to AM, for example, through a social identity authentication module.

  1. Verify the following prerequisites:

    1. The AM and IDM instances are connected to the same user data store.

      For more information, see the Platform Setup Guide.

    2. The AM instance has a copy of the signing and encryption keys from the IDM installation in its default keystore.

      Follow the instructions in "Copying Key Aliases" to copy the following key aliases to the AM default keystore:

      • openidm-selfservice-key

      • selfservice

      Restart AM when completed to apply the changes.

  2. Log in to the AM console as the administrator, and navigate to Configure > Global Services > IDM Provisioning.

  3. Perform the following actions on the IDM Provisioning page:

    1. Enable the IDM Provisioning service by selecting Enabled.

    2. Enter the URL of the IDM instance in the Deployment URL field, for example https://openidm.example.com.

    3. (Optional) If you created new signing or encryption keys, enter their details, ensuring the keys are identical and available in the default keystores of both AM and IDM.

      For more information on IDM security, see the ForgeRock Identity Management 7 Security Guide.

      If you have copied the openidm-selfservice-key and selfservice key aliases from IDM, you can leave the default values for the key-related properties.

    4. If you are using IDM 6 or earlier, enable the Signing Compatibility Mode property.

    For more details of the available properties, see "IDM Provisioning".

  4. Save your changes.

  5. In the AM console, navigate to Realms > Realm Name > Authentication > Modules, and create or select a social authentication module in which to enable IDM user registration.

  6. On the social authentication module page, perform the following actions on the Account Provisioning tab:

    1. Select Use IDM as Registration Service.

    2. Ensure Create account if it does not exist is enabled.

  7. Save your changes.

    Successfully authenticating to a social authentication module that has IDM as the registration service redirects the user to IDM to complete the user registration.

    For information on integrating AM and IDM, see the Platform Setup Guide.

User Management of Passwords and Security Questions

Once the user has self-registered to your system, they can change their password and security questions at any time on the user profile page. The user profile page provides tabs to carry out these functions.

User Profile Page Password Tab

User Profile Page Security Questions Tab
