Versions Compared

Old Version 3

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning
titleWarning!

Note the following before you begin:

From 5.53.0 onwards there is a new implementation for identity management features. The steps given below in this document follows the new implementation, which is the recommended approach for creating users using the ask password option.

Alternatively, to see steps on how to enable this identity management feature using the old implementation, see Creating Users using the Ask Password Option documentation in WSO2 IS 5.2.0. The old implementation has been retained within the WSO2 IS pack for backward compatibility and can still be used if required.

...

Tip
titleBefore you begin

Ensure that the "IdentityMgtEventListener" with the orderId=50 is set to false and that the Identity false. This is the listener for the old implementation of identity management prior to 5.3.0.

Ensure thatthe new Identity Listeners with orderId=95 and orderId=97 are set to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

By default, the properties are configured as shown below. Therefore, if you have not changed the default configurations, you can skip this step. 

Code Block
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityStoreEventListener" orderId="97" enable="true">

Follow the steps given below to configure WSO2 IS to enable the ask password feature:

  1. Add the configuration Make sure the following configuration is set (uncommented) in the <IS_HOME>/repository/conf/identity/identity.xml file under <Server> element to  file under <EmailVerification>element below <Server> element to set the redirection URL valid time period in minutes
    The redirection link that is provided to the user to set the password is invalid after the time specified here has elapsed. 

    Code Block
    <Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
...
	<EmailVerification>
        <Enable>false</Enable>
	    <ExpiryTime>1440</ExpiryTime>
        <LockOnCreation>true</LockOnCreation>
        <Notification>
            <InternallyManage>true</InternallyManage>
        </Notification>
        <AskPassword>
	        <ExpiryTime>1440</ExpiryTime>
	        <PasswordGenerator>org.wso2.carbon.user.mgt.common.DefaultPasswordGenerator</PasswordGenerator>
        </AskPassword>
    </EmailVerification>
...
</Server>
    Panel
    borderColorBlack
    bgColorWhite
    borderWidth1

    You can also configure the expiry time through the Management Console.

    Expand
    titleClick to see how to configure this through the management console

    1. Start the Identity Server and login log in to the Management Console.

    2. Click Resident under Identity Providers on the Main tab and expand the Account Management Policies tab. 

    3. Expand the User Onboarding tab and configure the Ask password code expiry time field. Click Update to save changes. 

  2. Optionally, if you are adding users via the management console, the EnableAskPasswordAdminUI property value needs to be added to the <IS_HOME>/repository/conf/identity/ identity.xml file.

    Code Block
    <EnableAskPasswordAdminUI>true</EnableAskPasswordAdminUI>

  3. Configure the email settings in the <IS_HOME>/repository/conf/output-event-adapters.xml file. 

    mail.smtp.fromProvide the email address of the SMTP account.
    Example: abcd@gmail.com
    mail.smtp.userProvide the username of the SMTP account.
    Example: abcd
    mail.smtp.passwordProvide the password of the SMTP account.
    Code Block
    languagexml
    <adapterConfig type="email">
    <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
        based authentication rather username/password authentication -->
    <property key="mail.smtp.from">{EMAIL_ID}</property>
    <property key="mail.smtp.user">{USERNAME}</property>
    <property key="mail.smtp.password">{PASSWORD}</property>
    <property key="mail.smtp.host">smtp.gmail.com</property>
    <property key="mail.smtp.port">587</property>
    <property key="mail.smtp.starttls.enable">true</property>
    <property key="mail.smtp.auth">true</property>
    <!-- Thread Pool Related Properties -->
    <property key="minThread">8</property>
    <property key="maxThread">100</property>
    <property key="keepAliveTimeInMillis">20000</property>
    <property key="jobQueueSize">10000</property>
</adapterConfig>
    Note

    If you are using a Google mail account, note that Google has restricted third-party apps and less secure apps from sending emails by default. Therefore, you need to configure your account to disable this restriction, as WSO2 IS acts as a third-party application when sending emails to confirm user registrations or notification for password reset WSO2 IS.

    Expand
    titleClick here for more information.

    Follow the steps given below to enable your Google mail account to provide access to third-party applications.

    1. Navigate to https://myaccount.google.com/security.
    2. Click Signing in to Google on the left menu and make sure that the 2-step Verification is disabled or off.
    3. Click Connected apps and sites on the left menu and enable Allow less secure apps.
    Tip

    Tip: The email template used to send this email notification is the AskPassword template.

    You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.

  4. Start the Identity Server and log in to the Management Console.

  5. In the Main tab, click, under Identity Providers, click Resident and expand the Account Management Policies tab. 

  6. Expand the User Onboarding tab and select Enable User Email Verification. Click Update to save changes. 

    Info

    The EmailVerification property can be enabled for each tenant at tenant creation by adding the following configuration to the <IS_HOME>/repository/conf/identity/identity.xml file as seen below.

    Code Block
    languagexml
    <EmailVerification>
        <Enable>true</Enable>
        <LockOnCreation>true</LockOnCreation>
        <Notification>
            <InternallyManage>true</InternallyManage>
        </Notification>
    </EmailVerification>

...

Table of Content Zone
maxLevel4
minLevel4
locationtop

Management console

Do the following steps to test the account creation using the password option.

  1. Start the WSO2 Identity Server.

  2. On the Main tab in the  Management Console, click  Add under Users and Roles.

  3. Click Add new User.

    Note

    If you are using the $ character in the email address, make sure to use appropriate escape characters, such as /.
    Example: abc\$def@gmail.com

  4. Fill in the form:

    1. Select the user store where you want to create this user account from the drop-down as the Domain.
      This includes the list of user stores you configured. See Configuring User Stores for more information.

    2. Enter a unique User Name that is used by the user to log in.

    3. Allow users to enter their own password by selecting the Ask password from user option.

    4. Enter a valid Email Address and click Finish.

  5. The Identity Server sends an email to the email address provided. The email contains a redirect URL that directs the users to a screen where they must provide their own password.

SCIM 2.0

Tip
titleBefore you begin!

Follow the steps given in the Configuring SCIM 2.0 Provisioning Connector Documentation to configure WSO2 IS 5.5.0 with SCIM 2.0.

  1. Set the user-schema-extension-enabled property in the <IS_HOME>/repository/conf/identity/charon-config.xml file to true.

    Code Block
    <Property name="user-schema-extension-enabled">true</Property>

  2. Now you can use the ask password features using SCIM 2.0. A sample curl commands is given below: 

    Code Block
    curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Smith","givenName":"Paul"},"userName":"Paul","password":"password","emails":[{"primary":true,"value":"paul@abc.com","type":"home"},{"value":"paulSmith@abc.com","type":"workdewmi123455@gmail.com"}],"EnterpriseUser":{askPassword:"true"}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users

...