The WSO2 Identity Server (WSO2 IS) supports self-registration and allows users to register themselves and receive email confirmations when the account is created.
The self-sign-up process creates the user account and locks the user account until the user confirms the account by clicking on the account confirmation mail that is sent by WSO2 IS.
If the user does not confirm the account before the expiry period, the account remains locked, because an expired account is assumed to be unused by its creator. The system administrator can later delete these accounts if needed, which makes resources easier to manage.
The following instructions guide you through setting up this feature.
From WSO2 IS 5.3.0 onwards there is a new implementation for identity management features. The steps given below in this document follow the new implementation, which is the recommended approach for self registration.
Alternatively, to see the steps on how to enable this identity management feature using the old implementation, see Self Sign Up and Account Confirmation documentation in WSO2 IS 5.2.0. The old implementation has been retained within the WSO2 IS pack for backward compatibility and can still be used if required.
Before you begin
Ensure that the "IdentityMgtEventListener" with the orderId=50 is set to false and that the Identity Listeners with orderId=95 and orderId=97 are set to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" enable="true" />
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.governance.listener.IdentityStoreEventListener" orderId="97" enable="true">
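One way to verify this prerequisite before enabling the feature, as an added example that is not part of the WSO2 documentation or code base: the script parses the text of identity.xml and reports any of the three listeners that is missing or in the wrong state. The function names `check_listeners` and `local`, and the wrapper elements and namespace in the sample, are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

P = "org.wso2.carbon.identity."
# Required state from the prerequisite above: listener class -> (orderId, enable)
EXPECTED = {
    P + "mgt.IdentityMgtEventListener": ("50", "false"),
    P + "governance.listener.IdentityMgtEventListener": ("95", "true"),
    P + "governance.listener.IdentityStoreEventListener": ("97", "true"),
}

def local(tag):
    """Drop an XML namespace prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_listeners(xml_text):
    """Return a list of problems; an empty list means the prerequisite holds."""
    found = {}
    # ElementTree skips XML comments, so a commented-out listener counts as absent.
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "EventListener":
            found[el.get("name")] = (el.get("orderId"),
                                     el.get("enable", "").strip().lower())
    problems = []
    for name, (order_id, enable) in EXPECTED.items():
        if name not in found:
            problems.append(f"{name}: not declared")
        elif found[name] != (order_id, enable):
            got = found[name]
            problems.append(f"{name}: orderId={got[0]} enable={got[1]}, "
                            f"expected orderId={order_id} enable={enable}")
    return problems

T = 'type="org.wso2.carbon.user.core.listener.UserOperationEventListener"'
# Constructed sample (wrapper elements and namespace are assumptions): the old
# listener with orderId=50 was left enabled next to the new ones.
SAMPLE = f"""<Server xmlns="http://example.invalid/constructed"><EventListeners>
  <EventListener {T} name="{P}mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
  <EventListener {T} name="{P}governance.listener.IdentityMgtEventListener" orderId="95" enable="true"/>
  <EventListener {T} name="{P}governance.listener.IdentityStoreEventListener" orderId="97" enable="true"/>
</EventListeners></Server>"""

if __name__ == "__main__":
    for problem in check_listeners(SAMPLE):
        print(problem)
```

To check a real installation, pass the contents of <IS_HOME>/repository/conf/identity/identity.xml to `check_listeners` instead of the sample.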
Self sign up for super tenant users
Follow the steps given below to register users for the super tenant, which is carbon.super.
Configure the following email settings in the <IS_HOME>/repository/conf/output-event-adapters.xml file.
mail.smtp.from: Provide the email address of the SMTP account.
mail.smtp.user: Provide the username of the SMTP account.
mail.smtp.password: Provide the password of the SMTP account.

<adapterConfig type="email">
    <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust based authentication rather username/password authentication -->
    <property key="mail.smtp.from">abcd@gmail.com</property>
    <property key="mail.smtp.user">abcd</property>
    <property key="mail.smtp.password">xxxx</property>
    <property key="mail.smtp.host">smtp.gmail.com</property>
    <property key="mail.smtp.port">587</property>
    <property key="mail.smtp.starttls.enable">true</property>
    <property key="mail.smtp.auth">true</property>
    <!-- Thread Pool Related Properties -->
    <property key="minThread">8</property>
    <property key="maxThread">100</property>
    <property key="keepAliveTimeInMillis">20000</property>
    <property key="jobQueueSize">10000</property>
</adapterConfig>
Tip: The email template used to send this email notification is the AccountConfirmation template.
You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.
- Start the WSO2 IS and log in to the management console:
https://<IS_HOST>:<IS_PORT>/carbon
If you started WSO2 IS previously, make sure to stop it and start it again for the email settings to get updated in the pack.
- Click Resident under Identity Providers on the Main tab and expand the Account Management Policies tab.
Expand the User Self Registration tab and configure the following properties as required.
| Field | Description |
|---|---|
| Enable Self User Registration | Select to enable self registration. |
| Enable Account Lock On Creation Enabled | Select to enable account locking during self registration. |
| Enable Notification Internally Management | Select if you want the notification handling to be managed by the WSO2 Identity Server. If the client application handles notification sending already, unselect it. This check only applies if Security Question Based Password Recovery is enabled. |
| Enable reCaptcha | Select to enable reCaptcha for the self sign up flow. See Configuring reCaptcha for Password Recovery Flow for more information. |
| User self registration code expiry time | Set the number of minutes for which the verification code should be valid. The verification code that is provided to the user to initiate the self sign-up flow will be invalid after the time specified here has elapsed. |
Alternatively, you can configure the expiry time in the identity.xml configuration file.

<SelfRegistration>
    <VerificationCode>
        <ExpiryTime>1440</ExpiryTime>
    </VerificationCode>
</SelfRegistration>
Expand the Login Policies tab, then the Account Locking tab and select Account Lock Enabled.
This allows the account to be locked until the user confirms the account. Once the user activates the account through the email received, the account is unlocked. For more information about account locking, see Configuring WSO2 IS for User Account Locking and Account Disabling.
Now, you can move on to try out self sign up.
For information on the REST APIs for self sign-up, see Self Sign Up Using REST APIs.
Self sign up for tenant users
Follow the steps given below to register a user for a specific tenant domain.
Before you begin!
Make sure you have one or more tenants. For more information, see Creating and Managing Tenants.
Configure the following email settings in the <IS_HOME>/repository/conf/output-event-adapters.xml file.
mail.smtp.from: Provide the email address of the SMTP account.
mail.smtp.user: Provide the username of the SMTP account.
mail.smtp.password: Provide the password of the SMTP account.

<adapterConfig type="email">
    <!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust based authentication rather username/password authentication -->
    <property key="mail.smtp.from">abcd@gmail.com</property>
    <property key="mail.smtp.user">abcd</property>
    <property key="mail.smtp.password">xxxx</property>
    <property key="mail.smtp.host">smtp.gmail.com</property>
    <property key="mail.smtp.port">587</property>
    <property key="mail.smtp.starttls.enable">true</property>
    <property key="mail.smtp.auth">true</property>
    <!-- Thread Pool Related Properties -->
    <property key="minThread">8</property>
    <property key="maxThread">100</property>
    <property key="keepAliveTimeInMillis">20000</property>
    <property key="jobQueueSize">10000</property>
</adapterConfig>
Tip: The email template used to send this email notification is the AccountConfirmation template.
You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.
Start the WSO2 IS server and log in to the tenant domain from the management console:
https://<IS_HOST>:<IS_PORT>/carbon
If you started WSO2 IS previously, make sure to stop it and start it again for the email settings to get updated in the pack. For more information on creating a tenant, see Creating and Managing Tenants.
- Click Resident under Identity Providers on the Main tab and expand the Account Management Policies tab.
Expand the User Self Registration tab and configure the following properties as required.
| Field | Description |
|---|---|
| Enable Self User Registration | Select to enable self registration. |
| Enable Account Lock On Creation Enabled | Select to enable account locking during self registration. |
| Enable Notification Internally Management | Select if you want the notification handling to be managed by the WSO2 Identity Server. If the client application handles notification sending already, unselect it. This check only applies if Security Question Based Password Recovery is enabled. |
| Enable reCaptcha | Select to enable reCaptcha for the self sign up flow. See Configuring reCaptcha for Password Recovery Flow for more information. |
| User self registration code expiry time | Set the number of minutes for which the verification code should be valid. The verification code that is provided to the user to initiate the self sign-up flow will be invalid after the time specified here has elapsed. |
Alternatively, you can configure the expiry time in the identity.xml configuration file.

<SelfRegistration>
    <VerificationCode>
        <ExpiryTime>1440</ExpiryTime>
    </VerificationCode>
</SelfRegistration>
Expand the Login Policies tab, then the Account Locking tab and select Account Lock Enabled.
This allows the account to be locked until the user confirms the account. Once the user activates the account through the email received, the account is unlocked. For more information about account locking, see Configuring WSO2 IS for User Account Locking and Account Disabling.
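A check for the email adapter settings that the first step of both procedures above configures, as an added example that is not part of the WSO2 documentation or code base: it flags a disabled STARTTLS setting, documentation sample values left in place, and `mail.smtp.auth` enabled without credentials. The function names, the `<outputEventAdaptersConfig>` wrapper and the sample values are assumptions; the file is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Sample values shown in the documentation snippet; they should not survive
# into a deployed output-event-adapters.xml.
PLACEHOLDERS = {"mail.smtp.from": "abcd@gmail.com", "mail.smtp.user": "abcd",
                "mail.smtp.password": "xxxx"}

def email_adapter_props(xml_text):
    """Return {key: value} for the <adapterConfig type="email"> block."""
    for el in ET.fromstring(xml_text).iter("adapterConfig"):
        if el.get("type") == "email":
            return {p.get("key"): (p.text or "").strip() for p in el.iter("property")}
    raise ValueError("no email adapterConfig found")

def audit_email_adapter(xml_text):
    """Return findings for the SMTP settings; an empty list means none."""
    props = email_adapter_props(xml_text)
    findings = []
    if props.get("mail.smtp.starttls.enable", "").lower() != "true":
        findings.append("mail.smtp.starttls.enable is not true: the SMTP session "
                        "carrying confirmation mail will not be upgraded with STARTTLS")
    # Commented-out properties are invisible to the parser, which matches the
    # trust-based authentication case described in the file's own comment.
    has_creds = "mail.smtp.user" in props and "mail.smtp.password" in props
    if props.get("mail.smtp.auth", "").lower() == "true" and not has_creds:
        findings.append("mail.smtp.auth is true but no user/password is set: "
                        "confirm this matches the SMTP server's trust-based setup")
    for key, sample in PLACEHOLDERS.items():
        if props.get(key) == sample:
            findings.append(f"{key} still holds the documentation sample value")
    return findings

# Constructed sample: STARTTLS switched off and the sample password left in.
SAMPLE = """<outputEventAdaptersConfig>
  <adapterConfig type="email">
    <property key="mail.smtp.from">noreply@example.com</property>
    <property key="mail.smtp.user">mailer</property>
    <property key="mail.smtp.password">xxxx</property>
    <property key="mail.smtp.host">smtp.example.com</property>
    <property key="mail.smtp.port">587</property>
    <property key="mail.smtp.starttls.enable">false</property>
    <property key="mail.smtp.auth">true</property>
  </adapterConfig>
</outputEventAdaptersConfig>"""

if __name__ == "__main__":
    for finding in audit_email_adapter(SAMPLE):
        print(finding)
```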
Try out self sign up
- Access the WSO2 Identity Server dashboard.
Click the Register Now? link.
Once the user has registered, you first receive an account lock email, because the account is locked until you confirm it, and then an account confirmation email.
Register Users for a Tenant
If you want to self sign up a user for a specific tenant, you need to provide the Username in the following format: <USERNAME>@<TENANT_DOMAIN>
For example, if you have a tenant domain as foo.com, the username needs to be kim@foo.com.
Click Confirm Registration in the email or copy the link in the email to your browser to confirm the account.
Once you confirm the account, the account is unlocked and an email is sent.
Follow the steps given below to resend the confirmation email.
Access the WSO2 Identity Server dashboard and try to log in with the user you just registered.
The user account must not yet be activated, which means you must not have confirmed the account.
Click on the Re-send link to resend the email.
Tip: The email template used to resend the confirmation email notification is the ResendAccountConfirmation template.
You can edit and customize the email template. For more information on how to do this, see Customizing Automated Emails.
Related Links
By default, the claim values of the identity claims used in this feature are stored in the JDBC datasource configured in the identity.xml file. See Configuring Claims for more information on how to store the claim values in the user store.