This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Creating Users using the Ask Password Option
This section describes the user creation flow in which users choose their own passwords. The administrator initiates it by selecting Ask password from user during user creation. This differs from the default flow, in which the administrator decides the passwords for users. It is the standard method for user management, because the administrator does not have to remember and specify a password when creating an account for a user. When selecting this option, the administrator must enter an Email Address. The Identity Server sends an email to this address containing a redirection URL, which directs the user to a screen where they can provide the password for the account newly created by the administrator.
To get the above to work as expected, do the following configurations.
Configuring the Identity Server
- Enable the Identity Listener by setting the following property to true in the <IS_HOME>/repository/conf/identity/identity.xml file.

  <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
- Open the <IS_HOME>/repository/conf/identity/identity-mgt.properties file and configure the following properties.

  Notification.Sending.Enable=true
  Notification.Expire.Time=7200
  Notification.Sending.Internally.Managed=true
  Temporary.Password.Enable=true
  UserAccount.Verification.Enable=true
  Property descriptions:

  Notification.Sending.Enable=true
    Enables notifications to be sent via email when recovering an account or verifying user creation.
  Notification.Expire.Time=7200
    Specifies the time limit after which the notification expires.
  Notification.Sending.Internally.Managed=true
    Enables the internal email sending module. If this is "false", the email sending data is made available to applications via a Web service, and the application can then send the email using its own email sender.
  Temporary.Password.Enable=true
    Enable this property by setting it to true. It creates a temporary password for the user account until the user sets their own password.
  UserAccount.Verification.Enable=true
    Enables verification of account creation. When self registration is done, the user is verified by sending an email (confirmation link) to the user's email account.

- Open the <IS_HOME>/repository/conf/axis2/axis2.xml file and uncomment the following mailto transportSender configuration. This must be done because notification sending is internally managed. The configuration shown is just a sample, so you must provide your own email details as required. Note that the SMTP password is stored in clear text in axis2.xml, so restrict read access to that file.

  <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">wso2demomail@gmail.com</parameter>
    <parameter name="mail.smtp.user">wso2demomail</parameter>
    <parameter name="mail.smtp.password">mailpassword</parameter>
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
  </transportSender>
- Make sure the following email template is defined in the <IS_HOME>/repository/conf/email/email-admin-config.xml file.

  When modifying the email-admin-config.xml file, use "&amp;" instead of just "&" to separate query parameters in the account confirmation link, because a bare "&" creates a syntax error in XML. However, if you define the email template from the management console UI, simply use "&".

  <configuration type="askPassword">
    <targetEpr>http://localhost:8080/InfoRecoverySample/infoRecover/verify</targetEpr>
    <subject>WSO2 Carbon - Password Change for New Account</subject>
    <body>
      Hi {first-name},
      Please change your password for the newly created account: {user-name}. Please click the link below to create the password.
      http://localhost:8443/InfoRecoverySample/infoRecover/verify?confirmation={confirmation-code}
      If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window.
    </body>
    <footer>
      Best Regards,
      WSO2 Carbon Team
      http://www.wso2.com
    </footer>
    <redirectPath>../admin-mgt/update_verifier_redirector_ajaxprocessor.jsp</redirectPath>
  </configuration>
  The targetEpr and redirectPath configurations are values added based on the sample web application used in this topic. You can configure email templates for specific tenants.

  You can also define the email template using the Management Console of the Identity Server by clicking Configure > Email Templates under the Configure section, without modifying the email-admin-config.xml file manually.
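The XML escaping point above, shown as an added example (this is not code from the page or from WSO2): a constructed askPassword template whose confirmation link carries a second query parameter, username={user-name}, fails to parse when the separator is a bare "&" and parses when it is "&amp;". ElementTree then hands back a body containing a plain "&", which is exactly what the rendered link needs. The second query parameter and the render_body helper are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed askPassword template (not the page's file). The link carries a
# second query parameter, username={user-name}, to show the separator problem.
BROKEN_TEMPLATE = """<configuration type="askPassword">
  <targetEpr>http://localhost:8080/InfoRecoverySample/infoRecover/verify</targetEpr>
  <subject>WSO2 Carbon - Password Change for New Account</subject>
  <body>
    Hi {first-name},
    Please click the link below to create the password for account {user-name}.
    http://localhost:8443/InfoRecoverySample/infoRecover/verify?confirmation={confirmation-code}&username={user-name}
  </body>
</configuration>"""

# The same template with the separator written as the XML entity &amp;
FIXED_TEMPLATE = BROKEN_TEMPLATE.replace("&username", "&amp;username")

PLACEHOLDER = re.compile(r"\{([a-z-]+)\}")


def is_well_formed(xml_text: str) -> bool:
    """True if the template parses as XML; a bare '&' in the link makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_template(xml_text: str) -> dict:
    """Parse the template; ElementTree decodes &amp; back to '&' in the text nodes."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("expected <configuration> root element")
    return {
        "type": root.get("type"),
        "targetEpr": (root.findtext("targetEpr") or "").strip(),
        "subject": (root.findtext("subject") or "").strip(),
        "body": (root.findtext("body") or "").strip(),
    }


def render_body(body: str, values: dict) -> str:
    """Substitute {placeholder} tokens (hypothetical helper); unknown tokens are left as-is."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), body)
```

Run is_well_formed over the file after editing it by hand; a False result means a bare "&" (or another escaping mistake) slipped into the template and the server will reject it at startup.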
- Restart the WSO2 Identity Server for the changes to take effect.
- Sign in to the Management Console by entering your username and password.
- In the Main menu, click Add under Claims. See Claim Management for more information on this.
- Click Add New Claim and select the http://wso2.org/claims dialect link in the Dialect drop down.
- Enter the following values in the form that appears.
  - Dialect: http://wso2.org/claims
  - Display Name: Identity Password timestamp
  - Description: Identity Password timestamp
  - Claim Uri: http://wso2.org/claims/identity/passwordTimestamp
  - Mapped Attribute: facsimileTelephoneNumber
For the Mapped Attribute field, give a mapped attribute that the underlying user store supports.
For more information about claim mappings, please refer the Configuring Claim Mappings section.
  About usage in tenants
  If you wish to have a set of claims for all tenants, you must add those claims to the <PRODUCT_HOME>/repository/conf/claim-mgt.xml file prior to the first startup and then start the server. If you do not require these claims for all tenants, they should be added via the UI of the specific tenants as instructed here.
- Click Add. The claim is now added to the Identity Server and you can view its details.
Configuring the sample web app
The sample app uses the UserInformationRecoveryService Web service, which the Identity Server exposes at the following WSDL: https://<is_server>:9443/services/UserInformationRecoveryService?wsdl
The following operations of the above API are used.
- getCaptcha()
- verifyConfirmationCode()
- updatePassword()
See Configuring Sample Application For Identity Management for a sample implementation and the necessary steps to configure and deploy this.
Testing the account creation
Do the following steps to test account creation using the Ask password option.
- On the Main tab in the Management Console, click Add under Users and Roles.
- Click Add New User.
- In the Add New User screen, do the following:
- In the Domain list, specify the user store where you want to create this user account. This includes the list of user stores you configured. See Working with User Stores for more information.
- Enter a unique user name that the person will use to log in.
- Allow users to enter their own password by selecting Ask password from user.
- Enter a valid Email Address.
- The Identity Server sends an email to the address provided, containing a redirection URL. This directs the user to a screen where they must provide their user name and complete the captcha test.
- Click Submit. This directs the users to a screen where they can provide the password for the account newly created by the administrator.
- Now you can test the new password by logging in to the Identity Server Management Console with the user name and the new password.
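The end-to-end flow the steps above describe, as an added in-memory model (this is not WSO2's code and does not call the Identity Server): an administrator creates the account without choosing a password, a random confirmation code is mailed, the user confirms it and sets a password, and only then can the account log in. Method names mirror the page's operation list (verifyConfirmationCode, updatePassword), but their parameters, the single-use and expiry handling of the code, reading Notification.Expire.Time as seconds (the page does not state the unit), the temporary password being unusable for login, and the outbox list standing in for the mail transport are all assumptions of this model.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: Notification.Expire.Time=7200 is treated as seconds here.
NOTIFICATION_EXPIRE_SECONDS = 7200
# The sample app's verify endpoint, taken from the page's email template.
TARGET_EPR = "http://localhost:8080/InfoRecoverySample/infoRecover/verify"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_code(code: str) -> str:
    # Only a digest of the confirmation code is kept server-side.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    temporary: bool = True   # Temporary.Password.Enable: random password until the user sets one
    verified: bool = False   # UserAccount.Verification.Enable: set once the code is confirmed


@dataclass
class Confirmation:
    username: str
    issued_at: float
    used: bool = False


class AskPasswordFlow:
    """Toy model of the ask-password flow (assumed behaviour, not the product's)."""

    def __init__(self, expire_seconds: int = NOTIFICATION_EXPIRE_SECONDS,
                 now: Callable[[], float] = time.time) -> None:
        self.expire_seconds = expire_seconds
        self.now = now                                   # injectable clock for expiry checks
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, Confirmation] = {}       # keyed by hash of the code
        self.outbox: List[Tuple[str, str]] = []          # constructed stand-in for the mail transport

    def admin_create_user(self, username: str, email: str) -> str:
        """Admin creates the account; the code is returned only so a test can read it."""
        salt = secrets.token_bytes(16)
        temp_password = secrets.token_urlsafe(24)        # never shown to anyone, unusable for login
        self.accounts[username] = Account(username, email, salt, _hash_password(temp_password, salt))
        code = secrets.token_urlsafe(32)
        self.pending[_hash_code(code)] = Confirmation(username, self.now())
        self.outbox.append((email, f"{TARGET_EPR}?confirmation={code}"))
        return code

    def verify_confirmation_code(self, username: str, code: str) -> bool:
        """Code must exist, be unused, belong to this user, and be within the expiry window."""
        conf = self.pending.get(_hash_code(code))
        if conf is None or conf.used or conf.username != username:
            return False
        return self.now() - conf.issued_at <= self.expire_seconds

    def update_password(self, username: str, code: str, new_password: str) -> bool:
        """Consume the code and replace the temporary password with the user's own."""
        if not self.verify_confirmation_code(username, code):
            return False
        self.pending[_hash_code(code)].used = True        # single use
        acct = self.accounts[username]
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.temporary = False
        acct.verified = True
        return True

    def login(self, username: str, password: str) -> bool:
        """Accounts still holding the temporary password cannot log in."""
        acct = self.accounts.get(username)
        if acct is None or acct.temporary:
            return False
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))
```

The properties worth checking when testing the real deployment are the same ones the model enforces: a link that has already been used or has passed Notification.Expire.Time should be rejected, and the account should not be usable for login until the user has completed the password screen.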