Manage features
Onegini IDP has several optional features which can be enabled or disabled to adapt the product to the specific customer needs. Enabling and disabling of features can be achieved through the admin console. This section describes each individual feature which can be managed in this way.
Processes
Login enabled
When enabled, it is possible to log in using Onegini IDP.
Sign-up enabled
When enabled it is possible to sign up for a new account at Onegini IDP.
Just-in-time external IdP sign-up enabled
When enabled, the Onegini IDP will try to automatically sign up a user who logged in with an external IdP. The just-in-time sign-up functionality requires the email property to be returned by the external IdP; the property identifier can be set via an application property (IDP_LDAP_ATTRIBUTE_EMAIL for the LDAP IdP). Please note that the functionality currently only works with the LDAP and Facebook identity providers.
LDAP has the following configuration requirements:
- The IDP_LDAP_ATTRIBUTE_EMAIL application property must be set.
- Verification via birthdate enabled must be disabled, as Onegini IDP expects and maps only the email property from the attributes returned by LDAP.
- For Attributes mandatory on person creation, onlyEmail must be selected, as Onegini IDP expects and maps solely the email property from the attributes returned by LDAP.

Facebook has the following configuration requirements:
- Verification via birthdate enabled must be disabled, as Onegini IDP expects and maps only the email property from the attributes returned by Facebook.
- For Attributes mandatory on person creation, onlyEmail must be selected, as Onegini IDP expects and maps solely the email property from the attributes returned by Facebook.
Couple multiple LDAP-accounts with one CIM-account
When enabled, the Onegini IDP will couple an LDAP account with the existing CIM account based on email address. The Just-in-time external IdP sign-up functionality should be enabled, because account coupling occurs during the sign-up process.
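The just-in-time sign-up and account coupling requirements above can be checked against a snapshot of the settings before rollout. The following is an added example, not Onegini code: every setting name in it is a hypothetical label for the corresponding admin console option, except IDP_LDAP_ATTRIBUTE_EMAIL and onlyEmail, which are named in this section.

```python
# Added example. The feature keys below are hypothetical labels for the admin
# console toggles; only IDP_LDAP_ATTRIBUTE_EMAIL and onlyEmail come from the docs.
JIT = "jit_external_idp_signup_enabled"
COUPLING = "couple_ldap_accounts_enabled"
BIRTHDATE = "verification_via_birthdate_enabled"
MANDATORY_ATTRS = "attributes_mandatory_on_person_creation"
SUPPORTED_IDPS = {"LDAP", "Facebook"}


def check_jit_signup(features, properties, external_idps):
    """Return the documented just-in-time sign-up rules that a snapshot violates."""
    problems = []
    jit = features.get(JIT, False)

    # Coupling happens during sign-up, so it has no effect without JIT sign-up.
    if features.get(COUPLING, False) and not jit:
        problems.append("account coupling is enabled but just-in-time sign-up is not")
    if not jit:
        return problems

    for idp in sorted(set(external_idps) - SUPPORTED_IDPS):
        problems.append(f"{idp}: just-in-time sign-up works only with LDAP and Facebook")

    in_use = sorted(set(external_idps) & SUPPORTED_IDPS)
    if "LDAP" in in_use and not (properties.get("IDP_LDAP_ATTRIBUTE_EMAIL") or "").strip():
        problems.append("LDAP: IDP_LDAP_ATTRIBUTE_EMAIL application property is not set")
    if in_use:
        who = "/".join(in_use)
        if features.get(BIRTHDATE, False):
            problems.append(f"{who}: verification via birthdate must be disabled")
        if features.get(MANDATORY_ATTRS) != "onlyEmail":
            problems.append(f"{who}: mandatory attributes must be set to onlyEmail")
    return problems


# Constructed sample snapshots (not exported from a real installation).
GOOD = ({JIT: True, COUPLING: True, BIRTHDATE: False, MANDATORY_ATTRS: "onlyEmail"},
        {"IDP_LDAP_ATTRIBUTE_EMAIL": "mail"}, ["LDAP", "Facebook"])
BAD = ({JIT: True, BIRTHDATE: True, MANDATORY_ATTRS: "other"}, {}, ["LDAP", "SAML"])
COUPLING_ONLY = ({JIT: False, COUPLING: True}, {}, ["LDAP"])

if __name__ == "__main__":
    for name, snapshot in (("GOOD", GOOD), ("BAD", BAD), ("COUPLING_ONLY", COUPLING_ONLY)):
        print(name, check_jit_signup(*snapshot))
```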
Activation enabled
When enabled it is possible to activate an account after an invitation is received.
Birthday validation enabled
When enabled, a user should validate their identity by entering their birthday in the activation flow.
Show Allow Mobile-login for this device checkbox enabled
When enabled the end user will be given an option to decide whether the Mobile-login functionality should be enabled or disabled for the client that is used.
Attribute verification
Email verification enabled
When enabled, the user can trigger an email address verification and mark their email address as verified. For newly registered users, the verification email will be sent automatically when this feature is enabled.
Email verification required
When enabled, users without a verified email address will not be able to log in until they have verified their email address.
Mobile number verification enabled
When enabled the user can trigger a mobile number verification and mark their mobile number as verified.
Person attributes
First and last name mandatory
When enabled, it is mandatory for users to have a name attribute in their profile. When the feature is disabled, it is not required to provide a name when creating a person via the person api. In the sign-up forms, the name fields are only displayed when the first and last name mandatory feature is enabled.
Mobile number present on sign-up forms
When enabled, the field for providing a mobile number is present on sign-up forms. Unless Mobile number mandatory is enabled, filling in this field is optional. If the mobile number is not filled in, the attribute is not set and it cannot be used as a step-up method.
Mobile number mandatory
When enabled, it is mandatory for users to have a mobile number in their profile. If the pin feature is enabled, the mobile number is only mandatory if the user has no pin code configured. In the sign-up forms, the mobile number fields are only displayed when the mobile number mandatory feature is enabled or if a mobile number is required by the attribute contract. The option Mobile number present on sign-up forms should be checked in order to enable this option.
Password reset via SMS enabled
If the user forgot their password, they can choose whether the page for providing a new password is reached through a link sent by email or by providing an SMS code. This may be useful if the user has no access to the email account. If the user requested an SMS code and no phone number is attached to the account, an email link will be sent. If the feature is disabled, the page for providing a new password can be reached only through a link sent by email.
Mobile number validation enabled
Determines whether the Onegini IDP should validate the mobile number provided by the end user. The functionality may be especially useful when users are being migrated from an external service and the mobile number values do not pass the Onegini IDP's validation process.
Custom email validation
When enabled, a regular expression can be provided for email validation. By using a custom email validation, non-standard top-level domains can be used in email addresses.
Migration
Migration enabled
When enabled it is possible to migrate a user from an existing user base to Onegini IDP. A customer specific implementation is a prerequisite.
Unauthenticated migration enabled
When enabled, it is possible to migrate a user from an existing user base to Onegini IDP without validating the user's current password. This can be done through the password reset form. A customer-specific implementation is a prerequisite.
Person identifier from extension enabled
When enabled, the IDP will use the person identifier provided by the extension during the migration process instead of an auto-generated one. In the absence of an identifier, the migration process will be aborted.
Security
Pin enabled
When enabled users can define a pin which can be used for step up.
SMS enabled
When enabled Onegini IDP can send SMS messages for step up and pin code reset.
Google Authenticator StepUp enabled
When enabled users can attach a Google authenticator or other app implementing the time based one time password algorithm and use it as a step up method.
Mobile Authentication enabled
When enabled users can use their mobile apps connected via the Onegini Token Server for mobile authentication. Apps will be listed in the device list of the user.
ID Check enabled
When enabled, users can verify their name using their ID (passport, driving license, etc.) via the ID checker service.
Cookie Based Saml Authentication
When enabled, a service provider can request information about a user who authenticated in the past. Even if the user's session has expired, the information will be returned thanks to a cookie containing the user's session token.
Usability
Email confirmation enabled
When enabled users should confirm their email address in all forms where the email address can be managed.
Mobile number confirmation enabled
When enabled, users should confirm their mobile number in all places where the mobile number can be managed.
APIs
Person API enabled
When enabled the person api, which is used to manage persons in Onegini IDP, can be used.
Credentials API enabled
When enabled the credentials api, which is used to validate credentials of persons in Onegini IDP, can be used.
Events API enabled
When enabled the events api, which is used to list events of persons in Onegini IDP, can be used.