Person activation
The Person Activation feature adds an additional verification step that must be performed before the end-user can actually start using the account. When enabled, every person's account enters the INACTIVE state right after finishing sign-up. Every person whose account is in the INACTIVE state is unable to successfully finish the login flow.
This chapter will guide you through all the steps that are required to fully configure and use the Person Activation feature with the Onegini IDP.
What is required?
To successfully complete this topic guide, ensure that the following prerequisites are met:
- Onegini IDP instance must be running; for the sake of this guide we assume it's available under the http://idp-core.dev.onegini.me address
- Onegini IDP extension instance must be running; for the sake of this guide we assume it's available under the http://idp-extension.dev.onegini.me address
- Onegini IDP ui-extension instance must be running; for the sake of this guide we assume it's available under the http://idp-core.dev.onegini.me/ui address (required only for activation via externally delivered code)
- Onegini IDP must have the Username & password identity provider configured
Introduction
Before continuing with the topic guide, please familiarize yourself with the assumptions below.
Technical description
To get a better understanding of the Person Activation feature, please consider the following diagram. It illustrates the flow for an account created via an API call, but it also applies to all the other use cases.
A person account can enter the INACTIVE state only if the Person Activation feature is enabled.
NOTE: Enabling the feature affects how the person API works: person status will follow the flow of the diagram above for all API calls as well.
Supported flows
Person activation is supported in the following flows:
- Person Sign Up via sign up page served by the Onegini IDP web interface
- API endpoints
  - Create account and automatically sign up: POST /api/persons/activated
  - Create account first with POST /api/persons and then activate it via API:
Configuration
The Person Activation feature is disabled by default. The configuration option is available under the Configuration -> Feature management -> Person activation section.
Currently the following flavours of person account activation are supported:
Activation via email
It allows an account to be activated by visiting a link delivered to the end-user via email. To enable it, select the Activate via email option and define the link's TTL (time to live) / expiration time.
Activation via externally delivered code
It allows an account to be activated by entering a code sent to the user's address. To enable it, select the Activate via externally delivered code checkbox and provide a few configuration properties:
- allow to resend code after period: time after which user is allowed to resend the code, the resend operation is triggered from the web interface
- unavailability time: initial time during which the activation code is not allowed to be used
- activation code expiration: time after which code is marked as invalid / expired
Additionally, it requires the UI Extension service to be configured under the Configuration -> UI-Extension -> UI-Extension login configuration section. Please fill in the UI Extension address in the base url field; for the sake of this instruction we assume it's available under the http://idp-core.dev.onegini.me/ui address.
Besides the configuration done in the Onegini IDP, it is also required to implement additional changes in the actual customer-specific Extension and UI Extension applications.
- Extension: responsible for processing the generated code and providing it to the user. To be able to do so, the extension needs to have the DeliverExternalCodeExtension bean available.
- UI-extension: provides the view shown to the user, where the code is provided, under the GET /activation path.
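The following added example (not Onegini IDP code and not taken from its documentation) models how the three timing properties of activation via externally delivered code interact, and why a code should be checked against its validity window with a constant-time comparison. It assumes all three periods are measured from the moment the code is issued; the class, function and field names and the sample values are hypothetical.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CodePolicy:
    # Hypothetical names mirroring the three configuration properties.
    resend_after: timedelta      # "allow to resend code after period"
    unavailable_for: timedelta   # "unavailability time"
    expires_after: timedelta     # "activation code expiration"

    def __post_init__(self):
        # A code that expires before it becomes usable can never activate an account.
        if self.expires_after <= self.unavailable_for:
            raise ValueError("expiration must be longer than the unavailability time")

def code_state(policy, issued_at, now):
    """Return 'unavailable', 'usable' or 'expired' for a code issued at issued_at."""
    age = now - issued_at
    if age >= policy.expires_after:
        return "expired"
    if age < policy.unavailable_for:
        return "unavailable"
    return "usable"

def may_resend(policy, issued_at, now):
    """True once the resend period has elapsed since the last code was issued."""
    return now - issued_at >= policy.resend_after

def try_activate(policy, issued_at, now, expected_code, submitted_code):
    """True only if the code matches AND is inside its usable window."""
    # Compare in constant time and always perform the comparison, so response
    # timing does not reveal how much of the code was correct.
    matches = hmac.compare_digest(expected_code.encode(), submitted_code.encode())
    return matches and code_state(policy, issued_at, now) == "usable"

# Constructed sample values, for illustration only.
POLICY = CodePolicy(resend_after=timedelta(seconds=60),
                    unavailable_for=timedelta(seconds=30),
                    expires_after=timedelta(minutes=10))
ISSUED = datetime(2024, 1, 1, 12, 0, 0)
```

With these sample values a correct code is rejected during the first 30 seconds and from the 10-minute mark onward, and the person stays INACTIVE in both cases.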
Activation via API
The Onegini IDP gives additional flexibility by allowing the user to be activated via an API call, so that activation can be easily integrated with external services. The Onegini IDP exposes two endpoints which provide this functionality:
POST /api/persons/{person_id}/activate/email
POST /api/persons/{person_id}/activate/code
Both activation types (email, code) are described in the API reference.
Testing
Both flavours of the Person Activation feature can be tested in the same way. Please sign up by visiting the http://idp-core.dev.onegini.me page. If activation via email has been selected, you will be prompted to visit the activation link sent via email. If activation via code is configured, you will be prompted to enter the actual code value, which was delivered to you via a different channel (can be SMS, letter or other). Once activation is completed successfully, you will be redirected to the dashboard page or back to the SAML Service Provider.