Manage features

Onegini IDP has several optional features that can be enabled or disabled to adapt the product to specific customer needs. Features are enabled and disabled through the admin console. This section describes each individual feature that can be managed in this way.

Processes

Login enabled

When enabled it is possible to log in using Onegini IDP.

Sign-up enabled

When enabled it is possible to sign up for a new account at Onegini IDP.

Just-in-time external IdP sign-up enabled

When enabled, Onegini IDP will try to automatically sign up a user who logged in with an external IdP. The just-in-time sign-up functionality requires the email property to be returned by the external IdP; the identifier of that property can be set via an application property (IDP_LDAP_ATTRIBUTE_EMAIL for the LDAP IdP). Please note that the functionality currently only works with the LDAP and Facebook identity providers.

LDAP has the following configuration requirements:

  • The IDP_LDAP_ATTRIBUTE_EMAIL application property must be set
  • Verification via birthdate enabled must be disabled, as Onegini IDP expects and maps only the email property from the attributes returned by LDAP
  • In Attributes mandatory on person creation only Email must be selected, as Onegini IDP expects and maps solely the email property from the attributes returned by LDAP

Facebook has the following configuration requirements:

  • Verification via birthdate enabled must be disabled, as Onegini IDP expects and maps only the email property from the attributes returned by Facebook
  • In Attributes mandatory on person creation only Email must be selected, as Onegini IDP expects and maps solely the email property from the attributes returned by Facebook

Couple multiple LDAP-accounts with one CIM-account

When enabled, Onegini IDP will couple an LDAP account with an existing CIM account that has the same email address. Just-in-time external IdP sign-up must be enabled, because account coupling occurs during the sign-up process. Because the match is made on the email address alone, the coupling is only as trustworthy as the email attribute the LDAP directory returns: whoever can set that attribute on a directory entry decides which CIM account it is coupled to.

Activation enabled

When enabled it is possible to activate an account after an invitation is received.

Birthday validation enabled

When enabled a user must validate their identity by entering their birthday in the activation flow.

Attribute verification

Email verification enabled

When enabled the user can trigger an email address verification and mark their email address as verified. For newly registered users the verification email is sent automatically when this feature is enabled.

Email verification required

When enabled, users without a verified email address are not able to log in until they have verified their email address.

Mobile number verification enabled

When enabled the user can trigger a mobile number verification and mark their mobile number as verified.

Person attributes

First and last name mandatory

When enabled it is mandatory for users to have a name attribute in their profile. When the feature is disabled, a name is not required when creating a person via the Person API. In the sign-up forms the name fields are only displayed when the First and last name mandatory feature is enabled.

Mobile number present on sign-up forms

When enabled the field to provide a mobile number is present on the sign-up forms. Unless Mobile number mandatory is enabled, filling in this field is optional. If the mobile number is not filled in, the attribute is not set and it cannot be used as a step-up method.

Mobile number mandatory

When enabled it is mandatory for users to have a mobile number in their profile. If the Pin feature is enabled, the mobile number is only mandatory if the user has no pin code configured. In the sign-up forms the mobile number fields are only displayed when the Mobile number mandatory feature is enabled or when a mobile number is required by the attribute contract. The option Mobile number present on sign-up forms must be checked in order to enable this option.

Password reset via SMS enabled

When enabled, a user who has forgotten their password can choose whether the page to provide a new password is reached via a link sent by email or by entering a code sent by SMS. This may be useful when the user has no access to their email account. If the user requests an SMS code but no phone number is attached to the account, the email link is sent instead. If the feature is disabled, the page to provide a new password can only be reached through the link sent by email.

Mobile number validation enabled

Determines whether Onegini IDP should validate the mobile number provided by the end user. Disabling the validation may be useful when users are being migrated from an external service and their mobile number values do not pass Onegini IDP's validation process.

Custom email validation

When enabled a regular expression can be provided for email validation. With a custom email validation, non-standard top-level domains can be used in email addresses.
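The two validation settings above (Mobile number validation enabled and Custom email validation) both come down to a pattern applied to a user-supplied attribute, and the practitioner's concern with an admin-supplied regular expression is that it is applied to the whole value rather than matched somewhere inside it. The following is an added example, not Onegini IDP's own code; the default and custom email patterns, the E.164 mobile rule and the sample values are all constructed for this example, since the page does not state the product's built-in patterns.

```python
import re

# Both patterns are constructed for this example; the page does not give
# Onegini IDP's built-in pattern. The assumed default restricts the TLD to
# 2-6 letters, which is what rejects newer gTLDs and internal domains.
DEFAULT_EMAIL_PATTERN = r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,6}"

# Assumed custom pattern an administrator might enter: any label length,
# digits allowed in the TLD, and single-label internal domains (user@intranet).
CUSTOM_EMAIL_PATTERN = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"

# Assumed mobile validation rule: E.164 international format (+ and 2-15 digits).
MOBILE_E164_PATTERN = r"\+[1-9][0-9]{1,14}"


def custom_pattern_ok(pattern: str) -> bool:
    """Sanity-check an admin-supplied pattern before storing it: it must
    compile and must not accept an empty string or a plainly broken value."""
    try:
        compiled = re.compile(pattern)
    except re.error:
        return False
    return compiled.fullmatch("") is None and compiled.fullmatch("not-an-email") is None


def email_valid(address: str, pattern: str = DEFAULT_EMAIL_PATTERN) -> bool:
    """Apply the pattern with fullmatch, so the whole value must match even
    when the administrator forgot the ^ and $ anchors."""
    return re.fullmatch(pattern, address) is not None


def email_valid_unanchored(address: str, pattern: str) -> bool:
    """The mistake to avoid: search() accepts any value that merely contains
    an address, for example one with an injected mail header appended."""
    return re.search(pattern, address) is not None


def normalize_mobile(raw: str) -> str:
    """Strip the separators people type and turn an international 00 prefix into +."""
    number = re.sub(r"[\s().-]", "", raw)
    if number.startswith("00"):
        number = "+" + number[2:]
    return number


def mobile_valid(raw: str, validation_enabled: bool = True) -> bool:
    """With validation disabled (the migration case) only a non-empty value is
    required; with it enabled the normalized number must be well-formed E.164."""
    number = normalize_mobile(raw)
    if not validation_enabled:
        return number != ""
    return re.fullmatch(MOBILE_E164_PATTERN, number) is not None


if __name__ == "__main__":
    # Constructed sample: a value with a second line smuggled in behind a valid address.
    injected = "alice@example.com\r\nbcc: attacker@evil.example"
    print("fullmatch:", email_valid(injected, CUSTOM_EMAIL_PATTERN))
    print("search:   ", email_valid_unanchored(injected, CUSTOM_EMAIL_PATTERN))
```

The difference between the last two lines is the whole point: a custom pattern entered without anchors is harmless under fullmatch and dangerous under search, so the validator, not the administrator, should decide how the pattern is applied.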

Migration

Migration enabled

When enabled it is possible to migrate a user from an existing user base to Onegini IDP. A customer specific implementation is a prerequisite.

Unauthenticated migration enabled

When enabled it is possible to migrate a user from an existing user base to Onegini IDP without validating the user's current password. This is done through the password reset form. A customer specific implementation is a prerequisite.

Person identifier from extension enabled

When enabled, Onegini IDP uses the person identifier provided by the extension during the migration process instead of an auto-generated one. If the extension does not provide an identifier, the migration process is aborted.

Security

Pin enabled

When enabled users can define a pin which can be used for step-up authentication.

SMS enabled

When enabled Onegini IDP can send SMS messages for step-up authentication and pin code reset.

Google Authenticator step-up enabled

When enabled users can attach Google Authenticator, or another app implementing the time-based one-time password (TOTP) algorithm, and use it as a step-up authentication method.

Mobile Authentication enabled

When enabled users can use their mobile apps connected via the Onegini Token Server for mobile authentication. Apps will be listed in the device list of the user.

ID Check enabled

When enabled users can verify their name using an identity document (passport, driving licence, ...) via the ID checker service.

When enabled, a service provider can request information about a user who authenticated in the past. Even if the user's session has expired, the information is returned because the user's session token is kept in a cookie.

Usability

Email confirmation enabled

When enabled users must confirm their email address in all forms where the email address can be managed.

Mobile number confirmation enabled

When enabled users must confirm their mobile number in all places where the mobile number can be managed.

APIs

Person API enabled

When enabled the Person API, which is used to manage persons in Onegini IDP, can be used.

Credentials API enabled

When enabled the Credentials API, which is used to validate the credentials of persons in Onegini IDP, can be used.

Events API enabled

When enabled the Events API, which is used to list the events of persons in Onegini IDP, can be used.