Person activation

The Person Activation feature adds an additional verification step that must be completed before end-users can start using their accounts. When enabled, every person's account enters the INACTIVE state right after sign-up is finished. A person whose account is in the INACTIVE state cannot complete the login flow. This chapter guides you through all the steps required to fully configure and use the Person Activation feature with the Onegini IDP.

What is required?

To successfully complete this topic guide, make sure the following prerequisites are met:

  • An Onegini IDP instance must be running. For the sake of this guide we assume it's available at http://idp-core.dev.onegini.me
  • An Onegini IDP extension instance must be running. For the sake of this guide we assume it's available at http://idp-extension.dev.onegini.me
  • An Onegini IDP ui-extension instance must be running. For the sake of this guide we assume it's available at http://idp-core.dev.onegini.me/ui (required only for activation via externally delivered code)
  • Onegini IDP must have the Username & password identity provider configured

Introduction

Before continuing with this topic guide, please familiarize yourself with the assumptions below.

Technical description

To get a better understanding of the Person Activation feature, please consider the following diagram. It illustrates the flow for an account created via an API call, but it also applies to all the other use cases.

Person status lifecycle

A person account can enter the INACTIVE state only when the Person Activation feature is enabled.

NOTE: Enabling the feature affects how the person API works: person status follows the flow of the diagram above for all API calls as well.

Supported flows

Person activation is supported in the following flows:

Configuration

The Person Activation feature is disabled by default. The configuration option is available under the Configuration -> Feature management -> Person activation section. Currently the following flavours of person account activation are supported:

Activation via email

It allows an account to be activated by visiting a link delivered to the end-user via email. To enable it, select the Activate via email option and define the link's TTL (time to live), i.e. its expiration time.

Activation via externally delivered code

It allows an account to be activated by entering a code sent to the user's address. To enable it, select the Activate via externally delivered code checkbox and provide a few configuration properties:

  • allow to resend code after period: time after which user is allowed to resend the code, the resend operation is triggered from the web interface
  • unavailability time: initial time during which the activation code is not allowed to be used
  • activation code expiration: time after which code is marked as invalid / expired

Additionally, it requires the UI Extension service to be configured under the Configuration -> UI-Extension -> UI-Extension login configuration section. Fill in the UI Extension address in the base url field. For the sake of this guide we assume it's available at http://idp-core.dev.onegini.me/ui.

Besides the configuration done in the Onegini IDP, additional changes must also be implemented in the customer-specific Extension and UI Extension applications.

  1. Extension: it is responsible for processing the generated code and providing it to the user. To be able to do so, the extension needs to have a DeliverExternalCodeExtension bean available.

  2. UI-extension: it provides the view shown to the user where the code is provided, under the GET /activation path.
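
The three timing properties of the externally delivered code interact, and an inconsistent combination can leave users with a code that can never be used. The following is an added example, not Onegini IDP code: a small model that checks a combination of the three values and classifies a code by age. The class, field and function names are hypothetical, and it assumes that the unavailability and expiration windows are both measured from the moment the code is issued and the resend period from the last delivery.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CodeActivationSettings:
    # Hypothetical field names mirroring the three admin-console properties.
    resend_after: timedelta    # "allow to resend code after period"
    unavailability: timedelta  # "unavailability time"
    expiration: timedelta      # "activation code expiration"

    def problems(self) -> list[str]:
        """Return the inconsistencies in this combination (empty list if none)."""
        issues = []
        if min(self.resend_after, self.unavailability, self.expiration) < timedelta(0):
            issues.append("durations must not be negative")
        if self.expiration <= self.unavailability:
            issues.append("code expires before it ever becomes usable")
        if self.resend_after > self.expiration:
            issues.append("code expires before a resend is allowed")
        return issues


def code_state(s: CodeActivationSettings, issued_at: datetime, now: datetime) -> str:
    """Classify a code by its age (assumption: windows start at issue time)."""
    age = now - issued_at
    if age >= s.expiration:
        return "EXPIRED"
    if age < s.unavailability:
        return "NOT_YET_USABLE"
    return "USABLE"


def may_resend(s: CodeActivationSettings, last_sent_at: datetime, now: datetime) -> bool:
    """True once the resend period has elapsed since the last delivery."""
    return now - last_sent_at >= s.resend_after


if __name__ == "__main__":
    # Constructed sample values, not product defaults.
    s = CodeActivationSettings(timedelta(seconds=60), timedelta(seconds=10),
                               timedelta(minutes=15))
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    print(s.problems())
    for offset in (5, 300, 900):
        now = t0 + timedelta(seconds=offset)
        print(offset, code_state(s, t0, now), may_resend(s, t0, now))
```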

Activation via API

The Onegini IDP gives additional flexibility by allowing the user to be activated via an API call, which makes it easy to integrate with external services. The Onegini IDP exposes two endpoints that provide this functionality:

  • POST /api/persons/{person_id}/activate/email
  • POST /api/persons/{person_id}/activate/code

Both activation types (email, code) are described in the API reference.

Testing

Both flavours of the Person Activation feature can be tested in the same way. Sign up by visiting the http://idp-core.dev.onegini.me page. If activation via email has been selected, you will be prompted to visit the activation link sent via email. If activation via code is configured, you will be prompted to enter the actual code value, which was delivered to you via a different channel (this can be SMS, letter or other). Once activation has completed successfully, you will be redirected to the dashboard page or back to the SAML Service Provider.