Feature management

What is Feature management?

The Onegini IdP has several features that can be enabled or disabled, e.g. features that allow an end-user to log in or sign up in a specific way. The settings can be managed on the Feature Management tab in the Onegini Consumer Identity Access Manager.

How do I manage features in the Onegini IDP?

  1. Log in to the Onegini Consumer Identity Access Manager -> go to Configuration -> click the tab Feature Management.
  2. The window Feature Management opens:

[Screenshot: Feature Management window]

In the Feature Management window features can be configured for:

  • Processes: Features for the login and sign-up processes.
  • Action Tokens: Manage features for Action Tokens, e.g. options to set the validity of an Action Token.
  • Person Activation: Manage features for person activation, e.g. the account activation.
  • Person attributes: Manage features for person attributes, e.g. enable password reset.
  • Migration: Manage features for migration, e.g. enable the migration of an existing user to the Onegini IdP.
  • Invitation verification: Features for invitation verification, e.g. enabling verification through SMS.
  • Security: Features for security, e.g. enabling mobile authentication for end-users.
  • APIs: Enables APIs, e.g. for configuration, sessions or persons.
  • Experimental features: Enable the experimental features here.

The options in each section are described below.

Processes

The following options are available:

| Option | Description |
|---|---|
| Login enabled | When enabled, the user is allowed to log in. |
| Sign-up enabled | When enabled, it is possible to sign up for a new account at the Onegini IdP. |
| Automated external identity coupling enabled | When enabled, the Onegini IdP will try to automatically sign up a user who logged in using an external identity provider, e.g. Facebook or an LDAP IdP. Automated coupling is only possible when all mandatory attributes are available. |
| Bind multiple social accounts with one CIM account | This option is connected to the 'Automated external identity coupling enabled' option. When enabled, person data from different identity providers that share the same e-mail address will be merged. |
| Accepting invitation enabled | When enabled, an end-user can use the link in the e-mail invitation to activate his or her account. When disabled, the link will not work. |
| Post-login extra registration after second login | When enabled, the end-user needs to provide additional data when logging in for a second time. |

Action Tokens

The following options are available:

| Option | Description |
|---|---|
| Login via Action Token enabled | When an end-user logs in, this option allows the user to use an Action Token when logging in. |
| - Action Token Validity (seconds) | Action Token validity in seconds. |
| - Authentication Level | Select the Authentication Level, 1 to 4. |
| - Enable generating Action Token Login Link via UI | If enabled, an Action Token Login Link can be presented to the end-user via a user interface. |
| App to Web via Action Token enabled | When enabled, a connection from App to Web via an Action Token can be made. |
| - Action Token Validity (seconds) | Action Token validity in seconds. |
| - Authentication Level | Select the Authentication Level, 1 to 4. |
| Coupling via Action Token enabled | When enabled, coupling via an Action Token is possible. |
| - Action Token Validity (seconds) | Action Token validity in seconds. |
| Redirect URL whitelist | Defines a list of URLs that can optionally be used when defining an Action Token. |
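As an added illustration (not Onegini's code; the class, function names and defaults are assumed), the following Python sketches how the 'Login via Action Token' settings in this table are typically enforced together at login time: the validity window in seconds, the 1 to 4 range of the Authentication Level, and an exact-match Redirect URL whitelist.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ActionTokenSettings:
    """Hypothetical model of the 'Login via Action Token' options above (not Onegini's data model)."""
    enabled: bool = True
    validity_seconds: int = 300                   # Action Token Validity (seconds)
    authentication_level: int = 2                 # Authentication Level, 1 to 4
    redirect_url_whitelist: Tuple[str, ...] = ()  # Redirect URL whitelist, exact matches only


def _canonical(url: str) -> str:
    """Lower-case scheme and host, default an empty path to '/'; query and fragment are ignored."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def redirect_allowed(settings: ActionTokenSettings, url: str) -> bool:
    """Accept a redirect only on an exact whitelist match.

    Deliberately no prefix or substring matching: a host that merely starts with the
    whitelisted host, or a path containing '..', must not pass for the whitelisted URL.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return False                              # relative or scheme-less URLs are rejected
    allowed = {_canonical(w) for w in settings.redirect_url_whitelist}
    return _canonical(url) in allowed


def check_action_token_login(settings: ActionTokenSettings, issued_at: int, now: int,
                             redirect_url: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether an action-token login may proceed; timestamps are Unix seconds."""
    if not settings.enabled:
        return False, "login via action token disabled"
    if not 1 <= settings.authentication_level <= 4:
        return False, "authentication level must be 1 to 4"
    if now < issued_at:
        return False, "token issued in the future"
    if now - issued_at > settings.validity_seconds:
        return False, "token expired"
    if redirect_url is not None and not redirect_allowed(settings, redirect_url):
        return False, "redirect URL not whitelisted"
    return True, f"ok (authentication level {settings.authentication_level})"
```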

Person activation

The following options are available:

| Option | Description |
|---|---|
| Activation enabled | This option enables the end-user to activate his or her account. |
| Activate via email | This option enables account activation through e-mail. |
| - Expiration time | The amount of time the activation link in the received e-mail remains valid before expiring. |
| Activate via externally delivered code | This option enables account activation through a delivered code. |
| - Allow to resend code after period (seconds) | Defines the time period after which it is allowed to resend an activation code. |
| - Unavailability time (seconds) | Defines the time for which a generated code is kept before it is used. |
| - Activation code expiration time (seconds) | The amount of time the activation code remains valid before expiring. |
| - Force activation after accepting invitation | When enabled, account activation is mandatory for an end-user as soon as he or she has accepted the invitation (that has been sent through an externally delivered code). |

Person attributes

The following options are available:

| Option | Description |
|---|---|
| Password reset enabled | When enabled, the end-user can choose to receive a password reset through a link sent by e-mail or by receiving an SMS code. When there is no phone number available, the end-user receives an e-mail. When disabled, password reset is only possible through an e-mail link. |
| Username reminder via SMS enabled | When enabled, the end-user can receive a username reminder through SMS. |
| Mobile number validation for back-end services enabled | Determines whether the Onegini IdP should validate the mobile number provided by the end-user. The functionality may be especially useful when users are being migrated from an external service and the mobile number values do not pass the Onegini IdP's validation process. |
| Custom email validation enabled | This option enables custom e-mail validation. |

Migration

The following options are available:

| Option | Description |
|---|---|
| Migration enabled | When enabled, it is possible to migrate a user from an existing user database to the Onegini IdP. A customer-specific implementation is a prerequisite. |
| Unauthenticated migration | When enabled, it is possible to migrate a user from an existing user base to the Onegini IdP without validating the user's current password, through the password reset form. A customer-specific implementation is a prerequisite. |
| Person identifier in external profile required for migration | When enabled, the Onegini IdP will use the person identifier provided by the extension in the migration process instead of an auto-generated one. In the absence of an identifier, the migration process will be aborted. |

Invitation verification

The following options are available:

| Option | Description |
|---|---|
| Invitation verification required | When enabled, the end-user needs to verify his or her identity through an invitation. |
| Verification via birth date enabled | When enabled, the end-user can choose to verify through date of birth. |
| Verification via SMS enabled | When enabled, the end-user can choose to verify through SMS. |
| Verification via externally delivered code enabled | When enabled, the end-user gets a verification code via some external means, e.g. a letter. |
| Allow sign-up without invitation validation | When enabled, the end-user will be able to activate his or her account even if an invitation of an earlier date has been ignored. |

Security

The following options are available:

| Option | Description |
|---|---|
| Pin enabled | When enabled, users have to define a PIN which can be used for step-up authentication. |
| SMS enabled | When enabled, the Onegini IdP can send SMS messages for step-up authentication as well as PIN code reset. |
| Google Authenticator step-up authentication enabled | When enabled, users can attach Google Authenticator or another app implementing the time-based one-time password (TOTP) algorithm and use it as a step-up authentication method. |
| Mobile Authentication enabled | When enabled, users can use their mobile apps connected via the Onegini Token Server for mobile authentication. Apps will be listed in the device list of the user. |
| Step-up authentication method externally delivered code enabled | When enabled, the end-user gets a verification code via some external means, e.g. a letter. |
| Cookie Based SAML Authentication | When enabled, the service provider can request the data with which a user authenticated himself or herself in the past. Even if the user's session has expired, the information will be returned via a cookie holding the user's session token. |

APIs

The following options are available:

| Option | Description |
|---|---|
| Person API enabled | The Person API can be used to manage persons in the Onegini IdP. |
| Credentials API enabled | The Credentials API can be used to validate credentials of persons in the Onegini IdP. This API can also be used to process action tokens. |
| Events API enabled | The Events API can be used to list events of persons in the Onegini IdP. |
| Statistics API enabled | The Statistics API can be used to generate usage statistics of the Onegini Consumer Identity Access Manager. |
| Configuration API enabled | The Configuration API can be used to fetch and update the Onegini IdP configuration. |
| Session API enabled | The Session API can be used to retrieve session data of the end-user. |
| Storage API enabled | The Storage API can be used to store generic data needed in some authentication flows (currently only Sign in with Apple). |

Experimental features

The following option is available:

| Option | Description |
|---|---|
| Experimental features enabled | When enabled, all the experimental features that are currently available are activated. Experimental features might not be fully implemented. Use this option for test purposes only. |