Child pages
  • Selfservices in IDM6
Skip to end of metadata
Go to start of metadata

Stash repo with source to test: https://stash.forgerock.org/users/hanns.nolan/repos/idm6-selfservice-examples/browse

Prerequisites

  • SMTP port 1125 (running mailcatcher in docker)
  • Grafana/Prometheus/nodeexporter running on default ports in docker (if you want to test this as well!)
  • IDM can be startet with ./startup.sh -p projectdir -w workingdir

Overview of the functions in IDM6

User Self Registration

  • Flexible data schema
  • Social registration
  • Options (can be switched on requirements)
    • Google ReCAPTCHA
    • Email validation
    • Security Questions
    • Terms & Conditions (including Versioning/audit in internal objects)
    • Privacy & Consent (including consent trail in user managed objects)
  • Available also per REST API (see example below)
  • Multiple self-registration endpoints possible (see note from Jake)

Password Rest Self Service

  • Options (can be switched on requirements)
    • Google ReCAPTCHA
    • User Query Form
    • Email Validation
    • Security Questions
    • Password reset form (pwd attribute)

Forgotten Username Retrieval

  • Options (can be switched on requirements)
    • Google ReCAPTCHA
    • User Query Form
    • Email Username
    • Display Username

Progressive Profile Compilation

  • free form definition with user display Options
  • Display conditions
    • Basic Conditions on login counts/property value/time since reg/profile completion
    • Advanced Conditions query filter/script
  • Attributes property not required/required

Terms & Conditions

  • Versioning of T&C with language support
  • Require acceptance for new and existing users

Docs

Self-Service REST API Reference

user registration flow

example flow

The config can be found here

Rest call flow

1. user registration with payload

curl -X POST \
  'https://localhost:8443/openidm/selfservice/registration?_action=submitRequirements' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -H 'X-OpenIDM-Password: anonymous' \
  -H 'X-OpenIDM-Username: anonymous' \
  -d '{
  "input": {
    "user": {
      "userName": "hnolan",
      "givenName": "Hanns",
      "sn": "Nolan",
      "mail": "hanns.nolan@forgerock.com",
      "password": "Passw0rd",
      "preferences": {
        "updates": true,
        "marketing": false
      }
    },
    "accept": "true",
    "kba": [
      {
        "answer": "color",
        "questionId": "1"
      }
    ]
  }
}'

Respond:

{
    "type": "emailValidation",
    "tag": "validateCode",
    "requirements": {
        "$schema": "http://json-schema.org/draft-04/schema#",
        "description": "Verify emailed code",
        "type": "object",
        "required": [
            "code"
        ],
        "properties": {
            "code": {
                "description": "Enter code emailed",
                "type": "string"
            }
        }
    },
    "token": "eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ZXlKMGVYQWlPaUpLVjFRaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJaXdpWVd4bklqb2lVbE5CTVY4MUluMC5OSm8zTTYyNTdoazJPUDNIYmRUMzNtT0VOc1p0a0xmaHAwazBZc2dZVEdSUVFrZzFQYjZYUEdITlBQdE1sU1FZTGxoQkEyZkJ0V3Y3WEIwUzhCTWlQMHFoN3NBT1p6U0JSSGgtczFEeWhENE5oSU45NzU4dmNyeFp2bjFMTUxHYi1EenFnR1FKRXFvcHR6SU1FcGFWTElvLTdJR1BxMjd0bFRGVDBWQTZsMi1mSVZTaVptT1pVZkNKM1Z6c1kzWk9VczcwLWlNdDZLcWZCZF8zOGVUV1RzQ0ZNZGRrT3dsNmRpOUlJSXRLTmt4RDFzaDZPSUthbDVPVFc1RFY5LXhDRUJxYVhrUFMwWV9JTGpFMFdsWDdPaWxFVm0xRG5CeUp1aDBfZkQxd1hERHExYWZJTVhNSWdTYTVNaEpGNnNtMFRiblJnWUo0NkhZczhScmRkZ1REWkEuYkxEdDZjb0JKWERScXJTWFJCemx0dy5QS2c3NGlhU1RQYnJfOXR2Y3BYTWoyVXMwUTJjR0JseW41X252NnFYYVpTb3hPOGV2aGkyLTZiT25wRXBsenAzQUY0MkZ1U0NYdHlYSmE2cmpJMjZIUXRwYzJMZGh6cGx0NGxvUXlfTmgxdFJWcTJuaWc2bDBjNEdiYVpsLVU5cVVCYkUxT09ac3dKbzhzNzlzSC0xMTlxZnVWZWxMUHNsVDhaTDcwZHhMNTdZal8wMlRUeUlNU3ZQT19uamxUdWFSUlJ0NDBYVHktX0FYTFphTzJkdXhaSWUyX1pWRDFxdGdKQ2ZOTTlKX1FZdU1MdklCRHZxSkZjSWxJbDVtcU5lSWpaZEVlOHp2c0F4VmFqcVhZNWtaZVdhVUVpamctZmZPT3E1ZV91eEZuV3ZYY2F3ZWRRZFFpVTBGcXJwRXpqcFY4R0JwdkUtQWd4Um5hSnl6Ry1wcXlKZnhYekp0ZzZlUkZaejVVUDVnNHZMTmhNWWN1Uko3WW1OYk1kRlB5RldwZlZ5Mmx2cWxvTTBaS0pKWVFLWU9Xc1hQR2x6UzFxSEFBTF9MWmFXbTVJQnozbmtVa2I3NHdLc18zWWlDZlJqREVMZVNIYlNENEdkR0h3cHlFMkFjNjVFdXpJQ1hNQVliRmRldXB2T3BFZHo3dTZTcWZqRkhCSC1BakRRdm5iellqY25Gdk81NmZDeHNfQTdwZzJWZXJEOFcyNWJfVC1MZHFXeVA3X09ZM2pQY3ZzdVd5aUlkVkRCOXlWWFg5TTAxRElFeWRzZkF0SjUzUElOYjZldUk0cnRnZWIwRXhVUTFqMWw1NkFUVS1iUkwzTU1WNWE5RVlCOEJsa1hoQWgzaWNiLTNSNVgyUU5qdzF6Z1lteFpIVFhLY1VabUxQNW1UblFkNHZRVGFvb2h1T2NxN3FvOGZBLUxtc2YwcU82NEM2OGNJb3FfUXFvck1WSFpPaHQ2ZXAyakxyaFlRbFVTOHNuVkw4dVgxQlVhNGFBRmY2by0xdjBJMkJ1QUhJYzhUU1hTRTdaaXp1bWhLcmtqa1R2M1h3UnItdFJTVk9FZ3NkRXFhbnpkbVZwOHFaU2lSM1RUMlRYYWkzbzNZZld0OFNwR0FvYlhvbjZjWXlxTXlVM0g5cVFLSTAyY2JKTHpLeHF1SHhsR0kyaWRUY3hBMm5KSHBTQmVMVDV3TGtWdmdYR05GUGZ1YmpBRG5xRW9KMkFsRXNqamFwalQ1d0gtWEtVVlU3WVV3TlcybkFNODhKOFBYd1AxTkZ3dmxsZjRSR3QwMlJIc0h1U005Rm5UaHJqLWs0di16SlVOZ2pBLTA1THo0SlV1V3ljaExSczJuVnBJc2p3NmprcnRvR0Z4cWtWS2tjelJrOTZTWjhSWUNxWUJVNTVWUl80T1RQNVZJUHNCekpVdWtzUXltemx5QjlFUWVYZXJiejJiUXdoZXhaLWRmRzc1aHRpMmszNFZON1lGUGcuWEdob2RkNWdGR2FQV0N4bXB4V3pLdw.NJAZW1WLq7rsF9zoiKlseyV0xNejNM6Iq0GyhvBr1JU"
}

2. email validation code flow

curl -X POST \
  'https://localhost:8443/openidm/selfservice/registration?_action=submitRequirements' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -H 'X-OpenIDM-Password: anonymous' \
  -H 'X-OpenIDM-Username: anonymous' \
  -d '{
  "token": "eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ZXlKMGVYQWlPaUpLVjFRaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJaXdpWVd4bklqb2lVbE5CTVY4MUluMC5OSm8zTTYyNTdoazJPUDNIYmRUMzNtT0VOc1p0a0xmaHAwazBZc2dZVEdSUVFrZzFQYjZYUEdITlBQdE1sU1FZTGxoQkEyZkJ0V3Y3WEIwUzhCTWlQMHFoN3NBT1p6U0JSSGgtczFEeWhENE5oSU45NzU4dmNyeFp2bjFMTUxHYi1EenFnR1FKRXFvcHR6SU1FcGFWTElvLTdJR1BxMjd0bFRGVDBWQTZsMi1mSVZTaVptT1pVZkNKM1Z6c1kzWk9VczcwLWlNdDZLcWZCZF8zOGVUV1RzQ0ZNZGRrT3dsNmRpOUlJSXRLTmt4RDFzaDZPSUthbDVPVFc1RFY5LXhDRUJxYVhrUFMwWV9JTGpFMFdsWDdPaWxFVm0xRG5CeUp1aDBfZkQxd1hERHExYWZJTVhNSWdTYTVNaEpGNnNtMFRiblJnWUo0NkhZczhScmRkZ1REWkEuYkxEdDZjb0JKWERScXJTWFJCemx0dy5QS2c3NGlhU1RQYnJfOXR2Y3BYTWoyVXMwUTJjR0JseW41X252NnFYYVpTb3hPOGV2aGkyLTZiT25wRXBsenAzQUY0MkZ1U0NYdHlYSmE2cmpJMjZIUXRwYzJMZGh6cGx0NGxvUXlfTmgxdFJWcTJuaWc2bDBjNEdiYVpsLVU5cVVCYkUxT09ac3dKbzhzNzlzSC0xMTlxZnVWZWxMUHNsVDhaTDcwZHhMNTdZal8wMlRUeUlNU3ZQT19uamxUdWFSUlJ0NDBYVHktX0FYTFphTzJkdXhaSWUyX1pWRDFxdGdKQ2ZOTTlKX1FZdU1MdklCRHZxSkZjSWxJbDVtcU5lSWpaZEVlOHp2c0F4VmFqcVhZNWtaZVdhVUVpamctZmZPT3E1ZV91eEZuV3ZYY2F3ZWRRZFFpVTBGcXJwRXpqcFY4R0JwdkUtQWd4Um5hSnl6Ry1wcXlKZnhYekp0ZzZlUkZaejVVUDVnNHZMTmhNWWN1Uko3WW1OYk1kRlB5RldwZlZ5Mmx2cWxvTTBaS0pKWVFLWU9Xc1hQR2x6UzFxSEFBTF9MWmFXbTVJQnozbmtVa2I3NHdLc18zWWlDZlJqREVMZVNIYlNENEdkR0h3cHlFMkFjNjVFdXpJQ1hNQVliRmRldXB2T3BFZHo3dTZTcWZqRkhCSC1BakRRdm5iellqY25Gdk81NmZDeHNfQTdwZzJWZXJEOFcyNWJfVC1MZHFXeVA3X09ZM2pQY3ZzdVd5aUlkVkRCOXlWWFg5TTAxRElFeWRzZkF0SjUzUElOYjZldUk0cnRnZWIwRXhVUTFqMWw1NkFUVS1iUkwzTU1WNWE5RVlCOEJsa1hoQWgzaWNiLTNSNVgyUU5qdzF6Z1lteFpIVFhLY1VabUxQNW1UblFkNHZRVGFvb2h1T2NxN3FvOGZBLUxtc2YwcU82NEM2OGNJb3FfUXFvck1WSFpPaHQ2ZXAyakxyaFlRbFVTOHNuVkw4dVgxQlVhNGFBRmY2by0xdjBJMkJ1QUhJYzhUU1hTRTdaaXp1bWhLcmtqa1R2M1h3UnItdFJTVk9FZ3NkRXFhbnpkbVZwOHFaU2lSM1RUMlRYYWkzbzNZZld0OFNwR0FvYlhvbjZjWXlxTXlVM0g5cVFLSTAyY2JKTHpLeHF1SHhsR0kyaWRUY3hBMm5KSHBTQmVMVDV3TGtWdmdYR05GUGZ1YmpBRG5xRW9KMkFsRXNqamFwalQ1d0gtWEtVVlU3WVV3TlcybkFNODhKOFBYd1AxTkZ3dmxsZjRSR3QwMlJIc0h1U005Rm5UaHJqLWs0di16SlVOZ2pBLTA1THo0SlV1V3ljaExSczJuVnBJc2p3NmprcnRvR0Z4cWtWS2tjelJrOTZTWjhSWUNxWUJVNTVWUl80T1RQNVZJUHNCekpVdWtzUXltemx5QjlFUWVYZXJiejJiUXdoZXhaLWRmRzc1aHRpMmszNFZON1lGUGcuWEdob2RkNWdGR2FQV0N4bXB4V3pLdw.NJAZW1WLq7rsF9zoiKlseyV0xNejNM6Iq0GyhvBr1JU",
  "input": {
    "code": "7952d2de-86e5-4d60-acfa-d6ccb4acfa8b"
  }
}'
{
    "type": "localAutoLogin",
    "tag": "end",
    "status": {
        "success": true
    },
    "additions": {
        "successUrl": "http://localhost:8080",
        "credentialJwt": "eyJ0eXAiOiJKV1QiLCJjdHkiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ZXlKMGVYQWlPaUpLVjFRaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJaXdpWVd4bklqb2lVbE5CTVY4MUluMC5pVWlGZlRBalJ5aEpKcU5HWGVYWGk0ZGxlN1VMZ21NVDBvNmxuWXlMYUhadE9QeWNMV3c5eG94UHdlTzFVQUhPRUVfMjlhTUw1TGtlbl9OLVhGX0pERFl4TmtfdjVXSE5kdTlzMk1WWWxIa2RoYkw1ejZzNEl4cGc2cDdJM0VTYXM2QVhRT2l5NTV4UGt2cHU4UUhSXzdiS1NNQV9FVGtHZ0ZVUE85bGFGTEpVd055Rll3NWhVTUVYdW0xOFBQOUJVVnlJNElnbC1Dc3NwQlZXZzBxc1hkNFNfUHRpWGpidjZHZGpFOVcxX25kekJuS1MyRGhUc3FMaTd6NnAwdE9tTnhld1l4bTRfODE0N0Y2dU55cEtXVTNNZFk4QkdZVU4yeGdlUG51b0VYYl92MXBrd3ljRFJfR0xBbFBZZ0ZFYVNJZWtyVlJVTVpGTDBlZmNXc3B4aUEuR2RZNUZYRm82aVAxQnIxMU04MGpudy52aV9YYlBVMHdFVWRWZG5HX2dHbmEycTc0dUxpYm90ZzVOcGk1MnhISXYtclRXRjNCRWFxTDFMdkRKN0lZVGZNaGZlREZWcXczM3JHOUxyaVBLOUxHc2JTWHE2ci1mTmhrM3hBV1FTMW1aSExrS1F4NDNmV29fRTBadUdySGVmeGNXaU4wWlY2OWNMZDNxNmlubk5vNGcuNzVfUjROR1BqOUpsN1g0WEVfUlEzUQ.s7VfRxaGwi-DPy1AhZSrXqS93syyoNyRHDKrE5u2Tes"
    }
}

Multiple selfservice registration

(note taken from Jake) (this should work with all other selfservices like password reset as well)

multiple self-service registration endpoints can be configured, each pointing to their own managed objects. There are two stages you will need to change from the out-of-the-box configuration:

        ```{
            "name" : "idmUserDetails",
            "identityEmailField" : "mail",
            "socialRegistrationEnabled" : true,
            "identityServiceUrl" : "managed/user",
            "registrationProperties" : [
                "userName",
                "givenName",
                "sn",
                "mail"
            ],
            "registrationPreferences": ["marketing", "updates"]
        }
and
        {
            "name" : "selfRegistration",
            "identityServiceUrl" : "managed/user"
        }```

Note the identityServiceUrl You can save these two configurations as something like conf/selfservice-registrationEmployee.json and conf/selfservice-registrationConsumer.json Which would result in services exposed as /openidm/selfservice/registrationEmployee etc... For the respective policy behavior to work properly, you will need to also adjust policy.json Out of the box we ship this:

        ```{
            "resource" : "selfservice/registration",
            "calculatedProperties" : {
                "type" : "text/javascript",
                "source" : "require('selfServicePolicies').getRegistrationProperties()"
            }
        }```

You would need to change that to match your new service name, and be sure there is an entry for both

Finally, unfortunately it looks like there is a need to make a minor change to the out-of-the-box JS there. bin/defaults/script/selfServicePolicies.js hard-codes "getRegistrationProperties" to look for "config/selfservice/registration". This will need to be changed. I'll give you a diff you can use

The configuration path is now available as an argument With this change, your policy could look like this:

        ```{
            "resource" : "selfservice/registrationEmployee",
            "calculatedProperties" : {
                "type" : "text/javascript",
                "source" : "require('selfServicePolicies').getRegistrationProperties('config/selfservice/registrationEmployee')"
            }
        },
        {
            "resource" : "selfservice/registrationConsumer",
            "calculatedProperties" : {
                "type" : "text/javascript",
                "source" : "require('selfServicePolicies').getRegistrationProperties('config/selfservice/registrationConsumer')"
            }
        }```

Terms & Conditions

T&C are stored in the internal repo and can be queried by

The terms and conditions config can be found here



curl -X GET \
  'https://localhost:8443/openidm/managed/user?_queryFilter=userName+eq+'scarter'&_fields=*,/_meta/*' \
  -H 'Cache-Control: no-cache' \
  -H 'X-OpenIDM-Password: openidm-admin' \
  -H 'X-OpenIDM-Username: openidm-admin'

{
    "result": [
        {
            "_id": "scarter",
            "_rev": "000000007091083d",
            "mail": "scarter@example.com",
            "givenName": "Steven",
            "sn": "Carter",
            "description": "Created By CSV",
            "userName": "scarter",
            "telephoneNumber": "1234567",
            "accountStatus": "active",
            "effectiveRoles": [],
            "effectiveAssignments": [],
            "postalAddress": "ttest",
            "postalCode": "etst",
            "city": "etwst",
            "_meta": {
                "_ref": "internal/usermeta/3698fec2-f406-419e-b9f8-8b092805464c",
                "_refResourceCollection": "internal/usermeta",
                "_refResourceId": "3698fec2-f406-419e-b9f8-8b092805464c",
                "_refProperties": {
                    "_id": "4436d958-47c0-4a46-9b15-475b641ede38",
                    "_rev": "00000000a4a69d6b"
                },
                "createDate": "2018-06-19T12:26:30.258Z",
                "lastChanged": {
                    "date": "2018-06-19T12:27:02.783Z"
                },
                "loginCount": 1,
                "termsAccepted": {
                    "acceptDate": "2018-06-19T12:26:54.028Z",
                    "termsVersion": "1.0"
                },
                "stagesCompleted": [
                    {
                        "identifier": "1621838512",
                        "dateCompleted": "2018-06-19T12:27:02.960Z"
                    }
                ],
                "_rev": "00000000071ba567",
                "_id": "3698fec2-f406-419e-b9f8-8b092805464c"
            }
        }
    ],
    "resultCount": 1,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}


Stash is accessible by forgerock staff only.

see also Password Reset per email