diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/disable-login-attempts-security.png b/en/asgardeo/docs/assets/img/guides/account-configurations/disable-login-attempts-security.png new file mode 100644 index 0000000000..1f8ced2e7d Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/disable-login-attempts-security.png differ diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/enable-login-attempts-security.png b/en/asgardeo/docs/assets/img/guides/account-configurations/enable-login-attempts-security.png new file mode 100644 index 0000000000..e534d23bf7 Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/enable-login-attempts-security.png differ diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/login-attempts.png b/en/asgardeo/docs/assets/img/guides/account-configurations/login-attempts.png new file mode 100644 index 0000000000..0ca5254a6c Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/login-attempts.png differ diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/self-register-form.png b/en/asgardeo/docs/assets/img/guides/account-configurations/self-register-form.png new file mode 100644 index 0000000000..b5ecd7e793 Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/self-register-form.png differ diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration-add-method.png b/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration-add-method.png new file mode 100644 index 0000000000..f7dae114e7 Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration-add-method.png differ diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration-form-attributes.png b/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration-form-attributes.png new file mode 100644 index 0000000000..65ff2b8e27 Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration-form-attributes.png differ diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration.png b/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration.png new file mode 100644 index 0000000000..6a1082e8a1 Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/self-registration.png differ diff --git a/en/asgardeo/docs/assets/img/guides/account-configurations/sign-up-methods.png b/en/asgardeo/docs/assets/img/guides/account-configurations/sign-up-methods.png new file mode 100644 index 0000000000..92b05022f8 Binary files /dev/null and b/en/asgardeo/docs/assets/img/guides/account-configurations/sign-up-methods.png differ diff --git a/en/asgardeo/docs/guides/account-configurations/account-recovery/password-recovery.md b/en/asgardeo/docs/guides/account-configurations/account-recovery/password-recovery.md new file mode 100644 index 0000000000..c69cc2e397 --- /dev/null +++ b/en/asgardeo/docs/guides/account-configurations/account-recovery/password-recovery.md @@ -0,0 +1 @@ +{% include "../../../../../includes/guides/account-configurations/account-recovery/password-recovery.md" %} \ No newline at end of file diff --git a/en/asgardeo/docs/guides/account-configurations/index.md b/en/asgardeo/docs/guides/account-configurations/index.md new file mode 100644 index 0000000000..113c83a749 --- /dev/null +++ b/en/asgardeo/docs/guides/account-configurations/index.md @@ -0,0 +1 @@ +{% include "../../../../includes/guides/account-configurations/index.md" %} \ No newline at end of file diff --git a/en/asgardeo/docs/guides/account-configurations/login-security/login-attempts.md b/en/asgardeo/docs/guides/account-configurations/login-security/login-attempts.md new file mode 100644 index 0000000000..ca095a7f55 --- /dev/null +++ b/en/asgardeo/docs/guides/account-configurations/login-security/login-attempts.md @@ -0,0 +1 @@ +{% include "../../../../../includes/guides/account-configurations/login-security/login-attempts.md" %} \ No newline at end of file diff --git a/en/asgardeo/docs/guides/account-configurations/login-security/password-validation.md b/en/asgardeo/docs/guides/account-configurations/login-security/password-validation.md new file mode 100644 index 0000000000..ae4b5d8744 --- /dev/null +++ b/en/asgardeo/docs/guides/account-configurations/login-security/password-validation.md @@ -0,0 +1 @@ +{% include "../../../../../includes/guides/account-configurations/login-security/password-validation.md" %} \ No newline at end of file diff --git a/en/asgardeo/docs/guides/account-configurations/user-onboarding/self-registration.md b/en/asgardeo/docs/guides/account-configurations/user-onboarding/self-registration.md new file mode 100644 index 0000000000..26aea8089c --- /dev/null +++ b/en/asgardeo/docs/guides/account-configurations/user-onboarding/self-registration.md @@ -0,0 +1 @@ +{% include "../../../../../includes/guides/account-configurations/user-onboarding/self-registration.md" %} \ No newline at end of file diff --git a/en/asgardeo/docs/guides/user-accounts/password-recovery.md b/en/asgardeo/docs/guides/user-accounts/password-recovery.md deleted file mode 100644 index 7b75adf227..0000000000 --- a/en/asgardeo/docs/guides/user-accounts/password-recovery.md +++ /dev/null @@ -1,2 +0,0 @@ -{% set product_name = "Asgardeo" %} -{% include "../../../../includes/guides/user-accounts/password-recovery.md" %} \ No newline at end of file diff --git a/en/asgardeo/mkdocs.yml b/en/asgardeo/mkdocs.yml index ad8c472d36..655502ff4b 100644 --- a/en/asgardeo/mkdocs.yml +++ b/en/asgardeo/mkdocs.yml @@ -123,11 +123,15 @@ plugins: 'apis/organization-apis/org-group-mgt.md': 'apis/organization-apis/scim2/scim2-org-group-mgt.md' 'apis/organization-apis/scim-bulk.md': 'apis/organization-apis/scim2/scim2-org-bulk.md' 'guides/api-authorization.md' : 'guides/authorization/api-authorization/api-authorization.md' - 'guides/account-configurations.md': 'guides/user-accounts/index.md' + 'guides/user-accounts/index.md': 'guides/account-configurations/index.md' 'references/application-logs.md' : 'guides/asgardeo-logs.md' 'apis/oauth-dcr.md' : 'apis/dynamic-client-registration-rest-api.md' '/guides/authorization/impersonation/user-impersonation/' : '/guides/authorization/user-impersonation/' 'guides/branding/localization-in-asgardeo.md': 'guides/branding/localization.md' + 'guides/user-accounts/password-recovery.md': 'guides/account-configurations/account-recovery/password-recovery.md' + 'guides/user-accounts/account-security/login-attempts-security.md': 'guides/account-configurations/account-security/login-attempts.md' + 'guides/user-accounts/account-security/password-validation.md': 'guides/account-configurations/login-security/password-validation.md' + 'guides/user-accounts/configure-self-registration.md': 'guides/account-configurations/user-onboarding/self-registration.md' exclude_docs: | /get-started/hello-world.md @@ -302,16 +306,18 @@ nav: - Connect a remote user store: guides/users/user-stores/configure-a-user-store.md - Configure high availability: guides/users/user-stores/configure-high-availability.md - Manage remote user stores: guides/users/user-stores/update-user-stores.md - - Account management: - - Account management: guides/user-accounts/index.md - - Configure password recovery: guides/user-accounts/password-recovery.md - - Configure self-registration: guides/user-accounts/configure-self-registration.md - - Manage account security: - - Configure login-attempts security: guides/user-accounts/account-security/login-attempts-security.md - - Configure bot detection: guides/account-configurations/login-security/bot-detection.md - - Configure password validation: guides/user-accounts/account-security/password-validation.md - - Manage account login: - - Configure username validation: guides/user-accounts/account-login/username-validation.md + - Account configurations: + - Account configurations: guides/account-configurations/index.md + - Login security: + - Login attempts: guides/account-configurations/login-security/login-attempts.md + - Bot detection: guides/account-configurations/login-security/bot-detection.md + - Password validation: guides/account-configurations/login-security/password-validation.md + - Account recovery: + - Password recovery: guides/account-configurations/account-recovery/password-recovery.md + - User onboarding: + - Self-registration: guides/account-configurations/user-onboarding/self-registration.md + - Manage login identifiers: + - Configure username validation: guides/account-configurations/account-login/username-validation.md - Configure alternative login identifiers: guides/user-accounts/account-login/configure-login-identifiers.md - User self-service: - User self-service: guides/user-self-service/index.md diff --git a/en/identity-server/7.0.0/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png b/en/identity-server/7.0.0/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png index dc6292f061..710de0c276 100644 Binary files a/en/identity-server/7.0.0/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png and b/en/identity-server/7.0.0/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png differ diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md b/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md index f1d1a70020..3bc1a0a025 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md @@ -1,13 +1 @@ -# Admin initiated password reset - -Provide administrators with the ability to initiate a password reset process for users in {{product_name}}. - -Follow the steps below to set up admin initiated password reset: - -1. On the {{product_name}} Console, go to **Login & Registration** > **Account Recovery** > **Admin Initiated Password Reset**. - -2. Select **Enable Password Reset via Recovery Email** checkbox. Once an administrator forces a password reset, users may reset their passwords through a recovery link sent via email. - -3. Click **Update** to save the changes. - -![Admin Initiated Password Reset Configuration]({{base_path}}/assets/img/guides/account-configurations/admin-initiated-password-reset.png){: width="800" style="display: block; margin: 0;"} +{% include "../../../../../../includes/guides/account-configurations/account-recovery/admin-initiated-password-reset.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/password-recovery.md b/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/password-recovery.md index 68de549e6a..4c6fc9ad20 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/password-recovery.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/password-recovery.md @@ -1,24 +1 @@ -# Password recovery - -Provide self-service password recovery right from the login page of {{product_name}} for users to securely reset a forgotten password. - -Follow the steps below to configure password recovery: - -1. On the {{product_name}} Console, go to **Login & Registration** > **Account Recovery** > **Password Recovery**. -2. Toggle the switch to enable passwords recovery. -3. Configure the following options: - - - - - - - - - - -
Notify on Successful RecoveryWhen checked, the user will be notified via email after a successful password recovery.
Recovery Link Expiry TimeTime in minutes until the password recovery link expires.
- -4. Click **Update** to save the changes. - -![Password Recovery Configuration]({{base_path}}/assets/img/guides/account-configurations/password-recovery.png){: width="800" style="display: block; margin: 0;"} \ No newline at end of file +{% include "../../../../../../includes/guides/account-configurations/account-recovery/password-recovery.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/username-recovery.md b/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/username-recovery.md index aaebbebcd7..3e843ac6a4 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/username-recovery.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/account-recovery/username-recovery.md @@ -1,12 +1 @@ -# Username recovery - -Allow users to retrieve their usernames through a self-service process on the login page in {{product_name}}. - -Follow the steps below to enable username recovery: - -1. On the {{product_name}} Console, go to **Login & Registration** > **Account Recovery** > **Username Recovery**. -2. Toggle the switch to enable username recovery option to allow users to recover their usernames. -3. Click **Update** to save the changes. - -![Username Recovery Configuration]({{base_path}}/assets/img/guides/account-configurations/username-recovery.png){: width="900" style="display: block; margin: 0;"} - +{% include "../../../../../../includes/guides/account-configurations/account-recovery/username-recovery.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/login-attempts.md b/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/login-attempts.md index 5760277a4d..8067f09d5e 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/login-attempts.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/login-attempts.md @@ -1,61 +1 @@ -# Login attempts - -Secure user accounts from unauthorized access by configuring the login attempts policy in {{product_name}}. - -## Configuration instructions - -To manage login attempts settings, do the following: - -1. In the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Login Attempts**. -2. Adjust the settings according to your security requirements. -3. Click **Update** to save the changes. - -![Login Attempts Configuration]({{base_path}}/assets/img/guides/account-configurations/login-attempts.png){: width="900" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - - - - - -
ParameterDescription
Number of Consecutive Failed Login AttemptsThe count of consecutive incorrect login attempts before locking the account.
Account Lock DurationThe time in minutes an account stays locked after reaching the failed attempt limit.
Account Lock Duration Increment FactorThe rate at which the lock duration increases after successive lockouts.
- -!!! Info - - In the {{product_name}} login pages, a generic error message is displayed by default to end-users in the event of login failures. To show more specific error messages on the login page, the following properties can be configured in the `deployment.toml` file, which is located in the `/repository/conf` directory. - - Basic authenticator configurations: - - ```toml - [authentication.authenticator.basic.parameters] - showAuthFailureReason = true - showAuthFailureReasonOnLoginPage = true - ``` - - Email OTP authenticator configurations: - - ```toml - [authentication.authenticator.email_otp.parameters] - showAuthFailureReason = true - showAuthFailureReasonOnLoginPage = true - ``` - - TOTP authenticator configurations: - - ```toml - [authentication.authenticator.totp.parameters] - showAuthFailureReason = true - showAuthFailureReasonOnLoginPage = true - ``` +{% include "../../../../../../includes/guides/account-configurations/login-security/login-attempts.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/password-validation.md b/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/password-validation.md index 50a3bcd52b..8ac83abcbf 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/password-validation.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/password-validation.md @@ -1,37 +1 @@ -# Password validation - -Customize password validation rules to enhance the security of user accounts in {{product_name}}. - -## Configuration instructions - -To configure password validation rules, follow the steps below: - -1. On the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Password Validation**. -2. Adjust the settings according to your security requirements. - - ![Password Validation Configuration]({{base_path}}/assets/img/guides/account-configurations/password-validation.png){: width="600" style="display: block; margin: 0;"} - - - - - - - - - - - - - - - - - - -
ParameterDescription
Password ExpirationDefines the number of days after which a password must be changed.
Password History CountSpecifies the number of unique new passwords a user must use before an old password can be reused.
Password Input ValidationSets requirements for password complexity, including length and character types.
- -3. Click **Update** to save the changes. - -!!! note "Validation for whitespace in passwords" - - {{product_name}} automatically trims leading and trailing whitespace from passwords when creating, updating, or when entering passwords to login. \ No newline at end of file +{% include "../../../../../../includes/guides/account-configurations/login-security/password-validation.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/session-management.md b/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/session-management.md index 6a699e048b..a18675687f 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/session-management.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/login-security/session-management.md @@ -1,30 +1 @@ -# Session management - -Customize session timeout and remember me settings to maintain optimal security and user experience in {{product_name}}. - -## Configuration instructions - -To adjust session management settings, follow these steps: - -1. On the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Session Management**. -2. Configure the **Idle Session Timeout** and **Remember Me Period** to suit your security policies. -3. Click **Update** to save the changes. - -![Session Management Configuration]({{base_path}}/assets/img/guides/account-configurations/session-management.png){: width="800" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - -
ParameterDescription
Idle Session TimeoutTime in minutes before an inactive user session is automatically ended.
Remember Me PeriodDuration in minutes that the system will remember a user's session.
+{% include "../../../../../../includes/guides/account-configurations/login-security/session-management.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md b/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md index 119e8c9aa9..a0a349c55d 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md @@ -1,45 +1 @@ -# Invite user to set password - -Allow administrator to invite users to set their own passwords during the onboarding process in {{product_name}}. - -## Configuration instructions - -For inviting users to set their password, follow these instructions: - -1. On the {{product_name}} Console, go to **Login & Registration** > **User Onboarding** > **Invite User to Set Password**. -2. Check the **Enable email invitations for user password setup** to send an email to the user to set the password after user creation. -3. Select the **Enable account lock on creation** to lock the user account during user creation. -4. If you want to send an account activation confirmation email, enable the **Send account activation email**. -5. Set the **Password setup invitation code expiration time** in minutes to define how long the password setup invitation e-mail would be valid. For infinite validity period, set -1. Setting 0 will cause immediate expiry of the invitation. -6. Click **Update** to save the changes. - -![Invite User to Set Password Configuration]({{base_path}}/assets/img/guides/account-configurations/invite-user-to-set-password.png){: width="700" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - -
ParameterDescription
Enable user email verificationTriggers a verification notification during user creation if enabled.
Enable account lock on creationLocks the user account during creation to prevent unauthorized access.
Send account activation emailSends an email to users for account activation if enabled.
Email verification code expiry timeThe duration in minutes for which the email verification code remains valid.
Password Setup Invitation Code Expiration TimeDefines the validity period in minutes for the password setup code sent to users. For infinite validity period, set -1.
+{% include "../../../../../../includes/guides/account-configurations/user-onboarding/invite-user-to-set-password.md" %} \ No newline at end of file diff --git a/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/self-registration.md b/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/self-registration.md index 8bbc43c668..cf711a9885 100644 --- a/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/self-registration.md +++ b/en/identity-server/7.0.0/docs/guides/account-configurations/user-onboarding/self-registration.md @@ -1,43 +1 @@ -# Self registration - -Enable users to self-register and create their own accounts within the organization on {{product_name}}. - -## Configuration instructions - -To set up self-registration, follow these steps: - -1. On the {{product_name}} Console, go to **Login & Registration** > **User Onboarding** > **Self Registration**. -2. Toggle the switch to enable self-registration. -3. Configure the additional settings such as account verification, auto-login, and notification emails as needed. -4. Click **Update** to save the changes. - -![Self Registration Configuration]({{base_path}}/assets/img/guides/account-configurations/self-registration.png){: width="900" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - -
ParameterDescription
Account VerificationWhen enabled, requires users to verify their accounts as part of registration.
Account verification link expiry timeTime in minutes until the account verification link expires.
Activate account immediatelyIf selected, the new account is activated immediately after registration without waiting for account confirmation.
Enable auto loginIf selected, the user will be automatically logged in after registration.
Send sign up confirmation emailA confirmation email is sent upon successful self-registration if this option is enabled.
+{% include "../../../../../../includes/guides/account-configurations/user-onboarding/self-registration.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/apis/restapis/scim2-resource-types.yaml b/en/identity-server/next/docs/apis/restapis/scim2-resource-types.yaml new file mode 100644 index 0000000000..e489c21302 --- /dev/null +++ b/en/identity-server/next/docs/apis/restapis/scim2-resource-types.yaml @@ -0,0 +1,110 @@ +openapi: 3.0.1 +info: + title: SCIM 2.0 Resource Types Retrieval API + description: | + This document specifies **SCIM 2.0 Resource Types RESTful API** for **WSO2 Identity Server**. + version: 1.0.0 +servers: + - url: https://{serverUrl}/t/{tenantDomain}/scim2 + variables: + serverUrl: + default: localhost:9443 + tenantDomain: + default: carbon.super +security: + - OAuth2: [] + - BasicAuth: [] +paths: + /ResourceTypes: + get: + tags: + - ResourceTypes Endpoint + summary: Get resource types + description: | + This API lists and returns metadata about resource types. + + No Scope(Permission) required. + operationId: getResourceType + responses: + 200: + description: Schema is found + content: + application/scim+json: + schema: + $ref: '#/components/schemas/ResourceTypeResponse' + 401: + description: Unauthorized + content: + application/scim+json: + schema: + $ref: '#/components/schemas/ErrorUnauthorized' + x-codeSamples: + - lang: Curl + source: | + curl -X 'GET' \ + 'https://localhost:9443/scim2/ResourceTypes' \ + -H 'accept: application/scim+json' +components: + schemas: + UserObResourceType: + type: object + properties: + schema: + type: string + example: urn:ietf:params:scim:schemas:core:2.0:User + endpoint: + type: string + example: /Users + meta: + type: object + properties: + location: + type: string + example: https://localhost:9443/scim2/ResourceType/User + resourceType: + type: string + example: ResourceType + name: + type: string + example: User + description: + type: string + example: User Account + schemaExtensions: + type: object + properties: + schema: + type: string + example: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User + required: + type: boolean + example: false + id: + type: string + example: User + ResourceTypeResponse: + type: object + properties: + schemas: + type: array + items: + type: string + example: urn:ietf:params:scim:schemas:core:2.0:ResourceType + resourceType: + type: array + items: + $ref: '#/components/schemas/UserObResourceType' + ErrorUnauthorized: + required: + - status + type: object + properties: + status: + type: string + example: "401" + schemas: + type: string + example: urn:ietf:params:scim:api:messages:2.0:Error + scimType: + type: string + example: Unauthorized diff --git a/en/identity-server/next/docs/apis/scim2/index.md b/en/identity-server/next/docs/apis/scim2/index.md new file mode 100644 index 0000000000..29605ddb2e --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/index.md @@ -0,0 +1,11 @@ +# SCIM 2.0 API + +The SCIM2 Rest APIs of {{product_name}} implements the SCIM 2.0 protocol according to the [specification](https://datatracker.ietf.org/doc/html/rfc7644){target="_blank"}. This section includes the following APIs. + +- [SCIM 2.0 Users API]({{base_path}}/apis/scim2/scim2-users-rest-api/) +- [SCIM 2.0 Groups API]({{base_path}}/apis/scim2/scim2-groups-rest-api/) +- [SCIM 2.0 Patch operations]({{base_path}}/apis/scim2/scim2-patch-operations/) +- [SCIM 2.0 Bulk API]({{base_path}}/apis/scim2/scim2-bulk-rest-api/) +- [SCIM 2.0 Batch operations]({{base_path}}/apis/scim2/scim2-batch-operations/) +- [SCIM 2.0 Resource types API]({{base_path}}/apis/scim2/scim2-resource-types/) +- [SCIM 2.0 Service provider configuration API]({{base_path}}/apis/scim2/scim2-sp-config-rest-api/) \ No newline at end of file diff --git a/en/identity-server/next/docs/apis/scim2/scim2-batch-operations.md b/en/identity-server/next/docs/apis/scim2/scim2-batch-operations.md new file mode 100644 index 0000000000..fae2622fbb --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/scim2-batch-operations.md @@ -0,0 +1,1172 @@ +# SCIM2 Bulk Operations + +Follow the topics given below to understand how **Bulk** operations can be used when you manage resources in the [SCIM2 API]({{base_path}}/apis/scim2-bulk-rest-apis/#tag/Bulk-Endpoint). + +The SCIM2 API allows you to send multiple resource operations in a single request. That is, you can add new records (POST data), replace an existing record (PUT data), update elements of an existing record (PATCH data), and delete records (DELETE data) in bulk. These bulk operations are supported for managing users and groups with the SCIM API in WSO2 Identity Server. + +## Manage users in bulk + +You can use the **bulk** operations to add, remove, update, and replace users in bulk. + +!!! Info + The examples given below show individual resource operations (POST, PATCH, PUT, or DELETE) handled in a single request. However, note that a single request can execute a combination of operation types simultaneously. + +### Add users + +Given below is an example request payload to manage users in bulk. This request includes an array of operations that adds multiple new users. + +```json +{ + "failOnErrors":1, + "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"], + "Operations": [ + { + "method": "POST", + "path": "/Users", + "bulkId": "qwerty", + "data": { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "userName": "Kim", + "password":"kim123", + "name": { + "givenName": "Kim", + "familyName": "Berry" + } + } + }, + { + "method": "POST", + "path": "/Users", + "bulkId": "ytrewq", + "data": { + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:User", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" + ], + "name": { + "givenName": "Smith", + "familyName": "Berry" + }, + "userName": "smith", + "password": "smith123", + "emails": [ + { + "value": "smith@gmail.com", + }, + { + "type": "work", + "value": "smith@wso2.com" + } + ], + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "employeeNumber": "1234A", + "manager": { + "value": "Taylor" + } + } + } + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:
+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To add multiple new users, add an array of POST operations. You can include any number of operations in one bulk request.
+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.
+ Possible value:POST. +
pathRequired + Add this path to specify that a new user is being added.
+ Possible value:/Users. +
bulkidRequired + A unique identifier for the bulk operation. The bulkid is required for POST operations.

+ Possible value: An integer value. +
dataRequired + Specify the details of the new user that should be added. The parameters that can be used for this “data” object are explained below. +
+ +- Data parameters + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
schemasRequired + Specify the list of SCIM2 user schemas to which the new user should be linked.
+ Possible values: +
    +
  • urn:ietf:params:scim:schemas:core:2.0:User
    • +
  • urn:ietf:params:scim:schemas:enterprise:2.0:User
    • +
  • urn:scim:wso2:schema
    • +
+
{attribute_name}Required + The name of the attribute that will be updated.
+ Possible values: User attributes as per the SCIM protocol. +
+ +### Update users + +Given below is an example request payload to update users in bulk. This request includes an array of operations that updates multiple details of multiple users. + +```json +{ + "failOnErrors":1, + "schemas":[ + "urn:ietf:params:scim:api:messages:2.0:BulkRequest" + ], + "Operations":[ + { + "method":"PATCH", + "path":"/Users/e67906fb-308f-4b15-89bd-0ab6e3d996e5", + "data":{ + "Operations":[ + { + "op":"replace", + "path":"name", + "value":{ + "givenName":"john", + "familyName":"Anderson" + } + }, + { + "op":"add", + "path":"nickName", + "value":"shaggy" + } + ] + } + }, + { + "method":"PATCH", + "path":"/Users/b1781d25-bde5-460a-a58a-8fe8dbfd8487", + "data":{ + "Operations":[ + { + "op":"remove", + "path":"emails[type eq home]" + } + ] + } + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:

+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To update multiple users, add an array of PATCH operations. You can include any number of operations in one bulk request.

+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.

+ Possible Value:PATCH. +
pathRequired if op is remove.
+ Optional if op is add or replace. + 		+ Add this path to specify the new user that is being updated.

+ Possible Value:/Users/{user_id}. +
bulkidOptional + A unique identifier for the bulk operation. The bulkid is required for POST operations.

+ Possible Value: An integer value. +
dataRequired + Specify the details of the new user that should be updated. The parameters that can be used for this “data” object are explained below. +
+ +- Data parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
opRequired + The operation that should be applied to the existing user’s data.
+ Possible Values: +
    +
  • add
    • +
  • replace
    • +
  • remove
    • +
+ See SCIM2 Patch Operations for details on how to define patch operations. +
pathRequired if op is remove.
+ Optional if op is add or replace + 		+ The path to the resource (user attribute) that should be updated.
+ For example, if the name of the user is to be updated, the path should be “name”. +
valueRequired if op is remove.
+ Optional if op is add or replace. + 		+ The value of the parameter specified by the path. +

For example, if the path is “name”, the value should be the actual name.

+ See SCIM2 Patch Operations for details on how to define values for the patch operations. +
+ +### Replace users + +Given below is an example request payload to replace existing users in bulk. This request includes an array of operations that replace multiple users. + +```json +{ + "failOnErrors":1, + "schemas":["urn:ietf:params:scim:api:messages:2.0:BulkRequest"], + "Operations":[ + { + "method": "PUT", + "path": "/Users/e67906fb-308f-4b15-89bd-0ab6e3d996e5", + "bulkId": "qwerty", + "data":{ + "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"], + "userName": "Kim", + "name": { + "givenName": "John", + "familyName": "Berry" + }, + "emails": [ + { + "type": "home", + "value": "john@gmail.com" + } + ] + } + }, + { + "method": "PUT", + "path": "/Users/b1781d25-bde5-460a-a58a-8fe8dbfd8487", + "bulkId":"ytrewq", + "data":{ + "schemas":[ + "urn:ietf:params:scim:schemas:core:2.0:User", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" + ], + "userName":"smith", + "name": { + "givenName": "Smith", + "familyName": "Berry" + }, + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{ + "employeeNumber": "12345" + } + } + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:
+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To replace multiple users, add an array of PUT operations. You can include any number of operations in one bulk request.
+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.
+ Possible value:PUT. +
pathRequired + Add this path to specify the existing user that should be replaced by the new user information that is added.
+ Possible value:/Users/{user_id}. +
bulkidOptional + A unique identifier for the bulk operation. The bulkid is required for POST operations.

+ Possible value: An integer value. +
dataRequired + Specify the new user details that should be used to replace the existing user specified in the path. The parameters that can be used for this “data" object are explained below. +
+ +- Data parameters + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
schemasRequired + Specify the list of SCIM2 user schemas where the new user details should replace the existing user specified by the path.
+ Possible values: +
    +
  • urn:ietf:params:scim:schemas:core:2.0:User
    • +
  • urn:ietf:params:scim:schemas:enterprise:2.0:User
    • +
  • urn:scim:wso2:schema
    • +
+
{attribute_name}Required + The name of the attribute that will be replaced.
+ Possible values: User attributes as per the SCIM protocol. +
+ +### Delete users + +Given below is an example request payload to delete existing users in bulk. This request includes an array of operations that delete multiple users. + +```json +{ + "failOnErrors":1, + "schemas":["urn:ietf:params:scim:api:messages:2.0:BulkRequest"], + "Operations":[ + { + "method": "DELETE", + "path": "/Users/e67906fb-308f-4b15-89bd-0ab6e3d996e5" + }, + { + "method": "DELETE", + "path": "/Users/b1781d25-bde5-460a-a58a-8fe8dbfd8487" + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:
+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To delete multiple users, add an array of DELETE operations. You can include any number of operations in one bulk request.
+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.
+ Possible value:DELETE. +
pathRequired + Add this path to specify the existing user that should be deleted.
+ Possible value:/Users/{user_id}. +
+ +## Manage user groups in bulk + +You can use **bulk** operations to add, update, replace, and delete user groups in bulk. + +!!! Info + The examples given below show individual resource operations (POST, PATCH, PUT, or DELETE) handled in a single request. However, note that a single request can execute a combination of operation types simultaneously. + +### Add user groups + +Given below is an example request payload to add user groups in bulk. This request includes an array of operations that adds multiple new user groups. + +```json +{ + "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"], + "Operations": [ + { + "method": "POST", + "path": "/Groups", + "bulkId": "ytrewq", + "data": { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "displayName": "TourGuides", + "members": [ + { + "type": "User", + "value": "3633c988-69bf-48fc-978a-83dfde12695f" + } + ] + } + }, + { + "method": "POST", + "path": "/Groups", + "bulkId": "ytrewq", + "data": { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "displayName": "SLTourGuides", + "members": [ + { + "type": "User", + "value": "3633c988-69bf-48fc-978a-83dfde12695f" + }, + { + "type": "User", + "value": "40390b19-54c9-4e77-b223-fe31d55e59e0" + } + ] + } + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:

+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To add multiple new user groups, add an array of POST operations. You can include any number of operations in one bulk request.
+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.

+ Possible Value:POST. +
pathRequired + Add this path to specify that a new user group that should be added.
+ Possible Value:/Group. +
bulkidOptional + A unique identifier for the bulk operation. The bulkid is required for POST operations.

+ Possible Value: An integer value. +
dataRequired + Specify the details of the new user group that should be added. The parameters that can be used for this “data” object are explained below. +
+ +- Data parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
displayNameRequired + The display name of the user group.
+
membersOptional + An array of member users.
+
displayRequired if members is used. + The display name of a user assigned to the group.
+ Possible values: The username. +
valueRequired if members is used. + The ID of the user.
+ Possible values: The user ID. +
+ +### Update groups + +Given below is an example request payload to update user groups in bulk. This request includes an array of operations that update multiple details in multiple user groups. + +```json +{ + "schemas":[ + "urn:ietf:params:scim:api:messages:2.0:BulkRequest" + ], + "Operations":[ + { + "method":"PATCH", + "path":"/Groups/46887262-2ba1-4cee-b3ef-64549423e0b0", + "data":{ + "Operations":[ + { + "op":"replace", + "path":"members", + "value":[ + { + "display":"smith", + "value":"ba1db5ff-8062-415b-bc78-5f79738d00ea" + } + ] + } + ] + } + }, + { + "method":"PATCH", + "path":"/Groups/18d04a36-0894-4f71-bdc4-2610fcc6ae42", + "data":{ + "Operations":[ + { + "op":"add", + "path":"members", + "value":[ + { + "display":"smith", + "value":"ba1db5ff-8062-415b-bc78-5f79738d00ea" + } + ] + }, + { + "op":"remove", + "path":"members[value eq \"3633c988-69bf-48fc-978a-83dfde12695f\"]" + } + ] + } + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:

+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To update multiple user groups, add an array of PATCH operations. You can include any number of operations in one bulk request.

+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.

+ Possible Value:PATCH. +
pathRequired + Add this path to specify the user group that should be updated.
+ Possible Value:/Group/{group_id}. +
bulkidOptional + A unique identifier for the bulk operation. The bulkid is required for POST operations.

+ Possible Value: An integer value. +
dataRequired + Specify the details that should be updated for the user group specified in the path. The parameters that can be used for this “data” object are explained below. +
+ +- Data parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
opRequired + The operation that should be applied to the existing user group.
+ Possible values: +
    +
  • add
    • +
  • replace
    • +
  • remove
    • +
+ See SCIM2 Patch Operations for details on how to define patch operations. +
pathRequired if op is remove.
+ Optional if op is add or replace. + 		+ Specify “members” as the path.
+ Possible values: members +
valueRequired if op is add or replace. + An array of users that belong to the group. +
+ +- Data operation value parameters + + + + + + + + + + + + +
displayRequired if path is set to members. + The display name of the user, who is a member.
+ Possible values: The username. +
valueRequired if path is set to members. + The user ID of the member user.
+ Possible values: The user ID. +
+ +### Replace groups + +Given below is an example request payload to replace existing user groups in bulk. This request includes an array of operations that replace multiple user groups. + +```json +{ + "failOnErrors":1, + "schemas":[ + "urn:ietf:params:scim:api:messages:2.0:BulkRequest" + ], + "Operations":[ + { + "method":"PUT", + "path":"/Groups/46887262-2ba1-4cee-b3ef-64549423e0b0", + "data":{ + "displayName":"TourGuides", + "members":[ + { + "display":"Alice", + "value":"3633c988-69bf-48fc-978a-83dfde12695f" + } + ] + } + }, + { + "method":"PUT", + "path":"/Groups/18d04a36-0894-4f71-bdc4-2610fcc6ae42", + "data":{ + "displayName":"SLTourGuides", + "members":[ + { + "display":"Alice", + "value":"3633c988-69bf-48fc-978a-83dfde12695f" + } + ] + } + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:
+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To replace multiple user groups, add an array of PUT operations. You can include any number of operations in one bulk request.
+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.
+ Possible value:PUT. +
pathRequired + Add this path to specify the existing user group that should be replaced by the new information that is added.
+ Possible value:/Groups/{group_id}. +
bulkidOptional + A unique identifier for the bulk operation. The bulkid is required for POST operations.

+ Possible value: An integer value. +
dataRequired + Specify the new group details that should be used to replace the existing user group specified in the path. The parameters that can be used for this “data" object are explained below. +
+ +- Data parameters + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
displayNameRequired + The display name of the user group.
+
membersRequired + Array of member users.
+
displayRequired + The display name of a user assigned to the group.
+ Possible values: The username. +
valueRequired + The ID of the user.
+ Possible values: The user ID. +
+ +### Delete users + +Given below is an example request payload to delete existing user groups in bulk. This request includes an array of operations that delete multiple user groups. + +```json +{ + "schemas":["urn:ietf:params:scim:api:messages:2.0:BulkRequest"], + "Operations":[ + { + "method": "DELETE", + "path": "/Groups/46887262-2ba1-4cee-b3ef-64549423e0b0" + }, + { + "method": "DELETE", + "path": "/Groups/18d04a36-0894-4f71-bdc4-2610fcc6ae42" + } + ] +} +``` + +The parameters in the request body are explained below. + +- Main parameters + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
failOnErrorsOptionalThe number of errors that will be accepted by WSO2 IS before returning the response.
+ Possible values: An integer. +
schemasRequiredThis is the schema that is required for sending bulk requests:
+ urn:ietf:params:scim:api:messages:2.0:BulkRequest. +
operationsRequiredArray of operations. To delete multiple user groups, add an array of PUT operations. You can include any number of operations in one bulk request.
+ The parameters that can be used for the operation are explained below. +
+ +- Operation parameters + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
methodRequired + The method that should be used in the operation.
+ Possible value:DELETE. +
pathRequired + Add this path to specify the existing user group that should be deleted.
+ Possible value:/Groups/{group_id}. +
\ No newline at end of file diff --git a/en/identity-server/next/docs/apis/scim2/scim2-bulk-rest-api.md b/en/identity-server/next/docs/apis/scim2/scim2-bulk-rest-api.md new file mode 100644 index 0000000000..a9f6153a07 --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/scim2-bulk-rest-api.md @@ -0,0 +1,5 @@ +--- +template: templates/redoc.html +--- + + diff --git a/en/identity-server/next/docs/apis/scim2/scim2-groups-rest-api.md b/en/identity-server/next/docs/apis/scim2/scim2-groups-rest-api.md new file mode 100644 index 0000000000..2ab5a73107 --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/scim2-groups-rest-api.md @@ -0,0 +1,5 @@ +--- +template: templates/redoc.html +--- + + diff --git a/en/identity-server/next/docs/apis/scim2/scim2-patch-operations.md b/en/identity-server/next/docs/apis/scim2/scim2-patch-operations.md new file mode 100644 index 0000000000..c6566239d1 --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/scim2-patch-operations.md @@ -0,0 +1,941 @@ +# SCIM2 Patch Operations + +Follow the topics given below to understand how **Patch** operations can be used when you invoke the SCIM2 [User PATCH operation]({{base_path}}/apis/scim2-users-rest-apis/#tag/Users-Endpoint/operation/patchUser), [Group PATCH operation]({{base_path}}/apis/scim2-groups-rest-apis/#tag/Groups-Endpoint/operation/patchGroup), [Role PATCH operation]({{base_path}}/apis/roles-v2-rest-api/#tag/Roles-Endpoint/operation/patchRole) and [Me PATCH operation]({{base_path}}/apis/scim2-me-rest-apis/#tag/Me-Endpoint/operation/patchUserMe). + +## Introduction + +WSO2 Identity Server supports **SCIM Patch**, which can be used to update one or more attributes of a SCIM resource. + +When you create your request payload to update attributes in a SCIM resource, you need to first determine the following two factors: + +- Type of attribute that should be updated +- Type of update operation that should be used + +### Types of attributes + + + + + + + + + + + + + + + + + + +
Singular attributeA resource attribute that contains a single value. For example, the displayName attribute can only have one unique value. +
Multi-valued attributeA resource attribute that contains multiple values. For example, the emails attribute may have multiple email addresses as values. +
Complex attributeA singular or multi-valued attribute, which has a value that is a composition of one or more simple attributes. For example, the addresses attribute has the sub-attributes streetAddress, locality, postalCode, and country. +
Simple attributeA singular or multi-valued attribute, which has a value that is a primitive. A simple attribute must not contain sub-attributes. +
+ +### Types of update operations + + + + + + + + + + + + + + +
addAdd a new value for the attribute.
replaceReplace the existing value of an attribute.
removeDelete the existing value of an attribute.
+ +### Patch request payload + +The structure of a patch request payload is as follows: + +```json +{ + "schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + "Operations":[ + { + "op": "add|replace|remove", + "path": "attribute_path|value_path|sub_attribute_path" + "value": {}, + }, + ... + ] +} +``` + +The main parameters in the above payload are explained below. + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
schemasRequiredSpecify the following schema when sending patch requests:
+ urn:ietf:params:scim:api:messages:2.0:PatchOp. +
operationsRequiredSpecify the array of add, remove, replace operations that should be used to update the information. You can include any number of operations in one request.
+ +The parameters per operation in the above payload are explained below. + + + + + + + + + + + + + + + + + + + + + + +
ParameterRequired/OptionalDescription
opRequiredThe method that should be used in the operation.
+ Possible values: +
    +
  • add
    • +
  • remove
    • +
  • replace
    • +
+
pathRequired if op is remove.
+ Optional if op is add or replace. + 		Add the path to specify the attribute/sub-attribute that should be updated.
+ Since path is an optional parameter for add and replace operations, there are two ways to define the operation in a payload: with or without the path parameter. +
valueRequired if op is add or replace.The value that should be updated.
+ +## Patch users + +You can use the patch operations to add/remove/replace attributes of users in a specific SCIM2 schema. Consider the following SCIM2 schemas that you will update: + +- User Core schema +- Enterprise schema +- Custom schemas + +!!! Note + If you are adding or replacing user attributes from a user in the **Core** user schema, it is not necessary to specify the schema in the request payload. See the examples given below. + +### Add user attributes + +Let's create patch request payloads to `add` user attributes of different types. + +**Simple singular attributes** + +Consider the `nickname` attribute in the **Core** user schema and the `country` attribute in the **Enterprise** user schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`). These are simple singular attributes. + +- **Example 1:** Add the `nickName` attribute in the **Core** user schema (without using the path param): + + ```json + { + "op": "add", + "value": { + "nickName": "shaggy" + } + } + ``` + +- **Example 2:** Add the `nickName` attribute in the **Core** user schema (using the path param): + + ```json + { + "op": "add", + "path": "nickName", + "value": "Tomy" + } + ``` + +- **Example 3:** Add the `country` attribute in the **Enterprise** user schema (without using the path param): + + ```json + { + "op": "add", + "value": { + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "country": "Sri Lanka" + } + } + } + ``` + +- **Example 4:** Add the `country` attribute in the **Enterprise** user schema (using the path param): + + ```json + { + "op": "add", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:country", + "value": "India" + } + ``` + +**Complex singular attributes** + +Consider the `name` attribute in the **Core** user schema, which has sub-attributes such as `givenName`, `familyName`, etc. and the `manager` attribute in the **Enterprise** user schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`), which has `displayName`, `value`, `ref`, etc. as sub-attributes. + +These a complex singular attributes because there are multiple sub-attributes. + +- **Example 1:** Add the `name` attribute in the **Core** user schema (without using the path param): + + ```json + { + "op": "add", + "value": { + "name": { + "givenName": "John", + "familyName": "Doe" + } + } + } + ``` + +- **Example 2:** Add the `name` attribute in the **Core** user schema (using the path param): + + !!! Note + There are two ways to define the `path` paratmeter. + + In the first method, you need only one operation to add the sub-attributes as shown below. + + ```json + { + "op": "add", + "path": "name", + "value": { + "givenName": "John", + "familyName": "John" + } + }, + ``` + + In the second method, you need two separate operations to add the sub-attributes as shown below. + + ```json + { + "op": "add", + "path": "name.givenName", + "value": "John" + }, + { + "op": "add", + "path": "name.familyName", + "value": "Doe" + } + ``` + +- **Example 3:** Add the `manager` attribute in the **Enterprise** user schema (without using the path param): + + ```json + { + "op": "add", + "value": { + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "manager": { + "displayName": "Manager1", + "value": "Joe" + } + } + } + } + ``` + +- **Example 4:** Add the `manager` attribute in the **Enterprise** user schema (using the path param): + + ```json + { + "op": "add", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager", + "value": { + "displayName": "Manager2" + } + } + ``` + +**Simple multi-valued attributes** + +Attributes of this type are not found in the core schemas of the SCIM specification. However, you can add simple multi-valued attributes to custom schemas as shown below. + +Let's consider a custom schema with an attribute called `devices`, which can have multiple attributes. + +- **Example 1:** Add the `devices` attribute to a **custom** user schema (without using the path param): + + ```json + { + "op": "add", + "value": { + "urn:scim:wso2:schema": { + "devices": [ + "D1", + "D2", + "D3" + ] + } + } + } + ``` + +- **Example 2:** Add the `devices` attribute to a **custom** user schema (using the path param): + + ```json + { + "op": "add", + "path": "urn:scim:wso2:schema:devices", + "value": ["D4", "D5"] + } + ``` + +**Complex multi-valued attributes** + +Consider the `emails` attribute in the **Core** user schema, which can have multiple emails types such as `home`, `work`, etc. Each email attribute has sub-attributes such as `value`, `type`, and `primary`. + +- **Example 1:** Add the `emails` complex attribute to a **Core** user schema (without using the path param): + + ```json + { + "op": "add", + "value": { + "emails": [ + { + "value": "abc@gmail.com", + "type": "home" + }, + { + "value": "xyz@gmail.com", + "type": "work" + } + ] + } + } + ``` + +- **Example 2:** Add the `emails` complex attribute to a **Core** user schema (using the path param): + + ```json + { + "op": "add", + "path": "emails", + "value": [ + { + "value": "abc@gmail.com", + "type": "home" + }, + { + "value": "xyz@gmail.com", + "type": "work" + } + ] + } + ``` + +### Replace user attributes + +Let's create patch request payloads to `replace` user attributes of different types. + +**Simple singular attributes** + +Consider the `nickname` attribute in the **Core** user schema and the `country` attribute in the **Enterprise** user schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`). These are simple singular attributes. + +- **Example 1:** Replace the `nickName` attribute in the **Core** user schema (without using the path param): + + ```json + { + "op": "replace", + "value": { + "nickName": "Blinki" + } + } + ``` + +- **Example 2:** Replace the `nickName` attribute in the **Core** user schema (using the path param): + + ```json + { + "op": "replace", + "path": "nickName", + "value": "Shaini" + } + ``` + +- **Example 3:** Replace the `country` attribute in the **Enterprise** user schema (without using the path param): + + ```json + { + "op": "replace", + "value": { + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "country": "USA" + } + } + } + ``` + +- **Example 4:** Replace the `country` attribute in the **Enterprise** user schema (using the path param): + + ```json + { + "op": "replace", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:country", + "value": "UK" + } + ``` + +**Complex singular attributes** + +Consider the `name` attribute in **Core** user schema, which has sub-attributes such as `givenName`, `familyName`, etc. and the `manager` attribute in the **Enterprise** user schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`), which has `displayName`, `value`, `ref`, etc. as sub-attributes. + +- **Example 1:** Replace the `name` attribute in the **Core** user schema (without using the path param): + + ```json + { + "op": "replace", + "value": { + "name": { + "givenName": "Peterson" + } + } + } + ``` + +- **Example 2:** Replace the `name` attribute in the **Core** user schema (using the path param): + + ```json + { + "op": "replace", + "path": "name", + "value": { + "givenName": "Martin", + "familyName": "Freeman" + } + }, + { + "op": "replace", + "path": "name.familyName", + "value": "Jackson" + } + ``` + +- **Example 3:** Replace the `manager` attribute in the **Enterprise** user schema (without using the path param): + + ```json + { + "op": "replace", + "value": { + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { + "manager": { + "displayName": "Manager3", + "value": "Tom" + } + } + } + } + ``` + +- **Example 4:** Replace the `manager` attribute in the **Enterprise** user schema (using the path param): + + ```json + { + "op": "replace", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager", + "value": { + "displayName": "Manager4" + } + }, + { + "op": "replace", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value", + "value": "Jem" + } + ``` + +**Simple multi-valued attributes** + +This type of attribute is not found in the core schemas of the SCIM specification. However, there is a capability to add simple multi-valued attributes to our extended schemas (custom schemas). + +Let's consider a custom schema with an attribute called devices. + +- **Example 1:** Replace the `devices` attribue in a **Custom** user schema (without using the path param): + + ```json + { + "op": "replace", + "value": { + "urn:scim:wso2:schema": { + "devices": ["M1", "M2"] + } + } + } + ``` + +- **Example 2:** Replace the `devices` attribue in a **custom** user schema (using the path param): + + ```json + { + "op": "replace", + "path": "urn:scim:wso2:schema:devices", + "value": [ + "M6", + "M7" + ] + } + ``` + +**Complex multi-valued attributes** + +Consider the `emails` attribute in the **Core** user schema, which can have multiple emails types such as `home`, `work`, etc. Each email attribute has sub-attributes such as `value`, `type`, and `primary`. + +- **Example 1:** Replace the `emails` attribute in a **Core** user schema (without using the path param): + + ```json + { + "op": "replace", + "value": { + "emails": [ + { + "value": "abcd@gmail.com", + "type": "home" + }, + { + "value": "wxyz@gmail.com", + "type": "work" + } + ] + } + } + ``` + +- **Example 2:** Replace the `emails` attribute in a **Core** user schema (using the path param): + + ```json + { + "op": "replace", + "path": "emails", + "value": [ + { + "value": "abcde@gmail.com", + "type": "home" + }, + { + "value": "vwxyz@gmail.com", + "type": "work" + } + ] + } + ``` + +### Remove user attributes + +Let's create patch request payloads to `remove` user attributes of different types. + +**Simple singular attributes** + +Consider the `nickname` attribute in the **Core** user schema and the `country` attribute in the **Enterprise** user schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`). These are simple singular attributes. + +- **Example 1:** Remove the `nickName` attribute of a user in the **Core** user schema. + + ```json + { + "op": "remove", + "path": "nickName" + } + ``` + +- **Example 2:** Remove the `country` attribute of a user in the **Enterprise** user schema. + + ```json + { + "op": "remove", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:country" + } + ``` + +**Complex singular attributes** + +Consider the `name` attribute in **Core** user schema, which has sub-attributes such as `givenName`, `familyName`, etc. and the `manager` attribute in the **Enterprise** user schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`), which has `displayName`, `value`, `ref`, etc. as sub-attributes. + +!!! Note + - If the path contains the complex attribute, all sub-attribute values are removed. + - There is a special case for the `name` attribute. Even though `“path”: “name”` is specified, the `familyName` attribute is not removed. This is only applicable when an LDAP user store is used. + - If you just want to delete a sub-attribute of a complex attribute, use the `attribute.subattribute` format as shown below. + +- **Example 1:** Remove a sub-attribute of the `name` attribute in the **Core** user schema: + + ```json + { + "op": "remove", + "path": "name.givenName" + } + ``` + +- **Example 2:** Remove the manager's `value` attribute and whole `manager` object in the **Enterprise** user schema: + + ```json + { + "op": "remove", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value" + }, + { + "op": "remove", + "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager" + } + ``` + +**Simple multi-valued attributes** + +This type of attribute is not found in the core schemas of the SCIM specification. However, there is a capability to add simple multi-valued attributes to our extended schemas (custom schemas). + +Let's consider a custom schema with an attribute called devices. + +```json +{ + "op": "remove", + "path": "urn:scim:wso2:schema:devices[value eq \"M7\"]" +}, +{ + "op": "remove", + "path": "urn:scim:wso2:schema:devices" +} +``` + +**Complex multi-valued attributes** + +Consider the `emails` attribute in the **Core** user schema, which can have multiple emails types such as `home`, `work`, etc. Each email attribute has sub-attributes such as `value`, `type`, and `primary`. + +```json +{ + "op": "remove", + "path": "emails[type eq home]" +}, +{ + "op": "remove", + "path": "emails" +} +``` + +## Patch groups + +You can use the patch operations to add/remove/replace users (members) in a user group. You can also rename the a user group by using the `replace` operation. + +### Add members + +Let's create patch request payloads to `add` members to a user group. + +- **Example 1:** Add a member to a group (without using the path param): + + ```json + { + "op": "add", + "value": { + "members": [ + { + "display": "alex", + "value": "0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + } + ``` + +- **Example 2:** Add a member to a group (using the path param): + + ```json + { + "op": "add", + "path": "members", + "value": [ + { + "display": "alex", + "value": "0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + ``` + +### Replace members + +Let's create patch request payloads to `replace` members in a user group. + +- **Example 1:** Replace members in a group (without using the path param): + + ```json + { + "op": "replace", + "value": { + "members": [ + { + "display": "alex", + "value": "0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + } + ``` + +- **Example 2:** Replace members in a group (using the path param): + + ```json + { + "op":"replace", + "path":"members", + "value":[ + { + "display":"alex", + "value":"0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + ``` + +### Remove members + +Let's create patch request payloads to `remove` members from a user group. + +- **Example 1:** Specify the member (by user ID) who needs to be removed. + + ```json + { + "op": "remove", + "path": "members[value eq 0565f472-28fe-4d93-83ad-096c66ed4a47]" + } + ``` + +- **Example 2:** Specify the member (by username) who needs to be removed. + + ```json + { + "op": "remove", + "path": "members[display eq alex]" + } + ``` + +### Rename user group + +Let's create a patch request payload to rename an existing user group. + +- **Example 1:** Rename a user group (without using the path param): + + ```json + { + "op": "replace", + "value": { + "displayName": "new_group_name" + } + } + ``` + +- **Example 1:** Rename a user group (using the path param): + + ```json + { + "op": "replace", + "path": "displayName", + "value": "new_group_name" + } + ``` + +## Patch roles + +You can use the patch operations to add/remove/replace users and user groups for a role. + +### Assign users + +Let's create patch request payloads to `add` users to a user role. + +- **Example 1:** Assign users to a role (without using the path param): + + ```json + { + "op": "add", + "value": { + "users": [ + { + "display": "alex", + "value": "0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + } + + + ``` + +- **Example 2:** Assign users to a role (using the path param): + + ```json + { + "op": "add", + "path": "users", + "value": [ + { + "display": "alex", + "value": "0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + ``` + +### Replace users + +Let's create patch request payloads to `replace` users assigned to a user role. + +- **Example 1:** Replace users in a role (without using the path param): + + ```json + { + "op": "replace", + "value": { + "users": [ + { + "display": "alex", + "value": "0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + } + ``` + +- **Example 2:** Replace users in a role (using the path param): + + ```json + { + "op": "replace", + "path": "users", + "value": [ + { + "display": "alex", + "value": "0565f472-28fe-4d93-83ad-096c66ed4a47" + } + ] + } + ``` + +### Remove users + +Let's create patch request payloads to `remove` users from a user role. + +- **Example 1:** Specify the user (by user ID) who needs to be removed. + + ```json + { + "op": "remove", + "path": "users[value eq 0565f472-28fe-4d93-83ad-096c66ed4a47]" + } + ``` + +- **Example 2:** Specify the user (by username) who needs to be removed. + + ```json + { + "op": "remove", + "path": "members[users eq alex]" + } + ``` + +### Assign user groups + +Let's create patch request payloads to `add` user groups to a user role. + +- **Example 1:** Assign user groups to a role (without using the path param): + + ```json + { + "op": "add", + "value": { + "groups": [ + { + "value": "78144fd9-48e7-4fc9-95b5-cd3883f5ce4a" + } + ] + } + } + ``` + +- **Example 2:** Assign user groups to a role (using the path param): + + ```json + { + "op": "add", + "path": "groups", + "value": [ + { + "value": "78144fd9-48e7-4fc9-95b5-cd3883f5ce4a" + } + ] + } + ``` + +### Replace user groups + +Let's create patch request payloads to `replace` user groups assigned to a user role. + +- **Example 1:** Replace user groups in a role (without using the path param): + + ```json + { + "op": "replace", + "value": { + "groups": [ + { + "value": "78144fd9-48e7-4fc9-95b5-cd3883f5ce4a" + } + ] + } + } + ``` + +- **Example 2:** Replace user groups in a role (using the path param): + + ```json + { + "op": "replace", + "path": "groups", + "value": [ + { + "value": "78144fd9-48e7-4fc9-95b5-cd3883f5ce4a" + } + ] + } + ``` + +### Remove user groups + +Let's create patch request payloads to `remove` user groups assigned to a user role. + +- **Example 1:** Specify the group (by group ID) that needs to be removed. + + ```json + { + "op": "remove", + "path": "groups[value eq 78144fd9-48e7-4fc9-95b5-cd3883f5ce4a]" + } + ``` + +- **Example 2:** Specify the group (by group name) that needs to be removed. + + ```json + { + "op": "remove", + "path": "groups[display eq PRIMARY/ABCD]" + } + ``` diff --git a/en/identity-server/next/docs/apis/scim2/scim2-resource-types.md b/en/identity-server/next/docs/apis/scim2/scim2-resource-types.md new file mode 100644 index 0000000000..da68d8f3a3 --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/scim2-resource-types.md @@ -0,0 +1,5 @@ +--- +template: templates/redoc.html +--- + + diff --git a/en/identity-server/next/docs/apis/scim2/scim2-sp-config-rest-api.md b/en/identity-server/next/docs/apis/scim2/scim2-sp-config-rest-api.md new file mode 100644 index 0000000000..f407ad7bcd --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/scim2-sp-config-rest-api.md @@ -0,0 +1,5 @@ +--- +template: templates/redoc.html +--- + + diff --git a/en/identity-server/next/docs/apis/scim2/scim2-users-rest-api.md b/en/identity-server/next/docs/apis/scim2/scim2-users-rest-api.md new file mode 100644 index 0000000000..ceb4e2b771 --- /dev/null +++ b/en/identity-server/next/docs/apis/scim2/scim2-users-rest-api.md @@ -0,0 +1,5 @@ +--- +template: templates/redoc.html +--- + + diff --git a/en/identity-server/next/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png b/en/identity-server/next/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png index 4a56d0637d..710de0c276 100644 Binary files a/en/identity-server/next/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png and b/en/identity-server/next/docs/assets/img/guides/account-configurations/admin-initiated-password-reset.png differ diff --git a/en/identity-server/next/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md b/en/identity-server/next/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md index 572693b7d6..3bc1a0a025 100644 --- a/en/identity-server/next/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md +++ b/en/identity-server/next/docs/guides/account-configurations/account-recovery/admin-initiated-password-reset.md @@ -1,27 +1 @@ -# Admin initiated password reset - -Provide administrators with the ability to initiate a password reset process for users in {{product_name}}. - -## Configuration instructions - -To set up admin initiated password reset, follow these instructions: - -1. In the {{product_name}} Console, go to **Login & Registration** > **Account Recovery** > **Admin Initiated - Password Reset**. -2. Check the option to **Enable password reset via recovery email** if you want users to reset their password through a recovery link sent via email. -3. Click **Update** to save the changes. - -![Admin Initiated Password Reset Configuration]({{base_path}}/assets/img/guides/account-configurations/admin-initiated-password-reset.png){: width="600" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - -
ParameterDescription
Enable Password Reset via Recovery EmailWhen enabled, allows users to reset their password through a link sent to their email.
+{% include "../../../../../../includes/guides/account-configurations/account-recovery/admin-initiated-password-reset.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/guides/account-configurations/account-recovery/password-recovery.md b/en/identity-server/next/docs/guides/account-configurations/account-recovery/password-recovery.md index 555ea03216..4c6fc9ad20 100644 --- a/en/identity-server/next/docs/guides/account-configurations/account-recovery/password-recovery.md +++ b/en/identity-server/next/docs/guides/account-configurations/account-recovery/password-recovery.md @@ -1,58 +1 @@ -# Password recovery - -Enable self-service password recovery for users, providing a secure method to reset passwords on the login page of {{product_name}}. - -## Configuration instructions - -To configure password recovery, follow these steps: - -1. In the {{product_name}} Console, go to **Login & Registration** > **Account Recovery** > **Password Recovery**. -2. Toggle the switch to enable passwords recovery option to allow users to recover their passwords. -3. Select one or both of the recovery options: **Email Link** or **SMS OTP**, to enable them for your account. - ![Password Recovery Configuration]({{base_path}}/assets/img/guides/organization/account-recovery/password-recovery/configure-password-recovery.png){: width="800" style="display: block; margin: 0;"} -4. Configure the below settings if you want to change the password recovery configurations. - - - - - - - - - - - - - - - -

Email Link

Notify on successful recoverySpecifies whether to notify the user via an email when password recovery is successful.
Recovery link expiry timeSpecifies password recovery link expiry time in minutes. If you enter 60 min, the password recovery email notification will expire after 60 min.
- - - - - - - - - - - -

SMS OTP

Password recovery OTP expiry timeSpecifies the duration (in minutes) after which the OTP code sent through SMS will expire.
-5. Configure the below settings if you want to change the password recovery OTP code configurations. - !!! info - Note that including a character set does not guarantee that at least one of those characters will be included in each OTP code. - ![Password Recovery Configuration]({{base_path}}/assets/img/guides/organization/account-recovery/password-recovery/configure-password-recovery-otp-code.png){: width="800" style="display: block; margin: 0;"} - - - - - - - -
Password recovery OTP expiry timeSpecifies the duration (in minutes) after which the OTP code sent through SMS will expire.
-6. Set the following settings to configure the limitations for password recovery attempts. - ![Password Recovery Attempts Limitations Configuration]({{base_path}}/assets/img/guides/organization/account-recovery/password-recovery/configure-password-recovery-attempts-limitation.png){: width="800" style="display: block; margin: 0;"} -7. Click **Update** once you configure the required settings. - -Try self-service password recovery. +{% include "../../../../../../includes/guides/account-configurations/account-recovery/password-recovery.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/guides/account-configurations/account-recovery/username-recovery.md b/en/identity-server/next/docs/guides/account-configurations/account-recovery/username-recovery.md index 2fe158f3a1..3e843ac6a4 100644 --- a/en/identity-server/next/docs/guides/account-configurations/account-recovery/username-recovery.md +++ b/en/identity-server/next/docs/guides/account-configurations/account-recovery/username-recovery.md @@ -1,27 +1 @@ -# Username recovery - -Allow users to retrieve their usernames through a self-service process on the login page in {{product_name}}. - -## Configuration instructions - -To enable username recovery, take the following steps: - -1. In the {{product_name}} Console, go to **Login & Registration** > **Account Recovery** > **Username Recovery**. -2. Enable the prefered username channels by selecting the appropriate checkboxes. - - **Email**: Users can recover their usernames by Email. - - **SMS**: Users can recover their usernames by SMS. -3. Click **Update** to save the changes. - -![Username Recovery Configuration]({{base_path}}/assets/img/guides/account-configurations/username-recovery.png){: width="900" style="display: block; margin: 0;"} - -!!! note - Once users enter their details on the username recovery page, such as their first name, email, or mobile number, if the system can verify a unique user based on the provided information, an email will be sent to their registered email address. If the system is unable to identify a unique user, no recovery information will be sent by default. - - If you want to enable username recovery for non-unique users, you can configure it by adding the following configuration to the `deployment.toml` file located in the `/repository/conf` directory. - - ``` toml - [identity_mgt.username_recovery.non_unique_user] - enabled = true - ``` - - When this configuration is enabled, the system will send **multiple recovery notifications** with all usernames associated with the identified users. \ No newline at end of file +{% include "../../../../../../includes/guides/account-configurations/account-recovery/username-recovery.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/guides/account-configurations/login-security/login-attempts.md b/en/identity-server/next/docs/guides/account-configurations/login-security/login-attempts.md index 5760277a4d..8067f09d5e 100644 --- a/en/identity-server/next/docs/guides/account-configurations/login-security/login-attempts.md +++ b/en/identity-server/next/docs/guides/account-configurations/login-security/login-attempts.md @@ -1,61 +1 @@ -# Login attempts - -Secure user accounts from unauthorized access by configuring the login attempts policy in {{product_name}}. - -## Configuration instructions - -To manage login attempts settings, do the following: - -1. In the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Login Attempts**. -2. Adjust the settings according to your security requirements. -3. Click **Update** to save the changes. - -![Login Attempts Configuration]({{base_path}}/assets/img/guides/account-configurations/login-attempts.png){: width="900" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - - - - - -
ParameterDescription
Number of Consecutive Failed Login AttemptsThe count of consecutive incorrect login attempts before locking the account.
Account Lock DurationThe time in minutes an account stays locked after reaching the failed attempt limit.
Account Lock Duration Increment FactorThe rate at which the lock duration increases after successive lockouts.
- -!!! Info - - In the {{product_name}} login pages, a generic error message is displayed by default to end-users in the event of login failures. To show more specific error messages on the login page, the following properties can be configured in the `deployment.toml` file, which is located in the `/repository/conf` directory. - - Basic authenticator configurations: - - ```toml - [authentication.authenticator.basic.parameters] - showAuthFailureReason = true - showAuthFailureReasonOnLoginPage = true - ``` - - Email OTP authenticator configurations: - - ```toml - [authentication.authenticator.email_otp.parameters] - showAuthFailureReason = true - showAuthFailureReasonOnLoginPage = true - ``` - - TOTP authenticator configurations: - - ```toml - [authentication.authenticator.totp.parameters] - showAuthFailureReason = true - showAuthFailureReasonOnLoginPage = true - ``` +{% include "../../../../../../includes/guides/account-configurations/login-security/login-attempts.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/guides/account-configurations/login-security/password-validation.md b/en/identity-server/next/docs/guides/account-configurations/login-security/password-validation.md index 81b6ec1eee..8ac83abcbf 100644 --- a/en/identity-server/next/docs/guides/account-configurations/login-security/password-validation.md +++ b/en/identity-server/next/docs/guides/account-configurations/login-security/password-validation.md @@ -1 +1 @@ -{% include "../../../../../../includes/guides/user-accounts/account-security/password-validation.md" %} \ No newline at end of file +{% include "../../../../../../includes/guides/account-configurations/login-security/password-validation.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/guides/account-configurations/login-security/session-management.md b/en/identity-server/next/docs/guides/account-configurations/login-security/session-management.md index 6a699e048b..a18675687f 100644 --- a/en/identity-server/next/docs/guides/account-configurations/login-security/session-management.md +++ b/en/identity-server/next/docs/guides/account-configurations/login-security/session-management.md @@ -1,30 +1 @@ -# Session management - -Customize session timeout and remember me settings to maintain optimal security and user experience in {{product_name}}. - -## Configuration instructions - -To adjust session management settings, follow these steps: - -1. On the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Session Management**. -2. Configure the **Idle Session Timeout** and **Remember Me Period** to suit your security policies. -3. Click **Update** to save the changes. - -![Session Management Configuration]({{base_path}}/assets/img/guides/account-configurations/session-management.png){: width="800" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - -
ParameterDescription
Idle Session TimeoutTime in minutes before an inactive user session is automatically ended.
Remember Me PeriodDuration in minutes that the system will remember a user's session.
+{% include "../../../../../../includes/guides/account-configurations/login-security/session-management.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md b/en/identity-server/next/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md index 34ef476337..a0a349c55d 100644 --- a/en/identity-server/next/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md +++ b/en/identity-server/next/docs/guides/account-configurations/user-onboarding/invite-user-to-set-password.md @@ -1,45 +1 @@ -# Invite user to set password - -Allow administrator to invite users to set their own passwords during the onboarding process in {{product_name}}. - -## Configuration instructions - -For inviting users to set their password, follow these instructions: - -1. On the {{product_name}} Console, go to **Login & Registration** > **User Onboarding** > **Invite User to Set Password**. -2. Check the **Enable email invitations for user password setup** to send an email to the user to set the password after user creation. -3. Select the **Enable account lock on creation** to lock the user account during user creation. -4. If you want to send an account activation confirmation email, enable the **Send account activation email**. -5. Set the **Password setup invitation code expiration time** in minutes to define how long the password setup invitation e-mail would be valid. For infinite validity period, set -1. Setting 0 will cause immediate expiry of the invitation -6. Click **Update** to save the changes. - -![Invite User to Set Password Configuration]({{base_path}}/assets/img/guides/account-configurations/invite-user-to-set-password.png){: width="700" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - -
ParameterDescription
Enable user email verificationTriggers a verification notification during user creation if enabled.
Enable account lock on creationLocks the user account during creation to prevent unauthorized access.
Send account activation emailSends an email to users for account activation if enabled.
Email verification code expiry timeThe duration in minutes for which the email verification code remains valid.
Password Setup Invitation Code Expiration TimeDefines the validity period in minutes for the password setup code sent to users. For infinite validity period, set -1.
+{% include "../../../../../../includes/guides/account-configurations/user-onboarding/invite-user-to-set-password.md" %} \ No newline at end of file diff --git a/en/identity-server/next/docs/guides/account-configurations/user-onboarding/self-registration.md b/en/identity-server/next/docs/guides/account-configurations/user-onboarding/self-registration.md index 8bbc43c668..cf711a9885 100644 --- a/en/identity-server/next/docs/guides/account-configurations/user-onboarding/self-registration.md +++ b/en/identity-server/next/docs/guides/account-configurations/user-onboarding/self-registration.md @@ -1,43 +1 @@ -# Self registration - -Enable users to self-register and create their own accounts within the organization on {{product_name}}. - -## Configuration instructions - -To set up self-registration, follow these steps: - -1. On the {{product_name}} Console, go to **Login & Registration** > **User Onboarding** > **Self Registration**. -2. Toggle the switch to enable self-registration. -3. Configure the additional settings such as account verification, auto-login, and notification emails as needed. -4. Click **Update** to save the changes. - -![Self Registration Configuration]({{base_path}}/assets/img/guides/account-configurations/self-registration.png){: width="900" style="display: block; margin: 0;"} - -## Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - -
ParameterDescription
Account VerificationWhen enabled, requires users to verify their accounts as part of registration.
Account verification link expiry timeTime in minutes until the account verification link expires.
Activate account immediatelyIf selected, the new account is activated immediately after registration without waiting for account confirmation.
Enable auto loginIf selected, the user will be automatically logged in after registration.
Send sign up confirmation emailA confirmation email is sent upon successful self-registration if this option is enabled.
+{% include "../../../../../../includes/guides/account-configurations/user-onboarding/self-registration.md" %} \ No newline at end of file diff --git a/en/includes/guides/account-configurations/account-recovery/admin-initiated-password-reset.md b/en/includes/guides/account-configurations/account-recovery/admin-initiated-password-reset.md new file mode 100644 index 0000000000..84f58d0dfb --- /dev/null +++ b/en/includes/guides/account-configurations/account-recovery/admin-initiated-password-reset.md @@ -0,0 +1,15 @@ +# Admin initiated password reset + +Administrators can initiate password recovery for users. Once initiated, an email will be sent to the user with a password recovery link which can be used to reset the password. + +To do so, + +1. On the {{product_name}} Console, go to **Login & Registration**. + +2. Under **Account Recovery**, click on **Admin Initiated Password Reset**. + +3. Check the option to **Enable password reset via recovery email**. + +4. Click **Update** to save the changes. + +![Admin Initiated Password Reset Configuration]({{base_path}}/assets/img/guides/account-configurations/admin-initiated-password-reset.png){: width="600" style="display: block; margin: 0;"} \ No newline at end of file diff --git a/en/includes/guides/account-configurations/account-recovery/password-recovery.md b/en/includes/guides/account-configurations/account-recovery/password-recovery.md new file mode 100644 index 0000000000..23698e9d34 --- /dev/null +++ b/en/includes/guides/account-configurations/account-recovery/password-recovery.md @@ -0,0 +1,114 @@ +# Password recovery + +{% if product_name == "WSO2 Identity Server" and is_version == "7.0.0" %} + +You may enable self-service password recovery for users so that they may reset their forgotten passwords right from the login page. Once enabled, users can click the `Forgot password?` option and receive a password reset link to their registered emails. + +To do so, + +1. On the {{product_name}} Console, go to **Login & Registration**. +2. Under **Account Recovery**, click on **Password Recovery**. +3. Toggle the switch on to enable password recovery. +4. Configure the following options: + + + + + + + + + + +
Notify on Successful RecoveryWhen checked, the user will be notified via email after a successful password recovery.
Recovery Link Expiry TimeTime in minutes until the password recovery link expires.
+ +5. Click **Update** to save the changes. + +![Password Recovery Configuration]({{base_path}}/assets/img/guides/account-configurations/password-recovery.png){: width="800" style="display: block; margin: 0;"} + +{% else %} + +You may enable self-service password recovery for users so that they may reset their forgotten passwords right from the login page. Users can click the `Forgot password?` option and either receive an email or a mobile OTP to reset the password. + +To do so, + +1. On the {{product_name}} Console, go to **Login & Registration**. +2. Under **Account Recovery**, click on **Password Recovery**. +3. Toggle the switch to enable passwords recovery option to allow users to recover their passwords. +4. Select both **Email Link** and **SMS OTP** or one of the options to enable them for your organization. + + ![Password Recovery Configuration]({{base_path}}/assets/img/guides/organization/account-recovery/password-recovery/configure-password-recovery.png){: width="800" style="display: block; margin: 0;"} + +5. Configure the corresponding settings. + + + + + + + + + + + + + + + +

Email Link

Notify on successful recoverySpecifies whether to notify the user via an email when password recovery is successful.
Recovery link expiry timeSpecifies the duration (in minutes) after which the email link will expire.
+ + + + + + + + + + + +

SMS OTP

Password recovery OTP expiry timeSpecifies the duration (in minutes) after which the OTP code sent through SMS will expire.
+ +6. Configure the following settings if you wish to customize the OTP pattern. + + + + + + + + + + + + + + + + + + +
Include upper case lettersIf nothing else is selected, the code will have only upper case letters or else a combination of upper case letters and any other selected character types.
Include lower case lettersIf nothing else is selected, the code will have only lower case letters or else a combination of lower case letters and any other selected character types.
Include numeric charactersIf nothing else is selected, the code will have only digits or else a combination of digits and any other selected character types.
Password recovery OTP code lengthSpecify the length of the code
+ + !!! info + + Including a character set does not guarantee that at least one of those characters will be included in each OTP code. + +7. Set the following settings to configure the limitations for password recovery attempts. + + + + + + + + + + + + +
Max failed attempts countSpecifies the maximum number of incorrect entries allowed for a password recovery method.
Max resend attempts countSpecifies the maximum number of times a user can request to resend the OTP or recovery link.
+ +8. Click **Update** once you configure the required settings. + +{% endif %} \ No newline at end of file diff --git a/en/includes/guides/account-configurations/account-recovery/username-recovery.md b/en/includes/guides/account-configurations/account-recovery/username-recovery.md new file mode 100644 index 0000000000..6e3b2a3716 --- /dev/null +++ b/en/includes/guides/account-configurations/account-recovery/username-recovery.md @@ -0,0 +1,36 @@ +# Username recovery + +You may enable self-service username recovery for users so that they may reset their forgotten usernames right from the login page. Once enabled, users can click the `Forgot username?` option and proceed to recover their usernames. + +To do so, + +1. On the {{product_name}} Console, go to **Login & Registration**. +2. Under **Account Recovery**, click on **Username Recovery**. + +{% if product_name == "WSO2 Identity Server" and "is_version" == "7.0.0" %} + +3. Toggle the switch to enable username recovery option. +4. Click **Update** to save the changes. + +![Username Recovery Configuration]({{base_path}}/assets/img/guides/account-configurations/username-recovery.png){: width="900" style="display: block; margin: 0;"} + +{% else %} + +3. Select both **email based recovery** and **SMS based recovery** or one of the options to enable them for your organization. + +3. Click **Update** to save the changes. + +![Username Recovery Configuration]({{base_path}}/assets/img/guides/account-configurations/username-recovery.png){: width="800" style="display: block; margin: 0;"} + +!!! note "Send recovery emails to non-unique users" + + When a user attempts to recover the username, {{product_name}} requests for the first name, last name and either the email address or mobile number. If based on the details, a unique user is found, an email will be sent to the registered email address. If a unique user is not found, no action will be taken. + + + To enable sending emails to all users matching the provided information, even if the user is not unique, add the following configuration to the `deployment.toml` file located in the `/repository/conf` directory: + + ``` toml + [identity_mgt.username_recovery.non_unique_user] + enabled = true + ``` +{% endif %} \ No newline at end of file diff --git a/en/includes/guides/account-configurations/index.md b/en/includes/guides/account-configurations/index.md new file mode 100644 index 0000000000..4ca0032b7a --- /dev/null +++ b/en/includes/guides/account-configurations/index.md @@ -0,0 +1,30 @@ +# Account configurations + +{{product_name}} provides a robust suite of tools designed to ensure secure and efficient management of user accounts. This section details the configurations available to administrators for enhancing user account security, streamlining the onboarding process, and facilitating account recovery. + +## Login security +Enhance the security of user logins through various settings that prevent unauthorized access. + +- [Password Validation]({{base_path}}/guides/account-configurations/login-security/password-validation/) +- [Login Attempts]({{base_path}}/guides/account-configurations/login-security/login-attempts/) +- [Bot Detection]({{base_path}}/guides/account-configurations/login-security/bot-detection/) +{% if product_name == "WSO2 Identity Server" %} +- [Session Management]({{base_path}}/guides/account-configurations/login-security/session-management/) +{% endif %} + +## User onboarding +Streamline the addition of new users to your organization with flexible onboarding configurations. + +- [Self Registration]({{base_path}}/guides/account-configurations/user-onboarding/self-registration/) +{% if product_name == "WSO2 Identity Server" %} +- [Invite User to Set Password]({{base_path}}/guides/account-configurations/user-onboarding/invite-user-to-set-password/) +{% endif %} + +## Account recovery +Provide users with options to recover their access credentials, ensuring they can regain account access efficiently. + +- [Password Recovery]({{base_path}}/guides/account-configurations/account-recovery/password-recovery/) +{% if product_name == "WSO2 Identity Server" %} +- [Username Recovery]({{base_path}}/guides/account-configurations/account-recovery/username-recovery/) +- [Admin Initiated Password Reset]({{base_path}}/guides/account-configurations/account-recovery/admin-initiated-password-reset/) +{% endif %} \ No newline at end of file diff --git a/en/includes/guides/account-configurations/login-security/bot-detection.md b/en/includes/guides/account-configurations/login-security/bot-detection.md index 5e05a57f2a..e9225f78be 100644 --- a/en/includes/guides/account-configurations/login-security/bot-detection.md +++ b/en/includes/guides/account-configurations/login-security/bot-detection.md @@ -11,8 +11,8 @@ This guide explains how you can enable bot detection for your applications to mi To enable bot detection, proceed with the following: -1. In the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Bot Detection**. -2. Toggle the switch to activate reCAPTCHA for your organization. +1. On the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Bot Detection**. +2. Toggle the switch on to activate reCAPTCHA for your organization. ![Bot Detection Configuration]({{base_path}}/assets/img/guides/account-configurations/bot-detection.png){: width="900" style="display: block; margin: 0;"} diff --git a/en/includes/guides/account-configurations/login-security/login-attempts.md b/en/includes/guides/account-configurations/login-security/login-attempts.md new file mode 100644 index 0000000000..e300b24dd6 --- /dev/null +++ b/en/includes/guides/account-configurations/login-security/login-attempts.md @@ -0,0 +1,99 @@ +# Configure login-attempts security + +You can protect user accounts in {{ product_name }} from brute-force attacks by locking the account after consecutive failed login attempts. + +You can configure the number of consecutive failed login attempts that should be allowed for users in an organization. When a user exceeds this number of attempts, the account is automatically locked and the user is informed via email. The account will be activated automatically after the specified lock duration. + +## Enable login attempts security + +This setting is disabled by default. To enable login attempts security, + +1. On the {{ product_name }} Console, go to **Login Registration**. + +2. Click on **Login Attempts** under **Login Security** section. + +3. Switch to **Enabled** to enable this configuration. + + ![Enable login attempts security]({{base_path}}/assets/img/guides/organization/account-security/login-attempts-security/enable-login-attempts-security.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +4. Configure the settings below if you want to change how login attempts security works by default. + + ![View account security options]({{base_path}}/assets/img/guides/account-configurations/login-attempts.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + + + + + + + + + + + + + + + + + + + + + +
Number of consecutive failed login attemptsSpecifies the number of consecutive failed login attempts allowed before the account is locked.
+ If you enter 5 as the value, the user's account is locked when five login attempts fail consecutively.
Account lock durationSpecifies the initial duration that the account will be locked for. The account is automatically unlocked after this time period.
+ If you enter 5 minutes as the value, the user's account is locked for 5 minutes starting from the last login attempt. The user can log in again after 5 minutes.
Account lock duration increment factorSpecifies the factor by which the account lock duration should be incremented on further failed login attempts after the account is locked.
Notify user when lock time is increasedSend an email notification to the user when the lock time increases due to continuous failed login attempts.
+ +5. Click **Update** once you configure the required settings. + +## How it works + +Let's look at how the login attempt configurations work with an example. Imagine a scenario where an admin has configured the settings below: + +- Number of consecutive failed login attempts: 5 +- Account lock duration: 5 min +- Account lock duration increment factor: 2 + +Based on the above settings, the following happens when a user tries to log in with an incorrect password. + +1. User tries to log in with an incorrect password for **5 consecutive attempts**. +2. User account will be **locked** for **5 minutes**. +3. After **5 minutes**, the account will be unlocked. + + - If the user enters the correct password, the user can successfully log in. + - If the user tries enters an incorrect password for another **5 consecutive attempts**, the account lock period will be incremented by **2 times** the previous lock duration i.e. the account will be locked for 2 x (5 ^ 1)= 10 minutes. + - If the user attempts to enter an incorrect password for another **5 consecutive attempts**, after the wait time (10min), the account will be locked again for 2 * (5 ^ 2)= 50 minutes. + +``` +Time for account to unlock = Account lock duration increment factor * (Account lock duration factor ^ Number of account locks due to consecutive failed logins) +``` + +{% if product_name == "WSO2 Identity Server" %} + +!!! Info + - In the {{product_name}} login pages, a generic error message is displayed by default to end-users in the event of login failures. To show more specific error messages on the login page, the following properties can be configured in the `deployment.toml` file, which is located in the `/repository/conf` directory. + + Basic authenticator configurations: + + ```toml + [authentication.authenticator.basic.parameters] + showAuthFailureReason = true + showAuthFailureReasonOnLoginPage = true + ``` + + Email OTP authenticator configurations: + + ```toml + [authentication.authenticator.email_otp.parameters] + showAuthFailureReason = true + showAuthFailureReasonOnLoginPage = true + ``` + + TOTP authenticator configurations: + + ```toml + [authentication.authenticator.totp.parameters] + showAuthFailureReason = true + showAuthFailureReasonOnLoginPage = true + ``` +{% endif %} \ No newline at end of file diff --git a/en/includes/guides/account-configurations/login-security/password-validation.md b/en/includes/guides/account-configurations/login-security/password-validation.md new file mode 100644 index 0000000000..a2b1f7064e --- /dev/null +++ b/en/includes/guides/account-configurations/login-security/password-validation.md @@ -0,0 +1,124 @@ +# Password validation + +This guide explains how you can manage user passwords securely using multiple validation techniques, such as enforcing password expiration and imposing password complexity requirements. + +## Configure password validation + +You may find the configuration options by following the steps below. + +1. On the {{product_name}} Console, navigate to **Login & Registration**. + +2. Under **Login Security**, select **Password Validation**. + +3. On the **Password Validation** page, use the following three options to validate passwords. Each option is explained in detail in the sections below: + + - [Rule-based password expiration](#rule-based-password-expiration): Define rules to control password expiration based on the user's groups and roles. + - [Password history count](#password-history-count): Specify how often users can reuse old passwords. + - [Password input validation](#password-input-validation): Set requirements for password complexity by defining its length constraints and required character types. + +3. Click **Update** to save the changes. + +## Rule-Based password expiration + +Rule-based password expiration allows administrators to set custom password expiration rules based on the user's groups and roles. The higher a rule appears on the list, the greater its priority. Rules are evaluated based on their priorities and the first rule that matches the user's condition will take effect. + +To configure rule-based password expiration, + +1. Turn the **Password Expiration** toggle on to enable password expiration. + +2. Set a default password expiry rule that applies to any user that does not meet the custom criteria. + +3. Click **Add Rule** and start defining custom rules. Each subsequent rule you add will be added to the top of the list. You may use the arrows on the left to change their priorities. + + ![Rule-Based Password Expiration]({{base_path}}/assets/img/guides/organization/account-security/password-validation/password-expiration.png){: width="800" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +Refer to the following table for more information on rule parameters. + + + + + + + + + + + + + + + + + + + + + + +
ParameterDescription
AttributeUser attribute against which you are enforcing password expiry. Select either Groups or Roles.
ValuesSelect the specific group/role. You may also select multiple values thus making the rule act as an AND operator, and is enforced only on users belonging to all selected groups/roles.
Operator +
    +
  • Apply: Password expiry will be enforced for users who meet the rule criteria.
    • +
  • Skip: Password expiry will not be enforced for users who meet the rule criteria.
    • +
+
Expiration (days)Passwords of users meeting the criteria expire after this number of days.
+ +## Password history count + +The **Password History Count** feature allows you to specify the number of unique new passwords a user must use before an old password can be reused. This enhances account security by preventing the reuse of old passwords. + +![Password History Count]({{base_path}}/assets/img/guides/organization/account-security/password-validation/password-history-count.png){: width="800" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +To enable this, select the corresponding checkbox and configure the following option. + + + + + + + + + + +
ParameterDescription
Password History Count[Optional] The number of unique passwords that must be set before reusing an old password.
Example: If set to 3, the user cannot reuse the last three passwords they have set.
+ +## Password input validation + +The **Password Input Validation** feature enables you to set password complexity requirements which include minimum password length and required character types. + +![Password Input Validation]({{base_path}}/assets/img/guides/organization/account-security/password-validation/password-input-validation.png){: width="800" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +Configure the following parameters to enforce input validation. + + + + + + + + + + + + + + + + + + + + + + +
ParameterDescription
Number of charactersYou can add the minimum and maximum length of the password users should use.
Mandatory charactersBy default, a user password should contain at least one of the following characters. +
    +
  • Numbers
    • +
  • Upper-case characters
    • +
  • Lower-case characters
    • +
  • Special characters
    • +
+
Number of unique characters[Optional] This field identifies the number of unique (non-repeated) characters the password should contain.
Number of repeated characters[Optional]This field identifies the number of characters that can be repeated consecutively in a user password.
Example: If you assign 1 as the number of repeated characters, the password cannot contain any repeated characters consecutively.
The password aa1@Znlq is incorrect as it has the character a appearing consecutively.
+ +!!! note "Validation for whitespace in passwords" + + {{product_name}} automatically trims leading and trailing whitespace from passwords when creating, updating, or when entering passwords to login. \ No newline at end of file diff --git a/en/includes/guides/account-configurations/login-security/session-management.md b/en/includes/guides/account-configurations/login-security/session-management.md new file mode 100644 index 0000000000..6a699e048b --- /dev/null +++ b/en/includes/guides/account-configurations/login-security/session-management.md @@ -0,0 +1,30 @@ +# Session management + +Customize session timeout and remember me settings to maintain optimal security and user experience in {{product_name}}. + +## Configuration instructions + +To adjust session management settings, follow these steps: + +1. On the {{product_name}} Console, go to **Login & Registration** > **Login Security** > **Session Management**. +2. Configure the **Idle Session Timeout** and **Remember Me Period** to suit your security policies. +3. Click **Update** to save the changes. + +![Session Management Configuration]({{base_path}}/assets/img/guides/account-configurations/session-management.png){: width="800" style="display: block; margin: 0;"} + +## Parameters + + + + + + + + + + + + + + +
ParameterDescription
Idle Session TimeoutTime in minutes before an inactive user session is automatically ended.
Remember Me PeriodDuration in minutes that the system will remember a user's session.
diff --git a/en/includes/guides/account-configurations/user-onboarding/invite-user-to-set-password.md b/en/includes/guides/account-configurations/user-onboarding/invite-user-to-set-password.md new file mode 100644 index 0000000000..119e8c9aa9 --- /dev/null +++ b/en/includes/guides/account-configurations/user-onboarding/invite-user-to-set-password.md @@ -0,0 +1,45 @@ +# Invite user to set password + +Allow administrator to invite users to set their own passwords during the onboarding process in {{product_name}}. + +## Configuration instructions + +For inviting users to set their password, follow these instructions: + +1. On the {{product_name}} Console, go to **Login & Registration** > **User Onboarding** > **Invite User to Set Password**. +2. Check the **Enable email invitations for user password setup** to send an email to the user to set the password after user creation. +3. Select the **Enable account lock on creation** to lock the user account during user creation. +4. If you want to send an account activation confirmation email, enable the **Send account activation email**. +5. Set the **Password setup invitation code expiration time** in minutes to define how long the password setup invitation e-mail would be valid. For infinite validity period, set -1. Setting 0 will cause immediate expiry of the invitation. +6. Click **Update** to save the changes. + +![Invite User to Set Password Configuration]({{base_path}}/assets/img/guides/account-configurations/invite-user-to-set-password.png){: width="700" style="display: block; margin: 0;"} + +## Parameters + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterDescription
Enable user email verificationTriggers a verification notification during user creation if enabled.
Enable account lock on creationLocks the user account during creation to prevent unauthorized access.
Send account activation emailSends an email to users for account activation if enabled.
Email verification code expiry timeThe duration in minutes for which the email verification code remains valid.
Password Setup Invitation Code Expiration TimeDefines the validity period in minutes for the password setup code sent to users. For infinite validity period, set -1.
diff --git a/en/includes/guides/account-configurations/user-onboarding/self-registration.md b/en/includes/guides/account-configurations/user-onboarding/self-registration.md new file mode 100644 index 0000000000..c7f85e79c2 --- /dev/null +++ b/en/includes/guides/account-configurations/user-onboarding/self-registration.md @@ -0,0 +1,175 @@ +# Self registration + +You can enable users to self-register to your organization from the login page of the application. This creates a new user account for the user. + +## Enable/Disable self-registration + +To enable/disable user self-registration or to change the default configurations, see the following instructions: + +1. On the {{ product_name }} Console, go to **Login & Registration**. + +2. Under **User Onboarding**, click **Self Registration**. + + ![Configure self registration]({{base_path}}/assets/img/guides/organization/self-registration/configure-self-registration.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +3. Turn the toggle on to enable self-registration or off to disable it. + +4. Configure the settings below. + + + + + + + + + + + + + + + + {% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version != "7.0.0") %} + + + + + {% endif %} + + + + + +
Account verification + If enabled, an email will be sent to the user's specified email address requesting account confirmation.

+ If this option is enabled along with the Activate account immediately option, users will be signed into the application without waiting for verification. However, you may leverage the account verification status to control the user experience and the level of access granted for the user. + [Learn how to get verification status](#get-the-verification-status-of-user-accounts). +
Account verification link expiry timeSpecifies the duration (in minutes) after which the confirmation link expires.
Activate account immediately + Activates the account without waiting for account verification.

+ However, you may leverage the account verification status to control the user experience and the level of access granted for the user. + [Learn how to get verification status](#get-the-verification-status-of-user-accounts). +
Display message if username unavailable + Display a message to the user from the registration page if the selected username is already taken. Enable this with caution, as it may lead to username enumeration. +
Enable auto login + When a user self-registers: +
    +
  • If MFA is not configured, the user is redirected straight into the application without having to log in.
    • +
  • If MFA is configured, the initial level of authentication is bypassed, and the user is directed straight to the next configured authentication steps.
    • +
+ Note that if Account Verification is enabled, it is mandatory to also enable Activate account immediately to enable auto login. +
+ + +## Configure self-registration methods + +Users may self-register to your organization using the same methods configured as sign-in options in your application. + +Refer to the documentation on how to [configure sign-in options]({{base_path}}/guides/authentication/) for your application. + +!!! note + Currently, {{ product_name }} does not support Magic Links for self-registration. + +During user self-registration, the available methods are displayed to the user as shown below. + +![Self sign-up methods]({{base_path}}/assets/img/guides/organization/self-registration/sign-up-methods.png){: width="300" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +For information on how a user can self-register, refer to [Try self-registration]({{base_path}}/guides/user-self-service/self-register/). + +## Customize the self-registration form + +If a user decides to self-register using email, the following form is displayed to the user. + +![Self registration form]({{base_path}}/assets/img/guides/organization/self-registration/self-register-form.png){: width="300" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +You can follow the instructions below and customize the attributes presented during self-registration. + +1. On the {{ product_name }} Console, go to **User Attributes & Stores** > **Attributes**. +2. Under **Manage Attributes**, click on **Attributes**. +2. Click the **Edit** icon on the attribute that you wish to add/remove from the registration form. + + ![customize user attributes in self-registration form]({{base_path}}/assets/img/guides/organization/self-registration/self-registration-form-attributes.png){: width="500" style="display: block; margin: 0; border: 0.3px solid lightgrey;"} + +3. Select **Display this attribute on the user's profile**. The attribute will now appear on the self-registration form presented to the user (Uncheck the attribute to remove from the registration form). +4. Select **Make this attribute required on the user's profile** if it is a mandatory attribute. + +!!! note + Learn more about [user attributes]({{base_path}}/guides/users/attributes/manage-attributes/). + +## Get the verification status of user accounts + +The verification status of a user account indicates whether or not the user has confirmed the account through email verification. You may leverage this status to enforce access control or tailor the user interface of your application. + +This capability is especially useful when you have self-registered users. For example, you may want self-registered users with unverified accounts to only have read access to your application, whereas verified users may get complete access. + +!!! tip + + To implement this scenario, you must enforce account verification for self-registered users and activate accounts immediately without waiting for verification.

Learn more in [enable/disable self-registration](#enabledisable-self-registration). + +You can get the account verification status of users through the [SCIM2 API]({{base_path}}/apis/scim2/scim2-users-rest-api/) as shown below. + +{% if product_name == "Asgardeo" %} + +- To get your own information, invoke the `/scim2/Me` endpoint: + + ```bash + https://api.asgardeo.io/t/{organization_name}/scim2/Me + ``` + +- To get information about other users in your organization, invoke the `/scim2/Users/` endpoint: + + ```bash + https://api.asgardeo.io/t/{organization_name}/scim2/Users/{user_id} + ``` + +{% else %} + +- To get your own information, invoke the `/scim2/Me` endpoint: + + ```bash + https://localhost:9443/scim2/Me + ``` + +- To get information about other users in your organization, invoke the `/scim2/Users/` endpoint: + + ```bash + https://localhost:9443/scim2/Users/{user_id} + ``` + +{% endif %} + +The following is part of the API response: + +``` text +"roles": [ + { + "display": "selfsignup", + "value": "a85d4baf-2e7a-37b1-a722-d4d427039736", + "$ref": "https://{{ host_name }}{{ organization_path_param }}/scim2/v2/Roles/16ba9acb-fa30-42ef-8e25-29b557862124", + "audienceValue": "", + "audienceType": "organization", + "audienceDisplay": "" + }, + ...... + ], +"{{ scim_schema_for_wso2_custom_claims }}": { + "emailVerified": "true", + "accountConfirmedTime": "2023-02-16T03:07:34.392293Z" + ..... +} +``` +Note the following details in the response payload: + + + +!!! abstract "" + - If the `role.display` parameter is set to `selfsignup`, the user has self-registered. + - Under the `urn:scim:wso2:schema` schema, if the `emailVerified` parameter is available, the user has already clicked the email link to verify the account. This parameter will have the following values: + + - `true` - User has successfully verified the account. + - `false` - User's account verification attempt has failed. + + - The `accountConfirmedTime` parameter will only be available under the same schema when email verification is successful for self-registered users. + +Once you have identified the `emailVerified` status of the user and the method by which the user is onboarded (self-registration or onboarded by an administrator), you can enforce any access restrictions for that user through your application logic. +