7.7. Register Policy¶
7.7.1. User registration¶
Users are allowed to register with eduMFA. I.e. a user that does not exist in a given realm and resolver can create a new account.
Note
Registering new users is only possible, if there is a writeable resolver and if the necessary policy in the scope register is defined. For editable UserIdResolvers see UserIdResolvers.
If a register policy is defined, the login window of the Web UI gets a new link “Register”.
A user who clicks the link to register a new account gets this registration dialog:
During registration the user is also enrolled Registration token. This registration code is sent to the user via a notification email.
Note
Thus - using the right policies in scope webui and authentication - the user could login with the password he set during registration an the registration code he received via email.
7.7.2. Policy settings¶
In the scope register several settings define the behaviour of the registration process.
7.7.2.1. realm¶
type: string
This is the realm, in which a new user will be registered. If this realm is not specified, the user will be registered in the default realm.
7.7.2.2. resolver¶
type: string
This is the resolver, in which the new user will be registered. If this resolver is not specified, registration is not possible!
Note
This resolver must be an editable resolver, otherwise the user can not be created in this resolver.
7.7.2.3. smtpconfig¶
type: string
This is the unique identifier of the SMTP server configuration. This SMTP server is used to send the notification email with the registration code during the registration process.
Note
If there is no smtpconfig or set to a wrong identifier, the user will get no notification email.
7.7.2.4. requiredemail¶
type: string
This is a regular expression according to [1].
Only email addresses matching this regular expression are allowed to register.
Example: If you want to authenticate the user only by the OTP value, no matter what OTP PIN he enters, a policy might look like this:
action: requiredemail=/.*@mydomain\..*/
This will allow all email addresses from the domains mydomain.com, mydomain.net etc…
7.7.2.5. registration_body¶
type: str
The body of the registration email. Use the {regkey}
as tag for the
registration key.