Registration & Enrollment

IAM implements a basic registration service that requires the intervention of an IAM admin. In fact, when users apply for membership in an organization, administrators are asked to validate membership requests.

Registration with external IdP

When an external OIDC or SAML IdP is used to authenticate users, IAM allows to configure:

  • Whether users are required to authenticate through an external IdP and optionally which ones
  • Which information must be retrieved from the IdP to fill the account creation form

This is done by creating a YAML file in /indigo-iam/config, for example /indigo-iam/config/application-registration.yaml. When deploying IAM with a container, a volume providing this file must be mapped into the container.

The contents in this file must be under the following hierarchy:

iam:
  registration:

Requiring external authentication

To require that users must authenticate through an external IdP, you need to set the parameter require-external-authentication=true. You can also specify the type of external IdP (oidc or saml) and require one specific issuer.

The following fragment is an example of authentication with the (OIDC-based) CERN SSO required before being redirected to the registration page. It also defines how information from identity tokens issued by CERN SSO is mapped to IAM membership information

iam:
  registration:
    require-external-authentication: true
    oidc-issuer: https://auth.cern.ch/auth/realms/cern
    authentication-type: oidc

Filling information from IdP

The first time a user authenticates in an IAM instance, the account creation form will be displayed. It is possible to request that some of the fields are filled with the value of an IdP attribute and to define that some of these fields are read-only, i.e. that the value provided by the IdP cannot be changed.

To enable filling the creation form with values provided by the IdP, you need to create a YAML file in /indigo-iam/config, for example /indigo-iam/config/application-registration.yaml. The contents should be something similar to:

iam:
  registration:
    fields:
      email:
        read-only: false
        external-auth-attribute: email
      name:
        read-only: false
        external-auth-attribute: given_name
      surname:
        read-only: false
        external-auth-attribute: family_name
      username:
        read-only: false
        external-auth-attribute: preferred_username

read-only can be set to true if you want to prevent that the value provided supplied by the ID is modified by the user. Note that if a field is defined as read-only=true and now value is not provided by the IdP, it may result that the user cannot submit the account creation form if the field, when it is required.

external-auth-attribue must be the name of the IdP attribute, or token claim (when provided by SAML IdPs, or OIDC Providers, respectively) to use for the mentioned account creation form field.

Automatic enrollment through SAML IdPs

In case of registration through an external SAML Identity Provider, IAM offers a flexible user enrollment flow, also without IAM admin intervention. The default IAM behavior is that the user enrollment requires an administrator approval step.

In order to enable the automatic enrollment flow via an external IdP, one should set the following properties, under the saml hierarchy:

saml:
  jit-account-provisioning:
    enabled: true
    # this will consider as trusted all the IdPs declared in your
    # application-saml.yml file
    trusted-idps: all

In order to directly declare the list of trusted SAML IdPs, a comma separated list of entity IDs have to be set, e.g. saml.jit-account-provisioning.trusted-idps=idp1,idp2,idp3.

User editable fields

Starting with version 1.6.0, IAM allows to limit which fields of the user profile are editable by users.

The default, backward-compatible settings that allow users to edit all their profile fields are defined as follows:

iam:
  user-profile:
    editable-fields:
      - email
      - name
      - picture
      - surname

To prevent modifications to any of the fields remove the field name from editable-fields list.

External configuration can be managed by placing directives as shown above in a custom configuration file

Automatically set the nickname as attribute

Since IAM v1.9.0, during a registration request the username can be automatically added as an attribute named nickname. This process happens both for login with external provider, or when one directly clicks on the Apply for an account button. The nickname value will be the same as the username set during the registration request.

This behavior does not appear by default. To enable it, add to your config file

iam:
  registration:
    add-nickname-as-attribute: true

or set the environment variable IAM_ADD_NICKNAME_AS_ATTRIBUTE=true.

Once the new IAM user has been created, the Attributes view from the dashboard looks like the following

Attributes view

Last modified July 22, 2024: Add description of client registration variables/properties (#122) (9a80609)