|Oracle® Fusion Middleware User's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)
Part Number E14316-04
This chapter describes the tasks that you can perform using self-service registration and how to configure auto-approval for self-registration in the following sections:
When accessed in an unauthenticated context, the login page lets you log in and is the starting point for all unauthenticated operations. This page is displayed when you access Oracle Identity Manager Administrative and User Console without authenticating, either natively to Oracle Identity Manager or by using SSO.
Typical tasks you can perform before logging in to Oracle Identity Manager Administrative and User Console include:
If Oracle Identity Manager is configured to support native authentication, then the login link takes you to a form in which you can authenticate by using your Oracle Identity Manager username and password.
If Oracle Identity Manager is configured to support Single Sign-On (SSO), then the login link takes you to the SSO application login page.
To log in to Oracle Identity Manager Administrative and User Console:
1. Go to the Oracle Identity Manager Administrative and User Console login page.
2. In the User ID field, enter your username.
3. In the Password field, enter your password.
4. Click Sign In. If you are successfully authenticated, then you are logged in and directed to the main page in the authenticated context.
The login attempt might generate an error because of the following reasons:
Incorrect credentials: If the user name and password entered are not correct, then an error message is displayed. This may be because of the following reasons:
Username does not exist
Password is incorrect
Username exists but the user is deleted
The system configuration property Maximum Number of Login Attempts specifies the number of times authentication can fail before your OIM account is locked. By default, this value is 10. The login backend keeps a counter of failed login attempts for each account. When a login fails, the backend increments the counter. On a successful authentication while the account is not locked, the counter is reset to 0. If the counter exceeds the value of the Login Failures Allowed before Lockout configuration property, then the account is locked. In addition, the value of the Account Locked On attribute is set to the current timestamp, and the value of the Manually Locked attribute is set to No.
If the configuration property is set to 0 or a negative number, then the account is not locked irrespective of how many login attempts fail.
Locked account: If the account is locked, then you are not allowed to log in even if the credentials are correct. If an account is locked by the system and not manually locked, then the system configuration property "Direct Locked User to Forgotten Password" determines if the error message stating that the account is locked also directs you to the "Forgotten Password" feature. Going through that flow successfully will unlock a locked account if the system is configured to do so.
Disabled user: If your user account is disabled, then you are not allowed to log in.
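The failure counter, lockout threshold, zero-or-negative "never lock" rule, and the locked and disabled outcomes described above, modelled as a small Python state machine. This is an added illustration, not Oracle Identity Manager's own code: the account and configuration classes are constructed for the example, "exceeds" is implemented as a strict greater-than comparison, and the position of the disabled check relative to the credential check is an assumption, since the page does not state it.

```python
# Added example, not Oracle Identity Manager code: a model of the login-failure
# counter and lockout behaviour described above.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    password: str                          # constructed sample; a real store keeps a hash
    login_failures: int = 0                # failed-attempt counter kept by the login backend
    locked: bool = False
    account_locked_on: Optional[datetime] = None   # "Account Locked On" attribute
    manually_locked: Optional[bool] = None         # "Manually Locked" attribute
    disabled: bool = False
    deleted: bool = False


@dataclass
class LoginConfig:
    # "Maximum Number of Login Attempts" (default 10); 0 or negative disables lockout
    max_login_attempts: int = 10
    # "Direct Locked User to Forgotten Password"
    direct_locked_user_to_forgotten_password: bool = False


def attempt_login(accounts: Dict[str, Account], username: str, password: str,
                  config: LoginConfig, now: Optional[datetime] = None) -> str:
    """Process one login attempt, update the account state, and return the outcome."""
    now = now or datetime.now(timezone.utc)
    account = accounts.get(username)

    # Unknown username, or username exists but the user is deleted: same generic error
    if account is None or account.deleted:
        return "Incorrect credentials"

    # A locked account is refused even when the credentials are correct
    if account.locked:
        if not account.manually_locked and config.direct_locked_user_to_forgotten_password:
            return "Account locked; use Forgotten Password to unlock"
        return "Account locked"

    if password != account.password:
        account.login_failures += 1
        # Lock only when the property is positive and the counter exceeds it
        if config.max_login_attempts > 0 and account.login_failures > config.max_login_attempts:
            account.locked = True
            account.account_locked_on = now
            account.manually_locked = False
        return "Incorrect credentials"

    # Assumption: the disabled check is applied after the credentials are verified
    if account.disabled:
        return "User disabled"

    # Successful authentication on an unlocked account resets the counter
    account.login_failures = 0
    return "Authenticated"


if __name__ == "__main__":
    accounts = {"alice": Account("alice", "s3cret")}
    cfg = LoginConfig(max_login_attempts=3)
    for attempt in range(5):
        print(attempt + 1, attempt_login(accounts, "alice", "wrong", cfg),
              "failures:", accounts["alice"].login_failures, "locked:", accounts["alice"].locked)
    print(attempt_login(accounts, "alice", "s3cret", cfg))
```

With `max_login_attempts=3`, the first three wrong passwords only raise the counter; the fourth pushes it past the threshold and locks the account, after which even the correct password is refused. With the property at 0 the counter keeps growing but the account is never locked, which is the condition a defender should look for when reviewing the property value.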
If your password has expired, then the Change Password form is displayed. You are not allowed to proceed to the main page of the console without changing the password. Enter a new password and click Sign In.
If the system configuration property "Force to set questions at start up" is set to "Yes", then the login flow checks if you have set the required challenge responses on your profile. If not, then the form to set the challenge responses is displayed. If you have the challenge responses set, or if the configuration property is set to "No", then this step is skipped. In the form, set the challenge responses, and then click Submit.
Alternatively, you can click Remind Later if you want to skip setting the challenge questions and log on to Oracle Identity Manager Self Service.
Note: The PCQ.FORCE_SET_QUES system property, whose name is Force to set questions at startup, indicates whether or not the challenge questions must be set on login. If not, then a Remind Later button is displayed. On clicking this button, you can log in to the console without setting the challenge questions.
If you attempt to access a deep linked UI in Oracle Identity Manager and you are not already logged in, then you are redirected to the login page. Follow the login instruction provided in this section to log on to Oracle Identity Manager. However, you will be directed to the deep linked UI instead of the authenticated User console.
If the system property "Force Password Change At First Login" is set to "Yes" then the login flow forces you to change the password the first time when you log in to Oracle Identity Manager Administrative and User Console.
Oracle Identity Manager requires you to register yourself as an identity in Oracle Identity Manager to perform certain tasks in Oracle Identity Manager Self Service. To register yourself in Oracle Identity Manager:
1. In the Oracle Identity Manager Administrative and User Console login page, click Register. The Basic Information page of the User Registration wizard is displayed.
2. Enter the first name, middle name, last name, and email in the respective fields and click Next. The Login Information and Security Information page is displayed.
The UI does not allow you to enter more than the allowed number of characters. The maximum length for the values entered during self-registration is 80 characters for First Name, Middle Name, Last Name, and Common Name, and 382 characters for the Display Name.
If any other attributes are added to the self-service UI by modifying the dataset, their values are not validated explicitly. The field on the UI allows only as many characters as are specified in the length field of the UI.
There is no restriction on the characters that can be entered in each of these fields. The input for each of these fields can contain any special characters.
The email must match the pattern specified in the system property XL.EmailValidationPattern. If the email is not valid, the UI gives the error "Invalid e-mail ID. Please enter a valid email ID." If the email ID specified is already used by another user in the system, the UI gives the error "Email ID <email id> is already taken. Please enter a different Email ID."
In the Select a User ID and Password section, enter the user login, password, and confirm password. The password entered is subject to a password policy. On the next page, the password policy is shown adjacent to the password fields. If the password does not satisfy the criteria of the password policy, the UI gives an error stating the criteria that must be satisfied. See "Password Management" for detailed information about password policies.
If you do not enter a password, then the system generates a password automatically and emails it to the email address that you entered on the first page of the User Registration wizard.
The registration form is populated internally from the templates provided for self-registration. The registration page contains the attributes defined in the template; it is not hardcoded to these attributes.
The administrator can create custom self-registration URLs by specifying the custom template name in the URL. The link that the end user uses then determines the template used during self-registration, so multiple forms of self-registration can be supported through such register links. The registration link is either configured on the UI or specified in the email sent to the end user.
3. In the Set your Challenge Questions and Answers section, select the challenge questions and set an answer for each question. The challenge questions and answers are checked to ensure that:
distinct challenge questions are selected
a distinct answer is specified for each challenge question
If these conditions are not satisfied, an error is displayed.
4. Click Register. You are provided a tracking ID for the registration request that can be used for tracking the request.
Challenge questions and answers are asked only if the corresponding attribute is defined in the template for self-registration.
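The length limits, the email pattern and uniqueness checks, and the distinct-question and distinct-answer checks described in the registration steps above, combined in one Python validator. This is an added example, not Oracle Identity Manager's own code: the regular expression stands in for the deployment-specific value of XL.EmailValidationPattern, the set of existing email IDs is constructed, and the password policy is not modelled because the page does not state its rules.

```python
# Added example, not Oracle Identity Manager code: server-side validation of a
# self-registration form following the checks described in the steps above.
import re
from typing import Any, Dict, List, Tuple

# Maximum lengths stated for the default self-registration attributes
MAX_LENGTHS: Dict[str, int] = {
    "First Name": 80,
    "Middle Name": 80,
    "Last Name": 80,
    "Common Name": 80,
    "Display Name": 382,
}

# Constructed stand-in for the value of the XL.EmailValidationPattern system
# property; the real pattern is whatever your deployment configures.
EMAIL_VALIDATION_PATTERN = r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"

# Constructed set of email IDs already assigned to users in the system
EXISTING_EMAILS = {"existing.user@example.com"}

EMAIL_INVALID = "Invalid e-mail ID. Please enter a valid email ID."


def validate_registration(form: Dict[str, Any],
                          existing_emails=EXISTING_EMAILS,
                          pattern: str = EMAIL_VALIDATION_PATTERN) -> List[str]:
    """Return the validation errors for a registration form (empty list if valid)."""
    errors: List[str] = []

    # Length limits only: the fields accept any characters, so no
    # character-class restriction is applied here.
    for name, limit in MAX_LENGTHS.items():
        value = str(form.get(name, ""))
        if len(value) > limit:
            errors.append(f"{name} exceeds {limit} characters")

    # Email: must match the configured pattern and be unused by any other user.
    # Case-insensitive comparison of existing IDs is an assumption of this example.
    email = str(form.get("Email", ""))
    if not re.match(pattern, email):
        errors.append(EMAIL_INVALID)
    elif email.lower() in {e.lower() for e in existing_emails}:
        errors.append(f"Email ID {email} is already taken. Please enter a different Email ID.")

    # Challenge questions: every selected question and every answer must be distinct
    pairs: List[Tuple[str, str]] = list(form.get("Challenge", []))
    questions = [q for q, _ in pairs]
    answers = [a for _, a in pairs]
    if len(set(questions)) != len(questions):
        errors.append("Distinct challenge questions not selected")
    if len(set(answers)) != len(answers):
        errors.append("Distinct answers not specified for the challenge questions")

    return errors


if __name__ == "__main__":
    # Constructed sample submission
    sample = {
        "First Name": "Ana", "Middle Name": "", "Last Name": "Lopez",
        "Common Name": "Ana Lopez", "Display Name": "Ana Lopez",
        "Email": "ana.lopez@example.com",
        "Challenge": [("City of birth?", "a"), ("First pet?", "b"), ("First school?", "c")],
    }
    print(validate_registration(sample) or "form is valid")
```

The validator reports every failing check at once rather than stopping at the first one, which mirrors how the UI shows field-level errors, and it deliberately applies only length limits to the name fields because the page states that any special characters are accepted there; downstream consumers of those values must therefore encode them appropriately.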
Not all Oracle Identity Manager deployments support self-registration. This is especially true of internal deployments that manage the identities of employees and contractors, where identities are added through reconciliation rather than self-registration.
The configuration property that controls this is "Is Self-Registration Allowed". The Register link is always displayed on the unauthenticated self-service console. If the property is set to False, then clicking the Register link gives the error "Self registration is not allowed". If it is set to True, then self-registration is allowed.
You can track your request to register as an identity in Oracle Identity Manager. If the current status indicates success, then you can go to the Oracle Identity Manager Administrative and User Console, and then enter your username and password to log in to the Oracle Identity Manager Self Service.
To track your registration:
1. In the Oracle Identity Manager Administrative and User Console login page, click Track Registration. The Request Status page is displayed.
2. In the Tracking ID field, enter the tracking ID that was assigned to your registration request. Then click Submit. The Self-Registration Status page is displayed with the following details:
Request submission date
This date is not shown explicitly. When the request has been submitted and approval is not yet done, the date shown equals the request submission date. Therefore, track registration shows only the last update date.
Every self-registration request that is submitted has to go through approvals for it to be processed completely. See "Approval Levels" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for details about the different approval levels.
If a user tracks the current status of the request, the status is shown with a description of the stage the request is in. The status is one of the following:
Pending: This state indicates that the request is submitted and approval is pending. In the case of default approval, the following status message is displayed while the request-level approval is pending:
"Obtaining request-level approval for registration. The manager needs to approve this request."
Once the request-level approval is obtained, the following status message is displayed:
"Obtaining operation-level approval for registration."
Rejected: This state indicates that the request was rejected during approval. The description indicates the reason for rejection. In the case of default approval levels, if the request is rejected at the request approval level, the following status message is displayed:
"Request approval rejected for registration."
If the request is rejected at the operation approval level, the following status message is displayed:
"Operation approval rejected for registration."
Completed: This state indicates that the request is completed. If all the approvals have been provided and the request is successfully completed, the following status message is displayed:
"The registration request is completed."
Failed: This state indicates that the request failed during submission. If the request submission fails, the following status message is displayed:
"The request registration failed."
Date of last status update
Note: You can only track the status of self-registration requests from this page.
End-user self-registration can be configured so that the system will automatically approve new registrations without human intervention.
In the default self-registration template, SelfCreateUserDataset.xml, the Organization field is designated as an approver-only field. This means that an approver must manually supply a value for the Organization field when approving the request. To configure the self-registration template so that registrations are approved automatically, make a copy of the default template, remove the approver-only flag for the Organization field, and provide a link to the new template. See the following task for more details.
To Configure Auto-Approval for Self-Registration:
Note: You must understand the concepts covered in Chapter 10, "Managing Requests", before undertaking this task.
1. Create a new request template for the Self-Register User operation by making a copy of the default template. Include the Organization attribute, but add a restriction by specifying the organization that must be used.
For information about configuring the request template, see Chapter 17, "Managing Request Templates".
2. Modify the self-create user dataset to remove the approver-only flag for the Organization attribute.
For details about request datasets, see "Creating a Request Dataset for the Resources" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
For information about uploading the dataset into MDS, see "Uploading Request Datasets into MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
3. Create two new approval policies: one with request-level approval enabled for self-registration, and the other with operation-level approval enabled.
For information about creating approval policy rules, see "Creating Approval Policies".
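As an added illustration of step 2 above (not Oracle's code, and not the exact format of the shipped SelfCreateUserDataset.xml), the following Python script lists the attributes in a request dataset that carry the approver-only flag, which blocks automatic approval because an approver must supply their value, and strips the flag from a named attribute. The element name AttributeReference, the attribute name approver-only, and the sample dataset content are assumptions constructed for the example; compare them against your actual dataset before relying on the check.

```python
# Added example, not Oracle Identity Manager code. Finds approver-only attributes
# in a request dataset (they force a human approver to supply a value, so the
# request cannot be auto-approved) and removes the flag from a named attribute.
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample in the general shape of a request dataset. The element name
# AttributeReference and the attribute name approver-only are assumptions; the
# shipped SelfCreateUserDataset.xml may differ and must be checked.
SAMPLE_DATASET = """<request-data-set name="SelfCreateUserDataSet" entity="User" operation="SELF-CREATE">
  <AttributeReference name="First Name" attr-ref="First Name" type="String" length="80" widget="text" required="true"/>
  <AttributeReference name="Last Name" attr-ref="Last Name" type="String" length="80" widget="text" required="true"/>
  <AttributeReference name="Organization" attr-ref="act_key" type="Long" length="10" widget="lookup" required="true" approver-only="true"/>
</request-data-set>
"""


def _local_name(tag: str) -> str:
    """Strip any XML namespace prefix ({ns}Name -> Name) so namespaced files also match."""
    return tag.rsplit("}", 1)[-1]


def approver_only_attributes(xml_text: str) -> List[str]:
    """Return the names of attributes flagged approver-only in the dataset."""
    root = ET.fromstring(xml_text)
    return [
        el.get("name", "")
        for el in root.iter()
        if _local_name(el.tag) == "AttributeReference"
        and el.get("approver-only", "false").strip().lower() == "true"
    ]


def auto_approval_ready(xml_text: str) -> bool:
    """True when no attribute requires an approver-supplied value."""
    return not approver_only_attributes(xml_text)


def remove_approver_only(xml_text: str, attribute_name: str) -> Tuple[str, int]:
    """Drop the approver-only flag from the named attribute; return (new XML, count changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for el in root.iter():
        if _local_name(el.tag) == "AttributeReference" and el.get("name") == attribute_name:
            if "approver-only" in el.attrib:
                del el.attrib["approver-only"]
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("approver-only before:", approver_only_attributes(SAMPLE_DATASET))
    new_xml, n = remove_approver_only(SAMPLE_DATASET, "Organization")
    print(f"removed flag from {n} attribute(s); auto-approval ready:", auto_approval_ready(new_xml))
```

The check covers only the dataset. Once the approver-only flag is gone, nobody reviews the Organization value before the user is created, so the template restriction from step 1 (a fixed organization) is what keeps an auto-approved registration from landing in an organization of the requester's choosing; verify both before uploading the dataset to MDS.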
To use the newly created template for self-registration, refer to the following:
The system accepts a parameter T_ID=<template name> to select a custom template for self-registration. If the user clicks the Register link, the following page is displayed:
This page uses the default template.
To use a custom template, append T_ID to the end of the request URL, for example:
This will display the self-registration page as per "new_template" instead of the default one.