Oracle® Fusion Middleware User's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)
Part Number E14316-08
This chapter describes the tasks that you can perform using self-service registration and how to configure auto-approval for self-registration in the following sections:
The login page provides the ability to log in, and provides a starting point for all unauthenticated operations. This page is displayed when you access Oracle Identity Manager Administrative and User Console without authenticating either natively to Oracle Identity Manager or by using SSO.
Typical tasks you can perform before logging in to Oracle Identity Manager Administrative and User Console include:
If Oracle Identity Manager is configured to support native authentication, then the login link redirects you to a form in which you can authenticate by using your Oracle Identity Manager username and password.
If Oracle Identity Manager is configured to support Single Sign-On (SSO), then the login link redirects you to the SSO application login page.
Go to Oracle Identity Manager Administrative and User Console login page.
In the User ID field, enter your username.
In the Password field, enter your password.
Click Sign In. If you are successfully authenticated, then you are logged in and directed to the main page in the authenticated context.
The login attempt might generate an error because of the following reasons:
Incorrect credentials: If the user name and password entered are not correct, then an error message is displayed. This may be because of the following reasons:
Username does not exist
Password is incorrect
Username exists but the user is deleted
The system configuration property Maximum Number of Login Attempts provides the number of times authentication can fail before your OIM account is locked. By default, this value is 10. The login backend must keep a counter of the number of failed login attempts on an account. When login fails, the backend increments the count. For a successful authentication while the account is not locked, the counter is reset to 0. If the counter exceeds the value of the Login Failures Allowed before Lockout configuration property, then the account is locked. In addition, the value of the Account Locked On attribute is set to the current timestamp, and the value of the Manually Locked attribute is set to No.
If the configuration property is set to 0 or a negative number, then the account is not locked irrespective of how many login attempts fail.
Locked account: If the account is locked, then you are not allowed to log in even if the credentials are correct. On trying to log in with a locked account, the "Invalid sign in" message is displayed. Contact Oracle HelpDesk if your account is locked.
Soft locking a user because of maximum login failures can be configured in Oracle WebLogic. This configuration is independent of the maximum login attempt configuration in Oracle Identity Manager and determines when and for how long a user is soft locked. By default, WebLogic soft locks a user after five consecutive login failures because of incorrect passwords, and the lock duration is 30 minutes. You can modify this configuration by navigating to the following location in the WebLogic Administrative Console:
Home, Security Realms, myrealm, User Lockout in WLS Console
Therefore, if you try to log in to Oracle Identity Manager Administrative and User Console with the correct username and an incorrect password more than five times and less than 10 times, then your account is soft locked by WebLogic Security Realms, but remains unlocked in Oracle Identity Manager. Although your account is enabled and unlocked in Oracle Identity Manager, you cannot log in for 30 minutes even by entering the correct password, and your account cannot be unlocked before the configured time, for example 30 minutes.
If you enter an incorrect password more than 10 times, your account is locked by both WebLogic and Oracle Identity Manager. As a result, if the Oracle Identity Manager administrator resets or unlocks the account, it is still soft locked by WebLogic and you cannot log in until the 30 minutes expire.
Disabled user: If your user account is disabled, then you are not allowed to log in.
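The interaction between the two lockouts described above can be modeled in a few lines. This is an added example, not Oracle code: the class, function names and status strings are hypothetical, the timestamp is constructed, and the model assumes WebLogic locks once consecutive failures reach its threshold while Oracle Identity Manager locks when its counter exceeds the configured value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class DualLockoutModel:
    """Toy model of the two independent lockouts; not Oracle code."""
    oim_max_attempts: int = 10                       # OIM default from the page
    wls_threshold: int = 5                           # WebLogic default from the page
    wls_duration: timedelta = timedelta(minutes=30)  # WebLogic default from the page
    oim_failures: int = 0
    oim_locked_on: Optional[datetime] = None         # models "Account Locked On"
    wls_failures: int = 0
    wls_locked_until: Optional[datetime] = None

    def login(self, password_ok: bool, now: datetime) -> str:
        # The WebLogic soft lock expires by itself after the lock duration.
        if self.wls_locked_until is not None and now >= self.wls_locked_until:
            self.wls_locked_until, self.wls_failures = None, 0
        if not password_ok:
            self.oim_failures += 1
            self.wls_failures += 1
            # Assumption: WebLogic locks once consecutive failures reach its threshold.
            if self.wls_locked_until is None and self.wls_failures >= self.wls_threshold:
                self.wls_locked_until = now + self.wls_duration
            # OIM locks when the counter exceeds the limit; 0 or negative disables it.
            if self.oim_max_attempts > 0 and self.oim_failures > self.oim_max_attempts:
                self.oim_locked_on = self.oim_locked_on or now
            return "denied:credentials"
        if self.wls_locked_until is not None:
            return "denied:weblogic-soft-lock"
        if self.oim_locked_on is not None:
            return "denied:oim-locked"
        self.oim_failures = self.wls_failures = 0    # successful login resets counters
        return "ok"

    def oim_admin_unlock(self) -> None:
        # An OIM administrator unlock only clears OIM state, not WebLogic's.
        self.oim_locked_on, self.oim_failures = None, 0

def replay(failures: int, admin_unlock: bool, minutes_later: int, **cfg) -> str:
    """Constructed scenario: N bad passwords at t0, then one correct password later."""
    t0 = datetime(2024, 1, 1, 9, 0)                  # constructed timestamp
    acct = DualLockoutModel(**cfg)
    for _ in range(failures):
        acct.login(False, t0)
    if admin_unlock:
        acct.oim_admin_unlock()
    return acct.login(True, t0 + timedelta(minutes=minutes_later))
```

For a help desk, the useful case is `replay(11, True, 5)`: the account has been unlocked in Oracle Identity Manager, yet a correct password is still refused until the WebLogic lock duration has passed.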
If your password has expired, then the Change Password page is displayed. You are not allowed to proceed to the main page of the console without changing the password. Enter a new password and click Apply.
If the system configuration property "Force to set questions at start up" is set to "Yes", then the login flow checks if you have set the required challenge responses on your profile. If not, then the form to set the challenge responses is displayed. If you have the challenge responses set, or if the configuration property is set to "No", then this step is skipped. In the form, set the challenge responses, and then click Submit.
Alternatively, you can click Remind Later if you want to defer setting challenge questions and continue with login to Oracle Identity Manager Self Service.
The PCQ.FORCE_SET_QUES system property with name 'Force to set questions at startup' indicates whether or not the challenge questions are required to be set on first logon. If setting challenge questions is not required, then the Remind Later button is displayed. On clicking this button, you can log in to the Administrative and User Console without setting the challenge questions.
If you attempt to access an Oracle Identity Manager UI page other than login and you are not already logged in, then you are redirected to the login page. Follow the login instructions provided in this section to log on to Oracle Identity Manager. Following successful login, you will then be redirected to the original page you tried to access.
After you log in for the first time, the Change Password page is displayed. This is because you must change your password after logging in for the first time. Change the password, and log in again.
The XL.ForcePasswordChangeAtFirstLogin system property is no longer used in Oracle Identity Manager 11g Release 1 (11.1.1). Therefore, forcing the user to change the password at first login cannot be configured. By default, the user must change the password:
When the new user is logging in to Oracle Identity Manager for the first time
When the user is logging in to Oracle Identity Manager for the first time after the password has been reset by the administrator
When the user's password has expired
Oracle Identity Manager requires you to register yourself as an identity in Oracle Identity Manager to perform certain tasks in Oracle Identity Manager Self Service. To register yourself in Oracle Identity Manager:
In Oracle Identity Manager Administrative and User Console login page, click Register. The Basic information page of User Registration wizard is displayed.
The information required in the User Registration wizard is governed by the Self-Register User request dataset. See "Step 1: Creating a Request Dataset for the Resources" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about request datasets.
Enter first name, middle name, last name, and email in the respective fields and click Next. The Login Information and Security Information page is displayed.
The UI does not allow you to enter more than the allowed number of characters. The maximum length for the values entered during self-registration is specified as 80 characters for First Name, Middle Name, Last Name, and Common Name and 382 characters for the Display Name.
If any other attributes are added on the self-service UI by modifying the Self-Register User request dataset, then the values will not be validated explicitly. The field on the UI will allow only as many characters to be entered as specified in the length field of the UI.
There is no restriction on the characters that can be entered in each of these fields. The input for each of these fields can contain any special characters, such as hash (#) and percentage (%).
The email address must match the pattern specified in the system property "XL.EmailValidationPattern". If the email address is invalid, the UI gives an error "Invalid e-mail ID. Please enter a valid email ID." If the email ID specified is already used by any other user in the system, the UI gives an error "Email ID <email id> is already taken. Please enter a different Email ID."
In the Select a User ID and Password section, enter user login, password and confirm password. The password entered will be subjected to a password policy. On the next page, the password policy is shown adjacent to the password fields. If the password does not satisfy the criteria of the password policy, the UI gives an error defining the criteria required to be satisfied. Refer to "Password Management" for detailed information about password policy.
If you do not enter the password, then the system generates the password automatically and emails it to the email address that you entered on the first page of the User Registration wizard.
The registration form is prepopulated with attributes from self-registration templates.
The Administrator can create custom registration forms by specifying a custom registration template name in the URL link. The URL link that the user uses will then determine the template and form used during registration. Therefore, multiple registration forms can be supported via multiple URL links. For registration, the URL link can either be configured on the UI or included in the e-mail requesting the user to register.
In the Set your Challenge Questions and Answers section, select the challenge questions and set an answer for each question. The challenge questions and answers are checked for:
distinct challenge questions not selected
distinct answers not specified for the challenge questions
If either of these conditions is detected, then an error is displayed.
Click Register. You are provided a tracking ID for the registration request that can be used for tracking the request.
Challenge questions and answers are asked if the attribute for this is defined in the template for self registration.
Not all Oracle Identity Manager deployments support self-registration. This is especially true of internal deployments that manage the identities of employees and contractors, where the identities are added through reconciliation and not self-registration.
Oracle Identity Manager provides the Is Self-Registration Allowed system property to enable self registration. The Register link is always displayed on the unauthenticated self-service console. If the property is set to False, then clicking on the Register link gives an error, "Self registration is not allowed". If it is set to True, then self registration is allowed.
You can track your request to register as an identity in Oracle Identity Manager. If the current status indicates success, then you can go to the Oracle Identity Manager Administrative and User Console, and then enter your username and password to log in to the Oracle Identity Manager Self Service.
To track your registration:
In Oracle Identity Manager Administrative and User Console login page, click Track Registration. The Request Status page is displayed.
In the Tracking ID field, enter the tracking ID that was assigned to your registration request. Then click Submit. The Self-Registration Status page is displayed with the following details:
Request submission date
When the request is submitted and approval is not done, the date shown is the request submission date. In all cases, the date always reflects the last update date.
Every self-registration request that is submitted has to go through approvals for it to be processed completely. See "Approval Levels" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for details about different approval levels.
If a user tracks the current status of the request, the status is shown with a description of the stage the request is in. The status would be one of the following:
Pending: This state indicates that the request is submitted and the approval is pending. In case of default approval, the following status message is displayed if the request-level approval is pending:
"Obtaining request-level approval for registration. The manager needs to approve this request."
Once the request-level approval is obtained, the following status message is displayed:
"Obtaining operation-level approval for registration."
Rejected: This state indicates that the request is rejected during approval. The description indicates the reason for rejection. In case of default approval levels, if the request is disapproved at the request approval level, the following status message is displayed:
"Request approval rejected for registration."
If the request gets disapproved at the operation approval level, the following status message is displayed:
"Operation approval rejected for registration."
Completed: This state indicates that the request is completed. If all the approvals have been provided and the request is successfully completed, the following status message is displayed:
"The registration request is completed."
Failed: This state indicates that the request failed during submission. If the request submission fails, the following status message is displayed:
"The request registration failed."
You can only track the status of Self Registration Requests from this page.
End-user self-registration can be configured so that the system will automatically approve new registrations without human intervention.
In the default Self-Registration request dataset, SelfCreateUserDataset.xml, the Organization field is designated as an approver-only field. This means that an approver must manually supply a value for the Organization field when approving the request. To configure the self-registration request dataset so that registrations are approved automatically, make a copy of the default dataset, remove the approver-only flag for the Organization field in the Self-Registration request dataset, and provide a link to the new template.
To configure auto-approval for self-registration:
You must understand the concepts covered in Chapter 10, "Managing Requests", before undertaking this task.
Create a new request template for Self-Register user by making a copy of the default template. Include the Organization attribute but add a restriction by specifying the organization that should be used.
For information about configuring the request template, refer to Chapter 17, "Managing Request Templates".
Modify the self-create user data set to remove the approver-only flag for the Organization attribute.
For details about request datasets, refer to "Creating a Request Dataset for the Resources" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
For information about uploading the data set into MDS, refer to "Uploading Request Datasets into MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Create two new approval policies, one at request level and the other at the operational level for self registration, with auto-approval configuration.
For information about creating approval policy rules, see "Creating Approval Policies".
Refer to the following to use the newly created template for self-registration:
The system takes a parameter T_ID=<template name> to use a custom template for self-registration. If the user clicks on the Register link, it takes the user to the following page:
This page uses the default template.
To use a custom template, use T_ID at the end of the request, for example:
This will display the self-registration page as per "new_template" instead of the default one.