When Identity Federation acts in Service Provider (SP) mode, the user assertion is mapped to a local user record in the LDAP directory to complete the federated single sign-on. If the mapping fails because the user performing the Federation SSO operation does not have a local account, Identity Federation can be configured to trigger a user self-registration flow to enable the user to create an account locally.
At runtime, when the Assertion mapping operation fails and if self-registration is enabled, the user self-registration framework:
Redirects the user to a self-registration page.
The self-registration page includes the following fields:
username
password
confirm password
first name
last name
email address
These fields may be pre-populated with data from the Assertion. Also, any field used in the Assertion Mapping process cannot be edited: the user will not be able to change the information used for the Assertion Mapping operation for security reasons.
Once the user creates the account, the Federation SSO flow resumes and results in the creation of an Access Manager session. At that point, the user is redirected to the protected resource.
You can enable or disable the user self registration module.
To configure the Federation User Self-Registration module:
You can configure Identity Federation to pre-populate the fields of the self-registration page with the data that are included in the Assertion. By default, the self-registration page populates these fields based on the following registration properties:
If the attributes or NameID are missing from the assertion, the fields are empty.
first name: Identity Federation will use either the firstname or givenname attributes contained in the Assertion. The userregistrationfirstnameattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that field is set to firstname,givenname.
last name: Identity Federation will use either the lastname or sn attributes contained in the Assertion. The userregistrationlastnameattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that setting is set to lastname,sn.
email address: Identity Federation will use either the mail attribute contained in the Assertion, or the Assertion's NameID (referenced by fed.nameidvalue). The userregistrationemailattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that setting is set to mail,fed.nameidvalue.
username: Identity Federation is not configured to use any Assertion attributes to populate this field. The userregistrationusernameattr configuration property indicates the list of comma separated attributes that should be used to populate this field. By default, that setting is empty.
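The following Python script is an added illustration, not Identity Federation's own code, of the pre-population rules listed above together with the rule that fields used in the Assertion Mapping operation are not editable. It models each userregistration*attr property as a comma separated, first-match list (with fed.nameidvalue standing for the Assertion's NameID), uses the documented defaults, and includes a server-side check that rejects a submission which changes a read-only field, since disabling a form field in the browser is not on its own a control. The assertion contents, the helper names and the representation of the assertion as a dictionary are constructed assumptions for the example.

```python
# Added example (not Oracle's code): simulate how the Federation self-registration
# page is pre-populated from an Assertion, following the documented defaults for
# the userregistration*attr properties.

# Documented default values of the registration properties.
DEFAULT_REGISTRATION_PROPERTIES = {
    "userregistrationfirstnameattr": "firstname,givenname",
    "userregistrationlastnameattr": "lastname,sn",
    "userregistrationemailattr": "mail,fed.nameidvalue",
    "userregistrationusernameattr": "",
}

# Which configuration property feeds which self-registration page field.
FIELD_PROPERTY = {
    "first name": "userregistrationfirstnameattr",
    "last name": "userregistrationlastnameattr",
    "email address": "userregistrationemailattr",
    "username": "userregistrationusernameattr",
}

# Token in an attribute list that refers to the Assertion's NameID.
NAMEID_REFERENCE = "fed.nameidvalue"


def resolve(assertion, attr_list):
    """Return (value, source) for the first attribute in the comma separated
    list that has a non-empty value in the assertion, or ("", None)."""
    for attr in (a.strip() for a in attr_list.split(",")):
        if not attr:
            continue
        if attr == NAMEID_REFERENCE:
            value = assertion.get("nameid", "")
        else:
            value = assertion.get("attributes", {}).get(attr, "")
        if value:
            return value, attr
    return "", None


def prepopulate(assertion, properties=None, mapping_attrs=()):
    """Compute the pre-populated fields of the self-registration page.

    mapping_attrs lists the attributes (or fed.nameidvalue) that the Assertion
    Mapping operation used; a field populated from one of them is marked
    read-only. Returns {field: {"value": str, "editable": bool}}.
    """
    props = dict(DEFAULT_REGISTRATION_PROPERTIES)
    if properties:
        props.update(properties)  # administrator overrides of the defaults
    fields = {}
    for field, prop in FIELD_PROPERTY.items():
        value, source = resolve(assertion, props.get(prop, ""))
        editable = source is None or source not in mapping_attrs
        fields[field] = {"value": value, "editable": editable}
    return fields


def validate_submission(prepopulated, submitted):
    """Server-side check of the posted form: return the names of read-only
    fields whose submitted value differs from the pre-populated one."""
    tampered = []
    for field, info in prepopulated.items():
        if not info["editable"] and submitted.get(field, "") != info["value"]:
            tampered.append(field)
    return tampered


# Constructed sample assertion: no firstname/lastname/mail attributes, so the
# fallbacks (givenname, sn, NameID) are used; uid is only used if configured.
SAMPLE_ASSERTION = {
    "nameid": "jdoe@example.com",
    "attributes": {"givenname": "Jane", "sn": "Doe", "uid": "jdoe"},
}

if __name__ == "__main__":
    # Assume the Assertion Mapping operation matched the NameID against the LDAP mail attribute.
    page = prepopulate(SAMPLE_ASSERTION, mapping_attrs=(NAMEID_REFERENCE,))
    for name, info in page.items():
        print(f"{name:13} = {info['value']!r:22} editable={info['editable']}")
    print("tampered:", validate_submission(page, {"email address": "other@example.com"}))
```

Run with a mapping_attrs value matching whatever the Assertion Mapping step actually used in your deployment; the script marks only fields sourced from those attributes as read-only, which is the behaviour the text describes.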