Self registration
You can enable users to self-register to your organization from the login page of the application. This creates a new user account for the user.
Enable/Disable self-registration
To enable/disable user self-registration or to change the default configurations, see the following instructions:
- On the WSO2 Identity Server Console, go to Login & Registration.
- Under User Onboarding, click Self Registration.
- Turn the toggle on to enable self-registration or off to disable it.
- Configure the settings below.
  - Account verification: If enabled, an email will be sent to the user's specified email address requesting account confirmation. If this option is enabled along with the Activate account immediately option, users will be signed into the application without waiting for verification. However, you may leverage the account verification status to control the user experience and the level of access granted for the user. Learn how to get verification status.
  - Account verification link expiry time: Specifies the duration (in minutes) after which the confirmation link expires.
  - Activate account immediately: Activates the account without waiting for account verification. However, you may leverage the account verification status to control the user experience and the level of access granted for the user. Learn how to get verification status.
  - Enable auto login: When a user self-registers:
    - If MFA is not configured, the user is redirected straight into the application without having to log in.
    - If MFA is configured, the initial level of authentication is bypassed, and the user is directed straight to the next configured authentication steps.
Configure self-registration methods
Users may self-register to your organization using the same methods configured as sign-in options in your application.
Refer to the documentation on how to configure sign-in options for your application.
Note
Currently, WSO2 Identity Server does not support Magic Links for self-registration.
During user self-registration, the available methods are displayed to the user as shown below.
For information on how a user can self-register, refer to Try self-registration.
Customize the self-registration form
If a user decides to self-register using email, the following form is displayed to the user.
You can follow the instructions below and customize the attributes presented during self-registration.
- On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.
- Under Manage Attributes, click on Attributes.
- Click the Edit icon on the attribute that you wish to add to or remove from the registration form.
- Select Display this attribute on the user's profile. The attribute will now appear on the self-registration form presented to the user. (Uncheck this option to remove the attribute from the registration form.)
- Select Make this attribute required on the user's profile if it is a mandatory attribute.
Note
Learn more about user attributes.
Get the verification status of user accounts
The verification status of a user account indicates whether or not the user has confirmed the account through email verification. You may leverage this status to enforce access control or tailor the user interface of your application.
This capability is especially useful when you have self-registered users. For example, you may want self-registered users with unverified accounts to only have read access to your application, whereas verified users may get complete access.
Tip
To implement this scenario, you must enforce account verification for self-registered users and activate accounts immediately without waiting for verification. Learn more in enable/disable self-registration.
You can get the account verification status of users through the SCIM2 API as shown below.
- To get your own information, invoke the /scim2/Me endpoint: https://localhost:9443/scim2/Me
- To get information about other users in your organization, invoke the /scim2/Users/<user_id> endpoint: https://localhost:9443/scim2/Users/{user_id}
The following is part of the API response:
    "roles": [
        {
            "display": "selfsignup",
            "value": "a85d4baf-2e7a-37b1-a722-d4d427039736",
            "$ref": "https://{{ host_name }}{{ organization_path_param }}/scim2/v2/Roles/16ba9acb-fa30-42ef-8e25-29b557862124",
            "audienceValue": "<organization id>",
            "audienceType": "organization",
            "audienceDisplay": "<organization name>"
        },
        ......
    ],
    "{{ scim_schema_for_wso2_custom_claims }}": {
        "emailVerified": "true",
        "accountConfirmedTime": "2023-02-16T03:07:34.392293Z"
        .....
    }
- If the role.display parameter is set to selfsignup, the user has self-registered.
- Under the urn:scim:wso2:schema schema, if the emailVerified parameter is available, the user has already clicked the email link to verify the account. This parameter will have the following values:
  - true - User has successfully verified the account.
  - false - User's account verification attempt has failed.
- The accountConfirmedTime parameter will only be available under the same schema when email verification is successful for self-registered users.
Once you have identified the emailVerified status of the user and the method by which the user is onboarded (self-registration or onboarded by an administrator), you can enforce any access restrictions for that user through your application logic.
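One way an application could turn the response fields described above into an access decision, shown as an added example that is not WSO2's own code. The function names, the "read-only"/"full" tiers, and the sample responses are assumptions made for illustration; the schema key is the one named in the text above.

```python
import json

# Extension schema key as named in the text above.
WSO2_SCHEMA = "urn:scim:wso2:schema"


def is_self_registered(user):
    """True if any role entry has display == "selfsignup"."""
    roles = user.get("roles") or []
    return any(isinstance(r, dict) and r.get("display") == "selfsignup"
               for r in roles)


def is_email_verified(user, schema=WSO2_SCHEMA):
    """Fail closed: only "true" counts as verified.

    The flag arrives as a string and bool("false") is True in Python, so a
    truthiness check would treat a failed verification as verified.
    """
    ext = user.get(schema)
    if not isinstance(ext, dict):
        return False
    value = ext.get("emailVerified")
    return value is True or value == "true"


def access_level(user, schema=WSO2_SCHEMA):
    """Assumed policy: unverified self-registered users are read-only."""
    if is_self_registered(user) and not is_email_verified(user, schema):
        return "read-only"
    return "full"


# Constructed sample responses, trimmed to the fields that matter here.
SAMPLES = {
    "verified": json.loads('{"roles": [{"display": "selfsignup"}], '
        '"urn:scim:wso2:schema": {"emailVerified": "true", '
        '"accountConfirmedTime": "2023-02-16T03:07:34.392293Z"}}'),
    "failed": json.loads('{"roles": [{"display": "selfsignup"}], '
        '"urn:scim:wso2:schema": {"emailVerified": "false"}}'),
    "pending": json.loads('{"roles": [{"display": "selfsignup"}], '
        '"urn:scim:wso2:schema": {}}'),
    "admin_onboarded": json.loads('{"roles": [{"display": "Manager"}]}'),
}

if __name__ == "__main__":
    for name, user in SAMPLES.items():
        print(f"{name:16} -> {access_level(user)}")
```

Run the check on the server side against a response your backend fetched itself, so the decision does not depend on values supplied by the client.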