6.7. Register Policy
6.7.1. User registration
Starting with privacyIDEA 2.10, users are allowed to register with privacyIDEA, i.e. a user that does not yet exist in a given realm and resolver can create a new account.
Registering new users is only possible if there is a writeable resolver and if the necessary policy in the scope register is defined. For editable UserIdResolvers see UserIdResolvers.
If a register policy is defined, the login window of the Web UI gets a new link “Register”.
A user who clicks the link to register a new account gets this registration dialog:
During registration a Registration token is also enrolled for the user. The registration code of this token is sent to the user via a notification email.
Thus, using the right policies in the scopes webui and authentication, the user can log in with the password he set during registration and the registration code he received via email.
6.7.2. Policy settings
In the scope register several settings define the behaviour of the registration process.
This is the realm, in which a new user will be registered. If this realm is not specified, the user will be registered in the default realm.
This is the resolver, in which the new user will be registered. If this resolver is not specified, registration is not possible!
This resolver must be an editable resolver, otherwise the user cannot be created in this resolver.
This is the unique identifier of the SMTP server configuration. This SMTP server is used to send the notification email with the registration code during the registration process.
If no smtpconfig is set, or it refers to an identifier that does not exist, the user will get no notification email.
This is a regular expression according to [1].
Only email addresses matching this regular expression are allowed to register.
Example: If you want to authenticate the user only by the OTP value, no matter what OTP PIN he enters, a policy might look like this:
This will allow all email addresses from the domains mydomain.com, mydomain.net etc…
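The following is an added example, not code from the privacyIDEA documentation or source. It shows what a regular-expression email restriction of this kind does and why the anchoring of the pattern matters: an unanchored pattern such as `.*@mydomain\..*` also accepts addresses whose registrable domain merely starts with "mydomain." (for example "eve@mydomain.com.example.org"), while an anchored pattern that enumerates the allowed domains does not. Both patterns, the candidate addresses and the use of `re.fullmatch` as the matching semantics are assumptions made for this example.

```python
import re

# Constructed illustration of a "requiredemail"-style check.
# The patterns below are assumptions for this example, not values
# taken from the privacyIDEA documentation.

# Loose pattern: anything containing "@mydomain." somewhere in the address.
LOOSE_PATTERN = r".*@mydomain\..*"

# Anchored pattern: a local part, then exactly one of the listed domains.
STRICT_PATTERN = r"[^@\s]+@mydomain\.(com|net)"


def email_allowed(pattern: str, email: str) -> bool:
    """Return True if the whole address matches the policy pattern.

    re.fullmatch is used so that the pattern has to describe the entire
    address; a match on a substring (as re.search would give) is not enough.
    Whether the real check uses fullmatch, match or search is an assumption.
    """
    return re.fullmatch(pattern, email, re.IGNORECASE) is not None


def check_candidates(pattern: str, candidates):
    """Map each candidate address to the policy decision for it."""
    return {addr: email_allowed(pattern, addr) for addr in candidates}


# Constructed sample addresses.
CANDIDATES = [
    "alice@mydomain.com",
    "bob@mydomain.net",
    "eve@mydomain.com.example.org",   # lookalike: a different registrable domain
    "mallory@notmydomain.com",
    "trent@mydomain.org",             # accepted by the loose pattern only
]

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{name} pattern: {pattern}")
        for addr, ok in check_candidates(pattern, CANDIDATES).items():
            print(f"  {'allow ' if ok else 'reject'} {addr}")
```

Running the block prints the decision for each address under both patterns. The loose pattern reproduces the "mydomain.com, mydomain.net etc." behaviour described above, but it also admits the lookalike address; the anchored pattern restricts registration to the domains actually listed.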