7.7. Register Policy

7.7.1. User registration

Starting with privacyIDEA 2.10, users are allowed to register with privacyIDEA themselves, i.e. a user who does not yet exist in a given realm and resolver can create a new account.


Registering new users is only possible if there is a writable resolver and if the necessary policy in the scope register is defined. For editable UserIdResolvers see UserIdResolvers.

If a register policy is defined, the login window of the Web UI gets a new link “Register”.


Next to the login button is a new link ‘register’, so that new users are able to register.

A user who clicks the link to register a new account gets this registration dialog:


Registration form

During registration, a Registration token is also enrolled for the user. The registration code of this token is sent to the user via a notification email.


Thus, using the right policies in the scopes webui and authentication, the user can log in with the password set during registration and the registration code received via email.

7.7.2. Policy settings

In the scope register, several settings define the behaviour of the registration process.


Creating a new registration policy

realm

type: string

This is the realm in which a new user will be registered. If this realm is not specified, the user will be registered in the default realm.

resolver

type: string

This is the resolver in which the new user will be registered. If this resolver is not specified, registration is not possible!

This resolver must be an editable resolver, otherwise the user can not be created in this resolver.

smtpconfig

type: string

This is the unique identifier of the SMTP server configuration. This SMTP server is used to send the notification email with the registration code during the registration process.

If there is no smtpconfig, or it is set to a wrong identifier, the user will get no notification email and thus never receives the registration code.

requiredemail

type: string

This is a regular expression according to [1].

Only email addresses matching this regular expression are allowed to register.

Example: If you want to allow only users with an email address in your own domain to register, a policy might look like this:

action: requiredemail=/.*@mydomain\..*/

This will allow all email addresses from the domains mydomain.com, mydomain.net etc. Note that the expression is not anchored at the end, so any domain that merely starts with mydomain. is accepted as well; anchor the expression and enumerate the allowed domains if that is not intended.

registration_body

type: string

The body of the registration email. Use {regkey} as the tag for the registration key.
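To show what the requiredemail regular expression actually admits, here is an added example (not code from privacyIDEA itself) that checks a handful of constructed addresses against the pattern from the documentation and against a tightened alternative. It assumes that the surrounding slashes are delimiters rather than part of the expression, and that matching is anchored only at the start (Python's re.match); verify both against the privacyIDEA source for your version before relying on them.

```python
import re
from typing import Dict, List


def compile_requiredemail(action_value: str) -> "re.Pattern[str]":
    # Assumption (added example, not privacyIDEA's own code): the policy
    # value is written /regex/ and the surrounding slashes are delimiters,
    # not part of the expression.
    value = action_value.strip()
    if len(value) >= 2 and value.startswith("/") and value.endswith("/"):
        value = value[1:-1]
    return re.compile(value)


def email_allowed(action_value: str, email: str) -> bool:
    # Assumption: the check is anchored at the start only (re.match), so a
    # pattern that does not end in $ accepts arbitrary trailing characters.
    return compile_requiredemail(action_value).match(email) is not None


def evaluate(action_value: str, emails: List[str]) -> Dict[str, bool]:
    """Map each address to whether the given requiredemail value admits it."""
    return {email: email_allowed(action_value, email) for email in emails}


# The pattern from the documentation, and a tightened alternative that
# restricts the local part, anchors the end and enumerates the domains.
DOC_PATTERN = r"/.*@mydomain\..*/"
STRICT_PATTERN = r"/^[A-Za-z0-9._%+-]+@mydomain\.(com|net)$/"

# Constructed sample addresses for the comparison.
CONSTRUCTED_EMAILS = [
    "alice@mydomain.com",
    "bob@mydomain.net",
    "mallory@mydomain.attacker.example",   # host under attacker.example
    "carol@mydomain.com@evil.example",     # second @ after the allowed domain
    "eve@evil.example",
]

if __name__ == "__main__":
    for name, pattern in (("documented", DOC_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{name}: {pattern}")
        for email, ok in evaluate(pattern, CONSTRUCTED_EMAILS).items():
            print(f"  {'allow' if ok else 'deny':5} {email}")
```

Running the block shows that the documented pattern admits mallory@mydomain.attacker.example and carol@mydomain.com@evil.example, because the trailing .* swallows whatever follows the domain; the strict pattern rejects both while still accepting the intended addresses.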