The FIX protocol has a logon message, but I can't find anything on how those accounts are created and verified.
Is there some other out of band mechanism for those accounts to be created?
Yes. It's out of band.
The way that accounts or users are managed is dependent upon the application's implementation and the organization's practices.
I have 3 different use cases where I want to create sysusers, in the same model:
in the on-boarding process of my customers to the platform
my customers' co-workers register to be users on their organization from an email invite
my customers' customers register an account in the checkout process.
And I want them to enter their new password in the process. How do I solve this best?
In the latest version the returnUrl is kept even when the user goes through register and that solves the issue. Thanks MDriven for absolutely terrific support!
Even if it is possible to go this route I would suggest that you flip it the other way around. Ask the user to create an account. Once they have an account you promote that account to being coworker and/or customer by setting some state on the already existing sysuser.
... Have a UserInvite object - email the link to a page where the invite is accepted - in the accept page show user link to register or login if they have not done that.
Once you have a CurrentUser and UserInviteObject in scope you can tie it all together and be done, I think.
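The account-first invite flow suggested in the answer above, as an added Python sketch that is not part of the original thread and is not MDriven code. The names `SysUser`, `UserInvite`, `create_invite`, `accept_invite`, the 7-day lifetime and the rule that the accepting account's email must match the invited address are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

INVITE_TTL = 7 * 24 * 3600  # assumed lifetime of an invite link, in seconds

@dataclass
class SysUser:                      # hypothetical stand-in for the existing account
    email: str
    roles: set = field(default_factory=set)

@dataclass
class UserInvite:                   # hypothetical invite record
    email: str
    role: str                       # state to set on acceptance, e.g. "coworker"
    expires_at: float
    accepted_by: Optional[str] = None

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def create_invite(store: dict, email: str, role: str, now: Optional[float] = None) -> str:
    """Create an invite and return the raw token that goes into the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # unguessable, URL-safe
    # Only the hash is stored, so a leaked invite table does not yield usable links.
    store[_digest(token)] = UserInvite(email.lower(), role, now + INVITE_TTL)
    return token

def accept_invite(store: dict, token: str, current_user: Optional[SysUser],
                  now: Optional[float] = None) -> str:
    """Promote an already registered, logged-in user; never create the account here."""
    now = time.time() if now is None else now
    invite = store.get(_digest(token))
    if invite is None:
        return "unknown"
    if current_user is None:
        return "login_required"     # accept page shows the register/login link
    if invite.accepted_by is not None:
        return "already_used"       # single use
    if now > invite.expires_at:
        return "expired"
    if current_user.email.lower() != invite.email:
        return "wrong_account"      # assumed policy: invite is bound to the address
    current_user.roles.add(invite.role)
    invite.accepted_by = current_user.email
    return "accepted"
```

Because the password is only ever set in the normal registration step, the invite link itself never carries or sets a credential.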
Our old authentication mechanism had mandatory and immutable email for each user by design. After exporting the old authentication mechanism into the hands of Keycloak 4.6.Final, we are left with old references to users by email, as this was in fact used as an id from the beginning of this system.
Keycloak User Management UI is delivered to the client as part of a whole system. Now we're facing a problem where the users administrator at the customer's side is able to create users with no email, and even worse, he can give a user one email and over time change it. Leaving this option open is most likely to create bugs for the client as the user base grows.
I've been digging around Google, sof, and the Keycloak mailing list search engine, and couldn't find any documentation relating to a developer's ability to apply configuration on top of a particular Keycloak distribution which would set features such as mandatory and immutable on some user attributes which are optional and editable by default.
I know that the question is old, but maybe someone will need an answer.
It's 2022-11 and there is an experimental feature in Keycloak 20. You can enable declarative-user-profile and then customize your user profile and set required fields and other options. user-profile
This feature may be removed in the future, because it's experimental.
And this feature has bugs (tried with 20.0.1). For example, if you add a required attribute group, then you can see groups while creating a new user and you can select groups. But if you try to save the user, then an error appears, telling you that group is required.
Is it possible in GitHub Enterprise to arbitrarily add a user to an organization if you are a site administrator? I am evaluating the software, but cannot seem to do this reliably. A site admin who is not themselves part of an organization cannot pull up the organization's dashboard, nor see which users are part of it, although they can view and contribute to the repositories within (in a roundabout way). I know that it is possible to impersonate a non-admin user, but you would have to know who already is a part of that organization to do this, which is hidden. There has to be a better way, because what if some nefarious employee went and removed everyone but themselves? The organization would effectively be orphaned.
Thank you
I think I have found where all the members are, under "Members & Teams", duh. I can usurp their account and make myself an owner if needed. Seems cumbersome though.
You most likely want ghe-org-admin-promote
I'm at the early days of looking into IdentityServer v3 and IdentityManager, as I'm certain those guys are more clued up than I, but I cannot see how to configure the IdentityManager.
If we're deploying IdentityManager to a client, all the client wants to do is "standard admin type stuff", such as
create users
unlock accounts (e.g. after 3 failed login attempts)
suspend accounts (not paid your bill, tut tut...)
delete users
..rather than amend claims, roles and suchlike (presumably these would be hidden from the Administrators).
What am I missing?
Or, is the IdentityManager supposed to be used by the implementation team installing the thing, and then the business administrators who deal with the topics listed above actually don't use IdentityManager at all, but a separate admin site we have to write? As far as I can make out, all the pages, html etc. are within the NuGet package, so cannot be amended by me.
If it makes any difference, we're trying to create a public facing website that can be logged into, but the users are only created by the company, whose admin site to create & administer the users is IP restricted / not public facing.
Identity Manager is aimed at developers and internal administrators for testing and initial configuration purposes, as opposed to end users.
Check out https://vimeo.com/125426951 by the repo's author. I think it's explicitly stated at around the 1 minute mark. It's mentioned on the GitHub issue tracker quite frequently too.
Also, it's not that extensible yet, so you won't be able to brand it or remove sections (such as your requirement of no claims).
I work for a large company, which uses MS Exchange for Email. We have a distribution list for people to post questions, where anyone can answer. I am looking for a way to maintain a copy of this distribution list so that anyone can search it. Ideally, this would be searchable from within Outlook as well as by going to a webpage, but I will take either one. Someone has proposed to create a dummy email account, which just gets the distribution list traffic. Everyone interested in this distribution list could then attach this account. While this may work, there are several challenges with this approach:
1) It becomes problematic when you have several hundred people attaching a single email Inbox/account.
2) I need this account to be read-only, so someone doesn't accidentally delete an email from this account, thinking that it is in their personal account.
3) Our company has an auto-archive policy. This account would need to be exempt from that policy.
Any ideas?
Thanks
GS
The dummy mailbox is not a bad idea. You can give the people appropriate permissions to the Inbox folder of that mailbox.
To work around the permission issue you could either
1) Create a transport agent which monitors the mail flow and dumps all messages to a database or CMS/SharePoint/whatever.
2) Create the dummy mailbox and set up a service which monitors this mailbox using push/pull/streaming notifications and dumps the messages to a database/CMS/SharePoint/whatever.
The SharePoint solution would make the search option a piece of cake. But if you don't already have a SharePoint instance up and running this might be overkill.