Feature management¶
What is Feature management?¶
The Onegini IdP has several features that can be enabled or disabled. E.g. features to enable a end-user to log in or sign-up in a specific way. The settings can be managed on the Feature management tab in the Onegini Consumer Identity Access Manager.
How do I manage features in the Onegini IDP?¶
- Login to the Onegini Consumer Identity Access Manager -> go to
Configuration-> click the tabFeature Management. - The window Feature Management opens:
In the Feature Management window features can be configured for:
- Processes: Features for logging in and signing up processes.
- Action Tokens: Manage features for Action Tokens, e.g. options to set the validity of an Action Token.
- Person Activation: Manage features for person activation, e.g. the account activation.
- Person attributes: Manage features for person attributes, e.g. enable password reset.
- Migration: Manage features for migration, e.g. enable the migration of an existing user to the Onegini IdP.
- Invitation verification: Features for invitation verification, e.g. enabling verification through SMS.
- Security: Features for security, e.g. enabling mobile authentication for end-users.
- APIs: Enables APIs, e.g. for configuration, sessions or persons.
- Experimental features: Enable the experimental features here.
The options in each section are described below.
Processes¶
The following options are available:
| Option | Description |
|---|---|
| Login enabled | When enabled, the user is allowed to login. |
| Sign-up enabled | When enabled, it is possible to sign up for a new account at the Onegini IdP. |
| Automated external identity sign up enabled | If this checkbox is enabled, the user account is immediately created if a user authenticates with an external IDP and all required attributes are provided. If not all attributes are provided, you will see the sign-up page to fill missing fields. A pre-creation extension can be used to add missing fields or do additional linking actions. If this is disabled, we will always show the sign-up page, the attributes provided by the external IDP are prefilled. Or you can authenticate with UnP to link an existing CIM account. |
| Automated external identity linking enabled | If this checkbox is enabled, we try to link a user from an external IDP to an existing CIM account. If a user is matched, CIM will link the two accounts and users can authenticate with both methods. To use this feature, automatic email verification needs to be enables in the Identity Provider settings. If this is disabled, we will always show the sign-up page, the attributes provided by the external IDP are prefilled. Or you can authenticate with UnP to link an existing CIM account. |
| Allow linking multiple external identities to one CIM-account | This option is connected to the 'Automated external identity coupling enabled' option. When enabled, person data will be merged that uses different identity providers but the same e-mail address. |
| Accepting invitation enabled | When enabled, an end-user can use the link in the e-mail invitation to activate his or her account. When disabled, the link will not work. |
| Post-login extra registration after second login | When enabled, the end-user needs to provide additional data when logging in for a second time. |
Action Tokens¶
The following options are available:
| Option | Description |
|---|---|
| Login via Action Token enabled | When and end-user logs in, this option allows the user to use an action token when logging in. |
| - Action Token Validity (seconds) | Action Token validity in seconds. |
| - Authentication Level | Select the Authentication Level, 1 to 4. |
| - Enable generating Action Token Login Link via UI | If enabled, an Action Token Login Link can be presented to the end-user via a user interface. |
| App to Web via Action Token enabled | When enabled, a connection from App to Web via an Action Token can be made. |
| - Action Token Validity (seconds) | Action Token validity in seconds. |
| - Authentication level | Select the Authentication Level, 1 to 4. |
| Coupling via Action Token enabled | When enabled coupling via an Action Token is possible. |
| - Action Token Validity (seconds) | Action Token validity in seconds. |
| Redirect URL whitelist | Defines a list of URLs that can be used optionally when defining an Action Token. |
Person activation¶
The following options are available:
| Option | Description |
|---|---|
| Activation enabled | This option enables the end-user to activate his or her account. |
| Activate via email | This option enables account activation through e-mail. |
| - Expiration time | The amount of time activation link in the received email remains valid before expiring. |
| Activate via externally delivered code | This option enables account activation through a delivered code. |
| - Allow to resend code after period (seconds) | Defines the time period after which it is allowed to resend an activation code. |
| - Unavailability time (seconds) | Defines the time in which a generated code can be kept before it is used. |
| - Activation code expiration time (seconds) | The amount of time the activation code remains valid before expiring. |
| - Force activation after accepting invitation | When enabled, account activation will be mandatory for an end-user as soon as he or she accepted the invitation (that has been sent through an externally delivered code). |
Person attributes¶
The following options are available:
| Option | Description |
|---|---|
| Password reset via SMS enabled | When enabled, the end-user can decide to receive a password reset through a link sent by e-mail or by receiving a SMS code. When there is no phone number available, the end-user receives an e-mail. When disabled, password reset is only possible through an e-mail link. |
| Username reminder via SMS enabled | This option enables that the end-user can receive a username reminder through SMS. |
| Mobile number validation for back-end services enabled | Determines whether the Onegini IdP should validate the mobile number provided by the end-user. The functionality may be especially useful in case users are being migrated from an external service and the mobile number values do not pass the Onegini IdP's validation process. |
| Custom email validation enabled | This option enables custom email validation. |
Migration¶
The following options are available:
| Option | Description |
|---|---|
| Migration enabled | When enabled, it is possible to migrate a user from an existing user database to the Onegini IdP. A customer specific implementation is a prerequisite. |
| Unauthenticated migration | When enabled, it is possible to migrate a user from an existing user base to the Onegini IdP without validating the user's current password, through the password reset form. A customer specific implementation is a prerequisite. |
| Person identifier in external profile required for migration | When enabled, the Onegini IdP will use the person identifier provided by the extension in the migration process instead of an auto generated one. In the absence of an identifier, the migration process will be aborted. |
Invitation verification¶
The following options are available:
| Option | Description |
|---|---|
| Invitation verification required | When enabled, the end-user needs to verify his or her identity through an invitation. |
| Verification via birth date enabled | When enabled, the end-user can choose to verify through date of birth. |
| Verification via SMS enabled | When enabled, the end-user can choose to verify through SMS. |
| Verification via externally delivered code enabled | When enabled, the end-user gets a verification code via some external means, e,g. a letter. |
| Allow sign-up without invitation validation | When, enabled the end-user will be able to activate his or her account even if an invitation of an earlier date has been ignored. |
Security¶
The following options are available:
| Option | Description |
|---|---|
| Pin enabled | When enabled, users have to define a pin which can be used for step-up authentication. |
| SMS enabled | When enabled, the Onegini IdP can send SMS messages for step-up authentication as well as pin code reset. |
| Google Authenticator step-up authentication enabled | When enabled, users can attach a Google authenticator or other app implementing the time based one time password algorithm and use it as a step-up authentication method. |
| Mobile Authentication enabled | When enabled, users can use their mobile apps connected via the Onegini Token Server for mobile authentication. Apps will be listed in the device list of the user. |
| Step-up authentication method externally delivered code enabled | When enabled, the end-user gets a verification code via some external means, e.g. a letter. |
| ↳ Expiration time (seconds) | The time, expressed in seconds, after which the externally delivered code is considered invalid for a step-up. |
| ↳ Not available when other methods are | The externally delivered code step-up method will be unavailable when at least one other method is available for the user. It will also not be presented on the alternative step-up methods list. |
| Cookie Based SamL Authentication | When enabled, the service provider can request for the data which a user authenticated himself or herself in the past. Even if user's session expired the information will be returned by a cookie with user's session token. |
APIs¶
The following options are available:
| Option | Description |
|---|---|
| Person API enabled | The person API can be used to manage persons in the Onegini IdP. |
| Credentials API enabled | The credentials API can be used to validate credentials of persons in the Onegini IdP. This API can also be used to process action tokens. |
| Events API enabled | The events API can be used to list events of persons in the Onegini IdP |
| Statistics API enabled | The statistics API can be used to generate usage statistics of Onegini Consumer Identity Access Manager. |
| Configuration API enabled | The Configuration API can be used to fetch and update the Onegini IdP configuration. |
| Session API enabled | The Session API can be used to retrieve session data of the end-user. |
| Storage API enabled | The Storage API can be used to store generic data needed in some authentication flows (currently only sign in with Apple). |
Experimental features¶
The following option is available:
| Option | Description |
|---|---|
| Experimental features enabled | When enabled, all the experimental features that are currently available are activated. Experimental features might not be fully implemented. Use this option for test purposes only. |