Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
The Registration Identity Authenticator may be used to create and authenticate a new account from data entered by the end-user.
The Registration Identity Authenticator component inherits from the Identity Authenticator.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | None |
authentication-method-reference | |
schema-urn | |
identity-provider-type-attribute | |
identity-provider-type-default | |
register-resource-attribute | |
additional-attribute-values | |
verify-attributes-against-external-identity-provider | |
description
Description | A description for this Identity Authenticator |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
authentication-method-reference
Description | Specifies identifiers of the authentication methods provided by this Registration Identity Authenticator. Each value is exposed in the "amr" (authentication method reference) claim in an ID token, and also the "lastLoginMethods" and "lastSecondFactorMethods" properties of a user session SCIM sub-resource. |
Default Value | registration |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
schema-urn
Description | The URN which identifies the SCIM extension schema that should contain attributes intended for this Registration Identity Authenticator in authentication request and response messages. |
Default Value | urn:pingidentity:scim:api:messages:2.0:RegistrationAuthenticationRequest |
Allowed Values | A URN begins with 'urn:', is followed by a namespace component that is no more than 32 alpha-numeric characters long, which is followed by one or more colon-delimited identifiers consisting of legal URN characters (letters, digits, and characters in '()+,-.:=@;$_!*'). For example, a URN in the 'acme' namespace might be "urn:acme:identity:User.name". |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
identity-provider-type-attribute
Description | The name of an attribute that should be added to the account, to indicate which identity provider type (such as 'google') was used to authenticate the user being registered. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
identity-provider-type-default
Description | A default value for 'identity-provider-type-attribute', if it could not be automatically determined. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
register-resource-attribute
Description | The resource attribute paths that the Registration Identity Authenticator should trust the client to set. Attributes submitted by the client not in this list will be ignored. Examples of valid attribute paths are:
|
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
additional-attribute-values
Description | Name and value pairs for any additional attributes that the Registration Identity Authenticator should set. Examples of valid additional attribute values are:
|
Default Value | No additional attribute values are set. |
Allowed Values | The 'name' must be a valid SCIM attribute name for the user schema, and 'value' must be a valid value for that attribute type. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
verify-attributes-against-external-identity-provider
Description | A list of attribute values which must be verified against the external identity provider, when users are authenticated using an external identity. The registration will be rejected if any of these attributes are present in both the client resource and the external identity, but the client value does not match the external one. If any of these attributes are missing from the client resource but present in the external identity, they will be set to the external value. |
Default Value | No attributes need to be verified. |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
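The following is an added illustration, not product code: a simplified Python model of how register-resource-attribute (the allow-list of client-settable attributes) and verify-attributes-against-external-identity-provider combine, as described in the property tables above. It assumes flat top-level attribute names, that the allow-list is applied before verification, and that a client value is kept when the external identity has no value for it; the function names and sample data are constructed.

```python
# Simplified model of the documented semantics; not the product's implementation.
# Assumptions: flat attribute names, allow-list applied before verification.

class RegistrationRejected(Exception):
    """Raised when a client value contradicts the external identity provider."""


def build_registration_resource(client, external, register_attrs, verify_attrs):
    """Return the attributes that would be stored for the new account.

    client         -- attributes submitted by the end-user's client
    external       -- attributes asserted by the external identity provider
    register_attrs -- models register-resource-attribute (allow-list)
    verify_attrs   -- models verify-attributes-against-external-identity-provider
    """
    allowed = set(register_attrs)
    # Client attributes that are not in the allow-list are ignored.
    resource = {k: v for k, v in client.items() if k in allowed}

    for name in verify_attrs:
        if name not in external:
            continue  # assumption: nothing to verify against, client value is kept
        if name in resource:
            # Present on both sides: the values must match or registration fails.
            if resource[name] != external[name]:
                raise RegistrationRejected(f"{name} does not match external identity")
        else:
            # Missing from the client resource: take the external value.
            resource[name] = external[name]
    return resource


def try_register(client, external, register_attrs, verify_attrs):
    """Return (accepted, resource) on success or (False, reason) on rejection."""
    try:
        return True, build_registration_resource(
            client, external, register_attrs, verify_attrs)
    except RegistrationRejected as exc:
        return False, str(exc)


# Constructed sample data (not taken from the product documentation).
REGISTER_ATTRS = ["userName", "email", "displayName"]
VERIFY_ATTRS = ["email"]
EXTERNAL = {"email": "alice@example.com", "sub": "1234"}

if __name__ == "__main__":
    print(try_register({"userName": "alice", "isAdmin": True},
                       EXTERNAL, REGISTER_ATTRS, VERIFY_ATTRS))
    print(try_register({"userName": "alice", "email": "ceo@example.com"},
                       EXTERNAL, REGISTER_ATTRS, VERIFY_ATTRS))
```

The first call shows an attribute outside the allow-list being dropped and the verified attribute filled in from the provider; the second shows a mismatched client value causing rejection.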
To list the configured Identity Authenticators:
dsconfig list-identity-authenticators [--property {propertyName}] ...
To view the configuration for an existing Identity Authenticator:
dsconfig get-identity-authenticator-prop --authenticator-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Identity Authenticator:
dsconfig set-identity-authenticator-prop --authenticator-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Registration Identity Authenticator:
dsconfig create-identity-authenticator --authenticator-name {name} --type registration --set register-resource-attribute:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Identity Authenticator:
dsconfig delete-identity-authenticator --authenticator-name {name}