Account Managers

Account managers handle user accounts for authentication. They are used in the Authentication Service and in the Token Service whenever access to an account is needed.

The following tasks are performed by an account manager:

  1. Create new accounts
  2. Delete accounts
  3. Update accounts
  4. Activate accounts
  5. Link accounts
  6. Look up accounts
  7. Look up linked accounts
  8. Delete links on accounts

Registration - Create account

Registration is the process of creating new accounts. It can be used if the account manager has registration enabled in the configuration.

When registration is enabled, authenticators (such as the HTML Forms Authenticator) will show the registration option, and users can create accounts.

Account Verification Method

Account Verification deals with making sure that the user exists. Typically this is done by sending an email with a confirmation link to the address the user has entered.

Until Account Verification has completed, the account is de-activated and the user cannot authenticate.

Account registration attempts can be throttled. See throttling.

If the Account Verification Method is set to email-verification or totp-email-verification, it is also possible to configure the following settings:

  • max-verification-period

Defines how long the user has to activate the account using the relevant verification method. After this period has elapsed, the account can no longer be activated with the verification method unless the registration is restarted. In some cases, the only way to activate the account after this period has elapsed is through another mechanism, such as the APIs provided in the User Management profile.

  • max-unverified-account-period

If configured, defines an expiration time for accounts that did not get activated after registration. After this period has elapsed, the un-activated account is eligible to be deleted the next time someone attempts to register an account with the same email address, so that the newer registration can proceed.

This setting is related to, but not the same as max-verification-period. While max-verification-period is a time limit for the user to complete their account registration, max-unverified-account-period is a time limit in which the presence of the un-activated account may forbid other accounts from registering with the same email address.

If max-unverified-account-period is not configured, a malicious user can register several email addresses without ever verifying them, which makes it impossible for the legitimate owners of those addresses to register an account with them later. Configuring this setting prevents that.
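The interplay of the two timers above, as an added model (not code from the Curity Identity Server): time values are plain seconds, the account store and policy classes are constructed for illustration, and the sample timestamps are made up.

```python
from dataclasses import dataclass
from typing import Optional

HOUR, DAY = 3600, 86400

@dataclass
class RegistrationPolicy:
    """Constructed model of the two timers above, in seconds; None = not configured."""
    max_verification_period: int
    max_unverified_account_period: Optional[int] = None

@dataclass
class StoredAccount:
    email: str
    created_at: int  # epoch seconds (constructed sample values below)
    activated: bool = False

def can_activate(account: StoredAccount, policy: RegistrationPolicy, now: int) -> bool:
    """The verification link only works within max-verification-period of registration."""
    if account.activated:
        return False
    return now - account.created_at <= policy.max_verification_period

def registration_outcome(existing: Optional[StoredAccount], policy: RegistrationPolicy, now: int) -> str:
    """Outcome of a new registration for an email that may already be taken: 'proceed',
    'replace-stale' (un-activated account older than the period may be deleted first) or 'blocked'."""
    if existing is None:
        return "proceed"
    if existing.activated:
        return "blocked"
    if policy.max_unverified_account_period is None:
        return "blocked"  # no expiry configured: an unverified account reserves the address forever
    if now - existing.created_at > policy.max_unverified_account_period:
        return "replace-stale"
    return "blocked"

def demo() -> dict:
    """Constructed scenario: 24h to verify, un-activated accounts expire after 7 days."""
    t0 = 1_700_000_000
    squatted = StoredAccount("victim@example.com", created_at=t0)
    with_expiry = RegistrationPolicy(24 * HOUR, 7 * DAY)
    without_expiry = RegistrationPolicy(24 * HOUR)
    return {
        "activate_in_time": can_activate(squatted, with_expiry, t0 + 23 * HOUR),
        "activate_too_late": can_activate(squatted, with_expiry, t0 + 25 * HOUR),
        "reregister_day2": registration_outcome(squatted, with_expiry, t0 + 2 * DAY),
        "reregister_day8": registration_outcome(squatted, with_expiry, t0 + 8 * DAY),
        "reregister_no_expiry": registration_outcome(squatted, without_expiry, t0 + 365 * DAY),
    }
```

The last entry of `demo()` shows the squatting case: without max-unverified-account-period the address stays blocked even a year later.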

See Enable Registration for the full configuration options available.

Username is Email

The setting username-is-email (and corresponding AccountManager.useUsernameAsEmail method in the SDK service) specifies that the username is to be used as primary email whenever an email is needed.

When set, this means that no other email attribute is required for the account, and the email field in the Create Account or Reset Password page is hidden.

All emails, such as Activation or Reset Password, will be sent to the address taken from the username attribute. This requires all user names to be functional email addresses.

If Active Directory is used as the account data source, this setting cannot be used. Active Directory requires a sAMAccountName which is not in the form of an email.

Group Management

Experimental

Accounts managed by an Account Manager support the concept of groups, as defined by the SCIM (System for Cross-domain Identity Management) specification. By default, these groups are stored as simple strings inside the stored accounts.

It is also possible to store groups and their account membership relations in an Entity Manager, configured with an Entity Schema having group support. This enables the Curity Identity Server to expose group management interfaces such as the SCIM Groups endpoint.

Configuring an Account Manager with an Entity Manager that has group support changes how the groups attribute of an account is computed:

  • On single account retrieval, the groups stored inside the account are ignored, and the Entity Manager is used instead to compute the account’s groups.
  • On account list retrieval, no group membership will be included in the retrieved accounts.
  • On account creation or mutation, the groups present in the account are ignored. This means that account group membership mutation, such as adding a group to an account, cannot currently be done via an Account Manager, when Group Management is enabled. This aligns with the SCIM specification, which considers the groups attribute of an account as being read-only.
  • On account deletion, the group membership relations for that account are automatically deleted, except if they exceed a maximum number (currently 50). When that happens, the account deletion fails, and some of the group membership relations must be deleted before the account deletion is retried.
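The four rules above, as an added model of an Account Manager with and without an Entity Manager (not the Curity Identity Server's own code): the `EntityManager` class is a hypothetical in-memory stand-in for an Entity Manager with group support, and the 50-membership limit is the one stated in the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_AUTO_DELETED_MEMBERSHIPS = 50  # limit stated in the text above

@dataclass
class Account:
    username: str
    groups: List[str] = field(default_factory=list)  # groups stored inside the account

class EntityManager:
    """Hypothetical stand-in for an Entity Manager with group support (group -> members)."""
    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}
    def add_member(self, group: str, username: str) -> None:
        self.members.setdefault(group, set()).add(username)
    def groups_of(self, username: str) -> List[str]:
        return sorted(g for g, m in self.members.items() if username in m)
    def remove_member_everywhere(self, username: str) -> None:
        for m in self.members.values():
            m.discard(username)

class AccountManager:
    """Models how the groups attribute is computed with and without an Entity Manager."""
    def __init__(self, entity_manager: Optional[EntityManager] = None) -> None:
        self.em = entity_manager
        self.store: Dict[str, Account] = {}
    def create(self, account: Account) -> Account:
        # With group support, groups in the submitted account are ignored (read-only per SCIM).
        groups = [] if self.em else list(account.groups)
        self.store[account.username] = Account(account.username, groups)
        return self.get(account.username)
    def get(self, username: str) -> Account:
        stored = self.store[username]
        groups = self.em.groups_of(username) if self.em else list(stored.groups)
        return Account(username, groups)
    def list(self) -> List[Account]:
        # List retrieval never includes membership when an Entity Manager is configured.
        return [Account(u, [] if self.em else list(a.groups)) for u, a in self.store.items()]
    def delete(self, username: str) -> None:
        if self.em:
            count = len(self.em.groups_of(username))
            if count > MAX_AUTO_DELETED_MEMBERSHIPS:
                raise RuntimeError(f"{username} has {count} group memberships; remove some first")
            self.em.remove_member_everywhere(username)
        del self.store[username]
```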

Note that once an Account Manager is configured with an Entity Manager supporting account groups, all account retrievals will use that Entity Manager to determine the account's group membership.

  • The main advantage is that the account’s group membership will be consistent in all the different places an account is retrieved from an Account Manager, namely: SCIM Users endpoint, authenticators, authentication actions, and claims providers.
  • The disadvantage is that retrieving an account incurs the additional cost of computing the group membership, even when that information isn't needed. A possible improvement is to use two Account Managers: one with a configured Entity Manager, for when group membership is required, and another without one, for when group membership is not needed.

The management of account groups via Entity Managers is experimental and its behavior and configuration model may change in future versions of the Curity Identity Server.
