Auto Create Account

The Auto Create Account action creates an account using the designated account manager if none exists. It is meant to be used when the user logs in using external authenticators, such as Facebook or Google, or with an authenticator that only has a credential manager, such as an HTML Form authenticator with an LDAP backend.

The purpose is to create a non-active account that can be used for linking and other purposes. In general, there is no need to auto-create accounts for foreign logins, but in some cases it is needed; Auto Link Accounts is one such case.

Creating accounts

The action looks at the incoming username and searches for an account matching it. Because the action is auto-creating, it only considers an account a match if it was created by the same authenticator the action is running on.

If the account is found, nothing is done. Otherwise a new account is created with a minimum set of attributes. Depending on the configuration it is possible to populate email and phone number along with the account, and also to add all other incoming attributes if add-extra-attributes is set to true. Note that, in the latter case, incoming attributes will override attributes set by this action.

By default the username, email and phone-number attributes are retrieved from the subject attributes. However, it is possible to change this source location by using the settings username-attribute-source, email-attribute-source, and phone-number-attribute-source. The alternative locations are the context attributes and the action attributes.

By default, accounts are created as inactive, but this behavior can be controlled via configuration. Accounts should only be created as active when the data being used is known to be verified (e.g. email address was previously verified).

In most cases, inactive accounts will cause password authentication via a Credential Manager to fail, namely when an HTML Forms authenticator is used.

Configuration

The following configuration options are available:

| Configuration | Mandatory | Description |
|---|---|---|
| account-manager | Yes | Where the account should be created. |
| username-attribute | No | Where username should be found in the incoming attributes. Defaults to subject. |
| username-attribute-source | No | Location where the username attribute is searched (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes. |
| email-attribute | No | Where email should be found in the incoming attributes. If not set, a fake email is used. |
| email-attribute-source | No | Location where the email attribute is searched (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes. |
| phone-number-attribute | No | Where phone number should be found in the attributes. If not set, it is not stored. |
| phone-number-attribute-source | No | Location where the phone number attribute is searched (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes. |
| add-extra-attributes | No | If set to true, all incoming attributes will be added as extra attributes in the account. |
| extra-attributes-source | No | Location where the extra attributes are retrieved from (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes. |
| create-active | No | If set to true, the account is created as active. Defaults to false, i.e. the account is created as inactive. |
| fail-on-conflicts | No | If set to true, any conflict when creating the account (or a link, if auto-create-link is enabled) will cause the action to fail the authentication. |
| auto-create-link | No | If set to true, a link will be created using the configured account-manager. The link will have the newly created account as local account, the subject as foreign account, and the authenticator's account-domain as linking-domain. |

If you use the auto-create-link functionality, make sure the authenticator you attach this action to has an account-domain configured, otherwise no link will be created.

Figure: Auto Create Account configuration dialog

Default Values in the account

The created account will get a unique ID, and will use the username of the incoming attributes. If the email setting is left empty, the user will be given an email in the form rnd-identifier@autogen.curity.se.

Errors

When using auto create account, it is considered an error if a configured attribute is not present. For example, if email is configured to be read from the email attribute, the server will produce an error if there is no attribute with that name in the incoming attributes.
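The following Python sketch is an added illustration, not Curity's implementation: it models the rules described in the "Creating accounts", "Default Values" and "Errors" sections above (attribute lookup from the configured source, the missing-attribute error, the generated fake email, the create-active default, extra-attribute override, and the account-domain requirement for auto-create-link). Configuration keys mirror the table on this page; all function names, the `created-by` field and the in-memory account store are assumptions.

```python
import secrets

# Constructed model of the action's decision rules (not Curity's code).
SOURCES = ("subject-attributes", "context-attributes", "action-attributes")

class MissingAttributeError(Exception):
    """Raised when a configured attribute is absent from the incoming attributes."""

def _lookup(config, attrs, name_key, source_key, default_name=None):
    """Return the configured attribute from its configured source, or None if unconfigured."""
    name = config.get(name_key, default_name)
    if name is None:
        return None
    source = config.get(source_key, "subject-attributes")
    if source not in SOURCES:
        raise ValueError(f"unknown attribute source {source!r}")
    values = attrs.get(source, {})
    if name not in values:
        raise MissingAttributeError(f"{name!r} not present in {source}")
    return values[name]

def auto_create_account(config, attrs, accounts, authenticator, account_domain=None):
    """Return (account, link, created). `accounts` models the account manager's store."""
    username = _lookup(config, attrs, "username-attribute", "username-attribute-source", "subject")
    # Only an account created by the same authenticator counts as a match (assumed field).
    for acct in accounts:
        if acct["username"] == username and acct["created-by"] == authenticator:
            return acct, None, False
    email = _lookup(config, attrs, "email-attribute", "email-attribute-source")
    if email is None:  # no email-attribute configured: a fake address is generated
        email = f"{secrets.token_hex(8)}@autogen.curity.se"
    phone = _lookup(config, attrs, "phone-number-attribute", "phone-number-attribute-source")
    account = {"id": secrets.token_hex(16), "username": username, "email": email,
               "active": bool(config.get("create-active", False)), "created-by": authenticator}
    if phone is not None:  # phone number is only stored when configured
        account["phone-number"] = phone
    if config.get("add-extra-attributes"):
        extra = attrs.get(config.get("extra-attributes-source", "subject-attributes"), {})
        account.update(extra)  # incoming attributes override values set by the action
    accounts.append(account)
    link = None
    if config.get("auto-create-link") and account_domain:  # no account-domain: no link
        link = {"local-account": account["id"], "foreign-account": username,
                "linking-domain": account_domain}
    return account, link, True
```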

Back-channel support

This action can be used in back-channel authentication.
