The Auto Create Account action creates an account through the designated account manager if none exists yet. It is meant for logins through external authenticators, such as Facebook or Google, or through an authenticator that only has a credential manager, such as an HTML form backed by LDAP.
Its purpose is to create a non-active account that can be used for account linking and similar purposes. In general there is no need to auto-create accounts for foreign logins, but some features require one; Auto Link Accounts is one of them.
The action takes the incoming username and looks for an account with that username. Because it is auto-creating, it also requires that the account it finds was created by the same authenticator the action is running on.
If such an account is found, nothing is done. Otherwise a new account is created with a minimal set of attributes. Depending on the configuration, email and phonenumber can be populated on the account as well, and all other incoming attributes are added if add-extra-attributes is set to true.
By default the username, email and phone number attributes are read from the subject attributes. The source can be changed with the settings username-attribute-source, email-attribute-source and phone-number-attribute-source; the alternative sources are the context attributes and the action attributes.
The account is marked active if the configured account-manager's Account Verification Method is set to no-verification; otherwise it is marked inactive.
Note
An auto-created account is marked inactive unless the account manager uses no-verification, and an inactive account cannot be used to log in with an HTML form authenticator.
The following configuration options are available:
username-attribute
subject-attributes
context-attributes
action-attributes
email-attribute
phone-number-attribute
extra-attributes-source
fail-on-conflicts
auto-create-link
subject
If you use the auto-create-link functionality, make sure the authenticator this action is attached to has an account-domain configured; otherwise no link will be created.
Fig. 91 Auto Create Account configuration dialog
The created account gets a unique ID and uses the username from the incoming attributes. If the email setting is left empty, the user is given a generated email of the form rnd-identifier@autogen.curity.se.
When using Auto Create Account, it is an error if a configured attribute is not present in the incoming attributes. If, for example, email is configured to be read from the email attribute and no attribute with that name exists among the incoming attributes, the server produces an error.
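The decision flow described on this page (username lookup restricted to the same authenticator, optional email and phone number from a configurable source, extra attributes, active/inactive depending on the account manager's verification method, the generated fallback email, and the error on a missing configured attribute) is modelled below as an added example. It is not Curity's own code: the class and function names, the field names on the config object, the format of the generated account ID and of the random part of the fallback email, and the sample incoming attributes are all constructed here for illustration. The page does not describe what happens when the username already exists under a different authenticator (the fail-on-conflicts option), so the model does not handle that case.

```python
"""Added example: a model of the Auto Create Account flow. Names are invented."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets

# The three attribute sources named on the page.
ATTRIBUTE_SOURCES = ("subject-attributes", "context-attributes", "action-attributes")


class MissingAttributeError(Exception):
    """A configured attribute is absent from the incoming attributes."""


@dataclass
class Account:
    account_id: str
    username: str
    email: str
    phone_number: Optional[str]
    authenticator: str  # authenticator that created the account
    active: bool
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class AutoCreateConfig:
    # Attribute names and sources; defaults follow the page (subject attributes).
    # Field names are assumptions, not Curity's configuration keys.
    username_attribute: str = "subject"
    username_attribute_source: str = "subject-attributes"
    email_attribute: Optional[str] = None
    email_attribute_source: str = "subject-attributes"
    phone_number_attribute: Optional[str] = None
    phone_number_attribute_source: str = "subject-attributes"
    add_extra_attributes: bool = False
    extra_attributes_source: str = "subject-attributes"


class AccountManager:
    """In-memory stand-in for a configured account manager."""

    def __init__(self, verification_method: str) -> None:
        self.verification_method = verification_method
        self.accounts: list = []

    def find(self, username: str, authenticator: str) -> Optional[Account]:
        # Only an account created by the same authenticator counts as a match.
        for acct in self.accounts:
            if acct.username == username and acct.authenticator == authenticator:
                return acct
        return None

    def create(self, acct: Account) -> Account:
        self.accounts.append(acct)
        return acct


def lookup(attrs: Dict[str, Dict[str, str]], source: str, name: str) -> str:
    """Read one attribute from the configured source; a missing one is an error."""
    if source not in ATTRIBUTE_SOURCES:
        raise ValueError(f"unknown attribute source: {source}")
    bucket = attrs.get(source, {})
    if name not in bucket:
        raise MissingAttributeError(f"{name!r} not found in {source}")
    return bucket[name]


def auto_create_account(cfg: AutoCreateConfig, manager: AccountManager,
                        authenticator: str,
                        attrs: Dict[str, Dict[str, str]]) -> Tuple[Account, bool]:
    """Return (account, created). If a matching account exists, nothing is done."""
    username = lookup(attrs, cfg.username_attribute_source, cfg.username_attribute)
    existing = manager.find(username, authenticator)
    if existing is not None:
        return existing, False

    if cfg.email_attribute:
        email = lookup(attrs, cfg.email_attribute_source, cfg.email_attribute)
    else:
        # No email configured: rnd-identifier@autogen.curity.se (random part assumed)
        email = f"{secrets.token_hex(8)}@autogen.curity.se"

    phone = None
    if cfg.phone_number_attribute:
        phone = lookup(attrs, cfg.phone_number_attribute_source, cfg.phone_number_attribute)

    extra: Dict[str, str] = {}
    if cfg.add_extra_attributes:
        extra = dict(attrs.get(cfg.extra_attributes_source, {}))

    # Active only when the account manager requires no verification.
    active = manager.verification_method == "no-verification"

    acct = Account(account_id=secrets.token_urlsafe(16), username=username,
                   email=email, phone_number=phone, authenticator=authenticator,
                   active=active, attributes=extra)
    return manager.create(acct), True


# Constructed sample of incoming attributes, grouped by source.
SAMPLE_ATTRIBUTES = {
    "subject-attributes": {"subject": "alice", "email": "alice@example.com",
                           "given_name": "Alice"},
    "context-attributes": {"phone": "+15551234567"},
    "action-attributes": {},
}
```

Running the flow twice for the same authenticator returns the same account the second time; running it with an account manager set to no-verification yields an active account, while any other verification method yields an inactive one.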