Auto Create Account

The auto create account action creates an account using the designated account manager if none exists. It is meant to be used when the user logs in using external authenticators, such as Facebook or Google, or with an authenticator that only has a credential manager, such as HTML form with an LDAP backend.

The purpose is to create a non-active account that can be used for linking and other purposes. In general, there is no need to auto-create accounts for foreign logins, but in some cases it’s needed. Auto Link Accounts is one of those.

Creating accounts

The action will look at the incoming username, and look for an account matching that. Since we are auto-creating, it will make sure that the account it finds is created using the same Authenticator as the current action is running on.

If the account is found, nothing is done. Otherwise it creates a new account, with a minimum set of attributes defined. Depending on the configuration it’s possible to populate email and phonenumber along with the account, but also add all other incoming attributes if add-extra-attributes is set to true.

By default the username, email and phone number attributes are retrieved from the subject attributes. However it is possible to change this source location by using the settings username-attribute-source, email-attribute-source, and phone-number-attribute-source. The alternative locations are the context attributes and the action attributes.

The account will be marked as active if the configured account-manager’s Account Verification Method is set to no-verification; otherwise it will be marked inactive.


An auto created account cannot be used to login with using an HTML form authenticator since it will be marked as inactive.


The following configuration options are available:

Configuration Mandatory Description
account-manager yes Where the account should be created.
username-attribute no Where username should be found in the incoming attributes. Defaults to “subject”.
username-attribute-source no Location where the username attribute is searched (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes.
email-attribute no Where email should be found in the incoming attributes. If not set, a fake email is used.
email-attribute-source no Location where the email attribute is searched (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes.
phone-number-attribute no Where phone number should be found in the attributes. If not set, it is not stored.
phone-number-attribute-source no Location where the phone number attribute is searched (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes.
add-extra-attributes no If set to true, all incoming attributes will be added as extra attributes in the account.
extra-attributes-source no Location where the extra attributes are retrieved from (subject-attributes, context-attributes, or action-attributes). Defaults to subject-attributes.
fail-on-conflicts no If set to true, any conflict when creating the account (or a link if the auto-create-link is enabled will cause the action to fail the authentication.
auto-create-link no If set to true, a link will be created, using the configured account-manager. The link will have as local account the newly created one, foreign account the subject and linking-domain the authenticator’s account-domain.


If you use the auto-create-link functionality, make sure the authenticator you attach this action to has an account-domain configured, otherwise no link will be created.


Fig. 97 Auto Create Account configuration dialog

Default Values in the account

The created account will get a unique ID, and will use the username of the incoming attributes. If the email setting is left empty, the user will be given an email in the form


When using auto create account, it is considered an error if the defined attributes are not present. If say email is configured to exist in the email attribute, for example, then the server will produce an error if there is no attribute with that name in the incoming attributes.