From: Krzysztof B. <kb...@un...> - 2018-02-10 17:54:49
Hi Willem,

On 08.02.2018 at 10:35, Willem Elbers wrote:
> Dear Krzysztof,
>
> we have been noticing a pattern with some end-users being confused
> with our current workflow where account acceptance and email
> confirmation are running in parallel.
>
> Especially when accounts are accepted before the email address is
> confirmed (sometimes the confirmation email might end up in the spam
> folder or the user ignored the email). If users try to log in or reset
> the password they get the generic error message "invalid username,
> credential or external authentication failed". There is no indication
> that the account is not active because of the unconfirmed email address.
>
> 1. Ideally we would like to switch to a sequential accept and confirm
> workflow, where the email confirmation link is included in the
> acceptance email. So (1) an admin accepts the account request, (2) this
> triggers sending the acceptance email to the user with a confirmation
> link included, (3) after confirming the email address the account is
> ready to be used. Is such a workflow currently supported? If not we
> would like to make this a feature request.

OK, understood. No, this is not possible currently. Do you use the user's email as login? I.e. the email identity is subject to confirmation? If so, then it should be possible to achieve the above with the following feature: an additional checkbox in the registration form config:

[ ] trigger email verification only after request acceptance

Does it sound OK?

> 2. Additionally, could the error message in this case be improved, so it is
> clear to the user that confirmation is still required? I guess the
> downside here is that this could be abused to leak information about
> what accounts might exist or not.

Well, we can think about something like this, but only if a proper password is provided (i.e. valid password and existing but not verified email as login).

As a short-term solution you can change the generic authN failure message to something better matching your needs.

Thanks,
Krzysztof
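The rule discussed in point 2 (name the unconfirmed-email state only once a valid password has been supplied, and return the generic failure otherwise) can be sketched as follows. This is an added example, not code from Unity IdM or from either correspondent; the in-memory account store, the PBKDF2 storage format, the function names and the wording of the "unconfirmed" message are all assumptions.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "invalid username, credential or external authentication failed"
UNCONFIRMED = "email address not confirmed yet; please use the confirmation link"  # assumed wording
ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(password, email_confirmed):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "email_confirmed": email_confirmed}


# Placeholder record hashed against when the login is unknown, so unknown and
# known logins cost the same work and response time does not reveal existence.
_DUMMY = make_account(os.urandom(16).hex(), False)


def login(accounts, email, password):
    """Return (success, message) without revealing whether the login exists."""
    account = accounts.get(email)
    record = account if account is not None else _DUMMY
    candidate = hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["hash"])
    # Unknown login and wrong password are indistinguishable to the caller.
    if account is None or not password_ok:
        return False, GENERIC_FAILURE
    # Only a caller who already holds the valid password learns the state.
    if not account["email_confirmed"]:
        return False, UNCONFIRMED
    return True, "ok"


# Constructed sample accounts (not real data).
ACCOUNTS = {
    "confirmed@example.org": make_account("correct horse", True),
    "pending@example.org": make_account("battery staple", False),
}
```

The password-reset path mentioned in the original question has no password to check, so it would still need the generic response to avoid the same leak.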