From: Willem E. <wi...@cl...> - 2018-03-26 12:27:01
Dear Krzysztof,

we are indeed using the user's email as login. This checkbox in the registration form config sounds good. Please add this as a feature request. Do note however that we want to have the confirmation link included in the acceptance email in this case, so that the user only receives a single email.

Best,
Willem

On 10/02/2018 18:54, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> On 08.02.2018 at 10:35, Willem Elbers wrote:
>> Dear Krzysztof,
>>
>> we have been noticing a pattern with some end-users being confused
>> with our current workflow where account acceptance and email
>> confirmation are running in parallel.
>>
>> Especially when accounts are accepted before the email address is
>> confirmed (sometimes the confirmation email might end up in the spam
>> folder or the user ignored the email). If users try to login or reset
>> the password they get the generic error message "invalid username,
>> credential or external authentication failed". There is no indication
>> that the account is not active because of the unconfirmed email address.
>>
>> 1. Ideally we would like to switch to a sequential accept and confirm
>> workflow, where the email confirmation link is included in the
>> acceptance email. So (1) an admin accepts the account request, (2) this
>> triggers sending the acceptance email to the user with a confirmation
>> link included, (3) after confirming the email address the account is
>> ready to be used. Is such a workflow currently supported? If not we
>> would like to make this a feature request.
>
> OK, understood. No, this is not possible currently. Do you use user's
> email as login? I.e. email identity is subject of confirmation?
> If so then it should be possible to achieve the above with the
> following feature: additional checkbox in registration form config:
> [ ] trigger email verification only after request acceptance
>
> Does it sound OK?
>> 2. Additionally, could the error message in this case be improved, so it is
>> clear to the user that confirmation is still required? I guess the
>> downside here is that this could be abused to leak information about
>> what accounts might exist or not.
> well, we can think about something like this but only if a proper
> password is provided (i.e. valid password and existing but not
> verified email as login).
>
> As a short term solution you can change the generic authN failure
> message to something better matching your needs.
>
> Thanks,
> Krzysztof

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
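The rule discussed in point 2 of the thread (reveal "confirmation still required" only when a valid password is supplied for an existing but unverified email) can be sketched as follows. This is an added example, not code from the thread or from the Unity code base; the function names, the `UNCONFIRMED` message text and the sample accounts are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# Generic message quoted in the thread; shown for every failure that must not
# reveal whether the account exists.
GENERIC_FAILURE = "invalid username, credential or external authentication failed"
# Hypothetical wording for the specific message (assumption, not from the thread).
UNCONFIRMED = "email address not confirmed yet; use the link in your acceptance email"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, confirmed: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "confirmed": confirmed}


# Dummy record: unknown logins do the same hashing work as known ones, so
# response time does not distinguish existing from non-existing accounts.
_DUMMY = make_account(os.urandom(16).hex(), confirmed=False)


def login(accounts: dict, email: str, password: str) -> tuple:
    record = accounts.get(email.lower())
    candidate = record if record is not None else _DUMMY
    password_ok = hmac.compare_digest(
        _hash(password, candidate["salt"]), candidate["hash"]
    )
    # Unknown email and wrong password are indistinguishable to the caller.
    if record is None or not password_ok:
        return (False, GENERIC_FAILURE)
    # Only a caller who proved knowledge of the password learns the real reason.
    if not record["confirmed"]:
        return (False, UNCONFIRMED)
    return (True, "ok")


# Constructed sample data.
ACCOUNTS = {
    "alice@example.org": make_account("correct horse", confirmed=True),
    "bob@example.org": make_account("battery staple", confirmed=False),
}

if __name__ == "__main__":
    for email, pw in [("bob@example.org", "battery staple"),
                      ("bob@example.org", "guess"),
                      ("nobody@example.org", "guess")]:
        print(email, "->", login(ACCOUNTS, email, pw))
```

The same rule cannot be applied to the password-reset path mentioned in the thread, since a reset request carries no password to verify; that path has to keep a uniform response.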