Submitted by Michel Bluteau
“I Agree” – A Simple Recipe for Identity Manager Self-Registration
It takes advantage of the iFrame gadget/portlet inherited from the days of NPS (Novell Portal Services), which is available from within User Application.
For our example, let’s assume that we want to provide a Self-Registration page for new users so they can create an account for themselves the first time they access Identity Manager. Identity Manager 3.5 allows for pages or portlets to be made public without requiring authentication. Also, let’s assume we want those new users to agree to the T&Cs before being able to access the Self-Registration service.
Setting Up Self-Registration
1. Under Portlet Admin, create a new instance of the Create portlet and name it Self-Registration. This is done by entering a unique name and clicking the Register button.
Figure 1: Creating a Self-Registration instance
2. Modify the settings so Requires Authentication is set to False. This will result in this new portlet being made available for non-authenticated users.
Figure 2: Setting “Requires Authentication” to False
3. Configure a Guest Username that will act as a LDAP Proxy User for creating the user objects. Refer to the documentation for more details.
Figure 3 – Configuring a Guest Username
4. You can also modify the Entity being used by the portlet, to control which objects can be created, and which attributes are being displayed.
Figure 4: Modifying the portlet Entity
5. To create a new Entity for our example, import my Entity using the file provided on the SelfRegisteredUser.xml page.
Figure 5: Creating a new Entity for the example
Here is the Self Registered User entity that allows for the customization of the Self-Registration portlet:
Figure 6: Self Registered User entity
6. Create a Virtual Entity for the Self-Registration portlet, as shown below.
Figure 7: Creating a Virtual Entity for the Self-Registration portlet
7. Create a new Page called Self-Registration, and put it in the Guest Pages category.
Figure 8: New Self-Registration page
8. Under Permissions, remove the checkmark for View Permission Set to Admin Only.
Figure 9: Permissions, checkmark removed
9. Under Arrange Content, add the iFrame portlet.
Figure 10: iFrame portlet added
Figure 11: Pointing the iFrame portlet to your form
In my example, I am using an instance of Tomcat(for iManager) to publish my Consent form. In practice, you could use an eCommerce web server solution, or any web server like Apache or IIS. You may want to use a server that can log these consents for audit purposes. If you decide to use Tomcat, you can just copy the form in /var/opt/novell/tomcat4/server/webapps/manager and access it with http://ip_address:port/manager/form1.html on Linux.
11. You can also modify the preferences for the iFrame portlet.
Figure 12: Modifying preferences for the iFrame portlet
Below is the code for the form1.html file; you can modify it with a text editor.
Accessing the Self-Registration Page
Let’s now try to access the Self-Registration page.
1. Access the default page for Identity Manager
(http://ip_address:port/IDM) and you will see that our new Guest page, Self-Registration, is now available.
Figure 13: Guest page, Self-Registration, now available
2. On the Corporate Policy form that appears, select Self-Registration.
Figure 14: Selecting Self-Registration
Note that the URL being displayed in the browser does not change, which makes it transparent for the end-user. It also obfuscates direct access to the Policy document/form or Self-Registration portlet. A Web Access Management solution such as Novell Access Manager can be used to block the URLs for the Policy form and Self-Registration portlet, while allowing access to the Identity Manager URL, if we want to go beyond obfuscation and truly secure the access. The iFrame portlet will still be able to access the form and portlet.
3. If you click Submit without adding the checkmark in the I Agree box, access is denied and a warning pop-up box is displayed.
Figure 15: Access is denied – no checkmark in “I Agree”
4. Accept the Terms and Conditions, then move to the Self-Registration page and create a new account.
Figure 16: Creating a new account on the Self-Registration page
5. Select a password for the new account.
Figure 17: Selecting a password for the new account
The figure below shows a new account created with a password in eDirectory. The user is now ready to log in to Identity Manager or other services requiring an account/authentication.
Figure 18: New account created with a password in eDirectory
Hopefully, this example will allow you to create your own Self-Registration page or other page, and it will force end-users to agree with T&Cs before accessing the service.
Don’t hesitate to provide me feedback from improvements or other ideas, or if you have questions. There is more than one way to accomplish this, so I am interested in obtaining your feedback.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.