Rate this page

Registration Authenticator

Schema URN
urn:pingidentity:scim:api:messages:2.0:RegistrationAuthenticationRequest

The Registration identity authenticator allows the end user to create a new account during the authentication process. This authenticator should be used with the Login flow.

Field Type Description
status string Indicates the authenticator state. Values are unavailable, ready, failure, or success.
registrableAttributes array An array of strings, consisting of attribute names that may be set by the auth UI during registration. Attribute names are expressed as SCIM paths.
registerResourceAttributes complex An object consisting of proposed attribute names and values for the user to be created. Attribute names are expressed as SCIM paths and must be found in the set of registrableAttributes.
passwordRequirements array An array of rules that must be satisfied by the new user’s password.

Password quality requirements

Password quality requirements are sets of rules enforced by the user store when setting a user’s password. These correspond to password validators in a Ping Identity Directory Server’s configuration.

Password quality requirement objects will always contain the type and description fields. Other fields may be present, depending on the type.

Field Type Description
type string The type of password requirement. See the table below.
description string A human-readable description of the password requirement.
requirementSatisfied boolean Whether or not a proposed password satisfied this password requirement. This field only appears if a proposed password has been rejected.
additionalInfo string A human-readable message explaining why a password change attempt failed. This field only appears if a proposed password has been rejected.

Possible password requirement types include:

Password requirement type Description
attributeValue The password value must not be present in another attribute of the user.
characterSet The password must contain at least a specified number of characters from one or more character sets defined by the password requirement.
haystack The password must satisfy a configurable requirement based upon the password haystacks concept.
length The password must meet a minimum/maximum length requirement.
regularExpression The password must match a configured regular expression.
repeatedCharacters The password may not contain a configured number of consecutive characters.
uniqueCharacters The password must contain a minimum number of unique characters.

The user store may also be configured with custom password requirements with other type values.

Registration

In its initial state, the Registration identity authenticator will provide a list of attributes that may be set when creating a new user. The auth UI is expected to present these to the end user using human-readable display names.

{
  "urn:pingidentity:scim:api:messages:2.0:RegistrationAuthenticationRequest": {
    "registrableAttributes": [
      "emails[type eq \"home\"].value",
      "name",
      "password",
      "phoneNumbers[type eq \"mobile\"].value",
      "userName"
    ],
    "passwordRequirements": [],
    "status": "ready"
  }
}

The auth UI submits a registration request by providing the new user attributes in the registerResourceAttributes field. The auth UI is expected to submit values using the correct data type; note how name is a complex attribute in the following example:

{
  "urn:pingidentity:scim:api:messages:2.0:RegistrationAuthenticationRequest": {
    "registrableAttributes": [
      "emails[type eq \"home\"].value",
      "name",
      "password",
      "phoneNumbers[type eq \"mobile\"].value",
      "userName"
    ],
    "registerResourceAttributes": {
      "emails[type eq \"home\"].value": "horselover@example.com",
      "name": {
        "givenName": "Horselover",
        "familyName": "Fat",
        "formatted": "Horselover Fat"
      },
      "password": "password",
      "phoneNumbers[type eq \"mobile\"].value": "555-555-5555",
      "userName": "horselover"
    },
    "passwordRequirements": [],
    "status": "ready"
  }
}

If the registration attempt succeeds, then the status field will be set to success:

{
  "urn:pingidentity:scim:api:messages:2.0:RegistrationAuthenticationRequest": {
    "registrableAttributes": [
      "emails[type eq \"home\"].value",
      "name",
      "password",
      "phoneNumbers[type eq \"mobile\"].value",
      "userName"
    ],
    "status": "success"
  }
}

Note that the end user will be considered logged in following a successful registration; there is no need to immediately prompt the end user for his or her username and password.