Chapter 4. User Management
This section describes the administration functions for managing users.
4.1. Searching For Users
If you need to manage a specific user, click on
Users in the left menu bar.
This menu option brings you to the user list page. In the search box you can type in a full name, last name, or email address you want to search for in the user database. The query will bring up all users that match your criteria. The
View all users button will list every user in the system. This will search just local Red Hat Single Sign-On database and not the federated database (ie. LDAP) because some backends like LDAP don’t have a way to page through users. So if you want the users from federated backend to be synced into Red Hat Single Sign-On database you need to either:
- Adjust search criteria. That will sync just the backend users matching the criteria into Red Hat Single Sign-On database.
User Federationtab and click
Sync all usersor
Sync changed usersin the page with your federation provider.
See User Federation for more details.
4.2. Creating New Users
To create a user click on
Users in the left menu bar.
This menu option brings you to the user list page. On the right side of the empty user list, you should see an
Add User button. Click that to start creating your new user.
The only required field is
Username. Click save. This will bring you to the management page for your new user.
4.3. User Attributes
Beyond basic user metadata like name and email, you can store arbitrary user attributes. Choose a user to manage then click on the
Enter in the attribute name and value in the empty fields and click the
Add button next to it to add a new field. Note that any edits you make on this page will not be stored until you hit the
4.4. User Credentials
When viewing a user if you go to the
Credentials tab you can manage a user’s credentials.
4.4.1. Changing Passwords
To change a user’s password, type in a new one. A
Reset Password button will show up that you click after you’ve typed everything in. If the
Temporary switch is on, this new password can only be used once and the user will be asked to change their password after they have logged in.
Alternatively, if you have email set up, you can send an email to the user that asks them to reset their password. Choose
Update Password from the
Reset Actions list box and click
Send Email. You can optionally set the validity of the e-mail link which defaults to the one preset in
Tokens tab in the realm settings. The sent email contains a link that will bring the user to the update password screen.
4.4.2. Changing OTPs
You cannot configure One-Time Passwords for a specific user within the Admin Console. This is the responsibility of the user. If the user has lost their OTP generator all you can do is disable OTP for them on the
Credentials tab. If OTP is optional in your realm, the user will have to go to the User Account Management service to re-configure a new OTP generator. If OTP is required, then the user will be asked to re-configure a new OTP generator when they log in.
Like passwords, you can alternatively send an email to the user that will ask them to reset their OTP generator. Choose
Configure OTP in the
Reset Actions list box and click the
Send Email button. The sent email contains a link that will bring the user to the OTP setup screen.
4.5. Required Actions
Required Actions are tasks that a user must finish before they are allowed to log in. A user must provide their credentials before required actions are executed. Once a required action is completed, the user will not have to perform the action again. Here are an explanation of some of the built-in required action types:
- Update Password
- When set, a user must change their password.
- Configure OTP
- When set, a user must configure a one-time password generator on their mobile device using either the Free OTP or Google Authenticator application.
- Verify Email
- When set, a user must verify that they have a valid email account. An email will be sent to the user with a link they have to click. Once this workflow is successfully completed, they will be allowed to log in.
- Update Profile
- This required action asks the user to update their profile information, i.e. their name, address, email, and/or phone number.
Admins can add required actions for each individual user within the user’s
Details tab in the Admin Console.
Setting Required Action
Required User Actions list box, select all the actions you want to add to the account. If you want to remove one, click the
X next to the action name. Also remember to click the
Save button after you’ve decided what actions to add.
4.5.1. Default Required Actions
You can also specify required actions that will be added to an account whenever a new user is created, i.e. through the
Add User button the user list screen, or via the user registration link on the login page. To specify the default required actions go to the
Authentication left menu item and click on the
Required Actions tab.
Default Required Actions
Simply click the checkbox in the
Default Action column of the required actions that you want to be executed when a brand new user logs in.
4.5.2. Terms and Conditions
Many organizations have a requirement that when a new user logs in for the first time, they need to agree to the terms and conditions of the website. Red Hat Single Sign-On has this functionality implemented as a required action, but it requires some configuration. For one, you have to go to the
Required Actions tab described earlier and enable the
Terms and Conditions action. You must also edit the terms.ftl file in the base login theme. See the Server Developer Guide for more information on extending and creating themes.
It is often useful for an admin to impersonate a user. For example, a user may be experiencing a bug in one of your applications and an admin may want to impersonate the user to see if they can duplicate the problem. Admins with the appropriate permission can impersonate a user. There are two locations an admin can initiate impersonation. The first is on the
Users list tab.
You can see here that the admin has searched for
jim. Next to Jim’s account you can see an impersonate button. Click that to impersonate the user.
Also, you can impersonate the user from the user
Near the bottom of the page you can see the
Impersonate button. Click that to impersonate the user.
When impersonating, if the admin and the user are in the same realm, then the admin will be logged out and automatically logged in as the user being impersonated. If the admin and user are not in the same realm, the admin will remain logged in, but additionally be logged in as the user in that user’s realm. In both cases, the browser will be redirected to the impersonated user’s User Account Management page.
Any user with the realm’s
impersonation role can impersonate a user. Please see the Admin Console Access Control chapter for more details on assigning administration permissions.
4.7. User Registration
You can enable Red Hat Single Sign-On to allow user self registration. When enabled, the login page has a registration link the user can click on to create their new account.
When user self registration is enabled it is possible to use the registration form to detect valid usernames and emails. To prevent this enable reCAPTCHA Support.
Enabling registration is pretty simple. Go to the
Realm Settings left menu and click it. Then go to the
Login tab. There is a
User Registration switch on this tab. Turn it on, then click the
After you enable this setting, a
Register link should show up on the login page.
Clicking on this link will bring the user to the registration page where they have to enter in some user profile information and a new password.
You can change the look and feel of the registration form as well as removing or adding additional fields that must be entered. See the Server Developer Guide for more information.
4.7.1. reCAPTCHA Support
To safeguard registration against bots, Red Hat Single Sign-On has integration with Google reCAPTCHA. To enable this you need to first go to Google Recaptcha Website and create an API key so that you can get your reCAPTCHA site key and secret. (FYI, localhost works by default so you don’t have to specify a domain).
Next, there are a few steps you need to perform in the Red Hat Single Sign-On Admin Console. Click the
Authentication left menu item and go to the
Flows tab. Select the
Registration flow from the drop down list on this page.
Set the 'reCAPTCHA' requirement to
Required by clicking the appropriate radio button. This will enable reCAPTCHA on the screen. Next, you have to enter in the reCAPTCHA site key and secret that you generated at the Google reCAPTCHA Website. Click on the 'Actions' button that is to the right of the reCAPTCHA flow entry, then "Config" link, and enter in the reCAPTCHA site key and secret on this config page.
Recaptcha Config Page
The final step you have to do is to change some default HTTP response headers that Red Hat Single Sign-On sets. Red Hat Single Sign-On will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to authorize Google to use the registration page within an iframe. Go to the
Realm Settings left menu item and then go to the
Security Defenses tab. You will need to add
https://www.google.com to the values of both the
Once you do this, reCAPTCHA should show up on your registration page. You may want to edit register.ftl in your login theme to muck around with the placement and styling of the reCAPTCHA button. See the Server Developer Guide for more information on extending and creating themes.