February 23, 2020 at 3:03 am #27676 l.scorcia (Participant)
Hi, I am using the Self Service user registration with the option ‘Email Verification’ – it works well and lets me know that the user is really the owner of the email address used to sign in. However, after logging in, users can change their address to something different and AM does not send a confirmation email to the new address before applying the change, possibly associating their account with other people’s email.
Is there anything that can be done to achieve this result?
Also, even if I remove the email attribute from the self-service, a skilled user could use the APIs to update his own profile. Can I completely prevent subsequent changes of the email attribute?
Thanks for your help,
Luca

March 3, 2020 at 2:58 pm #27721 Andy Cory (Participant)
I think the logic behind this behaviour is that the user can change his email address after authenticating, meaning AM trusts he is who he says he is. During a registration there is no such trust. The AM self service flows are relatively simplistic – the answer from ForgeRock is likely to be that AM shouldn’t really be used for anything but the simplest identity management tasks, and a product like IDM should be used if the requirements are beyond the scope of AM.
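
The behaviour asked for in the question (the new address is confirmed before it replaces the verified one, and direct writes to the email attribute are refused), as an added example that is not part of the thread and does not use AM's or IDM's API. `EmailChangeGuard`, the in-memory user store, the `mail` attribute name and the 15-minute token lifetime are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900  # seconds a confirmation link stays valid (assumed value)


class EmailChangeGuard:
    """Keeps the verified address in place until the new one is confirmed."""

    def __init__(self, users, send_mail, now=time.time):
        self.users = users          # {username: {"mail": ...}}, stand-in for the user store
        self.send_mail = send_mail  # callable(address, token), stand-in for the mailer
        self.now = now
        self.pending = {}           # sha256(token) -> (username, new_mail, expiry)

    def update_profile(self, username, changes):
        """Self-service or API profile update: 'mail' is never written directly."""
        if "mail" in changes:
            raise PermissionError("mail changes must go through request_change()")
        self.users[username].update(changes)

    def request_change(self, username, new_mail):
        """Record the requested address and mail a one-time token to it."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self.pending[digest] = (username, new_mail, self.now() + TOKEN_TTL)
        self.send_mail(new_mail, token)  # only the new mailbox's owner sees the token

    def confirm(self, username, token):
        """Apply the change only for a valid, unexpired token issued to this user."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on first attempt
        if entry is None:
            return False
        owner, new_mail, expiry = entry
        if owner != username or self.now() > expiry:
            return False
        self.users[username]["mail"] = new_mail
        return True


if __name__ == "__main__":
    outbox = []  # constructed sample data
    store = {"luca": {"mail": "luca@example.com"}}
    guard = EmailChangeGuard(store, lambda addr, tok: outbox.append((addr, tok)))
    guard.request_change("luca", "new@example.org")
    print(store["luca"]["mail"])                 # still the verified address
    print(guard.confirm("luca", outbox[0][1]), store["luca"]["mail"])
```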