Flow to validate email on self service

This topic has 1 reply, 2 voices, and was last updated 4 months ago by Andy Cory.

  • #27676
     l.scorcia
    Participant

    Hi, I am using the Self Service user registration with the option ‘Email Verification’ – it works well and lets me know that the user is really the owner of the email address used to sign in. However, after logging in, users can change their address to something different, and AM does not send a confirmation email to the new address before applying the change, possibly associating his account to other people’s email.
    Is there anything that can be done to achieve this result?
    Also, even if I remove the email attribute from the self-service, a skilled user could use the APIs to update his own profile. Can I completely prevent subsequent changes of the email attribute?

    Thanks for your help,
    Luca

    #27721
     Andy Cory
    Participant

    I think the logic behind this behaviour is that the user can change his email address after authenticating, meaning AM trusts he is who he says he is. During a registration there is no such trust. The AM self service flows are relatively simplistic – the answer from ForgeRock is likely to be that AM shouldn’t really be used for anything but the simplest identity management tasks, and a product like IDM should be used if the requirements are beyond the scope of AM.

©2020 ForgeRock