Versions Compared

Version Old Version 7 New Version 8
Changes made by

Rodolfo Melia

Rodolfo Melia

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Although each realm can have variations in what information we collect., or what authentication process is setup, there is a minimum set of recommendations that should be follow in each realm setup.

On this page

Table of Contents

User registration fields

Per Keycloak realm

Field

Mandatory

Type

1

First name

Mandatory

Native to keycloak

2

Surname

Mandatory

Native to keycloak

3

Username

Mandatory

Native to keycloak

4

Email address

Mandatory

Native to keycloak.
Keycloak enforce uniqueness of email

5

Phone number

Recommended as mandatory

+CCC NNNNNNN
PENDING: can it be set as unique?

6

WhatsAppID

Optional

+CCC NNNNNNN

7

Preferred Language

Mandatory

additional field

8

User profiling
(Gender, Age, or Age range, Date of birth)

per realm Optional

additional field

9

Type of worker

per realmOptional

additional field
Drop down value values per realm

SHOULD IDEALLY BE BASED ON AN STANDARD CLASSIFICATION

10

Employee ID

per realmOptional

additional field

11

Health Unit

per realmOptional

additional field
Drop down value values per realm

12

City/Town

Optional

additional field
Drop down value values per realm

13

SubNational L2
(rename for each realm)per realm

Optional

additional field
Drop down value values per realm

14

SubNational L1
(rename for each realm)per realm

Optional

additional field
Drop down value values per realm

Information not collected:

  • Country: not necessary, as the user will be on a real that

Use of email

  • Expected for all users. Keycloak will enforce uniqueness within the Realm

  • For self-created accounts, users will receive an email that they need to open an visit the suggested URL for email validationFor manually created account or imported accounts, email will set to ‘verified’

Setting username

By realm - Keycloak enforces uniqueness

...

  • First Name + “.” + Last Name (rodolfo.melia)

  • Initial First Name + “.” + Last Name (r.melia)

  • Initial First Name + Last Name (rmelia)

Use of email

  • Expected for all users. Keycloak will enforce uniqueness within the Realm

  • For self-created accounts, users will receive an email that they need to open an visit the suggested URL for email validation

  • For manually created account or imported accounts, email will set to ‘verified’

Gender

if you ask for gender, consider a 3rd option for ‘do not with to disclose’

...

In general, we will setup Keycloak mirroring PSI’s authentication guidelines which can be summarised as detailed below.

...

Password guidelines
Status
colourGreen
title

...

prototyped on june 2023

  • 8 characters or more

  • Never expires

  • must include

    • one lower case,

    • one upper case,

      one number and

    • one special character

  • Not user name

  • Not email

Password recovery

Self-register

...

always enabled

2FA
Status
colourGreen
titleimplemented June 2023

  • Enrolment via FreeOTP, Google or Microsoft authenticator

  • valid for 30 days per application/device

    • Example: if a user authenticates Firefox on a given laptop, and then uses Google Chrome on the same device, the user will need to authenticate again.

...

  • Geo-limit: if IP is > 500 miles from previous login, request 2FA

Email verification
Status
colourGreen
titleimplemented June 2023

If a user list is imported, emails can be marked as verified.

If users self-register, they are expected to verify their email by following the link send at the time of account creation.

Phone Verification
Status
titleNOT IMPLEMENTED

If a user list is imported, phones can be marked as verified.

...