Although each realm can have variations in what information we collect., or what authentication process is setup, there is a minimum set of recommendations that should be follow in each realm setup.
On this page
| Table of Contents |
|---|
User registration fields
Per Keycloak realm
Field | Mandatory | Type | |
|---|---|---|---|
| 1 | First name | Mandatory | Native to keycloak |
| 2 | Surname | Mandatory | Native to keycloak |
| 3 | Username | Mandatory | Native to keycloak |
| 4 | Email address | Mandatory | Native to keycloak. |
| 5 | Phone number | Recommended as mandatory | +CCC NNNNNNN |
| 6 | WhatsAppID | Optional | +CCC NNNNNNN |
| 7 | Preferred Language | Mandatory | additional field |
| 8 | User profiling | Optional | additional field |
| 9 | Type of worker | Optional | additional field SHOULD IDEALLY BE BASED ON AN STANDARD CLASSIFICATION |
| 10 | Employee ID | Optional | additional field |
| 11 | Health Unit | Optional | additional field |
| 12 | City/Town | Optional | additional field |
| 13 | SubNational L2 | Optional | additional field |
| 14 | SubNational L1 | Optional | additional field |
Information not collected:
Country: not necessary, as the user will be on a real that
Setting username
By realm - Keycloak enforces uniqueness
...
First Name + “.” + Last Name (rodolfo.melia)
Initial First Name + “.” + Last Name (r.melia)
Initial First Name + Last Name (rmelia)
Self Registration
(small custom dev)
Username: pre-populate based on a combination listed above
Validation: Will display an error is username is taken (or if possible as a number: rodolfo.melia1)
email account will need to be validated (see email section)
Use of email
Expected for all users. Keycloak will enforce uniqueness within the Realm
For self-created accounts, users will receive an email that they need to open an visit the suggested URL for email validation
For manually created account or imported accounts, email will set to ‘verified’
Gender
if you ask for gender, consider a 3rd option for ‘do not with to disclose’
F | Female |
M | Male |
Do not want to disclose |
Authentication guidelines
In general, we will setup Keycloak mirroring PSI’s authentication guidelines which can be summarised as detailed below.
Password guidelines
| Status | ||||
|---|---|---|---|---|
|
8 characters or more
Never expires
must include
one lower case,
one upper case,
one number and
one special character
Not user name
Not email
Password recovery
always enabled
Token validity
| Status | ||
|---|---|---|
|
Session values
- Online - 48 hrs
- Offline - 7 days
Account lockout
| Status | ||||
|---|---|---|---|---|
|
after 3 attempts
Wait increments of 1m, up to 15m
auto-reset: 12 hrs.
Expiration date
| Status | ||
|---|---|---|
|
If required, an account can be schedule to expire on a given date. This is used for consultants on short term contracts.
2FA
| Status | ||||
|---|---|---|---|---|
|
Enrolment via FreeOTP, Google or Microsoft authenticator
valid for 30 days per application/device
Example: if a user authenticates Firefox on a given laptop, and then uses Google Chrome on the same device, the user will need to authenticate again.
2FA optional
| Status | ||
|---|---|---|
|
Geo-limit: if IP is > 500 miles from previous login, request 2FA
Email verification
| Status | ||||
|---|---|---|---|---|
|
If a user list is imported, emails can be marked as verified.
If users self-register, they are expected to verify their email by following the link send at the time of account creation.
Phone Verification
| Status | ||
|---|---|---|
|
If a user list is imported, phones can be marked as verified.
...