Although each realm can vary in what information is collected or in how authentication is set up, there is a minimum set of recommendations that should be followed in every realm setup.
...
# | Field | Mandatory | Notes
---|---|---|---
1 | First name | Mandatory | Native to Keycloak
2 | Surname | Mandatory | Native to Keycloak
3 | Username | Mandatory | Native to Keycloak
4 | Email address | Mandatory | Native to Keycloak
5 | Phone number | Recommended as mandatory | Additional field, stored as +CCC NNNNNNN (country code followed by the national number, as in E.164)
6 | WhatsApp ID | Optional | Additional field, stored as +CCC NNNNNNN
7 | Preferred language | Mandatory | Additional field
8 | User profiling | Optional | Additional field
9 | Type of worker | Optional | Additional field; should ideally be based on a standard classification
10 | Employee ID | Optional | Additional field
11 | Health unit | Optional | Additional field
12 | City/Town | Optional | Additional field
13 | SubNational L2 | Optional | Additional field
14 | SubNational L1 | Optional | Additional field
Information not collected:
Country: not necessary, as the user will be in the realm that represents that country.
Gender
If asking for gender, consider a third option for 'do not wish to disclose':
| Code | Label |
|---|---|
| F | Female |
| M | Male |
| | Do not want to disclose |
Username
Per realm: Keycloak enforces username uniqueness within a realm.
...
Choose one of the following patterns for the realm:
First name + "." + last name (rodolfo.melia)
Initial of first name + "." + last name (r.melia)
Initial of first name + last name (rmelia)
Self Registration
(small custom development)
Username: pre-populated from one of the combinations listed above.
Validation: display an error if the username is already taken (or, if possible, append a number: rodolfo.melia1).
The email address will need to be validated (see the email section).
Use of email
Expected for all users. Keycloak enforces email uniqueness within the realm.
For self-created accounts, users receive an email and must open it and visit the link it contains to validate the address.
For manually created or imported accounts, the email is set to 'verified'.
Email verification
If a user list is imported, emails can be marked as verified.
If users self-register, they are expected to verify their email by following the link sent at the time of account creation.
Authentication guidelines
In general, Keycloak will be set up to mirror PSI's authentication guidelines, which are summarised below.
Password guidelines
Password complexity
8 characters or more
Never expires (see Password expiration below)
Must include:
one lower-case letter,
one upper-case letter,
one number and
one special character
Must not be the same as the username
Must not be the same as the email address
Password expiration
We do not recommend setting a password expiry date, since 2FA is in use. A password should still be changed when there is evidence of compromise (for example, the credential appears in a breach dump); in Keycloak this can be forced per user with the "Update Password" required action.
Password recovery
Always enabled (the "Forgot password" option in the realm login settings).
Token validity
Session values (applied through the realm's SSO session and offline session settings):
- Online - 48 hrs
- Offline - 7 days
Account lockout
Applied with Keycloak's brute force detection, as a temporary (not permanent) lockout:
After 3 failed attempts
Wait in increments of 1 minute, up to 15 minutes
Auto-reset: the failure counter is cleared after 12 hrs
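The password, session and lockout values above map onto fields of the Keycloak realm representation. The following is an added example (not code from the original page or from Keycloak) that builds those settings, gives a local pre-check of a candidate password against the same policy (useful for a self-registration form, while Keycloak still enforces it server-side), and shows the Admin REST API call that applies the settings. It assumes that "Online - 48 hrs" is applied as the SSO session maximum and "Offline - 7 days" as the offline session idle timeout, which the page does not state explicitly.

```python
"""Added example (not part of the original page or of Keycloak): realm settings
for the password, session and lockout guidelines, plus a local password pre-check."""

# Guideline values from the page, converted to the seconds Keycloak expects.
MIN_LENGTH = 8
LOCKOUT_FAILURES = 3
WAIT_INCREMENT_S = 60           # "wait in increments of 1m"
MAX_WAIT_S = 15 * 60            # "up to 15m"
FAILURE_RESET_S = 12 * 3600     # "auto-reset: 12 hrs"
ONLINE_SESSION_S = 48 * 3600    # "Online - 48 hrs"
OFFLINE_SESSION_S = 7 * 86400   # "Offline - 7 days"

# Keycloak password-policy string: built-in providers joined with " and ".
PASSWORD_POLICY = (
    f"length({MIN_LENGTH}) and lowerCase(1) and upperCase(1) and digits(1) "
    "and specialChars(1) and notUsername and notEmail"
)


def realm_settings() -> dict:
    """Partial RealmRepresentation for PUT /admin/realms/{realm}.
    Assumption (not stated on the page): 'online 48 hrs' is the SSO session
    maximum and 'offline 7 days' is the offline session idle timeout."""
    return {
        "passwordPolicy": PASSWORD_POLICY,
        "resetPasswordAllowed": True,          # password recovery always enabled
        "bruteForceProtected": True,
        "permanentLockout": False,             # temporary lockout only
        "failureFactor": LOCKOUT_FAILURES,
        "waitIncrementSeconds": WAIT_INCREMENT_S,
        "maxFailureWaitSeconds": MAX_WAIT_S,
        "maxDeltaTimeSeconds": FAILURE_RESET_S,
        "ssoSessionMaxLifespan": ONLINE_SESSION_S,
        "offlineSessionIdleTimeout": OFFLINE_SESSION_S,
    }


def password_violations(password: str, username: str, email: str) -> list:
    """Local pre-check mirroring PASSWORD_POLICY; returns the names of the
    violated rules (empty list means the password passes). Keycloak still
    enforces the policy itself; this only gives the user earlier feedback."""
    checks = [
        ("length", len(password) >= MIN_LENGTH),
        ("lowerCase", any(c.islower() for c in password)),
        ("upperCase", any(c.isupper() for c in password)),
        ("digits", any(c.isdigit() for c in password)),
        # Keycloak's specialChars counts any character that is not a letter or digit.
        ("specialChars", any(not c.isalnum() for c in password)),
        # Compared case-insensitively (assumption; Keycloak rejects an exact match).
        ("notUsername", password.lower() != username.lower()),
        ("notEmail", password.lower() != email.lower()),
    ]
    return [name for name, ok in checks if not ok]


def apply_realm_settings(base_url: str, realm: str, admin_token: str) -> int:
    """PUT the settings to the Admin REST API (PUT /admin/realms/{realm}).
    Needs a bearer token with realm-management rights; not called in this file."""
    import json
    import urllib.request

    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{realm}",
        data=json.dumps(realm_settings()).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(realm_settings())
    # Constructed sample credentials, not real accounts.
    print(password_violations("Tr0ub4dor&3", "rodolfo.melia", "rodolfo.melia@example.org"))
    print(password_violations("rodolfo.melia", "rodolfo.melia", "rodolfo.melia@example.org"))
```

Keep `permanentLockout` false: with `failureFactor` at 3, a permanent lockout would let anyone who knows a username lock that account from the login page.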
Account Expiration
...
Date
If required, an account can be scheduled to expire on a given date. This is used for consultants on short-term contracts. Keycloak has no built-in per-user expiry date, so this needs a custom user attribute holding the date plus a scheduled job (or a custom authenticator) that disables the account once the date has passed.
...
Geo-limit: if the login IP geolocates more than 500 miles from the previous login, require 2FA. Keycloak has no built-in distance check; this needs a custom conditional authenticator in the browser flow that stores the last login location and compares it on the next login.
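The 500-mile rule, as an added example that is not part of the original page and is not a Keycloak authenticator: a standalone decision function using the haversine great-circle distance. It assumes both IPs have already been geolocated to (latitude, longitude) pairs; the IP lookup itself is out of scope here, and the sample coordinates are constructed for illustration. The page does not say what happens on a first login with no previous location; this example fails closed and requires 2FA in that case, which is an assumption.

```python
"""Added example (not part of the original page): step-up decision for the
'more than 500 miles from the previous login' rule using haversine distance."""
import math

EARTH_RADIUS_MILES = 3958.8
STEP_UP_MILES = 500.0


def distance_miles(a, b) -> float:
    """Great-circle distance in miles between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def requires_2fa(previous, current) -> bool:
    """True when the new login location is more than STEP_UP_MILES from the
    previous one. Assumption: with no previous location we fail closed."""
    if previous is None:
        return True
    return distance_miles(previous, current) > STEP_UP_MILES


def record_login(history: dict, user: str, location) -> bool:
    """Update the per-user last-location store and return the 2FA decision.
    'history' stands in for whatever the custom authenticator persists."""
    decision = requires_2fa(history.get(user), location)
    history[user] = location
    return decision


# Constructed sample coordinates (approximate city centres), for illustration only.
LONDON = (51.5074, -0.1278)
PARIS = (48.8566, 2.3522)
NEW_YORK = (40.7128, -74.0060)
LOS_ANGELES = (34.0522, -118.2437)

if __name__ == "__main__":
    h = {}
    print(record_login(h, "rodolfo.melia", LONDON))   # first login, no history
    print(record_login(h, "rodolfo.melia", PARIS))    # ~214 miles, under the limit
    print(record_login(h, "rodolfo.melia", NEW_YORK)) # transatlantic, step up
```

Geolocation of IP addresses is coarse (mobile carriers and VPN exits can place a user hundreds of miles away), so treat this as a trigger for 2FA rather than a block, exactly as the guideline says.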
...
Phone Verification
If a user list is imported, phone numbers can be marked as verified.
If users self-register, they are expected to verify their phone number by entering the code from the SMS sent to them at the time of account creation. Keycloak has no built-in SMS verification, so this requires an extension (a custom required action or authenticator backed by an SMS gateway).
...
Self Registration
Username: pre-populated from the selected combination (see the Username section).
Validation: display an error if the username is already taken (or, if possible, append a number: rodolfo.melia1).
The email address will need to be validated (see the email section).
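The username generation described in the Username section and the collision handling asked for in both Self Registration sections, as one added example (not code from the original page or from Keycloak). It derives the three patterns from a first and last name, resolves a taken username by appending the smallest free number (rodolfo.melia1, rodolfo.melia2, ...), and shows how the "is it taken" check can be backed by the Admin REST API user search. The page does not say how accents or multi-word names are handled; folding them to plain a-z is an assumption, and the taken-name set below is constructed for illustration.

```python
"""Added example (not part of the original page or of Keycloak): username
patterns from the Username section and numeric-suffix collision handling."""
import re
import unicodedata


def _normalise(part: str) -> str:
    """Lower-case, strip accents and keep only a-z. Assumption: the page does not
    define this; 'José' becomes 'jose' and 'Jose Luis' becomes 'joseluis'."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


# The three patterns listed on the page; a realm picks one.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",      # rodolfo.melia
    "initial.last": lambda f, l: f"{f[0]}.{l}", # r.melia
    "initiallast": lambda f, l: f"{f[0]}{l}",   # rmelia
}


def candidate_username(first: str, last: str, pattern: str = "first.last") -> str:
    f, l = _normalise(first), _normalise(last)
    if not f or not l:
        raise ValueError("first and last name must each contain at least one letter")
    return PATTERNS[pattern](f, l)


def resolve_username(candidate: str, is_taken, max_suffix: int = 99) -> str:
    """Return the candidate if free, otherwise the candidate with the smallest
    free numeric suffix appended. is_taken(name) -> bool is the realm lookup."""
    if not is_taken(candidate):
        return candidate
    for n in range(1, max_suffix + 1):
        alternative = f"{candidate}{n}"
        if not is_taken(alternative):
            return alternative
    raise RuntimeError(f"no free username derived from {candidate!r}")


def keycloak_is_taken(base_url: str, realm: str, admin_token: str):
    """Build an is_taken() callback backed by the Admin REST API
    (GET /admin/realms/{realm}/users?username=...&exact=true). Not called here."""
    import json
    import urllib.parse
    import urllib.request

    def is_taken(username: str) -> bool:
        query = urllib.parse.urlencode({"username": username, "exact": "true"})
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/admin/realms/{realm}/users?{query}",
            headers={"Authorization": f"Bearer {admin_token}"},
        )
        with urllib.request.urlopen(req) as resp:
            return len(json.load(resp)) > 0

    return is_taken


if __name__ == "__main__":
    # Constructed set of names already present in the realm, for illustration only.
    taken = {"rodolfo.melia", "rodolfo.melia1"}
    print(resolve_username(candidate_username("Rodolfo", "Melia"), taken.__contains__))
    print(resolve_username(candidate_username("Rodolfo", "Melia", "initial.last"), taken.__contains__))
```

The uniqueness check is advisory only: two registrations can race between the lookup and the create, and Keycloak's own per-realm uniqueness constraint is what finally decides, so the registration code must still handle a conflict from the create call.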