Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 7 Next »

Although each realm can have variations in what information we collect., or what authentication process is setup, there is a minimum set of recommendations that should be follow in each realm setup.

User registration fields

Field

Mandatory

Type

1

First name

Mandatory

Native to keycloak

2

Surname

Mandatory

Native to keycloak

3

Username

Mandatory

Native to keycloak

4

Email address

Mandatory

Native to keycloak.
Keycloak enforce uniqueness of email

5

Phone number

Recommended as mandatory

+CCC NNNNNNN
PENDING: can it be set as unique?

6

WhatsAppID

Optional

+CCC NNNNNNN

7

Preferred Language

Mandatory

additional field

8

User profiling
(Gender, Age, or Age range, Date of birth)

per realm

additional field

9

Type of worker

per realm

additional field
Drop down value per realm

10

Employee ID

per realm

additional field

11

Health Unit

per realm

additional field
Drop down value per realm

12

City/Town

Optional

additional field
Drop down value per realm

13

SubNational L2
(rename for each realm)

per realm

additional field
Drop down value per realm

14

SubNational L1
(rename for each realm)

per realm

additional field
Drop down value per realm

Information not collected:

  • Country: not necessary, as the user will be on a real that

Use of email

  • Expected for all users. Keycloak will enforce uniqueness within the Realm

  • For self-created accounts, users will receive an email that they need to open an visit the suggested URL for email validation

  • For manually created account or imported accounts, email will set to ‘verified’

Setting username

By realm - Keycloak enforces uniqueness

A combination of first name and last name can be used, but must be consistent across the realm accounts

  • First Name + “.” + Last Name (rodolfo.melia)

  • Initial First Name + “.” + Last Name (r.melia)

  • Initial First Name + Last Name (rmelia)

Gender

if you ask for gender, consider a 3rd option for ‘do not with to disclose’

F

Female

M

Male

Do not want to disclose

Self Registration

  • Auto-suggested based on a combination listed above (small custom dev)

  • Will display an error is username is taken (or if possible as a number: rmelia2)

  • email account will need to be validated (see email section)

Authentication guidelines

In general, we will setup Keycloak mirroring PSI’s authentication guidelines which can be summarised as detailed below.

PSI’s Password guidelines IMPLEMENTED JUNE 2023

  • 8 characters or more

  • Never expires

  • must include

    • one lower case,

    • one upper case,

      one number and

    • one special character

  • Not user name

  • Not email

Password recovery

Self-register

PSI' 2FA IMPLEMENTED JUNE 2023

  • Enrolment via FreeOTP, Google or Microsoft authenticator

  • valid for 30 days per application/device

    • Example: if a user authenticates Firefox on a given laptop, and then uses Google Chrome on the same device, the user will need to authenticate again.

2FA optional NOT IMPLEMENTED

  • Geo-limit: if IP is > 500 miles from previous login, request 2FA

Email verification IMPLEMENTED JUNE 2023

If a user list is imported, emails can be marked as verified.

If users self-register, they are expected to verify their email by following the link send at the time of account creation.

Phone Verification NOT IMPLEMENTED

If a user list is imported, phones can be marked as verified.

If users self-register, they are expected to verify their phone by entering the SMS sent to them at the time of account creation.

  • No labels