Although each realm can have variations in what information we collect., or what authentication process is setup, there is a minimum set of recommendations that should be follow in each realm setup.
On this page
User registration fields
Per Keycloak realm
Field | Mandatory | Type | |
|---|---|---|---|
| 1 | First name | Mandatory | Native to keycloak |
| 2 | Surname | Mandatory | Native to keycloak |
| 3 | Username | Mandatory | Native to keycloak |
| 4 | Email address | Mandatory | Native to keycloak. |
| 5 | Phone number | Recommended as mandatory | +CCC NNNNNNN |
| 6 | WhatsAppID | Optional | +CCC NNNNNNN |
| 7 | Preferred Language | Mandatory | additional field |
| 8 | User profiling | Optional | additional field |
| 9 | Type of worker | Optional | additional field SHOULD IDEALLY BE BASED ON AN STANDARD CLASSIFICATION |
| 10 | Employee ID | Optional | additional field |
| 11 | Health Unit | Optional | additional field |
| 12 | City/Town | Optional | additional field |
| 13 | SubNational L2 | Optional | additional field |
| 14 | SubNational L1 | Optional | additional field |
Information not collected:
Country: not necessary, as the user will be on a realm that represent that country
Gender
if asking for gender, consider a 3rd option for ‘do not with to disclose’
F | Female |
M | Male |
Do not want to disclose |
Username
By realm - Keycloak enforces uniqueness
A combination of first name and last name can be used, but must be consistent across the realm accounts
First Name + “.” + Last Name (rodolfo.melia)
Initial First Name + “.” + Last Name (r.melia)
Initial First Name + Last Name (rmelia)
Expected for all users. Keycloak will enforce uniqueness within the Realm
For self-created accounts, users will receive an email that they need to open an visit the suggested URL for email validation
For manually created account or imported accounts, email will set to ‘verified’
Email verification
IMPLEMENTED JUNE 2023
If a user list is imported, emails can be marked as verified.
If users self-register, they are expected to verify their email by following the link send at the time of account creation.Authentication guidelines
In general, we will setup Keycloak mirroring PSI’s authentication guidelines which can be summarised as detailed below.
Password guidelines
Password complexity PROTOTYPED ON JUNE 2023
8 characters or more
Never expires
must include
one lower case,
one upper case,
one number and
one special character
Not user name
Not email
Password expiration
We don’t recommend to set an expiry date to the password, as we use 2FA
Password recovery
always enabled
Token validity NOT IMPLEMENTED
Session values
- Online - 48 hrs
- Offline - 7 days
Account lockout IMPLEMENTED EARLY AUG 2023
after 3 attempts
Wait increments of 1m, up to 15m
auto-reset: 12 hrs.
Account Expiration Date NOT IMPLEMENTED
If required, an account can be schedule to expire on a given date. This is used for consultants on short term contracts.
2FA
IMPLEMENTED JUNE 2023
Enrolment via FreeOTP, Google or Microsoft authenticator
valid for 30 days per application/device
Example: if a user authenticates Firefox on a given laptop, and then uses Google Chrome on the same device, the user will need to authenticate again.
2FA optional NOT IMPLEMENTED
Geo-limit: if IP is > 500 miles from previous login, request 2FA
Phone Verification
NOT IMPLEMENTED
If a user list is imported, phones can be marked as verified.
If users self-register, they are expected to verify their phone by entering the SMS sent to them at the time of account creation.
Self Registration PROTOTYPED AUG 2023
Username: pre-populate based on the selected combination (see username section)
Validation: Will display an error is username is taken (or if possible as a number: rodolfo.melia1)
email account will need to be validated (see email section)