Logging In to Oracle Identity Manager Administrative and User Console

Configuring and Using Self-Service Registration 7-3

■ Disabled user: If your user account is disabled, then you are not allowed to log in.

5. If your password has expired, then the Change Password page is displayed. You are not allowed to proceed to the main page of the console without changing the password. Enter a new password and click Apply.

6. If the system configuration property Force to set questions at start up is set to Yes, then the login flow checks if you have set the required challenge responses on your profile. If not, then the form to set the challenge responses is displayed. If you have the challenge responses set, or if the configuration property is set to No, then this step is skipped. In the form, set the challenge responses, and then click Submit. Alternatively, you can click Remind Later if you want to defer setting challenge questions and continue with login to Oracle Identity Manager Self Service.

If you attempt to access an Oracle Identity Manager UI page other than login and you are not already logged in, then you are redirected to the login page. Follow the login instructions provided in this section to log in to Oracle Identity Manager.

Tip: Soft locking a user because of maximum login failures can be configured in Oracle WebLogic. This configuration is independent of the maximum login attempt configuration in Oracle Identity Manager and determines when and for how long the user is soft locked. By default, WebLogic soft locks a user after five consecutive login failures caused by incorrect passwords, and the lock lasts 30 minutes.

You can modify this configuration by navigating to the following location in the WebLogic Administrative Console: Home, Security Realms, myrealm, User Lockout.

Therefore, if you try to log in to Oracle Identity Manager Administrative and User Console with the correct username and an incorrect password more than five times and fewer than 10 times, then your account is soft locked by WebLogic Security Realms, but remains unlocked in Oracle Identity Manager. Although your account is enabled and unlocked in Oracle Identity Manager, you cannot log in for 30 minutes even by entering the correct password, and your account cannot be unlocked before the configured time, for example 30 minutes. If you enter an incorrect password more than 10 times, your account is locked by both WebLogic and Oracle Identity Manager. As a result, if an Oracle Identity Manager administrator resets or unlocks the account, it is still soft locked by WebLogic and you cannot log in until the 30 minutes expire.

Note: The PCQ.FORCE_SET_QUES system property with name Force to set questions at startup indicates whether or not the challenge questions are required to be set on first logon. If setting challenge questions is not required, then the Remind Later button is displayed. On clicking this button, you can log in to the Administrative and User Console without setting the challenge questions.

7-4 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

Following successful login, you are redirected to the original page you tried to access.

7. After you log in for the first time, the Change Password page is displayed. This is because you must change your password after logging in for the first time. Change the password, and log in again.
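The WebLogic soft lock and the Oracle Identity Manager lock described in the Tip above are tracked independently, which is why an unlock in Oracle Identity Manager alone does not restore access. The following Python model is an added example, not Oracle code; it assumes each lock triggers on exactly the Nth failure (5 for WebLogic, 10 for Oracle Identity Manager), and all class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Figures from the Tip; locking on exactly the Nth failure is an assumption.
WLS_THRESHOLD = 5                     # WebLogic default, consecutive failures
WLS_DURATION = timedelta(minutes=30)  # WebLogic default soft-lock duration
OIM_THRESHOLD = 10                    # Oracle Identity Manager limit in the Tip's scenario

@dataclass
class Account:  # hypothetical model, not an Oracle API
    wls_failures: int = 0
    wls_locked_until: Optional[datetime] = None
    oim_failures: int = 0
    oim_locked: bool = False

    def attempt(self, now: datetime, password_ok: bool) -> str:
        """Apply one login attempt and return its outcome."""
        if self.wls_locked_until and now >= self.wls_locked_until:
            self.wls_locked_until, self.wls_failures = None, 0  # soft lock expired
        wls_locked = self.wls_locked_until is not None
        if not password_ok:
            # The two layers count failures independently of each other.
            self.oim_failures += 1
            if self.oim_failures >= OIM_THRESHOLD:
                self.oim_locked = True
            if not wls_locked:
                self.wls_failures += 1
                if self.wls_failures >= WLS_THRESHOLD:
                    self.wls_locked_until = now + WLS_DURATION
            return "denied: bad password"
        if wls_locked:
            return "denied: soft locked by WebLogic"
        if self.oim_locked:
            return "denied: locked in Oracle Identity Manager"
        self.wls_failures = self.oim_failures = 0
        return "ok"

    def oim_admin_unlock(self) -> None:
        """Administrator unlock in Oracle Identity Manager; WebLogic state is untouched."""
        self.oim_locked, self.oim_failures = False, 0

def scenario(failures: int, wait_minutes: int, admin_unlock: bool = False) -> str:
    """Outcome of a correct-password login after `failures` bad attempts."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed start time
    acct = Account()
    for i in range(failures):
        acct.attempt(t0 + timedelta(seconds=i), False)
    if admin_unlock:
        acct.oim_admin_unlock()
    return acct.attempt(t0 + timedelta(minutes=wait_minutes), True)
```

For help-desk triage, the useful case is `scenario(12, 5, admin_unlock=True)`: the account shows as unlocked in Oracle Identity Manager, yet the correct password is still refused until the WebLogic lockout duration has passed.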

7.1.2 Submitting Registration Requests

Oracle Identity Manager requires you to register yourself as an identity in Oracle Identity Manager to perform certain tasks on Oracle Identity Manager Self Service. To register yourself in Oracle Identity Manager:

1. In the Oracle Identity Manager Administrative and User Console login page, click Register. The Basic information page of the User Registration wizard is displayed.

2. Enter first name, middle name, last name, and email in the respective fields and click Next. The Login Information and Security Information page is displayed.

The UI does not allow you to enter more than the allowed number of characters. The maximum length for the values entered during self-registration is specified as 80 characters for First Name, Middle Name, Last Name, and Common Name and 382 characters for the Display Name. If any other attributes are added on the self-service UI by modifying the Self-Register User request dataset, then the values will not be validated explicitly. The field on the UI will allow only as many characters to be entered as specified in the length field of the UI.

There is no restriction on the characters that can be entered in each of these fields. The input for each of these fields can contain any special characters, such as hash and percentage.

Email should be provided as per the pattern mentioned against system property XL.EmailValidationPattern. If the email is inappropriate, the UI gives the error "Invalid e-mail ID. Please enter a valid email ID." If the email ID specified is already used by any other user in the system, the UI gives the error "Email ID email id is already taken. Please enter a different Email ID."

Note: The XL.ForcePasswordChangeAtFirstLogin system property is no longer used in Oracle Identity Manager 11g Release 1 (11.1.1). Therefore, forcing the user to change the password at first login cannot be configured. By default, the user must change the password:
■ When the new user is logging in to Oracle Identity Manager for the first time
■ When the user is logging in to Oracle Identity Manager for the first time after the password has been reset by the administrator
■ When the user's password has expired

Note: The information required in the User Registration wizard is governed by the Self-Register User request dataset. See "Step 1: Creating a Request Dataset for the Resources" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about request datasets.

3. In the Select a User ID and Password section, enter user login, password and confirm password.

The password entered will be subjected to a password policy. On the next page, the password policy is shown adjacent to the password fields. If the password does not satisfy the criteria of the password policy, the UI gives an error defining the criteria required to be satisfied. Refer to Password Management on page 1-3 for detailed information about password policy.

If you do not enter the password, then the system generates the password automatically and emails it to the email address that you entered in the first page of the User Registration page.

4. In the Set your Challenge Questions and Answers section, select the challenge questions and set an answer for each question. The challenge questions and answers are checked for:
■ distinct challenge questions not selected
■ distinct answers not specified for the challenge questions

If either of these conditions is detected, then an error is displayed.

5. Click Register. You are provided a tracking ID for the registration request that can be used for tracking the request.

Note:
■ The registration form is prepopulated with attributes from self-registration templates.
■ The Administrator can create custom registration forms by specifying a custom registration template name in the URL link. The URL link that the user uses will then determine the template and form used during registration. Therefore, multiple registration forms can be supported via multiple URL links. For registration, the URL link can either be configured on the UI or included in the e-mail requesting the user to register.

Note:
■ Challenge questions and answers are asked if the attribute for this is defined in the template for self registration.
■ Not all Oracle Identity Manager deployments support self-registration. This is especially true of internal deployments that manage the identities of employees and contractors, where the identities are added through reconciliation and not self-registration.
■ Oracle Identity Manager provides the Is Self-Registration Allowed system property to enable self registration. The Register link is always displayed on the unauthenticated self-service console. If the property is set to False, then clicking on the Register link gives the error "Self registration is not allowed." If it is set to True, then self registration is allowed.

7.1.3 Tracking Registration Requests

You can track your request to register as an identity in Oracle Identity Manager. If the current status indicates success, then you can go to the Oracle Identity Manager Administrative and User Console, and then enter your username and password to log in to the Oracle Identity Manager Self Service. To track your registration:

1. In the Oracle Identity Manager Administrative and User Console login page, click Track Registration. The Request Status page is displayed.

2. In the Tracking ID field, enter the tracking ID that was assigned to your registration request. Then click Submit. The Self-Registration Status page is displayed with the following details:

■ Request ID

■ Request submission date
When the request is submitted and approval is not done, the date shown is the request submission date. In all cases, the date always reflects the last update date.

■ Current status
Every self-registration request that is submitted has to go through approvals for it to be processed completely. See Approval Levels in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for details about different approval levels. If a user tracks the current status of the request, the status is shown with a description of the stage the request is in. The status would be one of the following:

Pending: This state indicates that the request is submitted and the approval is pending. In case of default approval, while the request-level approval is pending, the following status message is displayed:
Obtaining request-level approval for registration. The manager needs to approve this request.
Once the request-level approval is obtained, the following status message is displayed:
Obtaining operation-level approval for registration.

Rejected: This state indicates that the request is rejected during approval. The description indicates the reason for rejection. In case of default approval levels, if the request is disapproved at the request approval level, the following status message is displayed:
Request approval rejected for registration.
If the request is disapproved at the operation approval level, the following status message is displayed:
Operation approval rejected for registration.

Completed: This state indicates that the request is completed. If all the approvals have been provided and the request is successfully completed, the following status message is displayed:
The registration request is completed.