Enabling username/password

Please follow these steps to enable MyOwnIdP in the Connectis Identity Broker for Username/Password:
  • Choose which identifier you want to use for your users, for instance a username or an email address.

  • Choose which user attributes you want to store in the user profile and receive in the login response.

  • Choose a password policy. You can set a minimum password length, forbid users from reusing any of their last X passwords, and set a character set policy (e.g. require digits, capitalised and non-capitalised letters, and symbols).

  • Choose an account locking policy. We support two levels of account locking: a soft lock (which is lifted automatically after a configurable time) and a hard lock (which can only be lifted by support employees).

    • Incorrect password attempts for soft lock: Number of times a user can use an incorrect password before being soft-locked.

    • Number of soft locks before a hard lock.

    • Soft lock duration in minutes.

  • Choose if you want the passwords to expire after a given number of days, or whether you want them to be perpetual.

  • Choose whether you want to enable the password reset flow for forgotten passwords. This functionality requires that the users’ email addresses are stored in the user profiles. If you want to enable it, send an email to [email protected] with the message text, subject, and address to use. The email will be text-only.
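The password policy, account-locking and expiry options above describe rules that the broker enforces on your behalf. The following reference implementation is an added example, not Connectis or MyOwnIdP code: it shows how those rules interact (in particular how repeated soft locks escalate to a hard lock, and why a successful login during a soft lock must not lift it). Parameter names, defaults, the PBKDF2 hashing scheme and the reading of "number of soft locks before hard lock" are assumptions made for this example; the `demo()` function runs the rules over constructed data.

```python
# Added example, not Connectis or MyOwnIdP code: a reference implementation of
# the password-policy, account-locking and expiry rules listed above. Parameter
# names, defaults and the PBKDF2 hashing scheme are assumptions for this example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib, hmac, os, string

@dataclass(frozen=True)
class Policy:
    min_length: int = 12
    history_size: int = 5              # the "last X passwords" that may not be reused
    required_classes: tuple = ((string.digits, "digit"), (string.ascii_uppercase, "capital letter"),
                               (string.ascii_lowercase, "lower-case letter"), (string.punctuation, "symbol"))
    max_age_days: Optional[int] = 90   # None means passwords are perpetual
    attempts_before_soft_lock: int = 5
    soft_locks_before_hard_lock: int = 3
    soft_lock_minutes: int = 15

@dataclass
class User:
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest first
    password_set_at: Optional[datetime] = None
    failed_attempts: int = 0
    soft_lock_count: int = 0
    soft_locked_until: Optional[datetime] = None
    hard_locked: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def policy_violations(policy: Policy, candidate: str, user: User) -> list:
    # Returns every rule the candidate breaks; an empty list means it is acceptable.
    errors = []
    if len(candidate) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    for charset, name in policy.required_classes:
        if not any(c in charset for c in candidate):
            errors.append(f"no {name}")
    # Reuse check: rehash with each stored salt and compare in constant time.
    for salt, old_hash in user.history[:policy.history_size]:
        if hmac.compare_digest(hash_password(candidate, salt), old_hash):
            errors.append(f"reuses one of the last {policy.history_size} passwords")
    return errors

def set_password(policy: Policy, user: User, candidate: str, now: datetime) -> list:
    # Stores the new password only if it passes the policy; returns the violations.
    errors = policy_violations(policy, candidate, user)
    if not errors:
        salt = os.urandom(16)
        user.history.insert(0, (salt, hash_password(candidate, salt)))
        del user.history[policy.history_size:]   # keep the last X, current included
        user.password_set_at = now
    return errors

def password_expired(policy: Policy, user: User, now: datetime) -> bool:
    if policy.max_age_days is None or user.password_set_at is None:
        return False
    return now - user.password_set_at > timedelta(days=policy.max_age_days)

def lock_status(user: User, now: datetime) -> str:
    # "soft" lifts itself after the configured minutes; "hard" needs support staff.
    if user.hard_locked:
        return "hard"
    return "soft" if user.soft_locked_until is not None and now < user.soft_locked_until else "open"

def record_attempt(policy: Policy, user: User, success: bool, now: datetime) -> str:
    """Apply one login attempt and return the resulting status. Attempts while locked are
    rejected and not counted; a success resets only the attempt counter, not the soft-lock count."""
    status = lock_status(user, now)
    if status != "open":
        return status
    if success:
        user.failed_attempts = 0
        return "open"
    user.failed_attempts += 1
    if user.failed_attempts < policy.attempts_before_soft_lock:
        return "open"
    user.failed_attempts = 0
    # Assumed reading: after that many soft locks, the next lock event is a hard lock.
    if user.soft_lock_count >= policy.soft_locks_before_hard_lock:
        user.hard_locked = True
        return "hard"
    user.soft_lock_count += 1
    user.soft_locked_until = now + timedelta(minutes=policy.soft_lock_minutes)
    return "soft"

def demo() -> dict:
    # Walks through the rules with constructed data; no real accounts are involved.
    policy, user, t0 = Policy(), User(), datetime(2024, 1, 1, 9, 0)
    out = {"weak": policy_violations(policy, "password", user)}
    out["accepted"] = set_password(policy, user, "Correct-Horse-7!", t0)
    out["reused"] = set_password(policy, user, "Correct-Horse-7!", t0)
    out["expired"] = password_expired(policy, user, t0 + timedelta(days=91))
    out["statuses"] = [record_attempt(policy, user, False, t0) for _ in range(5)]
    out["during_lock"] = record_attempt(policy, user, True, t0 + timedelta(minutes=1))
    out["after_lock"] = record_attempt(policy, user, True, t0 + timedelta(minutes=16))
    t = t0
    for _ in range(3):           # three more bursts of failures, each after the soft lock has lifted
        t += timedelta(minutes=32)
        for _ in range(5):
            out["final"] = record_attempt(policy, user, False, t)
    return out
```

Two design points are worth noting. Each history entry keeps its own salt, so the reuse check rehashes the candidate per entry rather than storing anything recoverable, and the comparison is constant-time. The soft-lock count survives a successful login on purpose: if it were reset, a single correct login between bursts of failures would prevent the escalation to a hard lock that the policy is meant to provide.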

Account registration functionality (optional)

When email addresses are used as the login identifier, you can optionally enable Account Registration. Send an email to [email protected] if you want to enable Account Registration. Please include the following information:

  • Whether you want to enable pre-registration. Without pre-registration, every user that provides a valid email address can create an account. With pre-registration enabled, you control who can make accounts, because only users who are pre-registered in the Attribute Provider can create accounts.

  • Account registration involves two emails. Please provide the text you want to use for both:

    • Account successfully registered: includes a link that, once clicked, allows the user to set a password for their account.

    • Account already registered/cannot register: an error message.

MyOwnIdP migration/provisioning

We provide a REST API to provision new users and facilitate migration of user accounts. Contact [email protected] to receive a copy.

User attributes

You can create user accounts in the attribute provider by creating resources with one of the following attributes filled in. The attribute will be used by the user as the login field:

  • Username login: urn:myownidp:authenticate:Username:username

  • Email address / X509 login: urn:myownidp:authenticate:EmailAddress:emailAddress

  • BSN login: urn:digid:BSN:bsn

Important: The forgotten password and account creation functionality require that an email be sent to the end user’s email address. As a consequence, urn:myownidp:authenticate:EmailAddress:emailAddress needs to be available for that specific user if you want to use the forgotten password functionality.

If you want to allow your end users to log in with username, you can provision the attribute "urn:myownidp:authenticate:Username:username", but if you also want them to be able to reset their password using the forgotten password functionality, then you need to provision "urn:myownidp:authenticate:EmailAddress:emailAddress" as well.

To provision attributes to the attribute provider, you can ask for the attribute provider API documentation with examples via [email protected].

Password manager

We provide another REST API to allow you to manage the passwords of your users. You can request the full API documentation with examples via [email protected].

You can use either the migration endpoint (which lets you set passwords from their existing hashed form) or the manage endpoint, which sets a password from a plaintext value. The same API also supports other password management operations, such as forcing a password change at the next login.