Self-service registration

Identity Engine

Note: In proxy model architectures, where a server-side application using the Embedded SDK acts as a proxy between client applications and Okta servers, a request context for the client applications is required. Security enforcement is expected to be based on the IP address and user agent in the client request context. However, these values are currently derived from the server application rather than the client, so this enforcement is not available. As a result, network zones or behaviors whose conditions depend on these request context values (geolocation, IP address, or user agent) will not work until we can find a solution to the issue.

Self-service registration allows users to sign up to an application themselves. In this use case, the user must register with a password, email, and/or phone factors. You must first enable the self-service registration option for your app in the Okta org and then build the self-service registration flow in your app.

Learning outcomes

  • Configure your Okta org for self-service registration.
  • Set up the password, email, and/or phone authentication factors.
  • Set up and send a verification email during new user registration.

What you need

Sample code

Configuration updates

Before you can build the self-registration flow in your app, you must configure the Okta org to accept self-registration with the password, email, and/or phone factors. See Set up your Okta org for a multifactor use case to set up the password, email, and phone factors in your Okta org.

Password and email factors

In addition to setting up the authentication factors, you also need to configure the following in your Okta org:

  1. Update the profile enrollment default policy
  2. Set the Email and Phone authenticators as optional enrollment factors

Create a profile enrollment policy

Create a policy for self-registration:

  1. Open the Admin Console for your org.
  2. Go to Security > Profile Enrollment to view the current Profile Enrollment policies.
  3. Click Add Profile Enrollment Policy.
  4. Enter a policy Name, and click Save.
  5. Click the pencil icon next to your new policy.
  6. In the Profile Enrollment section, verify Self-service registration is set to Allowed.
  7. Click Manage apps.
  8. Click Add an App to This Policy.
  9. Click Apply next to your app.
  10. Click Close.

Note: See Managed Profile Enrollment policies for additional profile enrollment policy options.

Set the Email and Phone authenticators as optional enrollment factors

  1. Go to Security > Authenticators to view the available authenticators.
  2. On the Authenticators page, click the Enrollment tab.
  3. In Default Policy, click Edit.
  4. Under the Effective factors section of the Edit Policy dialog box, set both email and phone authenticators to optional for enrollment:
    • Set Email Authentication to Optional.
    • Set Phone Authentication to Optional.
  5. Click Update Policy.

Summary of steps

Integration steps

Send a confirmation email during new user registration with only the password factor required

Even when only the password factor is required for an Okta application, you can still send a confirmation email.

Set up

In this scenario, the org is set up in the following manner:

  1. The org is initially configured following the steps described in Set up your Okta org for a multifactor use case.

  2. The application's authentication policy is updated for only the password factor. In the Admin Console, the AND User must authenticate with field is set to Password.

  3. The Email verification field in the profile enrollment's Default Policy is set to Required before access is granted. You can find the profile enrollment configuration by navigating to Security > Profile Enrollment.

  4. The Initiate login URI field is set to the sign-in URI in the application settings. By setting this value, the email verification link for new user enrollment redirects the user to the URL provided in the Initiate login URI field.

Flow behavior

During new user registration, there are no factors required other than the password. However, email verification is set to Required in the profile enrollment configuration. In this case, the user is sent an email using the following email template: Registration - Activation.

The user clicks the link in the activation email and is redirected to the sample app's home page.
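
A configuration check for the setup above, as an added example that is not Okta's sample code: it audits profile enrollment rules exported as JSON for the two settings this scenario relies on (self-service registration allowed, email verification required before access). The field names `access`, `unknownUserAction` and `activationRequirements.emailVerification` are assumed to match the profile enrollment action object returned by the Okta Policy API, so confirm them against your org's actual response; the sample rules are constructed.

```python
import json

# Constructed sample rules shaped like the actions.profileEnrollment object.
# Field names are assumptions (see lead-in); the values are illustrative only.
SAMPLE_RULES = json.loads("""
[
  {"name": "Self-registration rule (constructed)",
   "actions": {"profileEnrollment": {
       "access": "ALLOW",
       "unknownUserAction": "REGISTER",
       "activationRequirements": {"emailVerification": true}}}},
  {"name": "Misconfigured rule (constructed)",
   "actions": {"profileEnrollment": {
       "access": "ALLOW",
       "unknownUserAction": "REGISTER",
       "activationRequirements": {"emailVerification": false}}}}
]
""")

def audit_enrollment_rule(rule):
    """Return a list of findings for one profile enrollment rule (empty = OK)."""
    action = (rule.get("actions") or {}).get("profileEnrollment")
    if not isinstance(action, dict):
        return ["no profileEnrollment action found"]
    findings = []
    if action.get("access") != "ALLOW":
        findings.append("enrollment access is not ALLOW")
    if action.get("unknownUserAction") != "REGISTER":
        findings.append("self-service registration is not allowed for unknown users")
    # A missing or null key counts as "not required", so the check fails closed.
    requirements = action.get("activationRequirements") or {}
    if requirements.get("emailVerification") is not True:
        findings.append("email verification is not required before access")
    return findings

def audit_rules(rules):
    """Map rule name -> findings, keeping only the rules that have problems."""
    report = {}
    for rule in rules:
        findings = audit_enrollment_rule(rule)
        if findings:
            report[rule.get("name", "<unnamed>")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```
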