Activate User and User Attribute Process
Content
- Overview
- Multiple Process Orchestration
- ULM User Entity and AuthN ID Status
- Process Invocation
- Common Use Scenarios
- Process Flow
- App Settings
- User Journey Flow Diagram
- API Walkthroughs
- Error Codes
- Revision History
Overview
This Process defines how a user verifies and activates their ULM User ID (and/or one of its entity attributes). In other words, this Process activates a new user, or it activates a new authentication identifier (authN ID) that a user registers and adds to their ULM User ID.
Multiple Process Orchestration
Most user journeys are facilitated by a single Process. Conversely, there are some cases where ULM orchestrates and links two or more Processes to complete a given journey.
The Activate User (and User Attribute) Process completes a user journey initiated by a preceding process, typically in cases where the user opts to (or needs to) navigate away from the client UI, and then resume their interactions with ULM from a separate point of entry (e.g., a redirect URL in a verification email).
ULM User Entity and AuthN ID Status
ULM is built on top of a user-centric and entitlement-specific data model of ULM data entities. Each ULM entity is defined by a set of default and extensible attributes. Some of the extensible attributes are simple string values, and others are more complex arrays (i.e., list of objects that make up a single attribute).
Like all ULM entities, the User entity has a default or "top level" status attribute. All of a user's registered authN IDs are stored one level down inside the attributes array, and each authN ID has its own status.
When the GET /session/token API redeems an action token to invoke the Activate User Process, the token is contextually aware so that it knows what attribute(s) need to be updated.
Process Invocation
Unlike most ULM Processes, Activate User cannot be invoked with the Process Start API. Instead, the GET session/token API invokes this Process when it redeems an action token generated by a previous Process.
Possible API variations of calling the Process include the following:
GET session/token?token={token}
- The user completes a Process.
- The Process generates an action token and sends a clickable or tappable link in an email or SMS. The link includes a redirect URL back to the client application, and the action token value is appended to the URL string.
- Once the user clicks/taps the link, they are redirected back to the client.
- The client then takes the token value to call GET /session/token?token={token value} to trigger the Activate User Process.
GET session/token?customToken={OTP}&pkat={PKAT}
- The user completes a Process.
- The Process generates and sends a receives a short, custom One Time Passcode in an email or SMS. The Process also returns a pkat to the front-end client.
- The front-end client prompts the user to enter their code to verify who they are.
- Once the user enters their code, the client then takes the OTP and the PKAT to call GET /session/token?customToken={otp}&pkat{pkat} to trigger the Activate User Process.
Common Use Scenarios
The following use cases commonly involve the Activate User Process.
- A new, anonymous user onboards with their email or mobile. They then verify (activate) their email/mobile, and fully activate their User ID at the same time.
- A new, anonymous user onboards with their social account. However, they change the email/mobile sent back by the social provider. They then verify (activate) the new email/mobile, and fully activate their User ID at the same time.
- An existing, authenticated user registers a new email or mobile. They then verify (activate) the new email/mobile, and can now use it for authentication.
- An existing, authenticated user updates a current email or mobile with a new one. They then verify (activate) the new email/mobile. The old email/mobile is removed from the User ID.
Process Flow
These tables describe the Process at a high level.
| Active User and/or User Attribute | |||
|---|---|---|---|
| Actors | Front-end user, Client Application, ULM Cloud, Email Service or SMS Service, ULM User entity. | ||
| Pre-Conditions | The User ID (i.e., ULM User entity) exists in ULM, but the user has not yet verified their email or mobile | ||
| User may be currently anonymous to ULM. ULM recognizes the user once they redeem the token. | |||
| Basic Flow | This flow follows the Onboard User with Email and Mobile Process. | ||
| 1 | Once the user submits their info to ULM, they then receive an email or SMS with an action token (clickable link, OTP, or both). | ||
| 2 | The user invokes this Process through one of two methods: | ||
| a | They manually enter the OTP into client UI (if the client prompts them for a code). | ||
| b | They click (or tap) the verification link in their email/SMS. | ||
| 3 | ULM redeems the token, and verifies that the user is coming in from the standard onboarding flow. | ||
| 4 | ULM verifies the the email/mobile and changes the authN ID attribute status from activating to activated. | ||
| 5 | ULM changes the ULM User entity status from activating to activated. | ||
| 6 | ULM automatically authenticates the user. | ||
| Post-Conditions | The User ID is now fully activated. | ||
| The user's email address or mobile number is now a valid authentication identifier (or authN ID). | |||
| The user can now authenticate with this authN ID and password. | |||
| Error Messages | The user can now authenticate with this authN ID and password. | ||
| Action token expired. | |||
| Active User and/or User Attribute - Alt. Flow 1 | |||
|---|---|---|---|
| Alt. Flow 1 | This flow follows the Add or Update User Email/Mobile Process. | ||
| 1 | Once the user submits their desired authN ID, they then receive an email or SMS with an action token (clickable link, OTP, or both) | ||
| 2 | The user then invokes the Process through one of two methods: | ||
| a | They manually enter the OTP into client UI (if the client prompts them for a code). | ||
| b | They click (or tap) the verification link in their email/SMS. | ||
| 3 | ULM redeems the token, and verifies that the user is coming in from the Add or Update Email/Mobile flow. | ||
| 4 | ULM fully activates a new email/mobile, or updates an existing email/mobile, based on the following criteria: | ||
| a | The email/mobile currently has a pending status. This means an existing email/mobile is being updated (as opposed to a new email being added to the User entity). ULM changes the email/mobile's status from pending to activated. If the replaced email/mobile was the user's primary notification channel, then this setting carries over to the updated email/mobile. | ||
| b | The email/mobile currently has an activating status. This means it is a new email/mobile being added to the ULM User entity. ULM changes the new email/mobile's status from activating status to activated. | ||
| 5 | ULM automatically authenticates the user. | ||
| Notes: - If a new email/mobile is added to the User ID, then a notification is sent to that new channel. - If the primary email/mobile was updated, then a notification is also sent to the email/mobile that is being replaced. The notification indicates that this email/mobile that has been removed from ULM. - If the current/primary email or mobile is replaced, then ULM invalidates all other sessions (e.g., for remember me/auto-login) except for the current one. |
|||
| Post-Conditions | The new or updated email/mobile is activated as a authentication identifier (authN ID). | ||
| The user can now authenticate with this authN ID and password. | |||
| If a previous email or mobile was replaced, then that email/mobile is removed from the ULM User entity. | |||
| Error Messages | User not found (i.e., the user ID referenced in the token no longer exists). | ||
| Action token expired. | |||
| Edge Case |
|---|
| If a user successfully onboards and authenticates into ULM with their social account, and then selects to add an additional authN IDs to their User ID, the Activate User Process will first prompt the user to supply a password before it verifies the new authN ID.
The user must set a password on their ULM User ID if they want to have more than one authN ID registered to their User ID. |
| Active User and/or User Attribute - Alt. Flow 2 | |||
|---|---|---|---|
| Alt. Flow 2 | This flow follows the Onboard with Social Account flow, after the social provider delivers user info to ULM. | ||
| 1 | (Conditional) ULM sends an action token to the user's email/mobile in one of the following scenarios: | ||
| a | The user changes the email/mobile value returned by the social provider. | ||
| b | The social provider does not return an email/mobile. Therefore, the user must provide and verify a contact channel. | ||
| Notes: - If the social provider returns an email/mobile, and the user simply confirms that email/mobile, then ULM trusts that the provider has validated the contact channel. In that scenario, the Activate User Process is not invoked. Instead, the Onboard & Authenticate User with Social Process completes user registration and full activation. |
|||
| 2 | The user then invokes the Process through one of two methods: | ||
| a | They manually enter the OTP into client UI (if the client prompts them for a code). | ||
| b | They click (or tap) the verification link in their email/SMS. | ||
| 3 | ULM redeems the token, and verifies that the user is coming in from the Social Onboarding flow. | ||
| 4 | ULM registers both the social media ID and email/mobile as attributes on the ULM User entity. | ||
| 5 | ULM automatically authenticates the user. | ||
| Post-Conditions | The ULM User ID is fully activated and associated to the social account. | ||
| The user can now authenticate with that social account. | |||
| The user-supplied email/mobile is now a valid authentication identifier (or authN ID). | |||
| The user can optionally add a password to their User ID with the Update Password process. | |||
| Error Messages | User not found (i.e., the user ID referenced in the token no longer exists). | ||
| Action token expired. | |||
| Active User and/or User Attribute - Alt. Flow 3 | |||
|---|---|---|---|
| Alt. Flow 3 | A customer calls into the operator's business call center, and requests help with onboarding. | ||
| 1 | A customer service representative (CSR) assists a customer over the phone. They enter customer's first name, last name, and email/mobile in the respective CRM. | ||
| Notes: - The CSR can provide any additional user details to be stored as attributes on the User entity. - The CSR can not provide a password for the new User entity. - The CSR can use the ULM Care UI to create the new ULM User ID. - Alternatively, the operator's proprietary CRM can also invoke one of ULM's REST APIs for User provisioning. |
|||
| 2 | ULM creates the ULM User entity, and registers the authN ID and attribute on the entity. The authN ID has an activating status. | ||
| 3 | ULM sends an action token to email/mobile provided by the CSR. | ||
| 4 | The user invokes the Activate User Process through one of two methods: | ||
| a | They manually enter the OTP into client UI (if the client prompts them for a code). | ||
| b | They click (or tap) the verification link in their email/SMS. | ||
| 5 | ULM looks up and locates the User ID based on the token data. | ||
| 6 | ULM prompts the user to set a password. | ||
| 7 | The user provides a password. | ||
| 8 | ULM verifies the password, changes both the ULM User entity status and authN ID status from activating to activated. | ||
| Post-Conditions | The ULM User ID is fully activated, and their email/mobile is now a valid authN ID. | ||
| The user can log into ULM with this authN ID and a password. | |||
| Error Messages | User not found (i.e., the user referenced in the OTP token). | ||
| Action token expired. | |||
App Settings
Out of the box, this Process includes the following application settings. These configurable settings modify and control the Process behaviour.
| Application Settings | Default Settings | |
|---|---|---|
| Password Complexity Rules | Defines the minimum criteria for an acceptable password. Configuration points include: - Whether or not to require at least one uppercase (A-Z) character - Whether or not to require at least one lowercase (a-z) character - Whether or not to require at least one numeric (0-9) character - The minimum password length |
A-Z: Enabled a-z: Enabled 0-9: Enabled Minimum length: 8 |
See the edge case under Alt Flow 1 above for context of where and how a password prompt may come into effect with this Process.
User Journey Flow Diagram
The Activate User Process concludes a variety of different user journeys. See the Journey Flow diagrams for the following Processes for an idea of how this Process fits into those journeys:
- Onboard User with Email & Mobile
- Onboard & Authenticate User with Social Account
- Add/Update Email, Mobile, or Alias
- Authenticate User (if the user attempts to sign in with an unverified or activating authN ID)
API Walkthroughs
The following section provides guided walkthroughs of the Activate User Process.
Activate User ID with OTP Scenario
A separate process sends an OTP to the user (and sends a PKAT to the client application UI). The client application prompts the user for that OTP.
Request
The Session Token API initiates the Process, and uses the OTP the PKAT as URL parameters:
| GET /session/token?customToken=12345&pkat=ZZZZ |
|---|
<no body>
|
Response
If the token is valid, the Process starts, activates the User ID (and/or the user's authN ID), and returns a 200 HTTP status code.
| Response Body |
|---|
{
"processId": "0c931a26-61df-4ed4-8121-592e0cf8c3dc",
"lastStep": true,
"runtimeId": 5014,
"userId": 6040,
"UserAuthenticated": true
}
|
The Process also authenticates the user (if they are not already authenticated).
Response Parameters
| Parameters | Description |
|---|---|
| processId | The unique identifier for this instance of the Process. |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. |
| runtimeId | Identifier of the ULM Runtime entity currently associated to the ULM User entity.
About Runtime Entities: Upon user creation or authentication, ULM Cloud looks for a JRUNTIMEID cookie in the end user's browser or application. If no cookie is found, ULM creates a Runtime Entity with a unique ID and associates it to the user during the login phase. ULM will generate and pass a corresponding JRUNTIMEID cookie for clients to store and return with subsequent requests. |
| userId | The unique identifier of the current user. |
| userAuthenticated | Boolean that indicates if the user was authenticated into ULM. |
Activate AuthN ID with Link Scenario
A separate process sends a clickable verification link to the user (and sends a PKAT to the client application UI). The link includes a redirect URL back to the client, and the action value appended to the URL. The client application prompts the user to go to their email/mobile to verify it.
Request
The user clicks the verification link, which then redirects them back to the client. The Session Token API initiates the Process and uses the token value as a URL parameter:
| GET /session/token?value=28965cc4-6b5f-4f41-aba4-7dfef2432fee |
|---|
<no body>
|
Response
If the token is valid, the Process starts, activates the authN ID, and returns a 200 HTTP status code:
| Response Body |
|---|
{
"processId": "0c931a26-61df-4ed4-8121-592e0cf8c3dc",
"lastStep": true,
"runtimeId": 5014,
"userId": 6040,
"userAuthenticated": true
}
|
The Process also authenticates the user (if they are not already authenticated).
Response Parameters
| Parameters | Description |
|---|---|
| processId | The unique identifier for this instance of the Process. |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. |
| runtimeId | Identifier of the ULM Runtime entity currently associated to the ULM User entity.
About Runtime Entities: Upon user creation or authentication, ULM Cloud looks for a JRUNTIMEID cookie in the end user's browser or application. If no cookie is found, ULM creates a Runtime Entity with a unique ID and associates it to the user during the login phase. ULM will generate and pass a corresponding JRUNTIMEID cookie for clients to store and return with subsequent requests. |
| userId | The unique identifier of the current user. |
| userAuthenticated | Boolean that indicates if the user was authenticated into ULM. |
Activate AuthN ID with Link, Password Required
A user onboards into ULM successfully with their social account. Therefore, they have a verified authN ID but no password. The user decides to add a another authN ID to their user profile, and that Process sends a clickable verification link to the user (and sends a PKAT to the client application UI). The link includes a redirect URL back to the client, and the action value appended to the URL. The client application prompts the user to go to their email/mobile to verify it.
However, in this scenario, the Process prompts for a required password before it completes its task. This is because a user must set a password before they are allowed to have more than one authN ID.
Initial Request
The user clicks the verification link, which then redirects them back to the client. The Session Token API initiates the Process and uses the token value as a URL parameter:
| GET /session/token?value=28965cc4-6b5f-4f41-aba4-7dfef2432fee |
|---|
<no body>
|
Initial Response: Prompt for Password
If the token is valid, the Process starts and prompts the user to set a password:
| Response Body |
|---|
{
"processId": "c8f337af-5cf1-4958-bdc2-e83fb942c8fd",
"processName": "onboard.ActivateUserAndAttribute.v1.0",
"stepName": "CreateCredentialPrompt",
"lastStep": false,
"displayMessage": "Please set a password",
"parameters": {
"credential": "String"
},
"output": {
"activatedAuthenticationIdentifier": {
"type": "EMAIL",
"value": "email@amdocs.com"
},
"userDisplayName": "Jane Smith",
"newUser": false
}
}
|
Response Parameters
| Parameters | Description | ||
|---|---|---|---|
| processId | Unique identifier for the current instance of this Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| stepName | Name of the specific step that the Process is currently on. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| displayMessage | Optional message that the UI can display to the end user. | ||
| parameters | Object that contains the data that was requested in the previous Process response | ||
| credential | The user's desired password. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| activatedAuthenticationIdentifier | Object that contains the target authN ID to be activated. | ||
| type | The authN ID type (e.g. e-mail or phone number). | ||
| value | The actual authN ID value. | ||
| userDisplayName | User's display name (first and/or last name). | ||
| newUser | Boolean that indicates if the user is new to ULM Cloud and is being activated for the first time. False if the user is activating a new Authentication Identifier to an existing ULM ID. | ||
Next Request: User Provides Password
The user enters their desired password, and the client passes that info to the Process with the Process Step API.
| PUT /process/step |
|---|
{
"processId": "c8f337af-5cf1-4958-bdc2-e83fb942c8fd",
"parameters": {
"credential": "Test_test1!13"
}
}
|
Request Parameters
| Parameters | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Object that contains the data that was requested in the previous Process response. | |
| credential | The desired password. | |
Final Response: Success
If the password passes validation, the Process activates the authN ID, and returns a 200 HTTP status code:
| Response Body |
|---|
{
"processId": "0c931a26-61df-4ed4-8121-592e0cf8c3dc",
"lastStep": true,
"runtimeId": 5014,
"userId": 6040,
"userAuthenticated": true
}
|
The Process also authenticates the user. Going forward, the user can now authenticate with this authN ID and password.
Response Parameters
| Parameters | Description |
|---|---|
| processId | The unique identifier for this instance of the Process. |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. |
| runtimeId | Identifier of the ULM Runtime entity currently associated to the ULM User entity.
|
| userId | The unique identifier of the current user. |
| userAuthenticated | Boolean that indicates if the user was authenticated into ULM. |
Error Codes
Below is a comprehensive list of potential error codes that may be returned during the execution of this Process.
Common Error Code
Process-Specific Error Codes
| HTTP Status | Format | ULM Error Code | Field | Description |
|---|---|---|---|---|
| 404 | operation error | user-not-found | n/a | If the user associated with the provided OTP has been removed. |
| 400 | validation error | NotEmpty | credential | Provided value must not be empty. |
| 400 | validation error | NotWeakPassword | credential | Password given must pass the password complexity rules. |
Revision History
| Version | Description |
|---|---|
| 2020.09 | Added this topic. |