Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Externalized authorization
Identity broker
Mobile identity
Mobile SDK
API references
Release notes and FAQ
Integrations

All

All

Credential store

Email address management

IDAAS core
Tenants and brands
Identity store and data model
SCIM API
- SCIM schemas
- SCIM user management
- SCIM user attributes
- SCIM API versions
Credential store
- Email address management
- Password management
- Password migration
Tokens
- Access tokens
- ID tokens
- Refresh tokens
- Access token API
- Token introspection API
Authentication
- Client authentication methods
- Step-up authentication
- Custom authenticators
- Authentication FAQ
Custom registration
- Custom registration examples
- QR registration example
- Stateless custom registration
- Custom registration API v1
- Custom registration v2
- Back-channel communication API
OAuth 2.0 and OpenID Connect
- OAuth 2.0 and OpenID Connect API
- Proof Key for Code Exchange
- Dynamic client registration API
- OAuth client authentication methods
- Device flow
- OAuth OIDC error handling
- OAuth 2.0 and OpenID Connect setup
- OpenID Connect
- OpenID Connect authentication
- OpenID Connect scopes and claims
- User claims and attributes
- OpenID provider configuration
- ID token encryption
- iFrame session monitoring
  - Relying party iFrame
  - End session API
  - Session management APIs
- Relying party examples
- OAuth endpoints
- Discovery API
- JSON Web Key Set API
- User information API
- OAuth configuration
- OAuth consent API
Web clients
- Web clients API
- Migration of web clients with hashed secrets
- Resource owner password credentials
Web hooks
- Web hooks configuration API
API rules
Notification API
Event store
- Audit events
- Audit log
- Events API
- Excluded events
- Security events
Securing resources
User session API
User management
Uniquely identify guests
Email overview

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
IDAAS core
Credential store
Email address management

Email address management

The OneWelcome Identity Platform uses email addresses for the following use cases:

Login
Password reset, including the request and execution
Notifications
Looking up a user using Service Desk
Viewing a user's email address with Service Desk
Providing the email address to a service provider using a SAML assertion or OAuth attribute

Primary email address

In the OneWelcome Identity Platform, the primary email address is the unique email address that is associated with a user.

The OneWelcome Identity Platform uses the primary email address for the following:

Identifier: The primary email address is often used as the username for login and password reset requests.
Password reset: A link is sent to the primary email address, which indirectly gives the recipient access.
Notifications: Identity related notifications are sent to the primary email address.

The primary email address is considered a credential:

It is often used as a unique identifier for logins.
It is typically used for password reset. The account owner is the only person who can set a new password using this method, because email accounts enforce their own passwords.

Secondary email addresses

The OneWelcome Identity Platform also provides the option to store additional, secondary email addresses. However, you cannot use non-unique email addresses for notifications or password reset emails.

Adding a secondary email address provides the following benefits:

A secondary email address can be changed to primary at a later time.

Secondary email addresses create a 360-degree view of the user, which is helpful in the Customer Identity and Access Management (CIAM) context. They facilitate linking an identity to email correspondence that happens out-of-band.

Email address format

The OneWelcome Identity Platform follows these specifications for email addresses, with the exception of the quoted forms, which are rarely used in practice:

RFC 5322
RFC 5321
A more readable form is provided in RFC 3696 and the associated errata.

The format of email addresses is local-part@domain:

The local-part has a maximum of 64 of the following characters:
- alphabetic characters
- digits
- special characters (! # $ % ' * + - / = ? ^ _ . { | } ~)
The period cannot be used to start or end the local-part, nor can two or more consecutive periods be used. Email addresses that contain backslashes are rejected.
The domain has a maximum of 255 characters. Depending on your configuration, the self-registration and self-service interfaces can whitelist or blacklist email domains.

Email verification

The OneWelcome Identity Platform initiates a verification process for any email address that is not verified. To verify that an email address is unique, the OneWelcome Identity Platform applies the following logic:

The combination of tenant and primary email address is unique for accounts that have been activated.
The combination of tenant and primary email address does not have to be unique for email addresses that are pending verification. For example, this might be the case during registration or activation. An unverified email address gets allocated to an account when the legitimate user of that account is able to confirm their primary email address. Malicious users might create accounts using an email address that they cannot confirm. This should not prevent legitimate users from creating and confirming their email address.
If an email address originates from a social media account,like Facebook, during social registration (or social account linking), the OneWelcome Identity Platform considers the email address to be verified by the social media platform and does not initiate the verification process. The point of social registration is to provide the user with a registration process that is as lean as possible.
A primary email address can have a type (home, work, other), according to the SCIM attribute definition.
An email address can be primary only if it has been successfully verified.
Verified email addresses can be primary or not primary.
Verified email addresses can be unique but this is not required.

How email addresses are set

Users can set their email addresses through the following processes:

Account registration
Account activation
Viewing, changing, adding, or deleting email addresses using self-service
Adding the email address with social registration

Email addresses can also be retrieved, updated, added, and deleted using the SCIM API.

On this page

OneWelcome Identity Platform

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com