Configuring user self-sign-up
The internal identity provider used by PhariaAI, Zitadel, provides a self-service registration flow. This allows users to sign up for an account without the need for an administrator to create an account for them.
During this flow, the user signs up for an account by providing their email address and a password. They then receive a verification email to confirm their email address and complete the registration process.
We recommend filtering email addresses so that only users with specific domains can sign up.
Prerequisites
- The flag pharia-iam.config.adminEnableZitadelManagement was enabled during the installation of PhariaAI. See IAM configuration.
- You have an email provider that you can use to send verification emails.
Configuring an email provider
To enable self-sign-up, you must configure an email provider in Zitadel for it to send verification emails to users who sign up for an account. You can select a preconfigured email provider or specify any other email provider, as long as it supports SMTP or API-based email sending.
Open the Zitadel console
- Navigate to the Zitadel console at https://login.<YOUR_CONFIGURED_DOMAIN> and log in with your initial user account.
- If you land on the info page of your admin account, navigate to https://login.<YOUR_CONFIGURED_DOMAIN>/ui/console or click the logo in the top left corner. If this has no effect, you probably logged in with the wrong account.
Enabling user self-registration
Open the Zitadel console
- Return to the main screen by clicking the logo at the top left corner of the Zitadel console.
Enable self-sign-up and domain discovery for the Pharia organisation
- In the Organization field, select Pharia.
- In the Settings tab, open Login Behavior and Security.
- Activate the options User Registration allowed and Domain Discovery allowed in the Login Form section.
- Click Save.
- Open the Verified domains page.
- If the email domain of your company is not already in the Verified domains list, add it by clicking New.
Enable allowed domain check on user sign-up
- In the Actions tab, click New to create a new action.
- Give the action the same name as the function defined in the action, which in this example is filterRegistration.
- Copy the code below and paste it into the action editor. Note that you need to replace the example domains with the domains you want to allow for sign-up; you can also add more domains if required.
  (For further information on how to write actions, see the Zitadel documentation.)
- Disable the box Allowed To Fail.
  Disabling this checkbox generates a warning, because any coding errors (for example) can prevent users from registering. However, as we specifically want to prevent registration by users with an unacceptable domain, we can dismiss the warning.
- Close the warning message.
  You should now see something like this:
- Click Add.
- In the Flows section, click to open the Flow Type dropdown menu, and select External Authentication.
- Click Add Trigger.
- Select the Trigger Type Pre Creation.
- Select the action you just created.
- Click Save.
Code for domain-check action
/**
 * Only allow users with a given domain to register
 *
 * Flow: Internal Authentication or External Authentication, Trigger: Pre creation
 *
 * @param ctx
 * @param api
 */
function filterRegistration(ctx, api) {
    // Replace the example domains with the domains allowed to sign up.
    let validDomains = ["domain1.com", "domain2.com"];
    let isValid = false;
    for (const domain of validDomains) {
        // The "@" prefix anchors the match to the whole domain part of the address.
        if (ctx.v1.user.human.email.endsWith("@" + domain)) {
            isValid = true;
            break;
        }
    }
    if (!isValid) {
        // Throwing rejects the registration; Allowed To Fail must be disabled for this to take effect.
        throw "email needs to be from domain " + validDomains.join(", ");
    }
}
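Before pasting an allow-list into the action editor, it helps to check locally how the domain match treats lookalike and mixed-case addresses. The following is an added example that runs in Node.js and is not part of the PhariaAI or Zitadel code; domainAllowed, filterRegistrationStrict, makeCtx and accepts are hypothetical names, the sample addresses are constructed, and unlike the action above this variant compares the domain case-insensitively and requires a non-empty local part.

```javascript
// Added example: local Node.js harness, not PhariaAI or Zitadel code.
// Allow-list copied from the action above (placeholder domains).
const validDomains = ["domain1.com", "domain2.com"];

// Hypothetical helper: exact, case-insensitive match on the part after the last "@".
function domainAllowed(email, allowed) {
  if (typeof email !== "string") return false;
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return false; // no local part or no domain
  const domain = email.slice(at + 1).toLowerCase();
  return allowed.some((d) => d.toLowerCase() === domain);
}

// Same contract as the action on this page: throw to reject, return to accept.
function filterRegistrationStrict(ctx, api) {
  if (!domainAllowed(ctx.v1.user.human.email, validDomains)) {
    throw "email needs to be from domain " + validDomains.join(", ");
  }
}

// Builds the minimal ctx shape the action reads (ctx.v1.user.human.email).
function makeCtx(email) {
  return { v1: { user: { human: { email: email } } } };
}

// Runs an action against one address; returns true if registration is allowed.
function accepts(action, email) {
  try { action(makeCtx(email), {}); return true; } catch (e) { return false; }
}

// Constructed sample addresses.
const samples = [
  "alice@domain1.com",       // allowed
  "Bob@DOMAIN2.COM",         // allowed, mixed case
  "eve@notdomain1.com",      // lookalike registered domain
  "eve@domain1.com.example", // allowed name used as a prefix
  "eve@sub.domain1.com",     // subdomain, not on the list
  "@domain1.com",            // empty local part
];

// Returns [address, allowed] pairs for every sample.
function report() {
  return samples.map((s) => [s, accepts(filterRegistrationStrict, s)]);
}

console.log(report());
```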
Configuring default roles for self-sign-up users
To access resources in PhariaAI, each user must be assigned at least one role (see Access control: User roles and permissions). You can configure the default roles to be assigned to self-sign-up users on their first login.
Set up role assignment
- In the Zitadel console, navigate to the Actions tab.
  The Scripts table on this page contains a default action called assignDefaultRole.
- In the Flows section, click to open the Flow Type dropdown menu, and select Internal Authentication.
- Click Add Trigger.
  The Create an Action window appears.
- In the Trigger Type menu, select Post Creation.
- In the Actions menu, select the assignDefaultRole action.
- Click Save.

The factory setting of the assignDefaultRole action is to assign the AssistantUser role (granting access to PhariaAssistant) to new users. To change this, you need to edit the values in pharia-iam.config.defaultRolesForLogin.
The pipeline for user self-sign-up will look something like this:
