Skip to main content
Version: 3.102.8

Create User

Admin creates user with preset password. User receives login link via email.

Purpose and Benefits

What is User Creation?

User creation allows administrators to directly create user accounts in cidaas with admin-set passwords. Unlike invitations, created users are immediately active and searchable in the system, making this ideal for automated provisioning and bulk imports.

Key Benefits

BenefitDescription
Immediate ActivationUser account is created and searchable immediately - no registration step required
Admin ControlAdmin sets initial password, enabling automated provisioning and bulk imports
Backend AutomationPerfect for system-to-system integration and bulk user imports
Client login pageinitiate_login_uri sends the user to your app login page to start OAuth2 with fresh state, nonce, and code_verifier (PKCE)
Email/SMS TemplatesUSER_CREATED and USER_CREATED_VERIFY; initiate_login_uri is the target for {{login_link}} in USER_CREATED
Instant AccessUser can login immediately with provided credentials
Password SecurityOption to force password change on first login (need_reset_password) for enhanced security

When to Use User Creation

  • Backend Automation: Import users from external systems (HR, CRM, etc.)
  • Bulk Provisioning: Create multiple users programmatically
  • Automated Onboarding: System-generated accounts for new employees
  • Migration: Import existing user databases
  • Admin-Managed Accounts: When admin needs to control initial passwords

Quick Comparison

AspectCreate UserInvite User
Password Set ByAdmin (set in request)User (during registration)
User Action RequiredLogin onlyRegistration + Login
User StatusCreated immediatelyCreated only after registration
Use CaseAutomated provisioning, bulk importsTeam onboarding, customer invitations
SearchableImmediately searchableOnly after registration

Prerequisites

Before creating users:

User Creation Flow

The following sequence diagram illustrates the complete user creation process from creation to user login:

Flow Steps Explained

  1. Admin Creates User

  2. User Account Created

    • User account is created immediately with sub (unique identifier)
    • User is immediately searchable in user search APIs
    • Groups and roles are assigned during creation
    • If need_reset_password: true, password reset is configured for first login
  3. Login Link Generation (when notify_user is true)

    • If initiate_login_uri is in the request, it is the target URL for {{login_link}} in USER_CREATED for:
      • Email (primaryType: email) when email_verified is true
      • SMS (primaryType: sms)
    • Users assigned to CIDAAS_ADMINS receive {tenant}/admin-ui as the login link in email, not initiate_login_uri
    • If initiate_login_uri is omitted, cidaas builds a /authz-srv/authz URL from client_id, redirect_uri, and response_type
    • redirect_uri must match a URI registered on the app
    • Set response_type to a value from the app's configured response_types (see App management or Get Client by Client ID); if omitted, code is used as the default
    • If an email notification is sent and email_verified is false, USER_CREATED_VERIFY uses {{verify_link}} from an authorization URL instead
  4. Notification Sent

    • Channel is determined by primaryType (email, sms, or username; defaults to email when the user has an email address)
    • USER_CREATED (email with email_verified: true, or SMS): {{login_link}} targets initiate_login_uri or a built authz URL; includes password
    • USER_CREATED_VERIFY (email with email_verified: false): includes {{verify_link}} for account verification
    • Template variables: {{name}}, {{login_link}} or {{verify_link}}, {{password}}, {{account_name}}
  5. User Logs In

    • User clicks login link (redirects to client login page from initiate_login_uri)
    • Client generates OAuth2 parameters (state, code_verifier for PKCE) client-side
    • User enters credentials and completes OAuth2 flow
    • If need_reset_password: true, user is forced to change password on first login

Important Create User Fields

FieldRequiredDescriptionExample
userEntity.emailYes*User email address[email protected]
userEntity.mobile_numberYes*User mobile number+491234567890
userEntity.usernameYes*Usernamejohndoe
userEntity.passwordConditionalUser password (required unless generate_password: true)SecurePass123!
userEntity.given_nameNoUser's first nameJohn
userEntity.family_nameNoUser's last nameDoe
userEntity.userStatusNoUser status (default: VERIFIED)VERIFIED or PENDING
userEntity.email_verifiedNoEmail verification statustrue
userEntity.groupsNoGroups and roles to assign[{groupId: "CIDAAS_USERS", roles: ["USER"]}]
userEntity.need_reset_passwordNoForce password change on first logintrue
client_idNoApp client IDuuid-here
redirect_uriNoApp redirect URI used in the welcome notification login link; must match a redirect_uri on the apphttps://yourapp.com/callback
response_typeNoOAuth2 response type for the generated login link; must be one of the app's configured response_types (defaults to code)code
primaryTypeNoWelcome notification channel: email, sms, or username (defaults to email when email is present)email
notify_userNoSend welcome email/SMS (default: true)true
generate_passwordNoAuto-generate passwordtrue
initiate_login_uriRecommendedClient login page URL — see belowhttps://yourapp.com/login

Note: At least one identifier (email, mobile_number, or username) is required.

initiate_login_uri

Recommended when notify_user is true.

  • Configure on the app in app settings. This ensures the client can generate OAuth2 parameters (state, code_verifier for PKCE) client-side for seamless login after user creation.
  • Becomes {{login_link}} in USER_CREATED (verified email or SMS).
  • If omitted, cidaas builds an authz URL from client_id, redirect_uri, and response_type.
  • USER_CREATED_VERIFY (email_verified: false) uses {{verify_link}}.

Important Details

Required Permissions

  • Scope: cidaas:users_write
  • Roles: admin, secondary_admin, or user_create (in CIDAAS_ADMINS group)

Field Validations

  • At least one identifier must be provided: email, mobile_number, or username
  • Password must meet password policy requirements (unless generate_password: true)
  • Email format must be valid (if provided)
  • Mobile number format must be valid (if provided)
  • Groups must exist and be allowed in app settings
  • redirect_uri must match a URI configured on the app when used for login links in notifications
  • Custom fields must be configured in Field Settings

User Status

  • User account is created immediately with status VERIFIED (or as specified)
  • User is immediately searchable in user search APIs
  • User can login immediately with provided credentials

Create User Notification Templates

When notify_user is true, cidaas sends a USER_CREATED or USER_CREATED_VERIFY notification (email or SMS per primaryType).

Template Key: USER_CREATED

Used when:

  • Email (primaryType: email) and email_verified is true
  • SMS (primaryType: sms)

Template Variables:

  • {{name}} - User's full name
  • {{login_link}} - Login URL in the notification. Built from initiate_login_uri when provided in the request, or from client_id, redirect_uri, and response_type as a /authz-srv/authz URL.
  • {{password}} - User's password
  • {{account_name}} - Organization/tenant name
  • {{user_name}} - Email or mobile number

Locale Support:

  • Set via Accept-Language HTTP header (e.g., Accept-Language: de)
  • Templates are localized based on user's locale

Template Key: USER_CREATED_VERIFY

Used when notify_user: true, email notification (primaryType: email), and email_verified is false.

Template Variables:

  • {{name}} - User's full name
  • {{verify_link}} - Account verification URL
  • {{password}} - User's password
  • {{account_name}} - Organization/tenant name

What the User Receives

  • Personalized email/SMS with their name
  • Clickable login link (or verification link if email not verified)
  • Password (if not auto-generated, password is included)
  • Account/organization name

Webhooks and Facts

When users are created, fact events (webhooks) are sent:

Event Types

  • ACCOUNT_CREATED_WITH_CIDAAS_IDENTITY: User created with self provider (email/password)
  • ACCOUNT_CREATED_WITH_SOCIAL_IDENTITY: User created with social provider
  • ACCOUNT_CIDAASIDENTITY_ADDED: Additional cidaas identity added (for subsequent identities)
  • ACCOUNT_SOCIALIDENTITY_ADDED: Additional social identity added (for subsequent identities)

Fact Event Structure

  • Object Type: users
  • Object ID: The sub (unique user identifier)
  • Webhook Attributes: ["provider", "requestId", "sub"]
  • Use Case: Track user creation events, monitor onboarding, integrate with external systems

The sub allows you to:

  • Link webhook events to specific users
  • Track which user triggered each event
  • Monitor user lifecycle in external systems

Groups & Roles

Assigning Groups

  • Assign Groups: Groups assigned during creation
  • App Settings: Groups must be allowed in app settings (operations_allowed_groups)
  • User Status: User account is immediately active and searchable

Required Roles

OperationRequired Roles
Create Useradmin, secondary_admin, user_create

Field Configuration

System Fields

Stored in Identity object:

  • given_name, family_name
  • email, mobile_number
  • username

Custom Fields

Stored at account level:

Related: Account Structure

Admin Dashboard: Create User

Required Roles: admin, secondary_admin or user_create

Create Admin User

  1. Navigate to Users > Create User
  2. Select Admin usertype
  3. Enter identifiers (email, mobile, or username)
  4. Set password (or generate automatically)
  5. Configure groups and roles
  6. Click Create User

Result: User receives email with login link and password.

Create Normal User

  1. Navigate to Users > Create User
  2. Select User usertype
  3. Select client app (redirect URL auto-filled)
  4. Enter identifiers
  5. Configure user info and groups
  6. Click Create User

Result: User receives email with login link and password.

Technical Integration

EndpointMethodDescriptionLink
Create UserPOSTCreate a new user with admin-set passwordPOST /users-srv/user/create/byadmin
TopicDescriptionLink
Invite UserUser sets password during registrationInvite User
Register UserSelf-service registrationRegister User
Update AccountModify user profileUpdate Account
User GroupsAccess controlUser Groups
Account StructureUser data modelAccount Structure
info
Need Support?

Please contact us directly on our support page or reach out to cidaas support at [email protected].