Self-Registration can be useful for external users. And a process that allows for validation of the e-mail address before activating the account is adding a layer of confidence versus who the requester is.
Here is a simple example that you can customize to meet your needs.
First let's look at the Self-Registration validation process.
Figure 1: Welcome Page for IdM 4(RBPM).
Figure 2: Self-Registration page.
Figure 3: Account is disabled upon Self-Registration account creation.
Figure 4: User receives e-mail via e-mail address typed in the self-registration form. The e-mail includes validation link.
Figure 5: User is directed to web form for activating the account. Additionally, the user must agree to the Terms & Conditions, otherwise account will not be activated.
Figure 6: Once user agrees to the Ts&Cs(checkbox is checked) account will be activated.
Figure 7: User can now login to IdM and other auto-provisioned apps(via IdM drivers).
First, you need to configure Self-Registration in IdM. You can follow these instructions: TID: 3002868 - How to allow anonymous users to self register to the User Application Portal
N.B. You need to grant trustee write rights(All attributes rights) at the OU level to the Public user.
Then you need a Null or Loopback driver to:
Figure 8: Null Driver rule that disables the user, generate a unique key, and send the e-mail.
Figure 9: Null driver rule that watches for account validation.
Figure 10: Null driver filter.
The zip download includes and export of the ECMA MD5 hash function, the Null Driver policy, and the war archive that includes the jsp form for e-mail validation.
N.B. I am using the admin account to write the attribute in the vault using the jsp form, but for a real deployment, a special account with only access to the single attribute selected would be appropriate.
For the war, I just deployed it on JBoss which I also use to run IdM(RBPM). You can access the JBoss console using http://idm_server_address:port (admin/admin is default).
Figure 12: Deploying war on JBoss.