Steps to recreate:
- Create user via API with a password, with “activate=false”
- Activate user using the API with “sendemail=true”
- Users receives the activation email with an activate button
- User clicks on the button, but receives this:
- User’s email address is validated and they are optionally prompted to provide the missing security Q&A
- Set activate=true when provisioning the user OR use sendemail=false when activating the user; BUT this means we aren’t validating their email address, which is a necessary security requirement for our system
I’ve got to be honest, this whole activation process seems a lot messier than I would have expected. Why is the verification of the email address (which I would assume is a common requirement from other customers) baked so tightly into Welcome wizard?