Configuration: Identity

Setup Checklist

1. Planning Tasks

 


  • Complete the Identity Implementation Worksheet after meeting with your Aspenware representative to kick off the implementation and send it to your Aspenware representative. (required)

Prerequisite

2. Infrastructure Tasks

 

  • Set Up Azure Architecture (required)

  • Set Up SSL and DNS for Identity URL (required)

  • Set Up Email for Integration (required)

  • Add your GTM ID for Google Analytics tracking and configure GTM according to documentation (coming soon) (optional)

  • Set Up Twilio for Integration (optional)

  • Terms and Conditions configuration (optional)

Prerequisite

3. Identity Tasks

 

  • Configure Settings and Language Strings (required)

    • Required Identity Settings

    • Email Template Customization Settings

    • Create Account/Claim Account Settings

    • General Messaging and Hard-Coded Error Messages

    • Login Page Language Strings

    • Reset Password Page Language Strings

    • Create Account Page Language Strings

    • Claim Account Language Strings

    • Force Password Reset Language Strings

Prerequisite

  • Configure Theming for Identity (required)

  • Configure Multiple Store-Fronts and Identity (optional)

PREREQUISITE

4. Commerce Tasks

 

  • Install and Enable the Identity Plugin in Aspenware Commerce (required)

  • Enable reCAPTCHA for the Identity Plugin (optional)

Detailed Setup

Prerequisite Tasks

Planning Tasks

  • Complete the Identity Implementation Worksheet after meeting with your Aspenware representative to kick off the implementation and send it to your Aspenware representative

Infrastructure Tasks

  • Set Up Azure Architecture

    Identity requires Azure setup to create the web application, the database, and the encryption keys in the Azure Key Vault. The Identity App Service can and should exist within the App Service Plan that also hosts the Commerce and Arrival App Services. The Identity database stores configuration for the Aspenware Identity application. This database can consistently be set to an S3 service level during both normal and increased traffic times. One database is used for both production and test.

     

    • Identity may be integrated into the same version of Unity utilized by Commerce and Arrival if applicable. The Unity server needs to be able to accept inbound traffic from Identity. Aspenware will work with you on security measures to ensure required traffic for Identity to work is allowed.

  • Set Up SSL and DNS

Aspenware also recommends that your resort use a custom domain for the Identity app, such as IIS Windows Server. This will also require Secure Sockets Layer (SSL) setup and a DNS entry. If you don’t have Aspenware Commerce, you’ll also want to set up a custom FQDN and SSL for Unity; Commerce customers will already have SSL and DNS for Unity configured. The process to set up SSL and DNS for Identity will be very similar to the process to configure SSL for Commerce detailed in this guide: How to generate .pfx file for new/renewed SSL cert. Work with your Aspenware representative to upload this and also to set up annual SSL renewal reminders.

  • Set Up Email for Integration

NOTE: Aspenware Identity currently supports email integration with SendGrid and Inntopia Marketing Cloud. For information on and a comparison of SendGrid and Inntopia Marketing Cloud, and for assistance setting up the service in Aspenware Commerce, see the “Email/Tax Service Setup” section in the Ecommerce Setup Checklist.

Ensure that you have set up service with your chosen email provider and securely share the required API keys and additional fields with your Aspenware Representative.

  • (Optional) Set up GTM for Google Analytics Tracking

See Google Analytics for Identity and Arrival for information and a configuration guide for this feature.

  • (Optional) Set Up Twilio for custom SMS phone number Integration

Aspenware integrates with Twilio to send an SMS message to customers in order to claim their account through Identity. A code is generated and sent via the Twilio integration to the customer, who will then enter the code in AW Identity to access their account.  This is relevant to customers who do not have Authentication profiles in RTP. 

By default, Aspenware uses a standard Twilio account that sends codes with the phone number (720) 815-4121.

Although not required, if your resort desires a custom number for Twilio communications, Aspenware can integrate with individual Twilio accounts. For setup, we will need Twilio Account SID, Account API Token, and the From Number. Contact your Aspenware Representative for assistance with this. For assistance setting up the service in Aspenware Commerce, see Setting Up Twilio. You’ll securely share the required API keys and additional fields with your Aspenware Representative.

Identity Tasks

Settings

The following settings are configurable in Identity and must be set at the Identity client level (configurable per external application). These cannot be controlled through an Admin interface and must be set by the Aspenware Dev Ops team; contact your Aspenware representative to update these settings.

Required Identity Settings

| Setting | Values | Description |
|---|---|---|
| Require Account Verification | True/False | If an account is found and this is TRUE, the guest will be texted or emailed a code to verify that they are allowed to claim the account. If FALSE, the guest will be able to create an authentication profile on a found account with no verification required. |
| Require Address Verification | True/False | Customers creating an account will enter a zip code, enabling Identity to more accurately match a new account to a potential existing account. |
| Check Pass Media For Find User | True/False | If TRUE, guests can log in using their pass media or RFID number. If FALSE, login with pass number is disabled. If set to TRUE, there are language strings that should be set up to reflect that this is allowed for guests as well. |
| GTM ID | GTM-XXXX | Supply Aspenware with your GTM ID. |
| Age Limit | 13 is the default | Age limit for guests to create accounts. |
| Password Expired Enabled | True/False | When set to TRUE, this setting will enforce a password reset for all users logging in through Identity whose RTP password change date is earlier than today (automatically set in Azure) minus the “PasswordChangeDays” set below. If FALSE, guests will never be forced to reset their password. |
| Password Change Days | 750 is the default | Only needed if PasswordExpiredEnabled is True. This setting subtracts the number of days from today’s date to determine how recently users must have changed their password in order not to force a reset. For example, if set to 7, any user who has created their account or reset their password in the past week will not be sent down the password reset flow. |
| Password Lockout Enabled | True/False | When set to TRUE, this setting will enforce password lockout. |
| Failed Password Lockout Duration (Minutes) | # of minutes | The number of minutes that the guest will be locked out after triggering the password lockout. |
| Failed Password Lockout Attempts | # | The number of attempts a guest is allowed to enter an incorrect password before being locked out. |

Optional Identity Settings
  • (Optional) Marketing Email Opt In/Out

Contact your Aspenware Representative to discuss implementing this feature. Determine the following configuration options:

  1. Should the checkbox be unchecked by default, forcing the guest to check the box to receive marketing emails, or should the checkbox be preselected, forcing the guest to uncheck the box if they do not want to receive marketing emails?

  2. What do you want the copy to be? By default, it reads “Opt into marketing emails.”

    {
      "STORE URL GOES HERE(do not include protocol ie: https://)": [
        {
          "id": 1,
          "isConsented": false,
          "isConsentedDefaut": true,
          "showCheckBox": true,
          "showConsentText": true,
          "showConsentLink": false,
          "checkedRequired": false,
          "consentText": "Opt into marketing emails",
          "consentLinkUrl": "empty",
          "consentLinkText": "empty",
          "customApiActions": [
            {
              "customApiActionTypeId": 3,
              "apiUrl": "",
              "apiHeaders": {},
              "apiPostPayload": {}
            },
            {
              "customApiActionTypeId": 4,
              "apiUrl": "",
              "apiHeaders": {},
              "apiPostPayload": {}
            }
          ]
        }
      ]
    }
  • (Optional/Restricted) Loyalty Program Enrollment

If you license Aspenware’s Loyalty module within Commerce and Unity, a checkbox can be configured to opt guests into a Loyalty program, updating their loyalty program enrollment status in RTP|One. To complete this configuration, please collect the items below and work with your Aspenware representative to implement. Include all the required copy and links. Be sure to include your preference for the default setting (checked or unchecked) for each T&C setting.

  • Copy for Link and Link for Modality - Example: Click here to read terms. (embedded link: Home - My Terms and Conditions ) The following can be customized by sending the desired copy to your Aspenware Representative.

    • Consent Text - e.g. "Enroll in Boyne Rewards."

    • Consent Link URL - e.g. "https://www.[yourresort].com/terms.html"

    • Consent Link Text - e.g. "Click here to read terms and conditions."

HINT: The following HTML elements are supported in checkbox labels:

<b> <strong> <i> <em> <a> <span> <p>

The href and target attributes are supported on an <a> tag. This means that <a href="google.com" target="_blank">Google</a> will render as a working link.

Additionally, <b>, <strong>, <i>, and <em> can be used to format labels with bold or italics if desired. <p> and <span> can be used to break up the content or force line breaks.

Any tags or attributes not listed above will not render. They will be stripped out of the HTML before the content is rendered to the page. This is to ensure that nobody is inserting <script> tags or other elements that could lead to security risks or broken layouts.

  • The following settings need to be configured as well, depending on how you want the Terms and Conditions features to behave. Again, please let your Aspenware Representative know your preferences and answers to the following settings so we can properly configure your environment.

    1. Do you wish to display the Loyalty enrollment checkbox?

    2. Will there be a link within the text next to the checkbox?

    3. Is enrolling required to proceed with Create Account and/or Login?

    4. Should the consent checkbox be pre-selected by default or un-checked?

IMPORTANT: These checkboxes should only be enabled if Loyalty is configured for your store. This checkbox will only appear if a customer who is logging in does not already have a loyalty sign-up. By clicking the box and accepting, the guest would enroll in the program. In subsequent logins, the loyalty program enrollment would not appear.

Language Strings

Most language strings within Identity are configurable. These language strings are updated using a JSON file and will be defined during the implementation process of Identity. Most language strings can retain default values; however, the following language strings are recommended for customization. View a full list of language strings.

General Messaging and Hard-Coded Error Messages

| Description | String Resource | Current Value | Placement |
|---|---|---|---|
| Several pages | identity.footer.returntologin | Return to login [URL] | Bottom of various identity screens |
| Login | no string | No email profile. | If a user tries to log in and they do not have an email profile, this error is appended to the call services language string. |
| Login | no string | Multiple email profiles. | If a user tries to log in and they have multiple email profiles, this error is appended to the call services language string. |

Login Page Language Strings

 

| String Resource | Current Value | Placement |
|---|---|---|
| account.login.description | Please sign in or create an account. | Displays beneath page title; is collapsed and invisible if no text is entered. |
| account.login.signin | Sign In | Displays on top of login page. |
| account.login.loginoptions | Email, Username, or Pass ID | Displays above line where user types in username, email, or pass ID. |
| account.login.validation.invalid | Email, Username, or Pass ID is invalid. | Displays beneath username entry field when continue button is selected but no characters are entered in username field. |
| account.login.validation.callservices | We’ve encountered a problem logging you in. Please contact customer service at ###-###-####. | Displays beneath username entry field when email profile matches up with multiple authIDs. |
| account.login.callservices.noemailprofile | We’ve encountered a problem logging you in. Please contact customer service at ###-###-####. Error: Account has no email profile. | Displays beneath username entry field when user has a username that is not an email and has no email profile. Error: var message = string.Empty; if (account.Status == "UserAccountExistsWithNoEmail") { message = "Missing email profile."; } else if (account.Status |
| account.login.newuser | New user? | Displays above login field and below Sign In. |
| account.login.createaccount | Create an account [URL] | Follows “New user?” |
| account.login.password.signin | Sign In | |
| account.login.password.description | Enter your password below. If you forget your password reset it by selecting 'Reset password' | Displays beneath page title; messaging is collapsed and invisible if no text is entered. |
| account.login.password.password | Password | Displays beneath customer username and above password entry field. |
| account.login.callservices.noemailprofile | We’ve encountered a problem logging you in. Please contact customer service at ###-###-####. Error: Account has no email profile. | Displays beneath username entry field when user has a username that is not an email and has no email profile. Error: var message = string.Empty; if (account.Status == "UserAccountExistsWithNoEmail") { message = "Missing email profile."; } else if (account.Status |
| account.create.informationmissing | We found your account but DOB information to claim it is missing. Please contact us to help claim your account. | Displays on login when a guest does not have a DOB defined in the POS. |

 

Reset Password Page Language Strings

 

| String Resource | Current Value | Placement |
|---|---|---|
| account.forgotpassword.description | To reset your password, please enter your email or username and select continue." | Displays beneath title; if no description is entered, area is collapsed. |
| account.forgotpassword.username | Email or username | Displays beneath description above entry field. |
| account.forgotpassword.validation.success | Success! An email and link for resetting your password has been sent to this address. | Displays beneath email.username field after password reset email is sent. |
| account.forgotpassword.validation.invalid | Invalid email address, please try again. | Displays beneath email.username field if invalid entry. |

 

Create Account Page Language Strings

 

| String Resource | Current Value | Placement |
|---|---|---|
| account.create.createaccount | Create an Account | This is the heading on top of the Create Account page. |
| account.create.description | Already have an account? | Displays beneath page title. Text area is collapsed if no text is entered. |
| account.create.accountexists.signin | Sign in [URL] | This is the active URL after “Already have an account” text. |
| account.create.email | Email | This is the first line of create account (becomes username; required). |
| account.create.email.validation | Field is required. | Displays validation response if email is not entered. |
| account.create.firstname | First Name | This is the second line of create account (required). |
| account.create.firstname.validation | Field is required. | Displays validation response if first name is not entered. |
| account.create.lastname | Last Name | This is the same line as First Name (required). |
| account.create.lastname.validation | Field is required. | Displays validation response if last name is not entered. |
| account.create.dateofbirth | Date of Birth | This is the third line of create account (required). |
| account.create.dateofbirth.validation | Field is required. | Displays validation response if DOB is not entered. |
| account.create.phone | Phone | This is the fourth line of create account (required). |
| account.create.phone.validation | Field is required. | Displays validation response if phone number is not entered. |
| account.create.postalcode | Postal Code | This is the fifth line of create account (required). |
| account.create.postalcode.validation | Field is required. | Displays validation response if postal code is not entered. |
| account.create.password | Password | This is the sixth line of create account (required). |
| account.create.password.validation | Field is required. | Displays validation response if password is not entered. |
| account.create.confirmpassword | Confirm Password | This is the seventh line of create account (required). |
| account.create.confirmpassword.validation | Field is required. | Displays validation response if confirm password is not entered. |
| account.create.validation | Unable to create account. | Displays beneath “Create” button if account cannot be created. A hard-coded meaningful message will display appended. |
| account.create.informationmissing | We found you but additional information is required to create an account. Please contact ###-###-#### or email ___@ ___.com to recover your account | Displays below email field. |
| account.create.underage | You must be {0} years of age to register. | Displays below email field. By adding {0} into the language string, it will be replaced with the Age Limit. |

Claim Account Language Strings

| Description | String Resource | Current Value | Placement |
|---|---|---|---|
| Claim Account → Select Account page | account.claim.selectaccount | Select Account | Title displays at top of page. |
| Claim Account → Select Account page | account.claim.description | We found two or more accounts that match information you entered. Please select an account to continue. | Description displays beneath title. If no text is entered, this text box will collapse. |
| Claim Account → Select Account page | account.claim.select | Select Account | Displays beneath description and above selection dropdown. |
| Claim Account → Verify Account page | account.claim.verify | Verify Account | Title displays at top of page. |
| Claim Account → Verify Account page | account.claim.verify.description | We found a matching account. Please select a delivery method for your verification code. | Description displays beneath title. If no text is entered, this text box will collapse. |
| Claim Account → Verify Account page | account.claim.select | Select Account | Displays beneath description and above selection dropdown. |
| Claim Account → Verify Code page | account.claim.verifycode.verifycode | Verify Code | Title displays at the top of page. |
| Claim Account → Verify Code page | account.claim.verifycode.description | Please enter the code that was sent to your account. | Description displays beneath title. If no text is entered, text box collapses. |
| Claim Account → Verify Code page | account.claim.verifycode.verificationcode | Verification Code | Displays beneath description and above verification code text entry field. |
| Claim Account → Create Login page | account.claim.createlogin | Create Login | Title displays at the top of page. |
| Claim Account → Create Login page | account.claim.createlogin.description | Your account has been verified. Please enter email and establish password to claim your account and login. | Description displays beneath title. If no text is entered, text box collapses. |
| Claim Account → Create Login page | account.claim.createlogin.email | Email (Username) | Displays beneath description and above email (username) entry field. |
| Claim Account → Create Login page | account.claim.createlogin.password | Password | Displays beneath email and above password entry field. |
| Claim Account → Create Login page | account.claim.createlogin.confirmpassword | Confirm Password | Displays beneath password and above confirm password entry field. |
| Claim Account → Create Login page | account.claim.createlogin.password.strongpassword | Password must contain at least 6 characters, a lower case character, an upper case character, at least one digit, and a non-alphanumeric character. | Displays beneath password entry field. |
| Claim Account → Create Login page | account.claim.createlogin.password.required | Password required. | Displays in red beneath password entry field if no password is entered. |
| Claim Account → Create Login page | account.claim.createlogin.confirmpassword.required | Confirm password required. | Displays in red beneath confirm password entry field if no confirm password is entered. |
| Claim Account → Create Login page | account.claim.createlogin.password.match | Confirm password must match password. | Displays in red beneath confirm password entry field if passwords do not match. |
| Claim Account → Create Login page | account.setprofile.enterpassword | Please fill in your information below to claim your account. | |

 

Force Password Reset (Only if setting PasswordExpirationEnabled is true) Language Strings

 

| String Resource | Current Value | Placement |
|---|---|---|
| account.login.resetpassword | Reset password | Displays at bottom of login page. |
| account.forgotpassword.forgotpassword | Forgot Password | Displays at top of reset password page. |
| account.forgotpassword.description | To reset your password, please enter your email or username and select continue." | Displays beneath title; if no description is entered, area is collapsed. |
| account.forgotpassword.username | Email or username | Displays beneath description above entry field. |
| account.forgotpassword.validation.success | Success! An email and link for resetting your password has been sent to this address. | Displays beneath email.username field after password reset email is sent. |
| account.forgotpassword.validation.invalid | Invalid email address, please try again. | Displays beneath email.username field if invalid entry. |
| account.resetpassword.resetpassword | Reset Password | Title displays when user is taken from email link to reset password page. |
| account.resetpassword.description | Please enter and confirm password below. | Description displays beneath reset password title; if no text is entered, description box collapses. |
| account.resetpassword.password | Password | Displays beneath description above password field. |
| account.resetpassword.confirmpassword | Confirm Password | Displays above confirm password field. |
| account.resetpassword.validation.invalid | Password must contain at least 6 characters, a lower case character, an upper case character, at least one digit, and a non-alphanumeric character. | Displays beneath password fields if entry is invalid. |
| account.passwordexpired.passwordexpired | Password Expired | |
| account.passwordexpired.description | Your current account password has expired. To reset your password, please enter your email or username and select continue. | |
| account.passwordexpired.username | Email or username | |
| account.passwordexpired.validation.success | Success! An email and link for resetting your password has been sent to this address. | Message appears beneath user email entry if reset email sent successfully. |
| account.passwordexpired.validation.invalid | Invalid email address, please try again. | Message appears beneath user email entry if reset email unable to be sent. |

| String Resource | Current Value | Placement |
|---|---|---|
| account.lockout.remainingattempts (NOTE: This string is for the number of login attempts remaining before the user is locked out.) | You have {0} remaining attempts. (NOTE: Be sure to include the {0}, as it is the placeholder token for the number of remaining attempts.) | |
| account.lockout.lockedout (NOTE: This is a message notifying the user that they will be locked out for X minutes.) | Your account has been locked for {0}. (NOTE: Be sure to include the {0}, as it is the placeholder token for the number of minutes.) | |

 

Identity Theming

When using Identity, your client folder will include a background image and your logo image. Horizontal logo images are recommended when using the Identity application. In addition to language strings (listed above), the following components may be configured by resorts upon implementing Identity. All other UI features default to the application.

  1. Background

    1. Background Image

    2. Background Overlay (for text readability)

  2. Logo (long and wide logos work best)

    1. Logo URL

    2. Logo Sizes for Mobile, Tablet, and Desktop

  3. Primary Color (Buttons, Mobile Header Bar)

  4. Button Details

    1. Button Color

    2. Button Radius (rounding)

    3. Button Hover Color

    4. Button Font Weight (Bold, Normal, etc)

    5. Button Font Size

    6. Button Letter Spacing

  5. Font Details

    1. Heading Font Color

    2. Body Font Color

    3. Link Font Color

    4. Link Hover Font Color

    5. A single custom font can be supported for those who use CSS to import their custom fonts. Font customizations will apply to the Identity application, but the email font will be standardized as Helvetica for all customers. Supply the font URL to your Aspenware Representative, similar to the example below:

Email Template Customization

Both Identity password emails and verification code emails have standard email templates for forgot password emails and account verification emails. Email templates can be customized to include the resort's logo, links to the resort website, resort address in the email footer, and the resort name.

| Setting | Description | Specs |
|---|---|---|
| Resort LogoUrls | Web-based URL of logo. This setting determines what logo displays in the email. | |
| ResortEmailFooters | This setting determines what footer text displays in the email. | Typically used for address, phone number and/or contact email. |
| ResortNames | This setting determines what resort name displays in the email. | (e.g. Peak Resort) |
| ResortUrls | This setting determines where the user is taken if they click the logo in the email. | (e.g. http://aspenware.com) |

 

(Optional) Configure Multiple Store-Fronts and Identity

Aspenware Commerce can be configured to have multiple store-fronts operating from a single backend admin instance, where product configuration for the shop is done. Each storefront can have its own look and feel, language strings, custom domain, settings, products, and more. Similarly, Identity can be configured to work with multiple storefronts. A single instance of Identity can also be configured to work with multiple completely separate Aspenware Commerce stores, so that if you are logged in to one store you are logged into others. However, there are some limitations around what can be customized across store-fronts or unique shops for Identity.

If using the same Identity across multiple storefronts and/or stores, the custom URL across the single instance of Identity must remain constant. For example, Boyne Resorts uses a single Identity across all of its 7 resorts, so http://shop.bigskyresort.com redirects to http://id.boyneresorts.com but guests coming to this page from the Big Sky shop or Arrival see a Big Sky branded experience and language strings that correspond to Big Sky.

Other limitations involve language strings. If two stores are operating out of a single Aspenware Commerce instance, i.e. they share an admin backend, then they can have unique branding, but the language strings must remain the same across the stores. If two stores use the same Identity but have separate Aspenware Commerce admin instances, they can have unique brands AND language strings. For example, Boyne Mountain and Boyne Highlands, sister resorts in Michigan, also use the same Identity as the other Boyne Resorts (http://id.boyneresorts.com); however, these two storefronts share a single Aspenware Commerce Admin, so the Identity language strings for these two store-fronts are shared. In the image below, the items in yellow are shared across the storefronts’ views of Identity, and the items in blue are unique.

 

Commerce Tasks

1. Install and Enable the Identity Plugin in Aspenware Commerce

To begin using Identity, you must install, configure, and activate the Identity plugin. To do so, follow the steps below:

  • Find and install the Identity Plugin

    1. In the Aspenware Commerce admin panel go to Configuration > Local Plugins

    2. Search the list for ExternalAuth Methods : Identity Authentication

    3. Select Install.

    4. Once installation is complete, select Restart application to apply changes at the top of the page.

  • Configure Identity External Authentication

    1. Go to Configuration > External Authentication

      1. If the Identity plugin has been successfully installed you will see it on the admin screen.
         

    2. Select Configure.

      1. Enter your OpenID, ClientID, and OpenID ClientSecret (these are created and provided by Aspenware).

      2. In the Authority to use when connecting to OpenID field enter the web address (URL) that will be using Identity.

      3. Select Save.

    3. Return to the External Authentication Admin page and select Edit.

      1. Select the check box under the Is active column then select Update.

2. Enable reCAPTCHA for the Identity Plugin (optional)

The reCAPTCHA v3 API helps resorts detect abusive traffic without user interaction. Instead of showing a CAPTCHA challenge (as with older versions), reCAPTCHA v3 returns a score. Resorts can then choose the most appropriate action for their websites according to this score. Because scores are determined by monitoring user interaction on your site, Aspenware recommends implementing reCAPTCHA as soon as possible (and across all available interactions) to begin site monitoring. Monitoring can be disabled at any time, and reCAPTCHA v3 thresholds can also be adjusted in the reCAPTCHA admin dashboard to be more or less tolerant of risky activities and related actions. See below for instructions on how to enable reCAPTCHA v3 on Aspenware Identity.

In order to use reCAPTCHA v3 you will need to register your site and get your reCAPTCHA public and private keys.

  • Work with your Aspenware Representative (support@aspenware.com) to configure reCAPTCHA for Identity. You will need to provide them with the following three configuration elements:

    1. The Site Key and Secret Key you obtained from Google upon adding reCAPTCHA.

    2. The desired locations that you would like reCAPTCHA v3 to monitor. Options include Create Account, Login, Recover Account, Password Reset and Claim Account. Aspenware recommends resorts enable reCAPTCHA v3 on all locations for the maximum benefit.

    3. The reCAPTCHA v3 Score Threshold number to begin monitoring your site.
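How a score threshold is typically applied on the server side, as an added example (not Aspenware's implementation): the function takes the parsed JSON that Google's siteverify endpoint returns for a v3 token and checks the hostname and action as well as the score. The host name, the action names, the 0.5 threshold and the sample responses are constructed for illustration.

```python
# Constructed placeholder for the Identity site's host name.
IDENTITY_HOST = "id.example-resort.test"

# The locations listed above, mapped to hypothetical reCAPTCHA action names
# (the real names used by Identity are not given on this page).
LOCATION_ACTIONS = {
    "Create Account": "create_account",
    "Login": "login",
    "Recover Account": "recover_account",
    "Password Reset": "password_reset",
    "Claim Account": "claim_account",
}


def evaluate_verdict(verdict, location, threshold, hostname=IDENTITY_HOST):
    """Decide whether a request may proceed, given a parsed siteverify reply.

    Returns (allowed, reason). Every check fails closed.
    """
    expected_action = LOCATION_ACTIONS.get(location)
    if expected_action is None:
        return False, "unknown location"
    if verdict.get("success") is not True:
        codes = ",".join(verdict.get("error-codes", [])) or "unspecified"
        return False, f"token rejected ({codes})"
    # A valid token minted on another site must not be accepted here.
    if verdict.get("hostname") != hostname:
        return False, "hostname mismatch"
    # A token obtained on one page must not be reused on another.
    if verdict.get("action") != expected_action:
        return False, "action mismatch"
    score = verdict.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "missing score"
    # Scores run from 0.0 (likely automated) to 1.0 (likely legitimate).
    if score < threshold:
        return False, f"score {score} below threshold {threshold}"
    return True, "ok"


# Constructed sample responses in the shape siteverify returns for v3.
SAMPLES = {
    "guest_login": {"success": True, "score": 0.9, "action": "login",
                    "challenge_ts": "2024-01-01T12:00:00Z",
                    "hostname": IDENTITY_HOST},
    "scripted_login": {"success": True, "score": 0.1, "action": "login",
                       "challenge_ts": "2024-01-01T12:00:05Z",
                       "hostname": IDENTITY_HOST},
    "other_site_token": {"success": True, "score": 0.9, "action": "login",
                         "challenge_ts": "2024-01-01T12:00:07Z",
                         "hostname": "unrelated.example"},
    "reused_token": {"success": False,
                     "error-codes": ["timeout-or-duplicate"]},
}

if __name__ == "__main__":
    for name, verdict in SAMPLES.items():
        print(name, evaluate_verdict(verdict, "Login", threshold=0.5))
    # A login token presented on the Claim Account page is refused.
    print(evaluate_verdict(SAMPLES["guest_login"], "Claim Account", 0.5))
```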