Customize UIs
When you integrate your applications with your Identity Cloud tenant, you must consider how to manage the journey and account (end user UI) pages that your end users will use.
To customize the UIs, Identity Cloud provides many user interface (UI) integration options.
The one you choose will be based on a combination of the following factors:
- Hosting: Do you want to host your own UI?
- Application platform: Do you only need to support web applications, or do you also need to support native applications?
- Theming: How much control do you want over the look and feel of the UI?
- Journey flow: Do you want to redirect end users to a central UI or embed a UI into each application?
For a quick take on these factors against each of the UI options, refer to the summary below.
Journey flows
Journey flows define the sign-in experience for end users. Identity Cloud offers two journey flows:
Not every UI integration option supports centralized or embedded journey flows. Refer to Comparison of UI options for more information.
Centralized journey flows
Centralized journey flows redirect end users to a separate login page, a sign-in experience that is increasingly familiar to end users. They are considered a security best practice. For Identity Cloud, this means that the entire authentication process takes place within Identity Cloud.
An example of a centralized journey flow is Google G Suite, where a user is redirected to the same authentication page no matter which application they are trying to access.
The following video shows a centralized journey flow with ForgeRock SDKs:

Centralized journey flows are possible using all UI options.
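The application's side of a centralized flow, as an added example that is not ForgeRock's code: it assumes the redirect is implemented as an OAuth 2.0 authorization code flow with PKCE (the page does not name the protocol), and the endpoint, client ID, redirect URI and function names are hypothetical placeholders. The application only builds the redirect and validates the response; it never handles the end user's credentials.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// Hypothetical placeholders (assumptions): use your own tenant and client values.
const CONFIG = {
  authorizeEndpoint: "https://idp.example.com/oauth2/authorize",
  clientId: "example-web-app",
  redirectUri: "https://app.example.com/callback",
  scope: "openid profile",
};

// Step 1: send the browser to the central login page. No credentials are collected here.
function beginLogin(config = CONFIG) {
  const state = randomBytes(16).toString("base64url");        // ties the response to this session
  const codeVerifier = randomBytes(32).toString("base64url"); // PKCE secret, kept by the app
  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
  const url = new URL(config.authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: config.clientId,
    redirect_uri: config.redirectUri,
    scope: config.scope,
    state,
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
  }).toString();
  return { redirectTo: url.toString(), session: { state, codeVerifier } };
}

// Step 2: validate the redirect back before exchanging the code for tokens.
function handleCallback(callbackUrl, session, config = CONFIG) {
  const url = new URL(callbackUrl);
  if (url.origin + url.pathname !== config.redirectUri) {
    throw new Error("callback arrived at an unexpected redirect URI");
  }
  const error = url.searchParams.get("error");
  if (error) throw new Error(`authorization server returned: ${error}`);
  const returned = Buffer.from(url.searchParams.get("state") || "");
  const expected = Buffer.from(session.state);
  if (returned.length !== expected.length || !timingSafeEqual(returned, expected)) {
    throw new Error("state mismatch: response does not belong to this login");
  }
  const code = url.searchParams.get("code");
  if (!code) throw new Error("no authorization code in callback");
  // Parameters for the token request: the code plus the PKCE verifier, never a password.
  return { grant_type: "authorization_code", code, code_verifier: session.codeVerifier,
    client_id: config.clientId, redirect_uri: config.redirectUri };
}
```

Store the returned `session` object with the user's session before redirecting, and pass the same object to `handleCallback` when the browser returns.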
Embedded journey flows
Embedded journey flows offer a more traditional sign-in experience, as end users are not redirected outside an application.
Embedded journey flows are not considered to be a security best practice for the following reasons:
- Individual applications have access to the end user’s credentials.
- Individual applications have access to the authorization grant.
- Each application must follow best security practices during the sign-in experience.
The following video shows an embedded journey flow with ForgeRock SDKs:

Embedded journey flows are not recommended, but are possible using the self-hosted Login UI or SDKs.
UI options
The following UI options are available:
- Identity Cloud hosted pages - Use readily available UIs for your login and end-user screens.
- Self-hosted pages - Host your own login and end-user screens.
- ForgeRock SDKs - Use SDKs for web, Android, or iOS applications. Integrate the SDK into Identity Cloud using REST APIs.
Identity Cloud hosted pages
Identity Cloud provides out-of-the-box (OOTB) UI screens for login UIs (journeys) and end-user pages (Identity Cloud End User UI). This is the easiest option for a UI integration as the capabilities are readily available.
Hosted pages provide customization for:
- End-user journey pages, such as login, registration, and password reset
- End-user account pages, such as user profile attributes and the actions end users can take in the Identity Cloud End User UI.
The UI layout is fixed, but can be themed per realm. You can add company logos and change button, link, and background colors. The UI supports web applications but not native applications.
This option is useful if you have limited theming needs or want to quickly try new registration or authentication flows without integrating them into an application.
This option only lets you use centralized journey flows in your applications. Additionally, this is the only option that supports SAML journey flows that use Identity Cloud as the IDP.
ForgeRock does not support the use of Identity Cloud hosted pages in embedded journey flows. Specifically, embedding hosted pages in HTML frames is not supported.
ForgeRock Identity Platform end-user and login UIs (self-hosted)
In this option, you self-host the end-user UIs, the login UIs, or both, and configure them to use your Identity Cloud tenant.
This option offers flexibility if you want to customize the layout of the UIs or customize the theming beyond what the default hosted pages provide. The UIs support web applications but not native applications.
This option also lets you use both centralized and embedded journey flows in your applications.
For background information about the platform end-user and login UIs, refer to Platform UIs.
ForgeRock SDKs
For background information about ForgeRock SDKs (SDKs), refer to ForgeRock SDKs.
In this option, you use the SDKs to develop your own custom UI for web, Android, or iOS applications. You then integrate it with your Identity Cloud tenant using the REST API.
Each SDK provides an out-of-the-box UI module that allows you to prototype your custom UI; however, it is only provided as a starting point, and it is not intended for production use.
This option offers maximum flexibility if you want to customize the behavior, layout, and theming of the UI, or want to support Android and iOS applications. It requires a higher level of technical skill than the other options.
SDKs can use centralized and embedded journey flows.
Comparison of UI options
UI | App Platform | Theming | Journey Flows | Notes |
---|---|---|---|---|
Identity Cloud hosted pages | Web | Limited | Centralized | |
Platform end-user and login UIs | Web | No limitation | Centralized or embedded | |
SDKs | Web, Android, iOS | No limitation | Centralized or embedded | |