Self-Service End User UI

This chapter includes the steps that you would take to verify functionality from an end user point of view. Some of the options described in this chapter can be used to help support compliance with the General Data Protection Regulation (GDPR).

For information about customizing the End User UI, see the Github repository: ForgeRock/end-user-ui.

Localizing the End User UI

The End User UI is configured in US English. For more information on how to localize and modify the messages in the End User UI, see the following section of the ForgeRock Identity Management (End User) repository on " Translations and Text".

Change the End User UI Path

By default, the End User UI is registered at the root context and is accessible at the URL https://localhost:8443. To specify a different URL, edit the project-dir/conf/ui.context-enduser.json file, setting the urlContextRoot property to the new URL.

For example, to change the End User UI URL to https://localhost:8443/exampleui, edit the file as follows:

"urlContextRoot" : "/exampleui",

Alternatively, to change the End User UI URL in the Admin UI, follow these steps:

  1. Log in to the Admin UI.

  2. Select Configure > System Preferences, and select the Self-Service UI tab.

  3. Specify the new context route in the Relative URL field.

Provide a Logout URL to External Applications

By default, an End User UI session is invalidated when a user clicks on the Log out link. In certain situations, external applications might require a distinct logout URL to which users can be routed, to terminate their UI session.

The logout URL is #logout, appended to the UI URL; for example, https://localhost:8443/#logout/.

The logout URL effectively performs the same action as clicking on the Log out link of the UI.

Privacy: My Account Information in the End User UI

While end users can find their information in the End User UI, you can use REST calls and audit logs to find the same information. Some of the information in this section, such as Trusted Devices and UMA-based sharing, might require integration with ForgeRock Access Management (AM), as described in the Platform Setup Guide.

What the enduser sees upon log in to the End User UI depends on which features are configured.

  • When you log in to the End User UI, you'll be taken to the IDM Profile page (), with at least the following information under settings:

    • Account Security

    • Preferences

    • Account Controls

  • You'll see at least a Dashboard () and a Profile icon () in the left hand pane. If you've configured UMA as described in "Configure UMA, Trusted Devices, and Privacy", you'll also see a Sharing icon (). To see descriptions with each icon, select the Menu icon ():

    Icons in the End User UI
    Icons in the Left-Pane of the End User UI

  • When you add features described earlier in this chapter, you'll see additional options in the profile page, as described in the following table:

    Information in the End User Profile Page
    Account SecurityPassword and Security Questions, default"Configure Security Questions"
    Social Sign-inLinks to Social Identity Provider AccountsSocial Registration
    Authorized ApplicationsApplications that can access an account"Authorized Applications"
    Trusted DevicesBased on system and browser"Configuring Trusted Devices on IDM"
    PreferencesDefault"Configure User Preferences"
    Personal Data SharingProvides control"Personal Data Sharing"
    Account ControlsIncludes collected account data (Default)"Account Controls"

Personal Information

End users can find their account details in the End User UI, by selecting the Profile icon () > Edit Personal Info. By default, user information includes at least the following properties: Username, First Name, Last Name, and Email Address.

Each user can modify this information as needed, as long as "userEditable" : true for the property in your project's managed.json file. For more information, see "Create and Modify Object Types".

& Security

Under this tab, end users can change their passwords. They can also add, delete, or modify security questions, and link or unlink supported social identity accounts. For more information, see "Configure Security Questions" and Social Registration.


The preferences tab allows end users to modify marketing preferences, as defined in the managed.json file, and the Managed Object User property Preferences tab. For more information, see "Configure User Preferences".

End users can toggle marketing preferences. When IDM includes a mapping to a marketing database, these preferences are sent to that database. This can help administrators use IDM to target marketing campaigns and identify potential leads.

Trusted Devices

A trusted device uses AM's Device ID (Match) and Device ID (Save) authentication modules, as described in the AM Authentication and Single Sign-On Guide. When such modules are configured (see "Configuring Trusted Devices on IDM"), end users can add such devices the first time they log in from a new location.

During the login process, when an end user selects Log In, that user is prompted for a Trusted Device Name. Users see their added devices under the Trusted Devices tab.

A trusted device entry is paired with a specific browser on a specific system. The next time the same end user logs in from the same browser and system, in the same location, that user should not be prompted to enter a trusted device again.

End users can remove their trusted devices from the tab.

Authorized Applications

The Authorized Applications section is specific to end users as OAuth 2 clients. and reflects the corresponding section of the AM Self-Service dashboard, as described in the following section of the AM OAuth 2.0 Guide on: User Consent Management.

Personal Data Sharing

This section assumes that as an administrator, you've followed the instructions in "Configure Privacy and Consent" to enable Privacy & Consent.

End users who see a Personal Data Sharing section have control of whether personal data is shared with an external database, such as one that might contain marketing leads.

The managed object record for end users who consent to sharing such data is shown in REST output and the audit activity log as one consentedMappings object:

"consentedMappings" : [ {
   "mapping" : "managedUser_systemLdapAccounts",
   "consentDate" : "2017-08-25T18:13:08.358Z"

If enabled, end users will see a Personal Data Sharing section in their profiles. If they select the Allow link, they can see the data properties that would be shared with the external database.

This option supports the right to restrict processing of user personal data.

Account Controls

The Account Controls section allows end users to download their account data (in JSON format), and to delete their accounts from IDM.


When end users delete their accounts, the change is propagated to external systems by implicit sync. However, it is then up to the administrator of the external system to make sure that any additional user information is purged from that system.

To modify the message associated with the Delete Your Account option, refer to the section about Translations in the README of the public ForgeRock Identity Management (End User) Git repository. Find the translation.json file, search for the deleteAccount code block, and edit the information.

The options shown in this section can help meet requirements related to data portability, as well as the right to be forgotten.

Read a different version of :