Self-service end user UI
This topic includes procedures to verify functionality from an end user point of view. Some options described can be used to help support compliance with the General Data Protection Regulation (GDPR).
For information about customizing the End User UI, see the Github repository: ForgeRock/end-user-ui.
Localize the end user UI
The End User UI is configured in US English. For more information on how to localize and modify the messages in the End User UI, see Translations and Text.
Change the end user UI path
By default, the End User UI is registered at the root context and is accessible at the URL https://localhost:8443
. To specify a different URL, edit the project-dir/conf/ui.context-enduser.json
file, setting the urlContextRoot
property to the new URL.
For example, to change the End User UI URL to https://localhost:8443/exampleui
, edit the file as follows:
"urlContextRoot" : "/exampleui",
Alternatively, to change the End User UI URL in the admin UI, follow these steps:
-
Log in to the admin UI.
-
From the navigation bar, click Configure > System Preferences, and select the Self-Service UI tab.
-
Specify the new context route in the Relative URL field.
-
Click Save.
Provide a logout URL to external applications
By default, an End User UI session is invalidated when a user clicks on the Log out link. In certain situations, external applications might require a distinct logout URL to which users can be routed, to terminate their UI session.
The logout URL is #logout
, appended to the UI URL; for example, https://localhost:8443/#logout/
.
The logout URL effectively performs the same action as clicking on the Log out link of the UI.
Privacy: my account information in the End User UI
While end users can find their information in the End User UI, you can use REST calls and audit logs to find the same information. Some of the information in this section, such as Trusted Devices and UMA-based sharing, might require integration with ForgeRock Access Management (AM), as described in the Platform Setup Guide.
What the end user sees upon log in to the End User UI depends on which features are configured.
-
When you log in to the End User UI, you’ll be taken to the IDM Profile page , with at least the following information under the Settings tab:
-
Account Security
-
Preferences
-
Account Controls
-
-
At a minimum, the left panel displays the Dashboard and Profile buttons. If you’ve configured UMA as described in UMA, trusted devices, and privacy, you’ll also see a Sharing button. To see descriptions, click the Menu button:
-
When you add features, additional options display on the profile page:
Information in the End User Profile Page Title Description Section Account Security
Password and Security Questions, default
Social Sign-in
Links to Social Identity Provider Accounts
Authorized Applications
Applications that can access an account
Trusted Devices
Based on system and browser
Preferences
Default
Personal Data Sharing
Provides control
Account Controls
Includes collected account data (Default)
Personal information
To view account details in the End User UI, a user clicks the Profile button > Edit Personal Info. By default, user information includes at least a Username, First Name, Last Name, and Email Address.
Each user can modify this information as needed, as long as "userEditable" : true
for the property in your project’s managed.json
file. For more information, see Create and Modify Object Types.
Sign-In & security
Under this tab, end users can change their passwords. They can also add, delete, or modify security questions, and link or unlink supported social identity accounts. For more information, see Security questions and Social registration.
Preferences
The preferences tab allows end users to modify marketing preferences, as defined in the managed.json
file, and the Managed Object User property Preferences tab. For more information, see Configure User Preferences.
End users can toggle marketing preferences. When IDM includes a mapping to a marketing database, these preferences are sent to that database. This can help administrators use IDM to target marketing campaigns and identify potential leads.
Trusted devices
A trusted device uses AM’s Device ID (Match) and Device ID (Save) authentication modules, as described in the AM Authentication and Single Sign-On Guide. When such modules are configured (see Configuring Trusted Devices on IDM), end users can add such devices the first time they log in from a new location.
During the login process, when an end user selects Log In, that user is prompted for a Trusted Device Name. Users see their added devices under the Trusted Devices tab.
A trusted device entry is paired with a specific browser on a specific system. The next time the same end user logs in from the same browser and system, in the same location, that user should not be prompted to enter a trusted device again.
End users can remove their trusted devices from the tab.
Authorized applications
The Authorized Applications section is specific to end users as OAuth 2 clients. and reflects the corresponding section of the AM Self-Service dashboard, as described in the following section of the AM OAuth 2.0 Guide on: User Consent Management.
Personal data sharing
This section assumes that as an administrator, you’ve followed the instructions in Privacy and consent to enable Privacy & Consent.
End users who see a Personal Data Sharing section have control of whether personal data is shared with an external database, such as one that might contain marketing leads.
The managed object record for end users who consent to sharing such data is shown in REST output and the audit activity log as one consentedMappings
object:
"consentedMappings" : [ {
"mapping" : "managedUser_systemLdapAccounts",
"consentDate" : "2017-08-25T18:13:08.358Z"
}
If enabled, end users will see a Personal Data Sharing section in their profiles. If they select the Allow link, they can see the data properties that would be shared with the external database.
This option supports the right to restrict processing of user personal data.
Account controls
The Account Controls section allows end users to download their account data (in JSON format), and to delete their accounts from IDM.
When end users delete their accounts, the change is propagated to external systems by implicit sync. However, it is then up to the administrator of the external system to make sure that any additional user information is purged from that system. |
To modify the message associated with the Delete Your Account
option, refer to the section about Translations in the README of the public ForgeRock Identity Management (End User) Git repository. Find the translation.json
file, search for the deleteAccount
code block, and edit the information.
The options shown in this section can help meet requirements related to data portability, as well as the right to be forgotten.