ForgeRock Identity Platform 7.2

User self-service overview

User Self-Service lets your users create and manage their own accounts, while giving you control over what features are available and how they work. With the platform, this is done using authentication trees, either through the AM admin UI, or through the Platform Admin UI. Because this service uses both AM and IDM to work, it requires the platform to function.

While it is possible to configure authentication trees in both the AM admin UI and the Platform Admin UI, the Platform Admin UI is recommended:

  • The Platform Admin UI includes the ability to easily duplicate an existing tree, making it easier to experiment with new flows without changing the behavior of the current tree.

  • Some tree-level configuration is not currently available from the AM admin UI, such as setting the IDM object type you are interacting with, stored in the identityResource property in your tree object. This defaults to managed/user; to work with a different managed object (managed/devices, for example), this will need to be set either through the REST API, or the Platform Admin UI.

One case where you may wish to use the AM admin UI instead, is to configure trees in different realms.

Before continuing with this documentation, make sure you have successfully configured the platform. There are several methods you can use to set up the platform:

  • Configure and set up the platform using Kubernetes. More information about setting up the ForgeRock Identity Platform with Kubernetes can be found in the ForgeOps documentation.

  • Alternatively, manually configure the platform integration between AM and IDM. More information is found in Deployment overview.

This documentation references some sample authentication trees that have been created to demonstrate various features of self-service. Depending on your configuration method, these trees may already be included. If they aren’t already present, or you deleted the trees and wish to re-create them, these sample trees can found in included with AM. For more information about adding these trees to the platform, see Configure authentication trees.

This documentation focuses on the platform implementation of user self-service. To use the IDM-specific or AM-specific implementations, see the instructions in the IDM self-service reference and the AM user self-service documentation.

Authentication trees and self-service

The following nodes were created specifically for use in self-service flows, although you can also use them in other authentication flows:

Nodes requiring the ForgeRock Identity Platform

Since User Self-Service is built using authentication trees, nearly any authentication node included with AM can be used in your self-service flow. The following nodes are not compatible with platform-based self-service, however:

Nodes incompatible with ForgeRock Identity Platform

If you are using a third-party node from the ForgeRock Marketplace, check with the developer for compatibility.

The following sample trees are available:


The sample Registration tree describes a basic registration flow, where the user is prompted to provide several profile attributes, then attempts to create the user and log the user in. You can find this tree in AM samples in root/AuthTree/PlatformRegistration.json. More information is covered in User self-registration. For more information about configuring registration to include social identity providers, see Social authentication.


The sample Login tree describes a basic login flow, where the user is prompted to provide a username and password, then passed to a progressive profile tree before being logged in. You can find this tree in AM samples in root/AuthTree/PlatformLogin.json. More information about modifying the Login tree is covered in Login with self-service. For more information about including social identity providers in a Login tree, see Social authentication.

Progressive Profiles

The sample Progressive Profile tree is called by the Login tree sample. It checks the login count to see if further action is needed. If no action is required, it returns to the Login tree to complete logging in. If the specified number of logins is reached, it instead checks to see if user preferences have been set, and if not, prompts the user to set those preferences. It then returns to the Login tree to finish logging in. You can find this tree in AM samples in root/AuthTree/PlatformProgressiveProfile.json. For more information about using progressive profiling, see Progressive profile.

Password Reset

The Password Reset sample tree provides a method for users to reset their password by providing their email and answering some security questions. If the questions are answered correctly, the user is emailed a password reset link, which they must click to proceed. They are then presented with a password prompt to enter a new password. You can find this tree in AM samples in root/AuthTree/PlatformResetPassword.json. For more information, see Password reset.

Forgotten Username

The Forgotten Username sample tree gives users a method to recover their username by entering an email address. If the email address is associated with a user account, the account’s username will be emailed to the user. The email includes a link to log in, which will take the user through the Login tree. You can find this tree in AM samples in root/AuthTree/PlatformForgottenUsername.json. For more information, see Username recovery.

Update Password

The Update Password sample tree lets users change their passwords. The tree assumes that the user has already logged in successfully. It checks the user’s session data and, if the session is valid, prompts the user to update their password. You can find this tree in AM samples in root/AuthTree/PlatformUpdatePassword.json. For more information, see Password updates.

There is a small naming difference, depending on which method you used to set up the platform. If you are using ForgeOps, the names of the trees will be as listed above. If you manually set up the platform and are loading the trees from the AM samples, the names will have Platform prefixed to the tree names (for example, PlatformRegistration, or PlatformForgottenUsername). The trees and behavior are the same, just with different names.

Copyright © 2010-2024 ForgeRock, all rights reserved.