
FAQ: Identity Cloud hosted End User UI

Last updated Jan 17, 2023

The purpose of this FAQ is to provide answers to commonly asked questions regarding the ForgeRock Identity Cloud hosted End User UI.


Frequently asked questions

Q. How do I add Account Controls to the end user's Profile page?

A. You can configure the Identity Cloud hosted End User UI to display Account Controls on the Profile page. This allows end users to download or delete their own account data. By default, Account Controls are hidden from end users.

To display Account Controls on the Profile page:

  1. In the Identity Cloud admin UI, go to Hosted Pages.
  2. Click the theme that is being used as the realm default.
  3. Go to Account Pages > Layout and select Account Controls.
  4. Click Save.

Account Controls are now displayed on the Profile page. 

Q. How do I remove the Edit Personal Info button from the end user's Profile page?

A. By default, the Identity Cloud hosted End User UI displays the Edit Personal Details button on the Profile page. This allows end users to edit personal information such as their last name, address, email address, and telephone number. You can configure the Identity Cloud hosted UI to hide the Edit Personal Details button if you do not want to allow end users to edit their own personal details.

To hide the Edit Personal Info button from the Profile page:

  1. In the Identity Cloud admin UI, go to Hosted Pages.
  2. Click the theme that is being used as the realm default.
  3. Go to Account Pages > Layout and deselect Personal Information.
  4. Click Save.

The Edit Personal Info button is no longer displayed on the Profile page.

Q. How do I stop end users updating specific details in their Profile such as username?

A. You can make individual user profile attribute(s) not viewable or editable if required. When you do this, the selected properties cannot be changed by the user via the End User UI or REST API calls.

See How do I prevent users viewing and editing their profile attributes in the End User UI for Identity Cloud or IDM (All versions)? for further information. 

Q. Why is a different login journey displayed when an end user logs out of the Profile page?

A. The login journey displayed when an end user clicks Sign out from the Profile page is the default login journey configured for that realm. See Default end user journey for further information. You can change the default login journey in the realm to control which login journey is displayed.

If the user logged in with a non-default login journey, then they will see a different login journey when they log out. The login journey being used is shown in the authIndexValue parameter in the login URL.

Q. Can end users add a picture to their Profile page?

A. Yes, end users can add an image or photo to their Profile page in the Identity Cloud hosted End User UI by clicking the camera icon on the Profile page and entering the URL to where the image is hosted. Profile pictures must be either .png or .jpg format, and should have equal width and height.

The URL entered for the image is stored in the Profile Image (profileImage) property, which exists by default in most tenants. If this property is missing, you should raise a ticket via Backstage to request that it be added.

Q. Can I configure the hosted end user UI to redirect users to a specific URL after they sign out?

A. Yes. You can specify the URL that end users are redirected to after they log out, by adding an optional claim called post_logout_url to the OIDC ID token that is issued during an OIDC flow. To do this you'll need to edit the OIDC Claims Script in Identity Cloud, as follows:

  1. In the Identity Cloud admin UI, go to Scripts > Auth Scripts > OIDC Claims Script.
  2. Edit the script:
    • In the utils.setScopeClaimsMap section, add the post_logout_url claim to an existing scope. This section would look similar to this if you added the claim to the fr:idm:* scope:

        utils.setScopeClaimsMap({
            profile: [
                'name',
                'family_name',
                'given_name',
                'zoneinfo',
                'locale'
            ],
            email: ['email'],
            address: ['address'],
            phone: ['phone_number'],
            'fr:idm:*': ['post_logout_url']
        });

    • In the utils.setClaimResolvers section, add mapping details for the post_logout_url claim including the URL where you want to redirect users on logout. This section would look similar to this (with comments removed) if you were redirecting users to https://example.com:

        utils.setClaimResolvers({
            name: utils.getUserProfileClaimResolver('cn'),
            family_name: utils.getUserProfileClaimResolver('sn'),
            given_name: utils.getUserProfileClaimResolver('givenname'),
            zoneinfo: utils.getUserProfileClaimResolver('preferredtimezone'),
            locale: utils.getUserProfileClaimResolver('preferredlocale'),
            email: utils.getUserProfileClaimResolver('mail'),
            address: utils.getAddressClaimResolver(
                utils.getUserProfileClaimResolver('postaladdress')
            ),
            phone_number: utils.getUserProfileClaimResolver('telephonenumber'),
            post_logout_url: function (requestedClaim) {
                return 'https://example.com';
            }
        });

The post_logout_url claim will be added to all clients that request the scope specified in the utils.setScopeClaimsMap section (the fr:idm:* scope in this example).

  3. Click Save and Close.
  4. Go to Native Consoles > Access Management > Services > OAuth2 Provider > Advanced OpenID Connect and make sure the Always Return Claims in ID Tokens option is enabled.

End users are now redirected to the specified URL after logout or session termination. 
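
To confirm the change, you can decode an ID token issued to a client that requests the scope and check that the post_logout_url claim is present and points where you expect. The following is an added example, not ForgeRock's code: it inspects the payload without verifying the signature, and the host allowlist, function names and sample token are constructed assumptions.

```javascript
// Added example: inspect an ID token for the post_logout_url claim.
// Inspection only: the token signature is NOT verified here.
// Assumption: hosts accepted as post-logout destinations.
const ALLOWED_LOGOUT_HOSTS = ['example.com'];

// Decode one base64url-encoded JWT segment into an object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build an unsigned sample token (constructed data, illustration only).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.`;
}

// Returns { ok, reason } for the post_logout_url claim in an ID token.
function checkPostLogoutUrl(idToken, allowedHosts = ALLOWED_LOGOUT_HOSTS) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWT' };

  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (e) {
    return { ok: false, reason: 'payload is not valid JSON' };
  }

  const value = claims && claims.post_logout_url;
  if (typeof value !== 'string') {
    return { ok: false, reason: 'claim missing' };
  }

  let url;
  try {
    url = new URL(value); // rejects relative or malformed values
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not https' };
  if (!allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: 'host not allowlisted' };
  }
  return { ok: true, reason: 'ok', url: url.href };
}

const sample = makeSampleToken({ sub: 'demo', post_logout_url: 'https://example.com' });
console.log(checkPostLogoutUrl(sample));
```

A "claim missing" result usually means the client did not request the scope the claim was mapped to, or the Always Return Claims in ID Tokens option is not enabled.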

See Also

Identity Cloud Hosted Pages

How do I prevent users viewing and editing their profile attributes in the End User UI for Identity Cloud or IDM (All versions)?


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.