Access Management 7.3.2

Configure user self-service

You can configure the user self-service features to use email address verification. AM's email service then sends users an email containing a link for self-registration or forgotten password reset. If configured, AM can also email a forgotten username to the user.

To configure user self-registration and password recovery in the ForgeRock Identity Platform, refer to the ForgeRock Identity Platform self-service documentation.

The following table summarizes the high-level tasks required to configure the user self-service features:

Task Resources

Create encryption and signing keys

The user self-service features require a key pair for encryption and a signing secret key. Create one of each for each instance of user self-service you plan to configure.

Configure a user self-service instance

Each realm requires its own instance.

Configure user self-service security

Configure at least one security method for each feature:

  • Configure the email service to send an email to users who are registering or resetting their passwords.

  • Configure knowledge-based questions that users must answer to reset their passwords.

  • Configure Google reCAPTCHA to protect any of the user self-service features from bots.

Configure user self-service features

Configure the features that your environment requires.

Create a user self-service instance

  1. In the AM admin UI, go to Realms > Realm Name > Services and select Add a Service.

  2. Select User Self-Service from the list of possible services.

  3. Populate the values of the Encryption Key Pair Alias and the Signing Secret Key Alias properties with the names of the key pair aliases in your JCEKS keystore.

    Note that the names of the demo keys are displayed in gray; this does not mean that the fields are filled in.

    For example, if you are using the demo keys in the default keystore.jceks file, set the properties as follows:

    • Encryption Key Pair Alias to selfserviceenctest.

    • Signing Secret Key Alias to selfservicesigntest.

      The demo key aliases are for test or evaluation purposes. Do not use them in production environments. To create new key aliases, see Create self-service key aliases.

  4. Enable the user self-service features.

  5. Select Create.
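
The following script is an added example, not part of the ForgeRock documentation or of AM's tooling. It checks the two aliases entered in step 3 against a keytool -list listing of the JCEKS keystore and reports demo aliases, aliases that are missing, and aliases whose entry type does not match (key pair for encryption, secret key for signing). The sample listing and the realm1-ss-enc and realm1-ss-sign aliases are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ForgeRock code): audit the two aliases chosen for a
# User Self-Service instance against a `keytool -list` listing.

# Constructed sample listing, not from a real keystore. In practice use:
#   keytool -list -storetype JCEKS -keystore keystore.jceks
SAMPLE_LISTING='Keystore type: JCEKS

selfserviceenctest, Jan 1, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)
selfservicesigntest, Jan 1, 2023, SecretKeyEntry,
realm1-ss-enc, Jan 1, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)
realm1-ss-sign, Jan 1, 2023, SecretKeyEntry,'

# entry_type LISTING ALIAS: print the keystore entry type, or nothing if absent.
entry_type() {
    printf '%s\n' "$1" | awk -v a="$2" '
        index($0, a ", ") == 1 &&
        match($0, /PrivateKeyEntry|SecretKeyEntry|trustedCertEntry/) {
            print substr($0, RSTART, RLENGTH); exit
        }'
}

# check_alias LISTING ROLE ALIAS EXPECTED_TYPE: print findings, return 1 if any.
check_alias() {
    bad=0
    case $3 in
        selfserviceenctest|selfservicesigntest)   # demo aliases named on the page
            echo "$2: DEMO_ALIAS $3"; bad=1 ;;
    esac
    actual=$(entry_type "$1" "$3")
    if [ -z "$actual" ]; then
        echo "$2: MISSING $3"; bad=1
    elif [ "$actual" != "$4" ]; then
        echo "$2: WRONG_TYPE $3 is $actual, expected $4"; bad=1
    fi
    return $bad
}

# audit_selfservice LISTING ENC_ALIAS SIGN_ALIAS: the encryption alias must be a
# key pair (PrivateKeyEntry), the signing alias a secret key (SecretKeyEntry).
audit_selfservice() {
    rc=0
    check_alias "$1" encryption "$2" PrivateKeyEntry || rc=1
    check_alias "$1" signing "$3" SecretKeyEntry || rc=1
    return $rc
}

# Demo on the constructed listing: flags both demo aliases.
audit_selfservice "$SAMPLE_LISTING" selfserviceenctest selfservicesigntest || true
```

A non-zero return from audit_selfservice can be used to fail a deployment check before the realm's self-service instance goes live.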