IDM 7.4.1

Self-service end user UI

This topic includes procedures to verify functionality from an end user point of view. Some options described can be used to help support compliance with the General Data Protection Regulation (GDPR).

For information about customizing the End User UI, refer to the Github repository: ForgeRock/end-user-ui.

Localize the end user UI

The End User UI is configured in US English. For more information on how to localize and modify the messages in the End User UI, refer to Translations and Text.

Change the end user UI path

By default, the End User UI is registered at the root context and is accessible at the URL https://localhost:8443. To specify a different URL, edit the project-dir/conf/ui.context-enduser.json file, setting the urlContextRoot property to the new URL.

For example, to change the End User UI URL to https://localhost:8443/exampleui, edit the file as follows:

"urlContextRoot" : "/exampleui",

Alternatively, to change the End User UI URL in the admin UI, follow these steps:

  1. Log in to the admin UI.

  2. From the navigation bar, click Configure > System Preferences, and select the Self-Service UI tab.

  3. Specify the new context route in the Relative URL field.

  4. Click Save.

Provide a logout URL to external applications

By default, an End User UI session is invalidated when a user clicks on the Log out link. In certain situations, external applications might require a distinct logout URL to which users can be routed, to terminate their UI session.

The logout URL is #logout, appended to the UI URL; for example, https://localhost:8443/#logout/.

The logout URL effectively performs the same action as clicking on the Log out link of the UI.

Privacy: my account information in the End User UI

While end users can find their information in the End User UI, you can use REST calls and audit logs to find the same information. Some of the information in this section, such as Trusted Devices and UMA-based sharing, may require integration with ForgeRock Access Management (AM), as described in the sample platform setup documentation.

What the end user sees upon log in to the End User UI depends on which features are configured.

  • When you log in to the End User UI, you’ll be taken to the IDM Profile page , with at least the following information under the Settings tab:

    • Account Security

    • Preferences

    • Account Controls

  • At a minimum, the left panel displays the Dashboard and Profile buttons. If you’ve configured UMA as described in UMA, trusted devices, and privacy, you’ll also refer to a Sharing button. To see descriptions, click the Menu button:

    endUserIcons

  • When you add features, additional options display on the profile page:

    Information in the End User Profile Page
    Title Description Section

    Account Security

    Password and Security Questions, default

    Social Sign-in

    Links to Social Identity Provider Accounts

    Authorized Applications

    Applications that can access an account

    Trusted Devices

    Based on system and browser

    Preferences

    Default

    Personal Data Sharing

    Provides control

    Account Controls

    Includes collected account data (Default)

Personal information

To view account details in the End User UI, a user clicks the Profile button > Edit Personal Info. By default, user information includes at least a Username, First Name, Last Name, and Email Address.

Each user can modify this information as needed, as long as "userEditable" : true for the property in your project’s managed.json file. For more information, refer to Create and Modify Object Types.

Sign-In & security

Under this tab, end users can change their passwords. They can also add, delete, or modify security questions, and link or unlink supported social identity accounts. For more information, refer to Security questions and Social registration.

Preferences

The preferences tab allows end users to modify marketing preferences, as defined in the managed.json file, and the Managed Object User property Preferences tab. For more information, refer to Configure User Preferences.

End users can toggle marketing preferences. When IDM includes a mapping to a marketing database, these preferences are sent to that database. This can help administrators use IDM to target marketing campaigns and identify potential leads.

Trusted devices

A trusted device uses AM’s Device ID (Match) and Device ID (Save) authentication modules, as described in the AM Authentication and Single Sign-On Guide. When such modules are configured (see Configuring Trusted Devices on IDM), end users can add such devices the first time they log in from a new location.

During the login process, when an end user selects Log In, that user is prompted for a Trusted Device Name. Users refer to their added devices under the Trusted Devices tab.

A trusted device entry is paired with a specific browser on a specific system. The next time the same end user logs in from the same browser and system, in the same location, that user should not be prompted to enter a trusted device again.

End users can remove their trusted devices from the tab.

Authorized applications

The Authorized Applications section is specific to end users as OAuth 2 clients. and reflects the corresponding section of the AM Self-Service dashboard, as described in the following section of the AM OAuth 2.0 Guide on: User Consent Management.

Personal data sharing

This section assumes that as an administrator, you’ve followed the instructions in Privacy and consent to enable Privacy & Consent.

End users who refer to a Personal Data Sharing section have control of whether personal data is shared with an external database, such as one that might contain marketing leads.

The managed object record for end users who consent to sharing such data is shown in REST output and the audit activity log as one consentedMappings object:

"consentedMappings" : [ {
   "mapping" : "managedUser_systemLdapAccounts",
   "consentDate" : "2017-08-25T18:13:08.358Z"
}

If enabled, end users will refer to a Personal Data Sharing section in their profiles. If they select the Allow link, they can see the data properties that would be shared with the external database.

This option supports the right to restrict processing of user personal data.

Account controls

The Account Controls section allows end users to download their account data (in JSON format), and to delete their accounts from IDM.

When end users delete their accounts, the change is propagated to external systems by implicit sync. However, it is then up to the administrator of the external system to make sure that any additional user information is purged from that system.

To modify the message associated with the Delete Your Account option, refer to the section about Translations in the README of the public ForgeRock Identity Management (End User) Git repository. Find the translation.json file, search for the deleteAccount code block, and edit the information.

The options shown in this section can help meet requirements related to data portability, as well as the right to be forgotten.