Configure a User Management Profile#
The configuration of a User Management profile is divided into four pages:
- General → General settings of the profile.
- Data Sources → Configure data sources used to store users and associated resources.
- Endpoints → View and manage the SCIM and GraphQL endpoints.
- Account Settings → Configure settings related to user accounts, such as which authenticators will be used for self-service actions.
General Settings#
This section contains general settings for the User Management profile.

General#
Max Returned Search Results#
The maximum number of results returned for search requests in the SCIM endpoints. Set to 0 to allow an unlimited number of results. Because any caller holding a valid access token can page through the whole user store, keep a finite cap in production and let clients page with startIndex and count rather than removing the limit.
API Authentication#
Realm#
The realm to use when reporting an unauthenticated request in an HTTP response. When no value is configured, the name of the User Management profile is used as the realm.
Expose Detailed Error Messages#
Expose detailed error messages in the server responses whenever possible. By default, when a request fails because of an external service or an internal error, the server returns a generic error message to avoid accidentally exposing sensitive information (such as details of the failing backend). Enable this setting only while troubleshooting; it is recommended to keep it disabled in production environments.
OAuth Service#
The OAuth profile that will be used to protect the API endpoints. All requests to the API need an access token issued by the selected OAuth profile.
Authorization#
Authorization Manager#
The authorization manager that authorizes access to the API endpoints exposed by this profile. If no authorization manager is configured, all requests fail with an unauthorized access error. Visit the Authorization Managers page for more general information about authorization managers.
When an Authorization Manager is configured to manage authorization policies on the User Management Service, the configured oauth-service must use the same user-account-data-source as the User Management Service; otherwise authorization decisions may not succeed. This requirement is not currently enforced by the configuration, so verify it manually whenever either profile is changed.
GraphQL Schema#
Additional attributes added to the GraphQL schema. See the section about GraphQL Custom Attributes for more information.
Data Sources#

User Accounts and User Devices#
User Data Source#
The main purpose of the User Management Service is to expose user account information, so the profile must be configured with a User Account Data Source: the data source where primary accounts are stored.
There are two options: select an account-manager, or select data-sources directly. An account manager is required when using the GraphQL API, because it lets the system find related Linked Accounts, and it is also required for the settings on the Account Settings page. When an account manager is selected, the system uses it to determine which data sources to use.
GraphQL is only fully supported for JDBC, MongoDB and SCIM 2.0 data sources. DynamoDB is partially supported.
Allow Username Updates#
The User Management profile can be configured to allow or disallow changing an account's username via update requests submitted to the User Management APIs. The setting is false by default, meaning that any request containing a username update is rejected.
When the User Management profile is also configured to manage user credentials, username updates become more delicate, because credentials may be stored separately from the main user account data. In that case the system must propagate the username update to the configured Credential Manager to keep its data source in sync with the main account data, which, depending on the capabilities of the Credential Manager's data source, is not always possible. Nevertheless, if Allow Username Updates is enabled, the system always accepts username updates, even if no Credential Manager is configured or its data source does not support updating credential usernames, which can leave the account data and the credential data inconsistent.
If this feature is required, the system administrator should verify that every part of the setup supports it. The system logs warning messages when it encounters a configuration that may lead to data inconsistency, so review the logs after enabling the option. Most data sources bundled with the Curity Identity Server support this scenario. Refer to the Data Sources section for more details.
Credentials#
When the option Enable Password Management is enabled, user credentials can also be managed via the User Management profile.
Namely, it is possible to set passwords when creating and updating accounts. If that option is disabled, the server rejects
account creation and updates that include passwords.
When password management is enabled, some operations require specific capabilities on the Credential Manager’s data source,
namely account updates with username changes and account deletion. Most data sources bundled with the Curity Identity Server
support these scenarios.
Since version 10.0.0 of the Curity Identity Server username updates and account deletion are not supported when the configured Credential Manager uses a legacy credential data source.
Password Validation Procedure#
When Enable Password Management is enabled, a Password Validation Procedure can be selected to validate the user password. Details on configuring the validation procedure can be found in the developer guide for validation procedures. Consider using a Credential Policy in the configured Credential Manager as well.
function result(context) {
    // Illustrative bounds only; a non-empty errors object rejects the password
    var MIN = 8;
    var MAX = 12;
    var errors = {};
    var password = context.getProvidedPassword();
    if (password.length < MIN) {
        errors.password = 'Password too short';
    }
    if (password.length > MAX) {
        errors.password = 'Password too long';
    }
    return errors;
}
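The sample above only bounds the length, and its MAX of 12 is purely illustrative: a low upper bound weakens passwords, so a production cap should only be large enough to bound password-hashing cost. The procedure below is an added example, not code from this page or from the Curity Identity Server. It keeps the result(context) shape and the context.getProvidedPassword() call the page shows, and is written in plain ES5 syntax like the page's own sample; the denylist, the helper functions and stubContext (used only to exercise the procedure outside the server) are this example's own constructions.

```javascript
// Added example: a stricter Password Validation Procedure in the same
// result(context) shape as the page's sample. Only getProvidedPassword() is
// taken from the page; everything else is constructed for this example.
var MIN_LENGTH = 12;
// Upper bound exists only to cap hashing cost, not to restrict users
var MAX_LENGTH = 128;
// Constructed, deliberately short denylist; in practice load a breached-password list.
// A substring match catches variants such as "Password123456".
var COMMON_FRAGMENTS = ['password', 'qwerty', 'letmein', 'welcome', '123456', 'iloveyou'];

// True when any character is repeated more than maxRun times in a row
function hasLongRepeatedRun(password, maxRun) {
    var run = 1;
    for (var i = 1; i < password.length; i++) {
        if (password.charAt(i) === password.charAt(i - 1)) {
            run++;
            if (run > maxRun) {
                return true;
            }
        } else {
            run = 1;
        }
    }
    return false;
}

function containsCommonFragment(password) {
    var lower = password.toLowerCase();
    for (var i = 0; i < COMMON_FRAGMENTS.length; i++) {
        if (lower.indexOf(COMMON_FRAGMENTS[i]) !== -1) {
            return true;
        }
    }
    return false;
}

// Entry point: an empty object accepts the password, any key rejects it
function result(context) {
    var errors = {};
    var password = context.getProvidedPassword();
    if (password === null || password === undefined || password === '') {
        errors.password = 'Password is required';
        return errors;
    }
    if (password.length < MIN_LENGTH) {
        errors.password = 'Password must be at least ' + MIN_LENGTH + ' characters';
        return errors;
    }
    if (password.length > MAX_LENGTH) {
        errors.password = 'Password must be at most ' + MAX_LENGTH + ' characters';
        return errors;
    }
    if (containsCommonFragment(password)) {
        errors.password = 'Password is too common';
        return errors;
    }
    if (hasLongRepeatedRun(password, 3)) {
        errors.password = 'Password contains too many repeated characters';
        return errors;
    }
    return errors;
}

// Stub context for running the procedure outside the server (constructed here)
function stubContext(password) {
    return { getProvidedPassword: function () { return password; } };
}
```

Each check returns as soon as it fails so the user sees one actionable message; the procedure complements, rather than replaces, a Credential Policy on the Credential Manager.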
OAuth Delegations#
The data source where all tokens are stored. It lets the User Management profile return, via the delegations endpoint, information about the tokens issued to a user (the token metadata, not the token values themselves), so that an admin can view and revoke tokens issued for a specific user.
Buckets#
Data source where buckets are stored. Setting this value will enable GraphQL operations to manage buckets.
Attributes#
Configure attribute data sources for the User Management profile. Attribute data sources are mapped to SCIM namespaces and will be automatically called to add attributes to an account.
Endpoints#

Two endpoints can be exposed by the User Management profile:
- SCIM 2.0 Endpoint (type um-api) → The SCIM 2.0 API endpoint, which gives access to Users, Devices and Delegations.
- GraphQL Endpoint (type um-graphql-api) → The GraphQL API endpoint.
The SCIM endpoint is exposed by default when a new User Management profile is created. The GraphQL endpoint can be added on the Endpoints page.
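The SCIM endpoint returns list responses whose page size is bounded by Max Returned Search Results (see General Settings), so a client that asks for count=100 against a profile capped at a smaller value gets that smaller number per page and must page using the server's startIndex and itemsPerPage rather than its own requested count. The client below is an added example, not code from this page or from the Curity Identity Server: the in-memory server, the sample users, the realm string and the token value are constructed for it, and its ListResponse handling follows RFC 7644 (1-based startIndex, totalResults, itemsPerPage). It also shows the 401 challenge with a WWW-Authenticate realm that an unauthenticated request receives, as described under API Authentication.

```javascript
// Added example: paging through a SCIM 2.0 /Users endpoint whose page size is
// capped server-side. The fake server and sample data are constructed here and
// are not the Curity Identity Server.

const LIST_RESPONSE_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:ListResponse';

// Constructed sample data: seven minimal SCIM user resources.
const SAMPLE_USERS = Array.from({ length: 7 }, (_, i) => ({
  schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'],
  id: 'u' + (i + 1),
  userName: 'user' + (i + 1),
}));

// In-memory stand-in for GET /Users?startIndex=..&count=..; `maxResults` plays
// the role of the profile's Max Returned Search Results setting (0 = unlimited).
function makeFakeScimServer(users, maxResults, validToken) {
  let calls = 0;
  return {
    calls: () => calls,
    get(query, bearerToken) {
      calls += 1;
      if (bearerToken !== validToken) {
        // Unauthenticated request: challenge with the configured realm (RFC 6750 form).
        return {
          status: 401,
          headers: { 'WWW-Authenticate': 'Bearer realm="user-management"' },
          body: null,
        };
      }
      const startIndex = Math.max(1, query.startIndex || 1); // SCIM startIndex is 1-based
      let count = query.count === undefined ? users.length : Math.max(0, query.count);
      if (maxResults > 0 && count > maxResults) count = maxResults; // the server-side cap
      const page = users.slice(startIndex - 1, startIndex - 1 + count);
      return {
        status: 200,
        headers: {},
        body: {
          schemas: [LIST_RESPONSE_SCHEMA],
          totalResults: users.length,
          startIndex,
          itemsPerPage: page.length,
          Resources: page,
        },
      };
    },
  };
}

// Client: collects every user, advancing by the server's itemsPerPage (not the
// requested count) and stopping on totalResults or an empty page so that a
// capped server can never make it skip records or loop forever.
function listAllUsers(server, token, requestedCount = 100) {
  const all = [];
  let startIndex = 1;
  for (;;) {
    const res = server.get({ startIndex, count: requestedCount }, token);
    if (res.status === 401) {
      throw new Error('unauthorized: ' + res.headers['WWW-Authenticate']);
    }
    if (res.status !== 200 || !res.body.schemas.includes(LIST_RESPONSE_SCHEMA)) {
      throw new Error('unexpected SCIM response');
    }
    const { totalResults, itemsPerPage, Resources } = res.body;
    all.push(...Resources);
    if (itemsPerPage === 0 || all.length >= totalResults) {
      break;
    }
    startIndex += itemsPerPage;
  }
  return all;
}
```

Advancing startIndex by the requested count instead of itemsPerPage silently skips records once the cap is lower than the request, and stopping only on an empty page does not terminate against a server that always returns at least one result; the client above guards against both.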
Account Settings#

Some functionality of the User Management profile depends on specific authenticators and authentication actions. As an example:
- The ability to create Passkeys devices, available via the GraphQL interface, requires knowing which Passkeys authenticator instance will be used to validate those Passkeys.
- The ability to manage the account Opt-In MFA state, also available via the GraphQL interface, requires knowing which Opt-In MFA action instance is being used. Action configuration settings, such as the state location (account or bucket) and the configured factor, are needed by the User Management profile to correctly provide this functionality.
Due to this, a User Management profile has the following optional configuration settings:
TOTP authenticator#
The TOTP authenticator from the linked authentication service that will be used in GraphQL operations. All verified TOTP devices will be usable only with this authenticator. The Account Manager configured in this authenticator must be the same as the one configured in the User Management profile.
HTML Form authenticator#
The HTML Form authenticator from the linked authentication service that will be used in GraphQL operations. This authenticator will be used to process password resets or account activations that will be requested via the GraphQL API. The Account Manager configured in this authenticator must be the same as the one configured in the User Management profile.
Passkeys authenticator#
The Passkeys authenticator from the linked authentication service that will be used in GraphQL operations. This authenticator will be used to process passkey registration requests that will be requested via the GraphQL API. The Account Manager configured in this authenticator must be the same as the one configured in the User Management profile.
Opt-In MFA action#
The Opt-In MFA authentication action from the linked authentication service that will be used in GraphQL operations. This action will be used to process requests related to the configuration of Opt-In MFA action (e.g. registering a factor, opt-out, etc.). The Account Manager configured in this action must be the same as the one configured in the User Management profile.