User Configuration

This page describes all configuration fields available when creating or editing a user account in IdentitySuite.

User

This tab defines the core identity and access settings for the user. It includes personal details, credentials, and lockout configuration.

  • First Name / Last Name: Optional fields used for display and personalization.
  • Email: Primary contact and login identifier for the user.
  • Email Confirmed: Indicates whether the email has been verified. Toggle manually for administrative confirmation.
  • Phone Number: User’s primary mobile contact, used for SMS notifications and phone‑based authentication.
  • Phone Number Confirmed: Indicates whether the phone number has been verified. Can be toggled manually for administrative confirmation.
  • Password / Confirm Password: Initial credentials for the user. Password visibility can be toggled during input.
  • Lockout Enabled: Enables lockout policy for repeated failed login attempts.
  • Lockout End: Optional date/time until which the user remains locked out.
  • Access Failed Count: Tracks the number of consecutive failed login attempts.

Roles

This tab lists all roles defined in the system. Roles represent permission groups or access levels that can be assigned to users. Each role can be individually activated or deactivated for the selected user using toggle switches.

  • Role Assignment: Enables or disables the user's membership in each available role.
  • Dynamic Role List: The list reflects all roles currently registered in the system, including custom roles.
  • Immediate Effect: Changes to role assignment are applied immediately upon saving and affect access control logic.

Claims

This tab allows you to define a list of claims associated with the user. Claims represent structured identity attributes that can be used in tokens, authorization decisions, or application logic.

  • Key: Selected from a predefined list of supported claim types, including standard OpenID fields (e.g. given_name, email, role).
  • Value: Free-form input that defines the actual value of the claim for the user.
  • Action: Use the add button to insert new claims. Claims can be edited or removed as needed.
  • Token Inclusion: Claims may be included in issued tokens depending on scope configuration and client settings.

Clients

This tab displays the list of clients the user has authorized. Each entry represents an authorization — the record of consent granted by the user to a specific client application, including the scopes and permissions that were approved.

Understanding Authorizations vs Tokens

An authorization represents the consent relationship between a user and a client. It is the root from which tokens are issued. Revoking an authorization invalidates that consent and, depending on server configuration, may prevent the client from obtaining new tokens on behalf of the user.

A token (access token or refresh token) is a concrete credential derived from an authorization and used by the client to access protected resources. Revoking an authorization does not automatically invalidate already-issued tokens unless Authorization Entry Validation is enabled in the server configuration — in that case, every token validation check will also verify that the parent authorization is still active.

If you need to immediately invalidate all active tokens for a specific client regardless of the authorization status, use the token revocation action available in the Security tab of the client configuration.
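The following is an added example, not IdentitySuite code: a small model of the revocation behavior described above, showing when an already-issued token stops validating. The class names, the `entry_validation` flag (standing in for Authorization Entry Validation), the one-hour lifetime and the sample identifiers are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from dataclasses import dataclass

@dataclass
class Authorization:  # consent record between a user and a client
    id: str
    client_id: str
    scopes: tuple
    status: str = "valid"

@dataclass
class Token:  # credential derived from exactly one authorization
    id: str
    authorization_id: str
    expires_at: datetime
    status: str = "valid"

class Server:
    def __init__(self, entry_validation):
        self.entry_validation = entry_validation  # models Authorization Entry Validation
        self.authorizations, self.tokens = {}, {}

    def issue(self, auth, token_id, now, lifetime=timedelta(hours=1)):
        self.authorizations[auth.id] = auth
        self.tokens[token_id] = Token(token_id, auth.id, now + lifetime)

    def revoke_authorization(self, auth_id):  # user's Clients tab: consent record only
        self.authorizations[auth_id].status = "revoked"

    def revoke_client_tokens(self, client_id):  # client's Security tab: all its tokens
        for t in self.tokens.values():
            if self.authorizations[t.authorization_id].client_id == client_id:
                t.status = "revoked"

    def validate(self, token_id, now):
        t = self.tokens.get(token_id)
        if t is None or t.status != "valid" or now >= t.expires_at:
            return False
        if self.entry_validation:  # the parent authorization must still be active
            return self.authorizations[t.authorization_id].status == "valid"
        return True

def scenario(entry_validation):
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    s = Server(entry_validation)
    s.issue(Authorization("auth-1", "sample-client", ("openid", "offline_access")), "tok-1", now)
    s.revoke_authorization("auth-1")
    after_auth_revoke = s.validate("tok-1", now + timedelta(minutes=5))
    s.revoke_client_tokens("sample-client")
    return after_auth_revoke, s.validate("tok-1", now + timedelta(minutes=6))
```

With the flag off, `scenario(False)` shows the token still validating five minutes after the authorization was revoked, and failing only once the client's tokens are revoked (or the token expires).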

Fields

  • Application Name: Identifies the client application the user has authorized.
  • Creation Date: Timestamp of when the authorization was first granted.
  • Status: Indicates whether the authorization is currently valid or has been revoked.
  • Type: Specifies whether the authorization is temporary (tied to a single flow) or permanent (persisted across sessions).
  • Scopes: Lists the permissions granted to the client, such as openid, profile, email, roles or offline_access.
  • Revoke: Revokes the user's authorization for the client. The user will need to re-authorize the client on their next access attempt.

Note: if Authorization Entry Validation is not enabled, already-issued tokens may remain valid until their natural expiration even after revoking the authorization. To force immediate token invalidation for a client, navigate to Applications → Clients, open the client and use the revocation action in the Security tab.

Informations

This tab displays read-only metadata about the user account. These details are useful for auditing, diagnostics, and understanding how the user interacts with the system.

  • User Id: Globally unique identifier for the user.
  • Login Providers: Lists the authentication providers used by the user (e.g. Google, Local).
  • Two-Factor Authentication: Indicates whether 2FA is enabled or disabled for the account.
  • Passkey: Shows whether passkey-based authentication is active.
  • Created On: Timestamp of when the user account was created.
  • Last Updated: Timestamp of the most recent modification to the user profile.