The Phase Two Admin Portal allows you to offer self-management of User Profile and Organization features to your customers from within your application with almost no code. A portal link can be generated in your application that will take a logged-in user to the Admin Portal. The appropriate configuration to activate the Admin Portal is installed by default. You can customize the style and visibility of the portal using the information in the following sections.
In the Styles->Portal section of the admin UI, it is possible to configure user access to portions of the portal. This has the effect of limiting the self-management functionality that is available to your users. The sections that can be toggled are:
- Profile: View and edit profile information such as first name, last name and email. View and edit credentials, linked account, and manage authenticated sessions.
  - Password update: Update password.
  - 2FA create/update: Add and remove 2FA mechanisms like OTP and WebAuthn.
  - Device activity: View and terminate active authentication sessions.
  - Linked accounts: View, create and remove links with social and other identity providers.
- Organizations: View and (conditionally) edit details of organizations for which a user is a member.
  - Details: View and edit organization profile information.
  - Members: View and manage organization members and their roles. Invite new members.
  - Invitations: Invite new members.
  - Domains: Add and verify email domains for SSO login.
  - SSO: Create and update SSO connections to organization identity provider.
  - Events: View events related to organization member activity.
Currently, the logo and favicon set in the general styles section will be used when rendering the portal in order to preserve your branding.
Additionally, you can override three colors used in the portal, and optionally override the entire CSS. See the Admin Portal source code for details on overriding the stylesheet.
Access to components in the admin portal is dictated by the User's roles, both globally and within their organization.
Profile access requires the User to have the following `account` Client roles. These are granted to all Users by default, so you don't need to change anything unless you wish to revoke these roles. These roles can be managed in the Users section of the Admin UI by selecting the User you wish to edit and navigating to their Role mapping tab.
- Details - requires
  `view-profile` to view, and
  `manage-account` to change profile data
- Security - requires
  `manage-account` to change credentials, and
  `manage-account-links` to add or change any social or brokered logins
Access to each of the Organization components is controlled by the User's member roles within the organization. There are no organization default roles, so you must grant these to Users after they are created and added to the organization. Member roles can be managed in the Organizations section of the Admin UI by selecting the Organization you wish to manage, finding the User in the Members tab, and managing their roles using the context menu on the right.
- Details: requires
  `view-organization` to view, and
- Members & Invitations: requires
  `view-members` to see members, and
  `manage-members` to remove or edit them
  `view-roles` to see member roles
  `view-invitations` to see pending invitations, and
  `view-roles` to invite new users
`manage-identity-providers` to use the SSO setup wizards and view/remove Identity Providers
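An access review over the roles listed above, added here as an example and not part of Phase Two's code or documentation. It flags users whose Profile roles were revoked, members holding roles that change membership or SSO, and `manage-members` granted without `view-members`. The input layout, the `review` function and the choice of which roles to flag are assumptions made for this example.

```python
"""Access review for Admin Portal role grants (added example)."""

# Role names are the ones listed on this page. The input layout below is
# constructed for the example; it is not the output format of any API.
PROFILE_ROLES = {"view-profile", "manage-account", "manage-account-links"}

# Assumption: roles that change membership or SSO are the ones worth a
# periodic review, because the page gives them remove/edit capabilities.
HIGH_IMPACT = {"manage-members", "manage-identity-providers"}

# Assumption: a manage role without its view role is a likely misconfiguration,
# since the page lists viewing and managing members as separate roles.
NEEDS_VIEW = {"manage-members": "view-members"}


def review(grants):
    """Return (user, org, finding) tuples in a stable, sorted order."""
    findings = []
    for user, g in sorted(grants.items()):
        # Profile roles are granted by default, so a missing one was revoked.
        for role in sorted(PROFILE_ROLES - set(g.get("account", []))):
            findings.append((user, "-", f"profile role revoked: {role}"))
        # Organization roles have no defaults; every grant was made on purpose.
        for org, roles in sorted(g.get("orgs", {}).items()):
            roles = set(roles)
            for role in sorted(roles & HIGH_IMPACT):
                findings.append((user, org, f"high-impact role: {role}"))
            for manage, view in sorted(NEEDS_VIEW.items()):
                if manage in roles and view not in roles:
                    findings.append((user, org, f"{manage} granted without {view}"))
    return findings


# Constructed sample: two users in one hypothetical organization "acme".
SAMPLE = {
    "alice": {
        "account": ["view-profile", "manage-account", "manage-account-links"],
        "orgs": {"acme": ["view-organization", "view-members", "view-roles"]},
    },
    "bob": {
        "account": ["view-profile"],
        "orgs": {"acme": ["manage-members", "manage-identity-providers"]},
    },
}

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="\t")
```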
If you choose to build functionality like the Admin Portal into your application to create a more unified experience, or to build it into native or mobile applications, you can use the APIs for User and Organization management.
- Organization API
- User Account API - This is an undocumented Keycloak API. We have linked to an unofficial OpenAPI spec file.
Listening for changes
Once the user has made changes to their details, they seamlessly return to your application. You can be informed of changes by using audit webhooks.
Portal Link
The hosted account management experience can be easily linked to from your application. Branding is automatic using the same variables for customizing the login UI.