Hosted Login configuration reference

Configuring Hosted Login, and understanding what these configuration settings actually do.


Hosted Login configuration reference

  • Authorization rules
    Specify conditions that must be met before a user can log in. For example, you might prevent a user from logging on unless that user is at least 21 years old.

  • Supported mobile phone regions and calling codes
    Can a user enter a phone number for Lesotho, or for the Turks and Caicos Islands? Here’s where you’ll find out.

  • Default user schema
    A reasonably-detailed look at the attributes found in a Hosted Login-compatible schema.

  • Transactional email sources
    When a user receives an Identity Cloud-generated email, you might wonder: 1) which email did that user actually get, and, 2) why exactly did they get it? Here are your answers, at least when it comes to emails sent (or not sent) as part of two-factor authentication.

  • Cookies and local storage
    Cookies and local storage entries used by Hosted Login.

  • When 2FA is required
    OK, two-factor authentication is enabled, the user has an untrusted device and a valid authentication session, and the prompt parameter is set to none. Does the user have to go through 2FA? You’ll find answers to questions like that in this article.

  • Default 2FA messages
    The default text of your two-factor authentication text messages.

  • Application client settings
    Each OpenID Connect clients needs to be associated with an application client. Equally important, there are a number of settings that need to be configured in that application client.Take a peek at this article for more information.

  • Supported languages and locales
    Language and locale settings supported for use in Hosted Login. And yes, Klingon (tlh) is one of those supported languages.

  • View userinfo information
    Retrieve the information copied to the userinfo endpoint following a successful authentication.

  • Logout from Hosted Login
    End a user’s Hosted Login session without invalidating their access and refresh tokens.


Related videos