keycloak-scim/server_admin/topics/users/credentials.adoc

63 lines
3.2 KiB
Text

[[_user-credentials]]
=== User Credentials
When viewing a user if you go to the `Credentials` tab you can manage a user's credentials.
.Credential Management
image:{project_images}/user-credentials.png[]
The credentials are listed in a table, which has the following fields:
Position::
The arrow buttons in this column allows you to shift the priority of the credential for the user, with the topmost credential having the highest priority.
This priority determines which credential will be shown first to a user in case of a choice during login. The highest priority of those available to the
user will be the one selected.
Type::
This shows the type of the credential, for example `password` or `otp`.
User Label::
This is an assignable label to recognise the credential when presented as a selection option during login. It can be set to any value to describe the
credential.
Data::
This shows the non-confidential technical information about the credential. It is originally hidden, but you can press `Show data...` to reveal it for a
credential.
Actions::
This column has two buttons. `Save` records the value of the User Label, while `Delete` will remove the credential.
==== Creating a Password for the User
If a user doesn't have a password, or if the password has been deleted, the `Set Password` section will be shown on the page.
.Credential Management - Set Password
image:images/user-credentials-set-password.png[]
To create a password for a user, type in a new one. Click on the `Set Password` button after you've typed everything in.
If the `Temporary` switch is on, this new password can only be used once and the user will be asked to change their password after they have
logged in.
If a user already has a password, it can be reset in the `Reset Password` section.
Alternatively, if you have <<_email, email>> set up, you can send an email to the user that asks
them to reset their password. Choose `Update Password` from the `Reset Actions` list box and click `Send Email`. You can optionally
set the validity of the e-mail link which defaults to the one preset in `Tokens` tab in the realm settings.
The sent email contains a link that will bring the user to the update password screen.
Note that a user can only have a single credential of type password.
==== Creating other credentials
You cannot configure other types of credentials for a specific user within the Admin Console. This is the responsibility of the user.
You can only delete credentials for a user on the `Credentials` tab, for example if the user has lost an OTP device, or if a credential
has been compromised.
===== Creating an OTP
If OTP is conditional in your realm, the user will have to go to the User Account Management service to re-configure a new
OTP generator. If OTP is required, then the user will be asked
to re-configure a new OTP generator when they log in.
Like passwords, you can alternatively send an email to the user that will ask them to reset their OTP generator. Choose
`Configure OTP` in the `Reset Actions` list box and click the `Send Email` button. The sent email
contains a link that will bring the user to the OTP setup screen. You can use this method even if the user already has an OTP credential,
and would like to set up some more.