The Hosted Login Default User Schema

The following tables provide information about the default schema employed by the user entity type, the entity type included with each new Identity Cloud application (and, as such, each new Hosted Login implementation). Although you can add new attributes to the schema, Akami strongly recommends that you do not remove any of the default attributes: in some cases, at least, removing attributes can disable Hosted Login functionality. For example, if you remove the legal acceptances plural then you won't be able to employ the authorization.rules.legal_accepted authorization rule.

The new default schema differs from previous Identity Cloud schemas in at least two ways:

  • A number of user profile attributes (database fields) – including such attributes as  profiles.profile.bodyType.hairColor, profiles.profile.turnOffs, profiles.profile.happiestWhen, profiles.profile.scaredOf – have been removed from the schema. By removing these seldom-used attributes, the current schema contains about one-fourth the number of attributes found in the previous schema.

    But what if you need the profiles.profile.turnOffs attribute? That’s fine: you can add attributes to your schema anytime you want.

  • ·A handful of new attributes – accountDeleteRequestTime, consents.marketing.granted, etc. – have been added to the schema. These new attributes are typically used with Hosted Login. 

Let’s take a closer look at the attributes found in the new user schema.



Default Attributes

Back to top


Attributes (and attribute values) that the Identity Cloud automatically adds to all new user profiles. These attributes are added when a user profile is created, and the attribute values can never be changed: if a user is given the uuid 3580bf7c-0a73-4bc0-9636-b4193f810e74 then that user will always have the uuid 3580bf7c-0a73-4bc0-9636-b4193f810e74.

Attribute Name

Type

Description

id

string

Simple, and globally-unique, identifier for the user account. For example:

13

In case you’re wondering, “globally unique” means that the id is unique within the given entity type. If you have more than one entity type, however, the same id could be used in each of those entity types. For example, entity types A, B, C, and D could each have a user with the id 13.

uuid

string

Universally-unique identifier for the user account. For example:

3580bf7c-0a73-4bc0-9636-b4193f810e74

A “universally unique” attribute means that the value can only be assigned to a single user. For example, out of all the millions of user accounts in the Akamai Identity Cloud, only one of those accounts can have the uuid 3580bf7c-0a73-4bc0-9636-b4193f810e74.

created

string

Date and time that the user account was created. For example:

2020-01-22 19:29:08.923204 +0000

lastUpdated

string

Date and time that the user profile was last updated. For example:

2020-01-22 19:29:08.923204 +0000

Note that, each time a user logs on, the lastUpdated attribute is updated; that’s because the act of logging on changes the value of the lastLogin attribute, and that counts as an update to the user profile.

If you need to make a change to a user profile but don't want to update the lastUpdated attribute, you can do so by using an API client that has been assigned the metadata feature. This type of client can only be created by Akamai.



Top Level Attributes

Back to top


Top-level attributes are “stand-alone” attributes: attributes that are not part of a plural or object. To refer to one of these attributes, use the attribute name: accountDataRequestTime, accountDeleteRequestTime, birthday, etc.

Attribute Name

Type

Description

accountDataRequestTime

dateTime

Date and time that a user requested a copy of their user profile data. For example:

2020-01-22 19:29:08.923204 +0000

This attribute helps organizations comply with article 15 of European Union’s General Data Protection Regulation (GDPR). 

By default, accountDataRequestTime is set to a null value. When a user clicks the Send Me My Data button, data is not automatically sent to that user. Instead, the attribute value is updated to the date and time the request was made. Organizations need to periodically search for non-null instances of the accountDataRequestTime attribute and then send the user the requested data.

accountDeleteRequestTime

dateTime

Date and time that a user requested that their user account and all its associated data be deleted. For example:

2020-01-22 19:29:08.923204 +0000

This attribute helps organizations comply with article 17 of European Union’s General Data Protection Regulation (GDPR). 

By default, accountDeleteRequestTime is set to a null value. When a user clicks the Delete My Data button, the user profile is not automatically deleted. Instead, the attribute value is updated to the date and time the request was made. Organizations need to periodically search for non-null instances of the accountDeleteRequestTime attribute and then delete the account as requested.

birthday

date

User’s date of birth. For example:

1989-12-19

For OpenID Connect users, this attribute is returned by the birthdate  claim.

deactivateAccount

dateTime

Date and time when the account was deactivated. For example:

2020-01-22 19:29:08.923204 +0000

Deactivating an account only prevents the user from logging on; it does not delete or otherwise change user data. To reactivate the account, simply set deactivateAccount to a null value.

It's important to note that putting any datetime value in this attribute instantly deactivates the account. Among other things, that means that you can't schedule an account for deactivation. For example, suppose today is November 5, 2020 and you want to deactivate an account on January 1, 2021. Consequently, you enter the following deactivation date:

2021-01-02 00:00:00.000000 +0000

However, as soon as you save the user profile the account will immediately be deactivated. That's because, any time a user tries to authenticate, Hosted Login only checks to see if a value of some kind has been entered for the deactivateAccount attribute. If it has, then the user is denied access regardless of the actual date that was entered. In other words, if you want this user to be able to log on until January 1, 2021 then you must wait until January 1, 2021 to update the deactivateAccount attribute and deactivate the account. Putting in a datetime value of January 1, 2021 will not cause Hosted Login to delay deactivation. It just doesn't work that way.

We should also point out that Hosted Login doesn’t provide a way for a user to deactivate his or her account: accounts can be deleted, but not deactivated. However, Hosted Login does respect the deactivateAccount attribute. If a user tries to log on with a deactivated account their login will be denied with following message:

User account is deactivated.

display

json

Placeholder attribute used for data that can be made publicly available; all data stored in this attribute must be formatted using JSON (JavaScript Object Notation). For example:

{"nickname": "K-Man"}

displayName

string

Name by which the user wants to be referred to. For example:

Karim Nafir

This attribute is returned by the preferred_username  claim.

email

string

User’s primary mail address. For example:

karim.nafir@mail.com

This attribute is returned by the email  claim.

emailVerified

dateTime

Date and time when the user’s primary email address was verified. For example:

2020-01-22 19:29:08.923204 +0000

Any timestamp indicates that the email address has been verified. A null value means that the address has not been verified.

This attribute is returned as a Boolean value (true or false) for the email_verified claim.

externalId

string

Placeholder attribute for storing an identifier returned from an external source (e.g., a Customer Relationship Management system). For example:

KN-07121967

familyName

string

Surname (last name) of the user. For example:

Nafir

Note that users can have more than one last name:

Williamson Smith

This attribute is returned by the family_name claim.

fullName

string

User’s full name, including all titles and suffixes, and ordered according to the user’s locale and preferences. For example:

Dr.Karim Nafir, Jr.

This attribute is returned by the name claim.

gender

string

User’s preferred gender. For example:

male

Note that you are not limited to male and female when assigning a value to this attribute: the gender attribute accepts any string value.

This attribute is returned by the gender claim.

givenName

string

Given name (first name) of the user. For example:

Karim

Note that users can have more than one first name:

Sue Ann

This attribute is returned by the given_name claim.

lastLogin

dateTime

Date and time that the user was last authenticated. For example:

2020-01-22 19:29:08.923204 +0000

middleName

string

Middle name of the user. For example:

Alexander

Note that users can have more than one middle  name:

Robert Williams

This attribute is returned by the middle_name claim.

mobileNumber

string

Phone number for the user’s cellphone or other mobile device. For example:

+155509031935

mobileNumberVerified

dateTime

Date and time when the user’s mobile phone number was verified. For example:

2020-01-22 19:29:08.923204 +0000

password

password

User’s password. Note that the password value will be null if the user only authenticates by using third-party identity providers. If you are viewing user information in Console, the user’s password will always be shown as a set of asterisks:

*****

If you use the /entity endpoint to return the user password, you’ll get back a hashed version of that password:

"password": {
    "value": "$2a$10$6n9/1ns5RPTA8GZe8bkl0
Onc63dprlhOzdpjk3CERedzA78CNbntW",
"type": "password-bcrypt"
    },

The password type will vary depending on the hashing algorithm used to store the password.



Clients Plural

Back to top


The clients plural tracks the different API clients that a user has employed when being authenticated. When referring to an individual attribute, be sure to use the full attribute path: clients.clientId, clients.firstLogin, etc.

Attribute Name

Type

Description

clientId

string

Unique identifier of the Identity Cloud API client used to help authenticate the user. For example:

tebr9hf28fa4grpe3c9qpz4xdaehbjn3

firstLogin

dateTime

Date and time when the user was first authenticated using this Identity Cloud API client. For example:

2020-01-22 19:29:08 +0000

lastLogin

dateTime

Date and time when the user was last authenticated using this Identity Cloud API client. For example:

2020-01-22 19:29:08 +0000

name

string

Name of the Identity Cloud API client used when authenticating the user. For example:

US Logins

Id

string

Unique identifier of the Identity Cloud API client for this user. For example:

1018





Consents Object

Back to top


Tracks the consent agreements used in your organization, and indicates whether the user agreed to any of those consents. By default the schema includes a single marketing object provisioned as part of the consents object. That means that, to refer to an individual attribute, you’ll need to use syntax like this: consents.marketing.granted. The consents object is required in order to implement the authorization.rules.consents authorization rule.

Attribute Name

Type

Description

clientId

string

Unique identifier of the API client in use when the consent was last modified. For example:

tebr9hf28fa4grpe3c9qpz4xdaehbjn3

context

string

Activity underway when the consent was changed. For example:

profileUpdate

granted

Boolean

Boolean value indicating whether or not the user accepted the consent. For example:

true

type

string

Type of consent. The Identity Cloud supports two types of consent: explicit and implicit. An explicit consent means that the user was specifically given the option to agree or disagree to having their personal information collected, used, or disclosed.

By comparison, implicit consent is not directly given but is, instead, inferred from your actions. For example, if you give an organization the right to use your personal information for marketing purposes, it is reasonable to assume that you have implicitly given them the right to send you marketing email. 

For example:

explicit

updated

dateTime

2020-01-22 19:29:08 +0000




Legal Acceptances Plural

Back to top

Tracks the legal agreements used in your organization as well as whether a user has  accepted any of those agreements. To refer to an individual attribute, use syntax like this: legalAcceptances.dateAcceptedThe legalAcceptances plural is required in order to implement the authorization.rules.legal_accepted authorization rule.

Attribute Name

Type

Description

clientId

string

Unique identifier of the API client in use when the user accepted a legal document. For example:

tebr9hf28fa4grpe3c9qpz4xdaehbjn3

dateAccepted

dateTime

Date and time when a legal document was accepted by the user. For example:

2020-01-22 19:29:08 +000

legalAcceptanceId

string

Unique identifier for a legal document. For example:

termsOfService-v1

id

string 

Unique identifier for this legal acceptance, for this user. For example:

2948




Photos Plural

Back to top


Maintains information about the photos used in a user profile. To refer to an individual attribute, use syntax like this: photos.value.

Attribute Name

Type

Description

type

string

Type of photo (large, thumbnail, etc.). For example:

large

value

string

URL of the photo. For example:

https://lh3.googleusercontent.com/a-/123456789012345678901

id

string

Unique identifier for this photo, for this user. For example:

0219




Primary Address Object

Back to top


Provides information about a user’s preferred address. To refer to an individual attribute, use syntax like this: primaryAddress.country.

Attribute Name

Type

Description

address1

string

First line of the user’s preferred address. For example:

1233 NW 12th Ave

address2

string

Second line of the user’s preferred address. For example:

Suite 150

city

string

Name of the city where the user’s preferred address is located. For example:

Portland

company

string

Name of the organization associated with the user. For example:

Akamai

country

string

Two-letter abbreviation for the country where the user’s preferred address is located. For example:

US

phone

string

Phone number associated with the user account. For example:

+155506031989

stateAbbreviation

string

Two-letter abbreviation for the state or region where the user’s preferred address is located. For example:

OR

zip

string

Postal code for the user’s preferred address. For example:

97209

zipPlus4

string

“Zip+4” postal code for the user’s preferred address. For example:

97209-2981





Profiles Plural

Back to top


Represents any third-party identity providers a user has employed to authenticate with your site: if you  haven’t enabled social login (e.g. allowing users to log on with Facebook or Twitter) then none of your users will have entries in the profiles plural.

To refer to an individual attribute, use syntax like this: profiles.domain.

Attribute Name

Type

Description

domain

string

Domain of the identity provider (IdP) that authenticated the user. For example:

google.com

identifier

string

Identity provider’s unique identity for the user. For example:

https://www.google.com/profiles/123456789012345678901

photo

string

URL for the photo associated with the user’s identity provider account. For example:

https://lh3.googleusercontent.com/a-/123456789012345678901

providerSpecifier

string

Unique identifier for the IdP that authenticated the user. For example:

google

Id

string

Unique identifier for this profile, for this user. For example:

0710




Roles Plural

Back to top


Maintains information about roles used by your organization to group and categorize users. Note that roles are arbitrary: you can create any kind and any number of roles you want. In addition, roles are optional: if you don’t want to use roles you don’t have to.

To refer to an individual attribute, you’ll need to use syntax like this: roles.value.

Attribute Name

Type

Description

display

string

Human-readable name associated with the role and primarily used for display purposes. For example:

Graduate Student

value

string

Value (name) of a user role. For example:

student

Id

string

Unique identifier for this role, for this user. For example:

0705