Protected self-service UIs

The plugin Loginapp >> UI Settings >> Protected Self-Service UIs configures UI components for protected self-services. These are arbitrary self-services that are only available after successful authentication (therefore the term protected).

Examples:

  • Airlock 2FA device management
  • FIDO token registration
  • Cronto token management
  • mTAN token management
  • Change postal address
  • Change email address
  • Self-lock the user account
  • Manage logged-in browsers or devices
  • Activate Digipass OTP token

Types of protected self-service UIs

There are two types of protected self-service UIs:




Flow-based self-services can implement any self-service flow. The flow UI settings provide UI components for each flow configured in the REST service settings.

Flow-based self-services are typically used to change data (e.g. assign or delete an authentication token, change user profile data, etc.).


Non-flow-based self-services are typically used to provide information about the user without changing data. Example: display Airlock 2FA tokens of a user.


REST services backing the protected self-service flow UIs are configured in
Loginapp >> Protected Self-Services >> Protected Self-Service Flows.

REST services backing non-flow-based self-service UIs are configured in
Loginapp >> Protected Self-Services.

Flow-based self-service UIs

For each self-service flow in the REST service configuration, a Protected Self-Service UI plugin may be configured. Selected properties are described below. Please refer to the property documentation in the Config Editor for further information and for details on other properties.



Flow ID

Links the UI to a self-service flow.

Customized Step UIs

The UI is automatically inferred from the REST service configuration. This property allows specifying custom step UIs for each step in the flow.

Completion Target

Defines where to redirect the browser after the self-service flow has successfully completed.

This may be an internal page (e.g. Airlock 2FA device list), an external URL, or a target application. To go to a target application, use the corresponding Authentication Flow Redirect (it knows about authorization and identity propagation).

Cancellation Target

Defines where to redirect the browser if the self-service flow has been canceled.

URLs of protected self-service flows

The URL for a self-service flow with ID <flow-id> is


Non-flow-based self-service UIs

There is no generic approach to non-flow-based self-service UIs. Specific UI configurations are set up in Loginapp >> Loginapp UI >> Protected Self-Service UIs (e.g. Airlock 2FA).

URLs of protected non-flow services:



URIs of demo configuration

The demo configuration provides many pre-configured protected self-services. The URLs can be used to try them out in the browser.

URLs of protected services in the demo configuration:

  • Airlock 2FA token self-management
      • <loginapp-uri>/ui/app/protected/tokens/airlock-2fa/devices
      • <loginapp-uri>/ui/app/protected/select/flow/activate-app-device
  • Cronto token self-management
      • <loginapp-uri>/ui/app/protected/tokens/cronto/devices
      • <loginapp-uri>/ui/app/protected/select/flow/cronto-activation
      • <loginapp-uri>/ui/app/protected/select/flow/cronto-letter-order
  • mTAN token self-management
      • <loginapp-uri>/ui/app/protected/tokens/mtan/
      • <loginapp-uri>/ui/app/protected/select/flow/mtan-registration
  • Other self-services
      • <loginapp-uri>/ui/app/protected/select/flow/password-change
      • <loginapp-uri>/ui/app/protected/select/flow/fido-registration
      • <loginapp-uri>/ui/app/protected/select/flow/address-change
      • <loginapp-uri>/ui/app/protected/select/flow/email-change
      • <loginapp-uri>/ui/app/protected/select/flow/vasco-activation
      • <loginapp-uri>/ui/app/protected/remember-me/devices
      • <loginapp-uri>/ui/app/protected/flow/self-lockout