Access Management 7.3.2

Dashboards

The Dashboard service gives the end user an interface to access applications secured by AM; both cloud-based applications like SalesForce, and internal applications protected by web or Java agents. The Dashboard service uses SSO to log in to the applications when the user clicks on the application icon. For some apps, like SalesForce, you should limit access to only a few users. Other apps, like Google Mail or Drive, will likely be available to all users.

The user dashboard lets users quickly access their applications.
Figure 1. User dashboard

The Dashboard service gives users a single place to access their applications. Keep in mind that the service controls only which applications appear on the user dashboard; it does not limit user access to those applications.

There are three stages to setting up the Dashboard service:

  • Set up the Dashboard service and add applications.

  • Configure the service for the realms.

  • Assign users applications so that they appear on the users' dashboards. This can be done manually or through a provisioning solution.

Once the Dashboard service is configured for a user, the user can access their dashboard after logging in through the XUI under /XUI/?realm=/alpha#dashboard/.

When making a request to the UI, specify the realm or realm alias as the value of a realm parameter in the query string, or the DNS alias in the domain component of the URL. If you do not use a realm alias, then you must specify the entire hierarchy of the realm. For example: https://openam.example.com:8443/openam/XUI/?realm=/customers/europe#login/.

For example, depending on the deployment, the full URL might be https://openam.example.com:8443/openam/XUI/?realm=/alpha#dashboard/.

Implement the Dashboard service

Making some applications universally available ensures that all users have the same basic applications. However, some of your applications should be protected from the majority of your users. For those applications, you need to single out which users have the application on their dashboard.

There are three default applications in the Dashboard service: Google, SalesForce, and ZenDesk.

Set up the dashboard service and add applications

You can add applications to the dashboard service with the following steps. All fields except the dashboard class name and ICF Identifier are required for the application to work properly from the dashboard:

  1. In the AM admin UI, go to Configure > Global Services > Dashboard > Secondary Configurations, and click Add a Secondary Configuration to add an application to the dashboard service.

  2. Provide a unique name for the application.

  3. Add a Dashboard Class Name that identifies how the end user will access the app, such as SAML2ApplicationClass for a SAML v2.0 application.

  4. Add a Dashboard Name for the application.

  5. Add a Dashboard Display Name. This name is what the end user will see, such as Google.

  6. Add the Dashboard Icon you would like the end user to see for the application. Either use a fully qualified URL or an appropriate relative URL so that the icon is rendered properly on the user dashboard.

  7. Add the Dashboard Login URL to point to the location the end user will go to once they click on the icon.

  8. Leave the ICF Identifier blank.

  9. Click Add.

Configure the Dashboard service for a realm

You must configure the Dashboard service and add applications to a realm before you can access them. The following instructions show you how to add an application to a single realm. Before you begin, make sure you have the name of the application (displayed in the Secondary Configuration Instance table under Configure > Global Services > Dashboard):

  1. Select Realms > Realm Name > Services, and click Add a Service.

  2. Select the Dashboard service, and click Create.

  3. Add or remove the applications you would like to appear on the Dashboard service for the realm.

  4. Save your changes.

Enable an application for a user

Use the following steps to enable access to an application from the user’s dashboard:

  1. Select Realms > Realm Name > Identities and click the user identifier to edit the user’s profile.

  2. Under Services, click Dashboard.

  3. Add the application to the user’s Assigned Dashboard list.

  4. Save your changes.

Remove user access to an application

Removing user access to an application does not delete the user’s identity profile. The following steps walk you through removing an application from a user’s dashboard:

  1. Select Realms > Realm Name > Identities and click the user identifier to edit the user’s profile.

  2. Under Services, click Dashboard.

  3. Delete the application from the user’s Assigned Dashboard list.

  4. Save your changes.

Displaying Dashboard Applications

AM lets administrators configure online applications to display on user dashboards. You can use the exposed REST API to display information about the online applications.

/dashboard/assigned

This endpoint retrieves the list of applications assigned to the authenticated user.

$ curl \
--header "iplanetDirectoryPro: AQIC5w…2NzEz*" \
--header "Accept-API-Version: resource=1.0" \
https://openam.example.com:8443/openam/json/realms/root/realms/alpha/dashboard/assigned
{
    "google":{
        "dashboardIcon":[
            "Google.gif"
        ],
        "dashboardName":[
            "Google"
        ],
        "dashboardLogin":[
            "http://www.google.com"
        ],
        "ICFIdentifier":[
            ""
        ],
        "dashboardDisplayName":[
            "Google"
        ],
        "dashboardClassName":[
            "SAML2ApplicationClass"
        ]
    }
}

/dashboard/available

This endpoint retrieves the list of applications available in the authenticated user’s realm. The example is based on two of the default Dashboard applications: Google and Salesforce.

$ curl \
--header "iplanetDirectoryPro: AQIC5w…2NzEz*" \
--header "Accept-API-Version: resource=1.0" \
https://openam.example.com:8443/openam/json/realms/root/realms/alpha/dashboard/available
{
    "google":{
        "dashboardIcon":[
            "Google.gif"
        ],
        "dashboardName":[
            "Google"
        ],
        "dashboardLogin":[
            "http://www.google.com"
        ],
        "ICFIdentifier":[
            ""
        ],
        "dashboardDisplayName":[
            "Google"
        ],
        "dashboardClassName":[
            "SAML2ApplicationClass"
        ]
    },
    "salesforce":{
        "dashboardIcon":[
            "salesforce.gif"
        ],
        "dashboardName":[
            "Salesforce"
        ],
        "dashboardLogin":[
            "http://salesforce.com"
        ],
        "ICFIdentifier":[
            ""
        ],
        "dashboardDisplayName":[
            "Salesforce"
        ],
        "dashboardClassName":[
            "SAML2ApplicationClass"
        ]
    }
}

/dashboard/defined

This endpoint retrieves the list of all applications defined for the AM Dashboard service. The example is based on the three default Dashboard applications: Google, Salesforce, and Zendesk.

$ curl \
--header "iplanetDirectoryPro: AQIC5w…2NzEz*" \
--header "Accept-API-Version: resource=1.0" \
https://openam.example.com:8443/openam/json/realms/root/realms/alpha/dashboard/defined
{
    "google":{
        "dashboardIcon":[
            "Google.gif"
        ],
        "dashboardName":[
            "Google"
        ],
        "dashboardLogin":[
            "http://www.google.com"
        ],
        "ICFIdentifier":[
            "idm magic 34"
        ],
        "dashboardDisplayName":[
            "Google"
        ],
        "dashboardClassName":[
            "SAML2ApplicationClass"
        ]
    },
    "salesforce":{
        "dashboardIcon":[
            "salesforce.gif"
        ],
        "dashboardName":[
            "SalesForce"
        ],
        "dashboardLogin":[
            "http://www.salesforce.com"
        ],
        "ICFIdentifier":[
            "idm magic 12"
        ],
        "dashboardDisplayName":[
            "Salesforce"
        ],
        "dashboardClassName":[
            "SAML2ApplicationClass"
        ]
    },
    "zendesk":{
        "dashboardIcon":[
            "ZenDesk.gif"
        ],
        "dashboardName":[
            "ZenDesk"
        ],
        "dashboardLogin":[
            "http://www.ZenDesk.com"
        ],
        "ICFIdentifier":[
            "idm magic 56"
        ],
        "dashboardDisplayName":[
            "ZenDesk"
        ],
        "dashboardClassName":[
            "SAML2ApplicationClass"
        ]
    }
}
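
The three endpoints above return the same object shape at three scopes (service, realm, user), which makes the configuration easy to audit. The following added example (not part of the AM documentation or product) checks that each narrower scope is a subset of the wider one, as the three setup stages imply, and flags Dashboard Login URLs that do not use https. The function names and the `legacy-crm` entry are hypothetical, and the sample data is constructed in the shape of the responses shown above.

```python
import json
from urllib.parse import urlparse

# Constructed sample data in the shape of the /dashboard/* responses above
# (every attribute is a JSON array). "legacy-crm" is a hypothetical entry.
DEFINED = json.loads("""{
  "google":     {"dashboardLogin": ["http://www.google.com"]},
  "salesforce": {"dashboardLogin": ["https://www.salesforce.com"]},
  "zendesk":    {"dashboardLogin": ["http://www.ZenDesk.com"]}
}""")
AVAILABLE = {name: DEFINED[name] for name in ("google", "salesforce")}
ASSIGNED = {
    "google": DEFINED["google"],
    "legacy-crm": {"dashboardLogin": ["crm.internal/login"]},
}


def first(app, field):
    """Return the first value of an array-valued attribute, or ''."""
    values = app.get(field) or [""]
    return values[0]


def insecure_login_urls(apps):
    """Names of apps whose dashboardLogin does not use the https scheme."""
    return sorted(
        name for name, app in apps.items()
        if urlparse(first(app, "dashboardLogin")).scheme.lower() != "https"
    )


def scope_violations(assigned, available, defined):
    """Apps present at a narrower scope but missing from the wider one."""
    return {
        "assigned_not_available": sorted(set(assigned) - set(available)),
        "available_not_defined": sorted(set(available) - set(defined)),
    }


if __name__ == "__main__":
    print("non-https login URLs:", insecure_login_urls({**DEFINED, **ASSIGNED}))
    print("scope violations:", scope_violations(ASSIGNED, AVAILABLE, DEFINED))
```

In practice, the three dictionaries would be the parsed bodies of the `/dashboard/defined`, `/dashboard/available` and `/dashboard/assigned` responses for the realm and user under review.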

If your application runs in a user-agent such as a browser, you can rely on AM to handle authentication.