--- title: SaaS REST description: The SaaS REST application template allows you to interact with most REST APIs to manage users, groups, and similar objects. Learn more in SaaS REST connector. component: pingoneaic page_id: pingoneaic:app-management:applications/saas-rest canonical_url: https://docs.pingidentity.com/pingoneaic/app-management/applications/saas-rest.html section_ids: register_the_application: Register the application configure_provisioning: Configure provisioning provision_side_tabs: Provision side tabs next_steps: Next steps --- # SaaS REST | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This application uses the built-in SaaS REST connector. If you need to run the connector on a remote connector server (RCS), use [SaaS REST (connector server)](saas-rest-rcs.html) instead. | The SaaS REST application template allows you to interact with most REST APIs to manage users, groups, and similar objects. Learn more in [SaaS REST connector](https://docs.pingidentity.com/openicf/connector-reference/rest.html). ## Register the application 1. In the Advanced Identity Cloud admin console, go to Applications, and click [icon: grid_view, set=material, size=inline] Browse App Catalog. 2. In the Browse App Catalog modal, select an application, and click Next. 3. Review the Application Integration information, and click Next. 4. In the Application Details window, specify the name, description, application owners, and logo for the application. 5. To make the application an [Authoritative](../applications.html#target_and_authoritative_applications) source of identity data, select the Authoritative check box. This option is not available for every application. 6. Click Create Application. ## Configure provisioning 1. In the Advanced Identity Cloud admin console, on the Provisioning tab: * If setting up provisioning for the first time, click Set up Provisioning. * If editing existing settings, in the Connection section, click Settings. 2. Configure the following fields: | Field | Description | | --------------------- | ---------------------------------------------------------------------------------------------------------- | | Service URI | The service URI (example: `http://myservice.com/api`). | | Authentication Method | The method for authenticating to the remote service: `BASIC`, `OAUTH`, or `TOKEN`. The default is `TOKEN`. | 3. Depending on the Authentication Method, configure the applicable fields: * BASIC * OAUTH * TOKEN | Field | Description | | -------- | ----------------------------------------------------------- | | Login | The basic authentication login name for the remote service. | | Password | The basic authentication password for the remote service. | | Field | Description | | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Client Id | The OAuth 2.0 client identifier for the remote service. | | Client Secret | The OAuth 2.0 client secret for the remote service. | | Token Endpoint | The OAuth 2.0 endpoint where a new access token is requested for the remote service. | | Grant Type | The OAuth 2.0 grant type to use (`client_credentials`, `jwt_bearer`, or `refresh_token`). | | Scope | The OAuth 2.0 scope to use. | | Use Basic Auth For OAuth Token Neg | Select this option to use basic authentication to send the client ID and client secret to the remote service as authorization headers.If unselected, the client ID and client secret are sent as form data. | Additional fields depending on the Grant Type: **refresh\_token** | Field | Description | | ------------- | --------------------------------------- | | Refresh Token | Used by the `refresh_token` Grant Type. | **jwt\_bearer** | Field | Description | | -------------- | ----------------------------------------------------------- | | JWT Key | The JWT data structure that represents a cryptographic key. | | JWT Claims | JWT claims to include in the payload. | | JWT Expiration | The JWT expiration in seconds. | | JWT Algorithm | The algorithm type to sign the payload. | | Field | Description | | -------------------------- | ---------------------------------------------------------------------------- | | Authorization Token Prefix | The prefix to use in the Authorization HTTP header for token authentication. | | Auth Token | The auth token for the remote service. | 4. Define the Account Object Schema. Learn more in [Account object](../provision-an-application.html#account-object-def). 5. Optionally, you can define additional object types: 1. Click [icon: plus, set=fa]Add Object Type. 2. Enter the object ID. 3. Define the object Schema. Learn more in [Synchronize an identity](../provision-an-application.html#provision-sync-identity). 6. Optionally, click Show advanced settings to set any of the following options: **Application specific settings** | Field | Description | | ------------------ | ------------------------------------------------------------------------------------ | | Exclude Unmodified | Select this option to synchronize only the modified properties on a target resource. | **Pool configuration** | Field | Description | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Max idle and active container instances | The maximum number of idle and active container instances. The default value is `10`. | | Max Idle Connector Instances | The maximum number of idle connector instances. The default value is `10`. | | Set Timeout Period | Select to enable a timeout period for the connection. After enabling, configure the following:- Timeout period (ms): The timeout period in milliseconds. | | Set Minimum Idle Time | Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure the following:- Min idle time (ms): The minimum idle time in milliseconds. | | Min Idle Instances | The minimum number of idle connector instances. | **Result Handler configuration** | Field | Description | | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------- | | Enable for connectors with the attribute normalizer interface | Enables the attribute normalizer interface for supported connectors. | | Enable local filtering/search features | Enables local filtering and search capabilities. | | Enable case insensitive filter | Configures filters to ignore case sensitivity. | | Enable configuration of search attributes; disable for local connectors | Enables search attribute configuration. Disable this option for local connectors. | 1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds. Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search. 2. In the Operation Rate Limits area, select the operations to enforce rate limits on. You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search. For each selected operation, configure the following fields: | Field | Description | | --------------- | ---------------------------------- | | Request Limit | Requests allowed over time. | | Request Period | Limit resets after this time (ms). | | Request Timeout | Time before exception thrown (ms). | 7. Click Connect. 8. Verify the information in the Details tab. ## Provision side tabs The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as `Group`. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab. ![Sub-tabs under the Provisioning tab](../_images/ui-workforce-provisioning.png) | Provisioning tab | Description | Related sections | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | Details | View and manage an application, including name, ID, and native type. | Select the specific application from [Provision settings for an application](../provision-an-application.html#provision_settings_for_an_application). | | Properties | View and manage properties for the selected object type. | [Manage application attributes](../provision-an-application.html#manage_application_attributes) | | Data | View data about the selected object type. | [View user access data](../provision-an-application.html#view_user_access_data) | | Mapping | View and manage mappings from the Advanced Identity Cloud admin console properties to external system properties and from external system properties to the Advanced Identity Cloud admin console properties. | [Manage mappings](../provision-an-application.html#manage_mappings) | | Reconciliation | Preview mappings on target applications between external systems and the Advanced Identity Cloud admin console, and reconcile the data between the two systems.View and manage rules for the users and groups that use your application.View and manage schedules for Full and Incremental reconciliation. | [Reconcile and synchronize end-user accounts](../provision-an-application.html#recon-sync-end-users) | | Privacy & Consent | Manage end-user data sharing and synchronization. | [Configure end-user data sharing](../provision-an-application.html#config-end-user-data-sharing) | | Rules | View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application. | [Manage provisioning rules](../provision-an-application.html#manage-provisioning-rules) | | Advanced Sync | Create and manage mappings between a managed object type and an application or between applications. | [Manage advanced sync](../provision-an-application.html#manage-advanced-sync) | ## Next steps * [icon: check-square-o, set=fa][Application management](../applications.html) * [icon: check-square-o, set=fa][App catalog](../app-catalog.html) * [icon: check-square-o, set=fa][Register an application](../register-an-application.html) or [Register a custom or SSO application](../register-a-custom-application.html) * [icon: check-square-o, set=fa][Provision an application](../provision-an-application.html) * [icon: square-o, set=fa]*[Manage end users and roles](../manage-users-and-roles.html)* * [icon: square-o, set=fa][Manage application registrations](../manage-app-status.html)