Application management (current)
The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ. |
The topics in this and subsequent sections are for system administrators and similar roles whose responsibility is to set up and manage applications that work with the PingOne Advanced Identity Cloud.
You can use a registration process to manage the security and access of common and custom relying party applications and SAML 2.0 applications directly from Advanced Identity Cloud.
Using the Applications page, you can integrate Advanced Identity Cloud with external data stores or identity providers. This page provides a one-stop location to:
-
Register and provision popular Federation-capable applications quickly and easily by choosing from a library of templates, such as Salesforce and Workday.
-
Register and provision your organization’s custom applications.
-
Manage data, properties, rules, provisioning, users, and groups for an application.
-
Activate and deactivate an application.
-
View the connection status of each application created in Advanced Identity Cloud.
To view OAuth 2.0 client applications created in AM admin UI (native console) or using the Advanced Identity Cloud REST API: In Advanced Identity Cloud admin UI, under Applications, click OAuth2 Clients and view the applications on the OAuth2 Clients page. |
All applications that you register with Advanced Identity Cloud are either target applications or authoritative applications. For more information, refer to Target and authoritative applications.
Each application relies on a connector to connect to external resources such as LDAP and flat files.
You can register OIDC OpenID Connect applications and SAMLv2 applications, and set up provisioning, and other features using the following methods:
-
Template - Advanced Identity Cloud includes a library of templates for OIDC relying party applications that makes the process of registration and configuration quick and easy. When using a template, Advanced Identity Cloud sets the OAuth 2.0 grant type based on the type of application you register. The system sets OpenID connect default options as well. You can then customize configurations in the application’s client profile.
-
Custom - This option allows you to register custom applications as an OAuth 2.0 or SAML 2.0 application.
To view a catalog of application templates, click Browse App Catalog. To search for an existing application, in the Search field, enter the name of an application.
To register an application, use an application template. Click Browse App Catalog, select the application, and complete the fields.
After you register an application, the page displays the following configuration tabs for single sign-on, provisioning, and so on.
The application type determines the tabs that the page displays. |
Tab | Description | Related sections |
---|---|---|
Details |
Configure, view, and manage application details, including name, description, owners, and logo. |
|
Provisioning |
Configure, view, and manage provisioning settings, including properties, mapping, rules, reconciliation, and schedules. |
|
Users & Roles |
Configure, view, and manage users and roles for your target application. |
Target and authoritative applications
All applications that you register with Advanced Identity Cloud are either target applications or authoritative applications.
-
target applications: Use Advanced Identity Cloud to create and manage user accounts in a target application. Running reconciliation on a target application syncs user account changes (new accounts, updated accounts, deleted accounts) and user-associated non-account objects (like groups) from Advanced Identity Cloud to the target application (for example, ServiceNow).
-
authoritative applications: Create and manage user accounts in an authoritative application. Authoritative applications act as a source of identities and do not allow management of users and roles. You do not assign users to an Authoritative application. Running reconciliation on an authoritative application syncs user account changes (New accounts, updated accounts, deleted accounts) from the authoritative application (for example, Workday) to Advanced Identity Cloud. You specify an application as authoritative when you create the application.
Whether an application is an authoritative application or a target application, you can set up the following application types:
OIDC OpenID Connect applications
OAuth 2.0 is a token-based authorization framework for SSO through API endpoints and is mainly for authorizing applications. For Advanced Identity Cloud, register an OAuth 2.0 application if you have a custom application integration with the ForgeRock SDK or hosted pages.
There are several types of OAuth 2.0 applications when registering a custom application:
Native / SPA applications with PKCE
Native applications are for specific platforms or devices. Examples include applications for mobile phones and applications for the macOS platform.
Single-page applications (SPAs) are OAuth 2.0 clients that run in an end user’s web browser. SPAs use Proof Key Code Exchange (PKCE) to verify the client because SPAs can’t secure the client secret. PKCE is a security standard from the IETF specification Proof Key for Code Exchange by OAuth Public Clients.
For a deep dive on how Advanced Identity Cloud implements PKCE for native and SPA applications, refer to Authorization code grant with PKCE.
Web applications
Web applications are OAuth 2.0 clients that run on a web server. End users (resource owners) access web applications using a web browser. The application makes API calls using a server-side programming language. The end user has no access to the OAuth 2.0 client secret or any access tokens that the authorization server issues.
Service / Machine-to-machine applications
Machine-to-machine (M2M) applications interact with an API, and no end user involvement is necessary. The application acts on behalf of itself and not on behalf of an end user. The application can ask for an access token directly without involving an end user in the process at all. Items such as a smart meter that tracks your utility usage and wearable devices that gather and communicate health data use services, and M2M applications.
SAML 2.0 applications
SAML 2.0 is an XML-based open standard for single sign-on (SSO) and is primarily for authenticating users. Register a SAML 2.0 application if the identity provider (IdP) for your application only supports SAML 2.0.
Learn more in Introduction to SAML 2.0.
Best practices for registering applications
Before you register an application with Advanced Identity Cloud, consider the following:
-
To set up SSO if the application is SAML 2.0, make sure you have the application metadata and entity ID for your application.
-
Know the settings for configuring provisioning. For information about application-specific provisioning settings, refer to Provision an application.
-
Know the users and groups that have access to your application.