PingOne Advanced Identity Cloud

Application management

The topics in this section are for tenants created on or after January 12, 2023. Learn more in Application management migration FAQ.

In Advanced Identity Cloud, an application is an object that represents an external service you want to connect to. This service might be a popular cloud-based application (such as Salesforce or Workday), a directory service (such as LDAP or Active Directory), or your own custom-built application.

You can configure an application for two main functions:

  • Provisioning: Automates the creation and management of user accounts in external applications.

  • Single sign-on (SSO): Lets end users access external applications using their Advanced Identity Cloud credentials. Through standard protocols such as OpenID Connect (OIDC), SAML, or WS-Federation, users authenticate once with Advanced Identity Cloud and can access applications without reentering credentials. Sometimes, these protocols also let users consent to delegated access, enabling applications to act on their behalf within approved scopes.

You register and manage applications from the Applications page in the Advanced Identity Cloud admin console.

The applications described here are comprehensive objects that can include SSO, provisioning, and other policies. For simpler API access use cases, you can register a Standalone OAuth 2.0 client.

Provisioning applications

To simplify provisioning, Advanced Identity Cloud provides an extensive app catalog. The catalog includes predefined templates for many popular cloud-based applications (such as HR and CRM solutions) and frameworks for scripted connectors (such as Scripted REST and Scripted Groovy).

Based on your configuration, Advanced Identity Cloud can automatically create, update, or delete user accounts in a connected application.

Each provisioning application relies on a connector to communicate with the external resource, such as an LDAP directory or a flat file.

All provisioning applications are either authoritative or target applications.

Authoritative applications

Authoritative applications act as a source of identities. Running reconciliation on an authoritative application synchronizes user account changes (new accounts, updated accounts, deleted accounts) from the authoritative application (for example, Workday) into Advanced Identity Cloud. You don’t assign users to an authoritative application within Advanced Identity Cloud. You manage them in the source application.

You specify an application as authoritative when you register the application.

Target applications

For target applications, Advanced Identity Cloud is the source of truth. Running reconciliation on a target application synchronizes user account and associated non-account objects (like groups) from Advanced Identity Cloud to the target application (for example, ServiceNow). You can assign users and roles to the application directly within Advanced Identity Cloud.
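The two reconciliation directions described above (authoritative and target) come down to the same planning step with source and destination swapped. The following is an added illustration written for this page, not the Advanced Identity Cloud reconciliation engine: a toy planner that correlates accounts on an assumed attribute (mail), produces create, update and delete actions, and refuses to plan a mass delete when a source read looks empty or partial (the threshold is an assumed safeguard, not a product setting). The sample accounts are constructed.

```python
"""Toy reconciliation planner (added example, not product code).

Shows the direction of synchronization for the two provisioning
application kinds:
  - authoritative app: source = app accounts, destination = identity store
  - target app:        source = identity store, destination = app accounts
"""
from dataclasses import dataclass

# Assumption: accounts are correlated on the mail attribute.
CORRELATION_KEY = "mail"


@dataclass(frozen=True)
class Action:
    op: str        # "CREATE", "UPDATE" or "DELETE"
    key: str       # correlation value the action applies to
    detail: str = ""   # for UPDATE: comma-separated changed attributes


def plan_reconciliation(source, destination, attributes, max_delete_ratio=0.2):
    """Return the actions that make `destination` match `source`.

    max_delete_ratio (assumed safeguard): raise instead of planning deletes
    when more than this fraction of destination accounts would be removed,
    which is the usual symptom of an empty or partial read of the source.
    """
    src = {rec[CORRELATION_KEY]: rec for rec in source}
    dst = {rec[CORRELATION_KEY]: rec for rec in destination}
    actions = []
    for key, rec in src.items():
        if key not in dst:
            actions.append(Action("CREATE", key))
            continue
        changed = [f for f in attributes if rec.get(f) != dst[key].get(f)]
        if changed:
            actions.append(Action("UPDATE", key, ",".join(changed)))
    missing = [k for k in dst if k not in src]
    if dst and len(missing) / len(dst) > max_delete_ratio:
        raise RuntimeError(f"refusing to delete {len(missing)} of {len(dst)} accounts")
    actions.extend(Action("DELETE", k) for k in missing)
    return actions


# Constructed sample data: an HR system (authoritative), the identity store,
# and a ticketing system (target).
HR_ACCOUNTS = [
    {"mail": "ana@example.com", "givenName": "Ana", "title": "Engineer"},
    {"mail": "bo@example.com", "givenName": "Bo", "title": "Manager"},
]
IDENTITY_STORE = [
    {"mail": "ana@example.com", "givenName": "Ana", "title": "Intern"},
    {"mail": "cy@example.com", "givenName": "Cy", "title": "Contractor"},
]
TICKETING_ACCOUNTS = [
    {"mail": "ana@example.com", "givenName": "Ana", "title": "Intern"},
    {"mail": "dan@example.com", "givenName": "Dan", "title": "Analyst"},
]
ATTRS = ["givenName", "title"]


def authoritative_sync_plan():
    # HR is authoritative: its changes flow into the identity store.
    return plan_reconciliation(HR_ACCOUNTS, IDENTITY_STORE, ATTRS, max_delete_ratio=0.5)


def target_sync_plan():
    # Ticketing is a target: the identity store is the source of truth.
    return plan_reconciliation(IDENTITY_STORE, TICKETING_ACCOUNTS, ATTRS, max_delete_ratio=0.5)


def empty_source_is_rejected():
    # An empty source read must not turn into "delete everyone".
    try:
        plan_reconciliation([], IDENTITY_STORE, ATTRS, max_delete_ratio=0.5)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for label, plan in (("authoritative", authoritative_sync_plan()),
                        ("target", target_sync_plan())):
        print(label, [(a.op, a.key, a.detail) for a in plan])
    print("empty source rejected:", empty_source_is_rejected())
```

In the authoritative run the identity store gains Bo, has Ana's title corrected and loses Cy; in the target run the ticketing system gains Cy and loses Dan. The delete-ratio guard is the kind of check worth having in any direction, since a misconfigured connector that returns nothing otherwise looks exactly like "all users left".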

Currently, most of the application templates in the app catalog are for provisioning with external applications, not for SSO.

SSO applications

You typically configure SSO applications by creating a custom application based on a standard protocol. Advanced Identity Cloud supports several protocols, allowing you to integrate with a wide range of external services. While most are configured manually from scratch, some integrations such as Microsoft 365 have dedicated templates.

The applications you configure in the Applications page trust Advanced Identity Cloud as their IdP. You can also configure Advanced Identity Cloud to trust external IdPs (such as Google or Facebook) for user authentication. This is commonly known as social authentication. Learn more in Social authentication.

OpenID Connect (OIDC)

OIDC is a modern, token-based identity protocol built on top of the OAuth 2.0 authorization framework. It’s ideal for verifying the end user’s identity and obtaining basic profile information, while enabling third-party applications (web, mobile, and single-page applications) to securely access data or act on the user’s behalf.

When you register a custom OIDC application, you can choose from several types:

  • Native / SPA applications with PKCE: Native applications are built for specific platforms, such as mobile phones or desktops. Single-page applications (SPAs) run entirely in a user’s web browser. Both types are considered public clients because they can’t securely store a client secret. They use the Proof Key for Code Exchange (PKCE) standard to secure the authorization code flow.

  • Web applications: Traditional web applications run on a server. Because the back-end code isn’t exposed to the public, they’re considered confidential clients and can securely use a client secret to communicate with Advanced Identity Cloud.

  • Service / Machine-to-machine applications: Machine-to-machine (M2M) applications, such as daemons or CLIs, act on their own behalf rather than on behalf of an end user. They authenticate directly without user interaction.
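To make the public-client case concrete, here is an added example (written for this page, not code from Ping Identity or the Advanced Identity Cloud SDKs) of PKCE as specified in RFC 7636. The client side derives a code verifier and its S256 challenge and places the challenge in the authorization request; a toy in-memory authorization server shows the check a token endpoint performs when the code is redeemed. The issuer URL, client ID, redirect URI and in-memory code store are assumptions; the known-answer values are the test vector from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) for a public OIDC client, both sides (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    # RFC 7636 requires base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random octets encode to a 43-character verifier, the RFC minimum.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        verifier: str, state: str) -> str:
    # The challenge, never the verifier, travels in the front-channel request.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{issuer}/authorize?{urlencode(params)}"


# --- toy authorization server side (assumption: in-memory code store) ---
ISSUED_CODES: dict[str, tuple[str, str]] = {}


def issue_code(challenge: str, method: str) -> str:
    # At authorization time the server binds the challenge to the code it issues.
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (challenge, method)
    return code


def redeem_code(code: str, verifier: str) -> bool:
    # At the token endpoint the presented verifier must hash to the stored challenge.
    entry = ISSUED_CODES.pop(code, None)   # codes are single use
    if entry is None:
        return False
    challenge, method = entry
    if method != "S256":
        return False   # assumption: the "plain" method is not accepted
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def rfc7636_vector_matches() -> bool:
    # Known-answer check from RFC 7636 Appendix B.
    return (make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
            == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")


def demo_flow() -> tuple[bool, bool, bool]:
    """Return (legitimate redeem ok, replay rejected?, wrong verifier rejected?)."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(8)
    build_authorize_url("https://tenant.example/am/oauth2", "my-spa",
                        "https://app.example/callback", verifier, state)
    code = issue_code(make_code_challenge(verifier), "S256")
    legit = redeem_code(code, verifier)
    replay = redeem_code(code, verifier)            # same code a second time
    other_code = issue_code(make_code_challenge(verifier), "S256")
    wrong = redeem_code(other_code, make_code_verifier())   # holder lacks the verifier
    return legit, replay, wrong


if __name__ == "__main__":
    print("RFC 7636 vector:", rfc7636_vector_matches())
    print("legit, replay, wrong verifier:", demo_flow())
```

The point for a public client is that nothing secret is stored in the app: the verifier lives only in memory for the duration of one flow, and a code obtained without it cannot be exchanged for tokens. The server-side half also shows the two properties worth confirming in any authorization server you operate: the code is single use, and the comparison is constant time.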

SAML 2.0 applications

SAML is an XML-based open standard for exchanging authentication and authorization data. It’s widely used in enterprise federation scenarios. Register a SAML application if the application you’re connecting to requires it.

Learn more in SAML 2.0 introduction.

Bookmark applications

A Bookmark application is a simple, non-federated entry in an IdP’s application catalog or user portal.

Its purpose isn’t to perform authentication itself, but to provide a centralized and managed link to an external application, especially those that don’t support modern SSO protocols like SAML or OIDC.

WS-Fed applications

WS-Federation is an identity protocol that is part of the larger Web Services Security (WS-Security) framework.

Using this protocol to integrate with applications like Microsoft 365 requires the WS-Federation add-on capability. Contact your Ping Identity representative to add WS-Federation to your Advanced Identity Cloud subscription.

Best practices for registering applications

Before you register an application with Advanced Identity Cloud, consider the following:

  • To set up SSO with SAML, make sure you have the application’s metadata and entity ID.

  • Know the settings required for configuring provisioning. Learn more in Provision an application.

  • Know which users and groups should have access to your application.