PingOne Advanced Identity Cloud

Application management (current)

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.
Just show me the available apps!

The topics in this and subsequent sections are for system administrators and similar roles whose responsibility is to set up and manage applications that work with the PingOne Advanced Identity Cloud.

You can use a registration process to manage the security and access of common and custom relying party applications and SAML 2.0 applications directly from Advanced Identity Cloud.

Using the Applications page, you can integrate Advanced Identity Cloud with external data stores or identity providers. This page provides a one-stop location to:

  • Register and provision popular Federation-capable applications quickly and easily by choosing from a library of templates, such as Salesforce and Workday.

  • Register and provision your organization’s custom applications.

  • Manage data, properties, rules, provisioning, users, and groups for an application.

  • Activate and deactivate an application.

  • View the connection status of each application created in Advanced Identity Cloud.

To view OAuth 2.0 client applications created in AM admin UI (native console) or using the Advanced Identity Cloud REST API:
In Advanced Identity Cloud admin UI, under Applications, click OAuth2 Clients and view the applications on the OAuth2 Clients page.

All applications that you register with Advanced Identity Cloud are either target applications or authoritative applications. For more information, refer to app-management:applications.adoc#target_and_authoritative_applications.

Each application relies on a connector to connect to external resources such as LDAP and flat files.

You can register OIDC OpenID Connect applications and SAMLv2 applications, and set up provisioning, and other features using the following methods:

  • Template - Advanced Identity Cloud includes a library of templates for OIDC relying party applications that makes the process of registration and configuration quick and easy. When using a template, Advanced Identity Cloud sets the OAuth 2.0 grant type based on the type of application you register. The system sets OpenID connect default options as well. You can then customize configurations in the application’s client profile.

  • Custom - This option allows you to register custom applications as an OAuth 2.0 or SAML 2.0 application.

To view a catalog of application templates, click Browse App Catalog. To search for an existing application, in the Search field, enter the name of an application.

To register an application, use an application template. Click Browse App Catalog, select the application, and complete the fields.

After you register an application, the page displays the following configuration tabs for single sign-on, provisioning, and so on.

The application type determines the tabs that the page displays.
Tab Description Related sections

Details

Configure, view, and manage application details, including name, description, owners, and logo.

Provisioning

Configure, view, and manage provisioning settings, including properties, mapping, rules, reconciliation, and schedules.

Provision an application

Users & Roles

Configure, view, and manage users and roles for your target application.

Manage end users and roles

Target and authoritative applications

All applications that you register with Advanced Identity Cloud are either target applications or authoritative applications.

  • target applications: Use Advanced Identity Cloud to create and manage user accounts in a target application. Running reconciliation on a target application syncs user account changes (new accounts, updated accounts, deleted accounts) and user-associated non-account objects (like groups) from Advanced Identity Cloud to the target application (for example, ServiceNow).

  • authoritative applications: Create and manage user accounts in an authoritative application. Authoritative applications act as a source of identities and do not allow management of users and roles. You do not assign users to an Authoritative application. Running reconciliation on an authoritative application syncs user account changes (New accounts, updated accounts, deleted accounts) from the authoritative application (for example, Workday) to Advanced Identity Cloud. You specify an application as authoritative when you create the application.

Whether an application is an authoritative application or a target application, you can set up the following application types:

OIDC OpenID Connect applications

OAuth 2.0 is a token-based authorization framework for SSO through API endpoints and is mainly for authorizing applications. For Advanced Identity Cloud, register an OAuth 2.0 application if you have a custom application integration with the ForgeRock SDK or hosted pages.

There are several types of OAuth 2.0 applications when registering a custom application:

Native / SPA applications with PKCE

Native applications are for specific platforms or devices. Examples include applications for mobile phones and applications for the macOS platform.

Single-page applications (SPAs) are OAuth 2.0 clients that run in an end user’s web browser. SPAs use Proof Key Code Exchange (PKCE) to verify the client because SPAs can’t secure the client secret. PKCE is a security standard from the IETF specification Proof Key for Code Exchange by OAuth Public Clients.

For a deep dive on how Advanced Identity Cloud implements PKCE for native and SPA applications, refer to Authorization code grant with PKCE.

Web applications

Web applications are OAuth 2.0 clients that run on a web server. End users (resource owners) access web applications using a web browser. The application makes API calls using a server-side programming language. The end user has no access to the OAuth 2.0 client secret or any access tokens that the authorization server issues.

Service / Machine-to-machine applications

Machine-to-machine (M2M) applications interact with an API, and no end user involvement is necessary. The application acts on behalf of itself and not on behalf of an end user. The application can ask for an access token directly without involving an end user in the process at all. Items such as a smart meter that tracks your utility usage and wearable devices that gather and communicate health data use services, and M2M applications.

SAML 2.0 applications

SAML 2.0 is an XML-based open standard for single sign-on (SSO) and is primarily for authenticating users. Register a SAML 2.0 application if the identity provider (IdP) for your application only supports SAML 2.0.

Learn more in Introduction to SAML 2.0.

Best practices for registering applications

Before you register an application with Advanced Identity Cloud, consider the following:

  • To set up SSO if the application is SAML 2.0, make sure you have the application metadata and entity ID for your application.

  • Know the settings for configuring provisioning. For information about application-specific provisioning settings, refer to Provision an application.

  • Know the users and groups that have access to your application.

Next step

App catalog

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

Register any of the following applications with PingOne Advanced Identity Cloud, and then click the logo to view app-specific provision settings:

Active Directory
Adobe Admin Console
AS400
Atlassian Jira
Azure AD
BeyondTrust
CSV File
Custom Application
Database Table
Directory Services (DS)
DocuSign
Epic EMP
Google Workspace
LDAP
Oracle E-Business Suite
PingOne
Powershell
Salesforce
Salesforce Community
SAP SuccessFactors Account
SAP SuccessFactors HR
SAP User Management
SCIM
Scripted Groovy
Scripted REST
Scripted Table
ServiceNow
Webex
Workday
I want to register a custom application.

Next step

Register an application

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

Advanced Identity Cloud includes a template library for OIDC applications making registration and configuration quick and easy. When using a template, Advanced Identity Cloud sets the OAuth 2.0 grant type based on the type of application you register. The system sets OIDC default options as well. You can then customize configurations in the application’s client profile and set up sign-on, provisioning, and users and groups.

If you are new to using this feature, we recommend that you first review Application management (current) before you begin this process.
ui workforce register using app template no sso

After registration, you can configure application specific details, including application name, icon, entry point URL, authorization, access indicators, and required connector and mapping information.

After an application is registered, Advanced Identity Cloud displays the application’s status as one of the following:

  • Active: The application successfully registered with Advanced Identity Cloud.

  • Inactive: The application is not successfully registered with Advanced Identity Cloud and requires additional setup.

Choose an application to connect

  1. In the Advanced Identity Cloud admin UI, go to Applications, and click grid_view Browse App Catalog.

  2. In the Browse App Catalog modal, select an application, and click Next.

    Select the latest application version.

  3. Review the Application Integration information, and click Next.

  4. In the Application Details window, specify the name, description, application owners, and logo for the application.

  5. To make the application an Authoritative source of identity data, select the Authoritative check box. This option is not available for every application.

  6. Click Create Application.

Next step

Register a custom application

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

If you can’t find a template for your OpenID Connect (OIDC) or SAML applications, Advanced Identity Cloud lets you create custom applications, where you supply all the configuration information.

Provisioning is not a custom applications feature.
ui workforce register custom application

Register a custom application or service

Learn more about OpenID Connect (OIDC) applications in Application management (current).

  1. On the Advanced Identity Cloud admin UI, go to Applications, and click Custom Application.

  2. On the Add a Custom Application dialog box, choose one of the following:

    • OIDC - OpenID Connect

    • SAML.

    • Bookmark.

  3. Click Next.

OpenID Connect (OIDC)

  1. Choose the application type you want to register. Learn more in OIDC OpenID Connect applications.

    • Native / SPA

    • Web

    • Service

  2. Click Next.

  3. In the Application Details modal, configure the following fields:

    • Name: The name of the application.

    • Description: A description of the application.

    • Application Owners: The owners of the application.

    • App Logo URI: The URL of the application logo.

  4. Click Next.

  5. In the Service Settings modal, configure the following fields:

    1. Enter a Client ID to display in the applications list, and if shown, enter a Client Secret. Remember the client secret. If you forget the client secret, you must reset it on the Sign On tab on the edit application page.

    2. Enable Use Secret Store for secrets to display the Secret Label Identifier field. Learn how to configure the Secret Label Identifier field in General Settings.

  6. Click Create Application.

OAuth 2.0 - Set up single sign-on

  1. On the Sign On tab, set or review the following credentials:

    Client Credentials
    Field Description

    Client ID

    Identifier used to register your client with AM’s authorization server, and then used when your client must authenticate to AM.

    (Web and Service) Client Secret

    Password used to register your client with AM’s authorization server, and then used when your client must authenticate to AM.

    Discovery URI

    AM URL base for OpenID Provider Configuration.
    Default: http://openam.example.com:8088/openam/oauth2
    Show advanced settings
    Field Description

    OAuth2.0 Authenticate Endpoint

    The endpoint for OAuth2.0 authentication.

    OAuth2.0 Authorization Endpoint

    The endpoint for OAuth2.0 authorization.

    OAuth2.0 Token Endpoint

    The endpoint the application uses to get an access token or a refresh token.

    OAuth2.0 Introspect Endpoint

    The endpoint that returns validation information for identifier-based access tokens.

    OAuth2.0 Userinfo Endpoint

    The endpoint that returns information about an end user.

    OAuth2.0 Identity Token Endpoint

    The endpoint that returns the identity token.
    General Settings
    Field Description

    Sign-in URLs

    Custom URL for handling login. Overrides the default OpenAM login page.

    Sign-out URLs

    Custom URL for handling logout. Example: http://client.example.com:8080/openam/XUI/?realm=/#logout.

    Grant Types

    Specify the set of OAuth 2.0 grant types, also known as grant flows, allowed for this client:

    Scopes

    Specify scopes presented to the resource owner when the resource owner is asked to authorize client access to protected resources. The openid scope is required.

    Use Secret Store for secrets

    Enable to display the Secret Label Identifier field.

    Secret Label Identifier

    Enter a value that represents the <identifier> part of a secret label for an OAuth 2.0 client. Advanced Identity Cloud uses the identifier to generate secret labels in the following format:

    Client Secret Identifier

    am.applications.oauth2.client.<identifier>.secret

    Client JWT Bearer Public Key Identifier

    am.applications.oauth2.client.<identifier>.jwt.public.key

    Client ID Token Public Encryption Key Identifier

    am.applications.oauth2.client.<identifier>.id.token.enc.public.key

    mTLS Self-signed Certificate Identifier

    am.applications.oauth2.client.<identifier>.mtls.trusted.cert

    Learn more in Secret labels.

  2. Review Advanced Settings:

    Access
    Field Description

    Default Scopes

    Scopes set automatically when tokens are issued. The openid scope is required.

    Response Types

    Specify the response types that the client uses. The response type value specifies the flow that determines how the ID token and access token are returned to the client. By default, the following response types are available:

    • code. Specifies that the client application requests an authorization code grant.

    • token. Specifies that the client application requests an implicit grant type and requests a token from the API.

    • id_token. Specifies that the client application requests an ID token.

    • code token. Specifies that the client application requests an access token, access token type, and an authorization code.

    • token id_token. Specifies that the client application requests an access token, access token type, and an ID token.

    • code id_token. Specifies that the client application requests an authorization code and an ID token.

    • code token id_token. Specifies that the client application requests an authorization code, access token, access token type, and an ID token.

    Claims

    Claims can be entered as simple strings, such as name, email, profile, or sub. Or, as a pipe-separated string in the format: scope|locale|localized description. For example, name|en|Full name of end user.

    Allow wildcard ports in redirect URLs

    Specify whether AM allows the use of wildcards (* characters) in the redirection URI port to match one or more ports.

    The URL configured in the redirection URI must be either localhost, 127.0.01, or ::1. For example, http://localhost:*/, https://127.0.0.1:80*/, or \https://[::1]:*443/.

    Enable this setting, for example, for desktop applications that start a web server on a random free port during the OAuth 2.0 flow.
    Authentication
    Field Description

    Token Endpoint
    Authentication Method

    Authentication method client uses to authenticate to AM.
    Choose one:

    • client_secret_basic. Clients authenticate using the HTTP Basic authentication scheme after receiving a client_secret value.

    • client_secret_post. Clients authenticate by including the client credentials in the request body after receiving a client_secret value.

    • private_key_jwt. Clients sign a JSON web token (JWT) with a registered public key.

    Client Type

    • Confidential clients can maintain the confidentiality of their credentials. For example, a web application runs on a server where its credentials are protected.

    • Public clients run the risk of exposing their passwords to a host or user agent. For example, a JavaScript client running in a browser may be accessible to the public at large.

    Implied Consent

    When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2.0 Provider must also be configured to allow clients to skip consent.

    OAuth 2.0 Mix-Up Mitigation active

    Enable this setting only if this OAuth 2.0 client supports the OAuth 2.0 Mix-Up Mitigation draft, otherwise AM will fail to validate access token requests received from this client.

    Default ACR values

    Default Authentication Context Class Reference values. Specify strings that will be requested as Voluntary Claims by default in all incoming requests.

    Request URIs

    Specify request_uri values that a dynamic client pre-registers.

    Client JWT Bearer
    Public Key

    A base64-encoded X509 certificate in PEM format used to obtain the client’s JWT bearer public key. The client uses the private key to sign client authentication and access token request JWTs, while AM uses the public key for verification.

    Subject Type

    Default value is public.

    • Choose pairwise if you want each client to receive a different subject value. This prevents correlation between clients.

    • Choose public if you want each client to receive the same subject value.

    Default Max Age

    Enable this option to enforce a default maximum age of 10 minutes. If the end user session is not currently active, and if more than 10 minutes have passed since the end user last authenticated, then the end user must authenticate again.

    Use Certificate-Bound Access Tokens

    Enable this option if you want access tokens issued to this client to be bound to an X.509 certificate. When enabled, access tokens will use the X.509 certificate to authenticate to the access_token endpoint.
    Token Lifetimes
    Field Description

    Authorization code lifetime (seconds)

    The time an authorization code is valid for.
    Default value: 120

    Access token lifetime (seconds)

    The time an access token is valid for, in seconds
    If you set the value to 0, the access token will not be valid. A maximum lifetime of 600 seconds is recommended. Default value: 3600

    Refresh token lifetime (seconds)

    The time a refresh token is valid for.
    If this field is set to -1, the refresh token will never expire. Default value: 604800

    JWT token lifetime (seconds)

    The amount of time the JWT is valid for. Default value: 3600
    Consent Screen
    Field Description

    Display Name

    Custom user-facing title. In this example, MyClient.

    Display Description

    User-facing instruction text. In this example, "This application is requesting the following information:"

    Privacy Policy URI

    URI containing the client’s privacy policy documentation. The URI is displayed as a link in the consent page.

    200
    Client Management
    Field Description

    Access Token

    Specify the registration_access_token value you provided when registering the client, and then subsequently, when reading or updating the client profile.
    Session Management
    Field Description

    Client Session URI

    Specify the relying party (client) URI to which the OpenID Connect Provider sends "session changed" notification. Message is sent using the HTML 5 postMessage API.
    Endpoint Response Formats
    Field Description

    User info response format

    Specify the output format from the userinfo endpoint.
    The supported output formats are:

    • (default) User info JSON response format.

    • User info encrypted JWT response format.

    • User info signed JWT response format.

    • User info signed then encrypted response format.

    Token Introspection Response Format

    Specifies the format of the token introspection response. The possible values for this property are:

    • JSON response format

    • Signed JWT response format

    • Signed then encrypted JWT response format
    Signing and Encryption
    Field Description

    Public key selector

    Select the public key for this client, which comes from the JWKs_URI, manual JWKs, or X.509 field.

    JSON Web Key URI

    The URI that contains the client public keys in JSON web key format.

    JSON Web Key

    Raw JSON web key value containing the client public keys.

    ID Token Encryption Public Key

    Base64-encoded public key for encrypting ID tokens.

    Enable ID Token Encryption

    When enabled, encryption uses the algorithm that the ID token must be encrypted with. Default algorithm value is RSA1_5 (RSAES-PKCS1-V1_5).

  3. Click Save.

SAML 2.0

  1. On the Application Details page, configure the following fields:

    • Name: The name of the application.

    • Description: A description of the application.

    • Application Owners: The owners of the application.

    • App Logo URI: The URl of the location of the application logo.

  2. Click Create Application.

SAML 2.0 - Set up single sign-on

  1. Click the Sign On tab.

  2. Click Set Up SSO.

  3. If you have set up multiple domains, in the Select a domain drop-down field, select a domain to use for sign-on.

  4. Click Next.

  5. Follow the steps on the Set Up Single Sign-on page.

  6. Click Next.

  7. Click Save.

  8. To view IdP metadata for the application, click View IdP Metadata.

  9. To update the application provider metadata, click Update Metadata.

  10. To download a certificate, click Download Certificate.

  11. Review or copy the following credentials:

    Endpoints
    Field Description

    IDP-Initiated Login Endpoint

    The login endpoint initiated by the IDP.

  12. Review or edit the following:

    Settings
    Field Description

    Single Sign On URL

    The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.

    Audience URI (SP Entity ID)

    The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.

    Response

    Signed or Unsigned.

    Assertion Signature

    Signed or Unsigned.

  13. To set advanced settings, click Show advanced settings, and set or review the following:

    Field Description

    Name ID Format

    Identifies the SAML processing rules and constraints for the assertion’s subject statement. Use the default value of Unspecified unless the application explicitly requires a specific format.

    Assertion Encryption

    Encrypted or Unencrypted.

    Single Logout

    Enable to allow the application to initiate Single Logout. Then in the Single Logout URL field, enter the location where the logout response is sent.

    Attribute Statements (optional)

    Insert statements into the SAML assertions shared with your application. Set the Name, Name Format, and Value for each statement. Click the plus sign to add a new statement.

  14. Click Save.

Bookmark

You can now register a bookmark application, such as OneNote, Evernote, Google Bookmarks, or raindrop.io, to direct users to specific URLs. A bookmark application displays shortcut links on dashboards. When you click one of the links, the browser opens a new tab.

  1. On the Application Details page, configure the following fields:

    • Name: The name of the application.

    • Description: A description of the application.

    • Application Owners: The owners of the application.

    • URL: The sign-in URL for the application.

    • App Logo URI: The URl of the location of the application logo.

  2. Click Create Application.

Next step

Provision an application

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

On the Applications page, use the Provisioning tab to set up provisioning and configure the following:

  • Details about the application.

  • Properties in the target application.

  • Data in the target application.

  • Mappings from Advanced Identity Cloud admin UI to the target application.

  • Rules that specify the actions to take when certain reconciliation events occur.

  • Reconciliation to ensure data is synchronized between Advanced Identity Cloud admin UI and the target application.

  • Schedules to run reconciliation of accounts.

You must register an application before you can use the Provisioning tab. Afterward, you can use the Provisioning tab to create and manage connections to a target system like Salesforce.

The object type determines the side tabs that display on the Provisioning tab. Use the object type drop-down list to select an object type, such as Group. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

ui workforce provisioning
Provisioning tab Description Related sections

Details

View and manage an application, including name, ID, and native type.

N/A

Properties

View and manage properties for the selected object type.

Manage application attributes

Data

View data about the selected object type.

View user access data

Mapping

View and manage mappings from Advanced Identity Cloud admin UI properties to external system properties (outbound mappings) and from external system properties to Advanced Identity Cloud admin UI properties (inbound mappings).

Manage mappings

Reconciliation

Preview inbound mappings between external systems and Advanced Identity Cloud admin UI, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Reconcile and synchronize end-user accounts

Provision settings for an application

While the application templates contain the same basic settings, some applications have specific settings that you must configure in the Provisioning tab. The following section lists these provisioner settings.

For information about accessing built-in connectors through the IDM admin UI (native console), refer to Connectors.

Active Directory

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the Active Directory domain controller.

    Port

    The port for connecting to the Active Directory domain controller.

    Use SSL

    Enable to use SSL to connect to the Active Directory domain controller. The default value is true.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Active Directory users and groups

    The Base context for Active Directory users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is true.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is user.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is sAMAccountName.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is unicodePwd.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is false.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is true.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is uniqueMember.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is entryUUID.

  15. To only synchronize the modified properties on a target resource, select Exclude Unmodified.

  16. Click Connect.

  17. Verify the information in the Details tab.

Adobe Admin Console

Details

The Advanced Identity Cloud Adobe Admin Console application lets you manage users, groups, and user group memberships between Adobe Admin Console and Advanced Identity Cloud. This application requires an Adobe Admin Console administrator account and a properly configured Adobe Admin Console.

Adobe Admin Console requirements
The steps for configuring Adobe Admin Console should be used as an outline, as the specific options, menus, and features may have changed.

Before you can configure the Advanced Identity Cloud application, you must create and configure a project in Adobe Admin Console. You need an Adobe Admin Console developer account to complete this procedure:

  1. Create or log in to an Adobe Admin Console developer account.

  2. From the Adobe Developer Console, click the Projects tab, and then click Create new project.

    Show Me
    Create a project in the Adobe Developer Console

  3. On the Project Name page, click Add API.

    Show Me
    Adobe Developer Console, add API

  4. In the Add an API window, select User Management API, and click Next.

    Show Me
    Adobe Admin Console, Add User Management API

  5. In the Add Credential area, select OAuth Server-to-Server, enter a Credential name, and then click Save configured API.

    Show Me
    Add credential area of the Add an API flow

  6. On the Project Name > User Management API page, in the Connected credentials area, click the credential you just added (OAuth Server-to-Server).

    Show Me
    Adobe Developer Console, connected credentials

  7. From the Credential detail tab, make note of the following:

    • CLIENT ID

    • CLIENT SECRET

    • SCOPES

    • ORGANIZATION ID

    Show Me
    Adobe Developer Console, credentials tab

    Use these values when you configure provisioning for an Advanced Identity Cloud Adobe Admin Console application.

  1. Complete Adobe Admin Console requirements.

  2. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • If editing existing settings, in the Connection area, click Settings.

  3. Configure the following fields:

    Field Description

    Service URI

    The service endpoint URI.

    Organization ID

    Your organization’s unique ID. For example, 12345@AdobeOrg.

    Refer to Adobe Admin Console requirements for help locating this value.

    Token Endpoint

    The endpoint to query for a new access token.

    Client ID

    The client ID for OAuth 2.0 flow.

    Refer to Adobe Admin Console requirements for help locating this value.

    Client Secret (optional)

    The client secret for OAuth 2.0 flow.

    Refer to Adobe Admin Console requirements for help locating this value.

  4. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Scope (optional)

    The OAuth 2.0 scope(s) to use.

    Refer to Adobe Admin Console requirements for help locating this value.

    Group Read Rate Limit

    Defines throttling for group read operations either per second ("30/sec") or per minute ("100/min").

    User Read Rate Limit

    Defines throttling for user read operations either per second ("30/sec") or per minute ("100/min").

    Write Rate Limit

    Defines throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

  5. Click Connect.

  6. Verify the information in the Details tab.

AS400

AS400 is a mainframe on-premises computer and database that can store identity data. The AS400 application enables you to manage and synchronize users between AS400 and Advanced Identity Cloud. The application can only be a target application.

The following instructions assume you have access to an AS400 instance as an administrator.

Details

  1. Set up a remote connector server (RCS).

  2. Set up the AS400 connector with your RCS.

  3. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  4. Configure the following fields:

    Field Description

    Host Name

    Host name or IP address of AS400.

    User Name

    The username to log in to AS400.

    Password

    The password to log in to AS400.

    Use SSL?

    Enable to use SSL to connect to the AS400 application. The default value is false.

  5. Optionally, click Show advanced settings to set the following option:

    Option Description

    Maximum Connections (optional)

    The maximum number of connections.

    Maximum Lifetime (optional)

    The maximum time for an available connection to exist. The default value is 86400000 milliseconds.

    Maximum Inactivity (optional)

    The the maximum amount of inactive time before an available connection closes. The default value is 3600000 milliseconds.

    Maximum Use Time (optional)

    The maximum time a connection can be in use before it closes. The default value is -1 which indicates that there is no time limit.

    Maximum Use Count (optional)

    The maximum number of times a connection can be used before it is replaced in the pool. The default value is -1 which indicates that there is no limit.

    Is run Maintenance

    Indicates whether the maintenance thread is used to cleanup expired connections. The default is true.

    Is thread used

    Indicates whether threads are used in communication with the host servers and for running maintenance. The default is true.

    Cleanup Interval (optional)

    Specifies how often the maintenance daemon runs. The default value is 300000 milliseconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Atlassian Jira

The Advanced Identity Cloud Atlassian Jira application lets you manage and synchronize data between Advanced Identity Cloud and Atlassian Jira.

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim).

    SCIM Protocol Version

    Choose version 1 or version 2. The default is 1.

    Authentication Method

    The method for authenticating on the remote server: BASIC, OAUTH, or TOKEN. The default is TOKEN.

  3. Depending on the Authentication Method, configure the applicable fields:

    • BASIC

    • OAUTH

    • TOKEN

    Field Description

    User

    The username for SCIM.

    Password

    The password for SCIM.
    Field Description

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Scope

    The OAuth 2.0 scope to use.

    Grant Type

    The OAuth 2.0 grant type to use (client_credentials or refresh_token).

    Refresh Token

    Used by the refresh_token Grant Type.
    Field Description

    Auth Token

    The auth token for SCIM.

  4. Configure the HTTP connection pool:

    Field Description

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to true to disable it.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings
    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Read Schema

    Read/discover the schema from the Atlassian SCIM endpoint. If true (enabled), the application reads the schema from the server. If false (disabled), the application provides a default schema based on the object classes in the configuration. The default value is true (enabled).

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Azure AD

Details

This requires a Microsoft account and a Microsoft Azure application set up.

  1. Set up an Azure application.

  2. Click Certificates and Secrets > New Client Secret.

  3. Enter a description and choose an expiration date.

  4. Click Save.

  5. Copy your client secret.

  6. Click API Permissions.

  7. Select Add a permissions > MS Graph > Application Permissions.

  8. Use the search function to find and select the following 13 permissions:

    ui applications msgraphiap

  9. Click Add permissions.

  10. Click Grant admin consent for default directory.

  11. Copy the following values:

    • application (client) id

    • directory (tenant) id

    • client credentials/secret

  12. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  13. Configure the following fields:

    Field Description

    Tenant

    The Azure AD tenant name or id.

    Client ID

    The client ID the connector uses during the OAuth 2.0 flow.

    Client Secret

    The client secret the connector uses during the OAuth 2.0 flow.

    Read Rate Limit

    Define throttling for read operations either per second ("30/sec") or per minute ("100/min").

    Write Rate Limit

    Define throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

    Perform Hard Delete

    If true, the delete operation permanently deletes the Azure object.

    License Cache Expiry Time

    Defines the expiry time (in minutes) for cached license information; for example, service plan data. The default value is 60 minutes.

  14. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  15. Click Connect.

  16. Verify the information in the Details tab.

BeyondTrust

The Advanced Identity Cloud BeyondTrust application lets you manage and synchronize data from Advanced Identity Cloud to BeyondTrust. This application can only be a target application.

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim/v2).

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Scope

    The OAuth 2.0 scope to use.

    Grant Type

    The OAuth 2.0 grant type to use (client_credentials or refresh_token).

    Refresh Token

    Used by the refresh_token Grant Type.

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to true to disable it.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings
    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Read Schema

    Read/discover the schema from the BeyondTrust SCIM endpoint. If true (enabled), the application reads the schema from the server. If false (disabled), the application provides a default schema based on the object classes in the configuration. The default value is true (enabled).

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

CSV File

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Follow the steps on the Set up CSV modal.

  3. Click Next.

  4. Configure the following fields:

    Field Description

    CSV File

    The full file path to the CSV file that is the application data source. The path uses uses the file location format /opt/data/file.csv.

    UID Column

    The UID column name in the CSV file; the primary search key. The default value is uid.

    Password Column

    The password column name in the CSV file; the primary search key. The default is password.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Quote Character

    The default value is ".

    Field Delimiter

    The default value is '.

    Newline String

    The default value is /n.

    Space Replacement String

    The default value is _.

    Sync Retention Count

    The default value is 3.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Database Table

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    JDBC Connection Url

    The URl for the JDBC database address that contains the table that you are provisioning. The format of the url depends on the type of database. For example, jdbc:mysql://localhost:3306/contractordb?serverTimezone=UTC or jdbc:oracle:thin:@//localhost:3306/contractordb. The address includes the name of the database you are connecting to.

    JDBC Driver

    The class name of the driver you are using to connect to a database. The name varies depending on the type of database you are using, such as oracle.jdbc.OracleDriver or com.mysql.jdbc.Driver.

    Username

    The username sent to the JDBC driver to establish a connection.

    Password

    The password sent to the JDBC driver to establish a connection.

    Table

    The name of the table in the JDBC database that contains the user accounts. The default is TABLE_NAME.

    Key Column

    The column value that is the unique identifier for rows in the table. The default is KEY_COLUMN.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Validate resources and passwords

    Enable to validate resources and passwords. After enabling this option, in the Password Column field, enter the name of the column in the table that holds the password values.

    Activate Sync ICF Interface

    Enable to poll for synchronization events, which are native changes to target objects. After enabling this option, in the Change Log Column field, enter the change log column that stores the latest change time.

    Allow empty string

    Enable to allow empty strings instead of null values, except for OracleSQL.

    Quote Database Column Names

    Enable to place specific quote characters around column names in the SQL that is generated to access the database. After enabling this option, in the Quote Characters field, enter the characters to use for quotes.

    Rethrow All SQL Exceptions

    Enable to show SQL Exceptions with code = 0. The default value is true.

    Native Timestamps

    Enable to retrieve timestamp data.

    All Native

    Enable to retrieve in a database-native format.

    Validate Connection

    Enable to specify a SQL query used to validate connections. After enabling this option, in the Validation SQL Query (optional) field, enter the SQL query for validating connections.

    Validation Interval (ms)

    Enter the validation interval in milliseconds. The default value is 3000.

    Validation Connection Query Timeout (ms)

    Enter the validation connection query timeout in milliseconds. The default value is -1.

    Initial Pool size

    Enter the initial pool size. The default value is 10.

    Maximum Idle

    Enter the maximum idle time. The default value is 100.

    Minimum Idle

    Enter the minimum idle time. The default value is 10.

    Maximum Wait (ms)

    Enter the maximum wait time in milliseconds. The default value is 30000.

    Maximum Active

    Enter the maximum active time. The default value is 100.

    Maximum Age (ms)

    Enter the maximum age in milliseconds. The default value is 0.

    Minimum Evictable Idle Time (ms)

    Enter the minimum evictable idle time in milliseconds. The default value is 60000.

    Time Between Eviction Runs(ms)

    Enter the time between eviction checks in milliseconds. The default value is 5000.

    Test Connection When Idle

    Enable to test the connection when idle.

    Test Connection On Borrow

    Enable to test the connection on borrow.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Directory Services (DS)

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the Directory Services domain controller.

    Port

    The port for connecting to the Directory Services domain controller.

    Use SSL

    Enable to use SSL to connect to the Directory Services domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Directory Services users and groups

    The Base context for Directory Services users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is true.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is inetOrgPerson.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is uid.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is userPassword.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is false.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is false.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is uniqueMember.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is entryUUID.

  15. To only synchronize the modified properties on a target resource, select Exclude Unmodified.

  16. Click Connect.

  17. Verify the information in the Details tab.

DocuSign

Details

The Advanced Identity Cloud DocuSign application lets you manage DocuSign service accounts and synchronize DocuSign accounts and Advanced Identity Cloud identities.

You must have a DocuSign administrator account and be able to add an integrator key (DocuSign Documentation).

To modify the settings for an existing provisioning connection, in Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Settings.

  1. In DocuSign, set up a DocuSign app and integration key:

    1. Log in to DocuSign and go to Integrations > Apps and Keys.

    2. On the Apps and Keys page, in the My Account Information area, copy and save the following values:

      DocuSign field Advanced Identity Cloud application field

      API Account ID

      Account

      Account Base URI

      Service Endpoint URI
      Show Me
      DocuSign My Account Information

    3. Click Add App and Integration Key.

      Show Me
      DocuSign Add App and Integration Key button

    4. In the Add Integration Key modal, enter an App Name, and click Create App.

      Show Me
      DocuSign Add Integration Key modal

    5. On the Apps and Keys > App Name page, copy the Integration Key and save the value. Use this value as the Client Id in Advanced Identity Cloud.

      Show Me
      DocuSign Add Integration Key modal

    6. In the Authentication area, click + Add Secret Key, and copy and save the value. Use this value as the Client Secret in Advanced Identity Cloud.

      Show Me
      DocuSign Add Secret Key
    Keep DocuSign open, as you’ll need to add information during provisioning configuration.

  2. In Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Set up Provisioning.

  3. In the Configure DocuSign Connected App modal, copy the Redirect URI, and click Next.

    Show Me
    Configure DocuSign modal

  4. In DocuSign, in the Additional settings area, click Add URI, paste the redirect URI, and click Save.

    Show Me
    DocuSign Add URI

  5. Go to Integrations > API Usage Center, and from the API Limit area, make note of the following:

    • Hourly Limit

    • Burst Limit

      Show Me
      DocuSign API Limit

    Use these values in the Advanced Identity Cloud advanced settings.

  6. In Advanced Identity Cloud admin UI, configure the following fields:

    Field Description

    Service Endpoint URI

    The DocuSign Account Base URI.

    Account

    The DocuSign API Account ID.

    Client ID

    The client ID for OAuth 2.0 flow. The DocuSign Integration Key.

    Client Secret

    The client secret for OAuth 2.0 flow. The DocuSign Secret Key.

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

  7. Optionally, click Show advanced settings to set any of the following options:

    Field or option Description

    Use Basic Auth for Token Negotiation

    Select this option to send the client ID and client secret to DocuSign as authorization headers. If the option is not selected, the ID and secret are sent as form data.

    Hour Rate Limit

    The hourly rate limit for the DocuSign API. The DocuSign Hourly Limit.

    Burst Rate Limit

    The burst rate limit for the DocuSign API. The DocuSign Burst Limit.

    Disable Http Compression

    Content compression is enabled by default. Select this option to disable it.

    Debug/Test settings
    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  8. Click Connect.

  9. Verify the information in the Details tab.

Epic EMP

Details

  1. Set up a remote connector server (RCS).

  2. Install the Epic connector on your RCS.

  3. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  4. Configure the following fields:

    Field Description

    Client ID

    The client ID for OAuth 2.0 flow.

    Private Key

    The Epic private key in PKCS#8 format.

    User Name

    The Epic user name for the connection.

    Password

    The Epic password for the connection.

    Template File Path

    The user template file location.

    Sub-Template File Path

    The user sub-template file location.

    In Basket File Path

    The in basket classifications file location.

    Groups File Path

    The groups file location.

    Max Records (optional)

    The maximum records returned for each search operation.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Max Connections

    The maximum number of connections.

    Connection Timeout

    The connection timeout (in seconds).

    Token Validity

    The token validity period.

    Proxy Host

    The Proxy server host.

    Proxy Port

    The Proxy server port.

    Proxy Username

    The Proxy server login username.

    Proxy Password

    The Proxy server login password.

    REST API Endpoint

    The REST endpoint URL.

    SOAP API Endpoint

    The SOAP endpoint URL.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Google Workspace

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Find and copy the Authorized Redirect URI.

  3. Log in to Google Cloud Console.

  4. In the Credentials area of your project, enter the Authorized Redirect URI you copied in an earlier step.

  5. Save your work.

  6. Return to Advanced Identity Cloud admin UI.

  7. On the Provisioning tab, set the Client ID and Client Secret.

  8. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  9. Click Connect.

  10. When you are redirected to Google, log in using your admin credentials.

  11. On the next screen, click Allow. You are then redirected back to Advanced Identity Cloud admin UI.

  12. Verify the information in the Details tab.

LDAP

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the LDAP domain controller.

    Port

    The port for connecting to the LDAP domain controller.

    Use SSL

    Enable to use SSL to connect to the LDAP domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for LDAP users and groups

    The Base context for LDAP users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is false.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is inetOrgPerson.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is uid.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is userPassword.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is true.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is false.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is uniqueMember.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is entryUUID.

  15. To only synchronize the modified properties on a target resource, select Exclude Unmodified.

  16. Click Connect.

  17. Verify the information in the Details tab.

Oracle E-Business Suite (EBS)

The Advanced Identity Cloud Oracle E-Business Suite (EBS) application lets you manage and synchronize accounts between EBS and Advanced Identity Cloud.

Details

  1. Set up a remote connector server (RCS).

  2. The EBS connector is bundled with RCS, but you must download the JDBC driver. For more information, refer to Install the EBS connector.

  3. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  4. Configure the following fields:

    Field Description

    EBS Database URL

    The Oracle EBS database connection URL.

    EBS Database User

    The Oracle EBS user.

    EBS Database User Password

    The Oracle EBS user password.

    JDBC Driver (optional)

    The fully qualified Java class name of the JDBC driver to use.

  5. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

PingOne

Details

The Advanced Identity Cloud PingOne application lets you manage and synchronize data between PingOne and Advanced Identity Cloud. Configuration requires a PingOne administrator account and a properly configured PingOne environment.

PingOne requirements

Before you can configure the Advanced Identity Cloud application, you must register an application in PingOne. You need a PingOne environment to complete this procedure:

  1. In your PingOne environment, create a new application:

    1. From the menu, expand the Applications node, and click Applications.

    2. On the Applications page, click the add button.

    3. In the Add Application window, enter the necessary details, select the Worker application type, and click Save.

    Show Me
    Create an application in PingOne

  2. In the Application Name window, enable the application.

    Show Me
    Enable the application in PingOne

  3. On the Roles tab, click Grant Roles.

  4. On the Available Responsibilities tab, expand the Identity Data Admin node, select the applicable environment, and click Save.

    Show Me
    Add PingOne application role

  5. Click the Configuration tab, and make note of the following:

    • URLs > Token Endpoint

    • General > Client ID

    • General > Client Secret

    • General > Environment ID

    Use these values when you configure provisioning for an Advanced Identity Cloud PingOne application.

  1. Complete PingOne requirements.

  2. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • If editing existing settings, in the Connection area, click Settings.

  3. Configure the following fields:

    Field Description

    Service Uri

    The service endpoint URI.

    Token Endpoint

    The OAuth 2.0 access token endpoint.

    Environment Id

    The environment identifier for your PingOne environment.

    Client Id

    The client ID for OAuth 2.0 flow.

    Client Secret

    The client secret for OAuth 2.0 flow.

    Grant Type

    The OAuth 2.0 grant type to use (client_credentials or refresh_token).

  4. To use Basic Auth to send the Client Id and Client Secret to PingOne as authorization headers, select Use Basic Auth For OAuth Token Neg. If the option is not selected, the Id and Secret will be sent as form data.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

PowerShell

You can use the PowerShell Connector Toolkit to create connectors that can provision any Microsoft system, including but not limited to Active Directory, Microsoft SQL, MS Exchange, SharePoint, Office365, and Azure. Any task performed with PowerShell can be executed through connectors based on this toolkit.

The PowerShell Connector Toolkit lets you develop connectors in PowerShell that address the requirements of your Microsoft Windows ecosystem. The framework is included with the .NET RCS server. Note that the framework itself is not a connector.

The Powershell Connector toolkit is built-in to the .NET RCS server.

Connectors created with the PowerShell Connector Toolkit run on the .NET platform and require the installation of a .NET connector server on the Windows system. To install the .NET connector server, refer to Sync identities.

The PowerShell connector combines a command-line shell and scripting language, built on the .NET Framework. For more information, refer to PowerShell Documentation.
Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Active Directory Host

    The host name or IP address of the Active Directory server.

    Active Directory Port

    The port number on which the remote resource listens for connections.

    Login

    The user account in the remote resource that is used for the connection.

    Password

    The password of the user account that is used for the connection

    Authenticate Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-authenticate.html[ICF authenticate operation]. The ICF authenticate operation lets an application authenticate an object on the target system, usually with a unique identifier (username) and a password.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Create Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets an application create objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Delete Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets an application delete objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Schema Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets an application describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Search Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets an application search for objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Sync Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-sync.html[ICF sync operation]. The ICF sync operation lets an application poll the target system for synchronization events created by changes to target objects.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Test Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets an application test the connector configuration against the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Update Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets an application update (modify or replace) objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    UID attribute name

    The attribute on the resource that contains the object UID.

    NAME attribute name

    The attribute on the resource that contains the object NAME.

    Substitute UID and NAME in query filter

    Enable if the UID and NAME should be replaced by the value defined in the NameAttributeName and UidAttributeName in the query filter.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Variables Prefix

    To avoid variable namespace conflicts, define a prefix for script variables. All variables are injected into the script under that prefix and can be used with the dotted notation.

    The default value is Connector.

    Query Filter Type

    To define the format used when injecting the query into the connector, set a query filter type by clicking one of the following:

    • Map - The query filter is a map.

    • Ldap - The query filter is in LDAP search format, for example, (cn=Joe).

    • Native - The query filter is a native OpenICF query filter.

    • AdPsModule - The query filter is compatible with the Active Directory PowerShell module, Get-ADUser Filter.

    Reload script on execution

    To reload the script from disk every time the connector executes the script, enable this setting.

    This can be useful for debugging. In production, disable this setting.

    Use Interpreter’s Pool

    To leverage the PowerShell RunSpace Pool, enable this setting.

    Min interpreter pool size

    The minimum size of the interpreter pool. The default value is 1.

    Max interpreter pool size

    The maximum size of the interpreter pool. The default value is 5.

    Pool cleanup interval

    To specify the interval (in minutes) to discard unused interpreter instances. To avoid cleaning up unused interpreter instances, set this property to 0. The default value is 60.

    PS Modules to Import

    An array of additional PowerShell modules that must be imported

    Custom Properties

    An array of Strings that define custom configuration properties. Each property uses the format name=value.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Salesforce or Salesforce Community User

You can use a Salesforce application template or a Salesforce Community User application template to provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.

Details

  1. In Advanced Identity Cloud admin UI, go to the Provisioning tab.

  2. On the Provisioning tab, click Set up Provisioning.

  3. In the Callback URI field, copy the callback URI.

  4. In another browser, log in to Salesforce.

  5. In platform tools, go to the app manager.

  6. Create a new connected app button.

  7. Configure the following settings:

    • Connected App Name

    • API Name

    • Contact email

    • Custom

  8. (Custom environment only) Enter the Login URL for the application.

  9. Enter the Consumer Key.

  10. Enter the Consumer Secret.

  11. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  12. Click Connect. You are redirected to Salesforce.

  13. Log in to Salesforce. You are redirected to Advanced Identity Cloud.

  14. Verify the information in the Details tab.

SAP SuccessFactors Account or SAP SuccessFactors HR

The SAP SuccessFactors connectors let you synchronize SAP SuccessFactors users with Advanced Identity Cloud admin UI users.

Details

  • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

  • When editing existing settings in the Connection area, click Settings.

    1. Configure the following fields:

      Field Description

      Host

      The hostname or IP address for your SuccessFactors application.

      Client ID

      The client ID for your SuccessFactors application.

      User ID

      The user ID for your SuccessFactors application.

      Private Key

      The private key which is used for signing JWT.

      Company Id

      The company ID as present in the target application.

    2. Optionally, click Show advanced settings to set any of the following options:

      Field Description

      Person Segments

      Enable to retrieve data based on person segments.

      Page Size

      The page size for the search operation.

      Maximum Connections

      The maximum allowed timeout for the connection (in seconds).

      Connection Timeout

      The connection timeout for the connection (in seconds).

      Use Proxy

      Enable to use a proxy server to connect to your SuccessFactors application.

      After you enable this option, set the following fields:

      • HTTP Proxy Host Name: The host name of the HTTP Proxy server.

      • HTTP Proxy Port: The port of the HTTP Proxy server.

      • HTTP Proxy Username: The username for logging into the HTTP Proxy server.

      • HTTP Proxy Password: The password for logging into the HTTP Proxy server.

      Exclude Unmodified

      Select this option to synchronize only the modified properties on a target resource.

    3. Click Connect.

    4. Verify the information in the Details tab.

SAP User Management

The SAP User Management connector lets you synchronize users from Advanced Identity Cloud to SAP user accounts. This application can only be a target application.

Details

  1. Set up a remote connector server (RCS).

  2. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  3. Configure the following fields:

    Field/Option Description

    SAP Application Server FQDN

    The FQDN of your SAP Application Server. For example, sap.example.com.

    SAP Gateway Host

    The SAP gateway host name.

    SAP Gateway Server

    The SAP gateway server.

    SAP User

    The SAP Logon user.

    Password

    The SAP Logon password.

    SAP Client

    The SAP client.

    SAP System Number

    The SAP system number.

    SAP System Language

    The language of the remote SAP system.

    SAP Router

    The IP address, port, and optional password of the SAP router, if applicable. The syntax is /H/host/S/port/W/optionalPassword. For example:

    /H/203.0.113.0/S/3299/W/48npb_hg815.77rr62.hdj

    CUA

    Whether to enable SAP Central User Administration (CUA).

  4. Optionally, click Show advanced settings to set any of the following options:

    Field/Option Description

    Destination

    SAP JCo destination name.

    Direct Connection

    If selected, use a direct connection to an SAP ABAP Application server or SAP router. If cleared, use a connection to a group of SAP instances through a SAP message server.

    Target Directory

    The directory to write classes.

    Warning Level

    The compiler warning level.

    Disabled Global AST Transformations

    A list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    SourceEncoding

    The encoding for source files.

    X509 Certificate

    The X509 certificate to supply for authentication.

    Trace

    Whether to enable RFC trace.

    CPIC Trace

    Whether to enable CPIC trace. Possible values are 0-3.

    SAP Message Server Host

    The message server host.

    Group

    The group name of the application servers. Used when you log in to a logon group that uses load balancing.

    Message Server Service

    The message server service name.

    R3 Name

    The name of the SAP system used when you log in to a logon group that uses load balancing.

    SNC Mode

    Flag used to activate SNC (Secure Network Connection). Possible values are 0 (OFF) and 1 (ON).

    SNC QoP

    The connection security level to use. Possible values are:

    1

    Authentication only
    2

    Integrity protection
    3

    Privacy protection
    8

    Use the application server value snc/data_protection/use
    9

    Use the application server value snc/data_protection/max

    SNC Library

    The external library path for the Secure Network Connection service. The default is the system-defined library as defined in the environment variable SNC_LIB.

    SNC Partner Name

    The application server ABAP SNC name. For example, "p:CN=ABC, O=MyCompany, C=US". You can find the name in the profile parameter snc/identity/as on the AS ABAP.

    SNC Name

    The connector SNC name. For example, "p:CN=OpenIDM, O=MyCompany, C=US". This parameter is optional, but set it to make sure that the correct SNC name is used for the connection.

    SNC SSO

    Whether the connection should be configured for single sign-on (SSO). Possible values are 0 (OFF) and 1 (ON).

    Pool Capacity

    The maximum number of idle connections kept open by the destination. If there is no connection pooling, set this to 0. The default value is 1.

    For optimum performance, set this value to an integer between 5 and 10.

    Expiration time

    After this time (in milliseconds) has elapsed, the system closes the free connection. The default value is 60000.

    Max Get time

    If the pool has allocated the maximum allowed number of connections, the maximum time (in milliseconds) to wait for a connection.

    Peak Limit

    The maximum number of active connections that can be created for a destination simultaneously. The value 0 is unlimited.

    Expiration Period

    After this time (in milliseconds) has elapsed, the destination checks released connections for expiration.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  5. Click Connect.

  6. Verify the information in the Details tab.

SCIM

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim).

    SCIM Protocol Version

    Choose version 1 or version 2. The default is 1.

    Authentication Method

    The method for authenticating on the remote server: BASIC, OAUTH, or TOKEN. The default is OAUTH.

  3. If you chose OAUTH, fill in the following fields:

    Field Description

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Scope

    The OAuth 2.0 scope to use.

    Grant Type

    The OAuth 2.0 grant type to use.

  4. If you chose BASIC, configure the following fields:

    Field Description

    User

    The username for SCIM.

    Password

    The password for SCIM.

  5. If you chose TOKEN, configure the following fields:

    Field Description

    Auth Token

    The auth token for SCIM.

  6. Fill out the following fields:

    Field Description

    Use TLS Mutual Authentication

    Select to use TLS Mutual Authentication.

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  7. If you selected Use TLS Mutual Authentication, configure the following fields:

    Field Description

    Client Certificate Alias

    The client certificate alias.

    Client Certificate Password

    The client certificate password.

  8. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to true to disable it.

    Use an HTTP Proxy

    Select to use an HTTP proxy.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings
    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Read Schema

    Read/discover the schema from the SCIM endpoint. The default value is true.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  9. Click Connect.

  10. Verify the information in the Details tab.

Scripted Groovy

The generic Groovy Connector Toolkit runs a Groovy script for any operation, such as search, update, create, and others, on any external resource. The Groovy Connector Toolkit is not a complete connector in the traditional sense. Rather, it is a framework you use to write your own Groovy scripts to address the requirements of your implementation. For more information, refer to Groovy Connector Toolkit.

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Script Base Class

    Base class name for scripts (must derive from Script).

    Script Roots

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

    Custom Sensitive Configuration

    Custom Sensitive Configuration script for Groovy ConfigSlurper.

    Schema Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    Test Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets a connector test the connector configuration against the target system.

    Create Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Authenticate Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-authenticate.html[ICF authenticate operation]. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Delete Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets a connector delete objects on the target system.

    Resolve Username Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-resolve-username.html[ICF resolve username operation]. The ICF resolve username operation lets a connector resolve an object to its UID, based on its username.

    Search Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets a connector search for objects on the target system.

    Customizer Script

    The name of the file that lets you customize the Apache HTTP client connection pool, proxy, default headers, timeouts, and so on.

    Target Directory

    Directory into which to write classes.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Warning Level

    The warning level of the compiler. If not set, the default value is 1.

    Min. Recompilation Interval

    Sets the minimum amount of time after a script can be recompiled. If not set, the default value is 100.

    Custom Configuration

    Custom Configuration script for Groovy ConfigSlurper.

    Tolerance

    The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. If not set, the default value is 10.

    Debug

    If true, debugging code should be activated.

    Classpath

    The classpath for use during compilation.

    Disabled Global AST Transformations

    Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    Verbose

    If true, the compiler should produce action information.

    Source Encoding

    The encoding for source files. If not set, the default value is UTF-8.

    Recompile Groovy Source

    If set to true, recompilation is enabled.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Scripted REST

The Scripted REST connector is an implementation of the Scripted Groovy Connector Toolkit. It uses Groovy scripts to interact with any REST API. This connector type lets you develop a fully functional REST-based connector for in-house or cloud-based application. For more information, refer to Scripted REST connector.

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Service Address

    The service URI (example: http://myservice.com/api).

    Proxy Address

    The optional Proxy server URI (example: http://myproxy:8080).

    Username

    The remote user to authenticate with.

    Password

    The password to authenticate with.

    Default Content Type

    The default HTTP request content type. One of TEXT, XML, HTML, URLENC, BINARY, or JSON. If not set, the default value is JSON.

    Default Request Headers

    Placeholder for default HTTP request headers.

    Default Authentication Method

    The default authentication method for the connection. Specify BASIC or OAUTH. If not set, the default value is BASIC.

    If Default Authentication Method is set to OAUTH, configure the following fields:

    • Token Endpoint: When using OAuth 2.0, this property defines the endpoint where a new access token should be queried for (https://myserver.com/oauth2/token).

    • Client ID: The secure client identifier for OAuth 2.0.

    • Client Secret: The secure client secret for OAuth 2.0.

    • Refresh Token: The refresh token used to renew the access token for the refresh_token grant type.

    • Scopes: The optional scopes to use for OAuth 2.0.

    Grant Type

    The grant type to use. Specify CLIENT_CREDENTIALS, REFRESH_TOKEN, or AUTHORIZATION_CODE. If not set, the default value is CLIENT_CREDENTIALS.

    Custom Sensitive Configuration

    Custom Sensitive Configuration script for Groovy ConfigSlurper.

    Custom Configuration

    Custom Configuration script for Groovy ConfigSlurper.

    Script Roots

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

    Authenticate Script

    The name of a connector file that uses a custom REST request to implement the ICF authenticate operation. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Create Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Delete Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets a connector delete objects on the target system.

    Search Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets a connector search for objects on the target system.

    Test Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets a connector test the connector configuration against the target system.

    Sync Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-sync.html[ICF sync operation]. The ICF sync operation lets a connector poll the target system for synchronization events created by changes to target objects.

    Schema Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports for each object type.

    Resolve Username Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-resolve-username.html[ICF resolve username operation]. The ICF resolve username operation lets a connector resolve an object to its UID, based on its username.

    Script On Resource

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-script-on-resource.html[ICF script on resource operation]. The ICF script on resource operation lets a connector runs a script directly on the target resource.

    Customizer Script

    The name of the file that lets you customize the Apache HTTP client connection pool, proxy, default headers, timeouts, and so on.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Target Directory

    Directory into which to write classes.

    Warning Level

    The warning level of the compiler. If not set, the default value is 1.

    Recompilation Interval

    Sets the minimum of time after a script can be recompiled. If not set, the default value is 100.

    Script Base Class

    Base class name for scripts (must derive from Script).

    Tolerance

    The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. If not set, the default value is 10.

    Debug

    If true, debugging code should be activated.

    Classpath

    The classpath for use during compilation.

    Disabled Global AST Transformations

    Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    Verbose

    If true, the compiler should produce action information.

    Source Encoding

    The encoding for source files. If not set, the default value is UTF-8.

    Recompile Groovy Source

    If set to true, recompilation is enabled.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Scripted Table

The Scripted SQL connector is an implementation of the Scripted Groovy Connector Toolkit. This connector lets you use Groovy scripts to interact with any SQL database. To use this connector, you must write a Groovy script for each operation that you want the connector to perform (create, read, update, delete, authenticate, and so on). For more information, refer to Scripted SQL connector.

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    User

    The connection username sent to the JDBC driver to establish a connection.

    Password

    The connection password sent to the JDBC driver to establish a connection.

    JDBC URL

    The URL for the JDBC driver.

    JDBC Driver

    The class name of the driver you are using to connect.

    Create Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Delete Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets a connector delete objects on the target system.

    Search Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets a connector search for objects on the target system.

    Authenticate Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-authenticate.html[ICF authenticate operation]. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Schema Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    Sync Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-sync.html[ICF sync operation]. The ICF sync operation lets a connector poll the target system for synchronization events created by changes to target objects.

    Test Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets a connector test the connector configuration against the target system.

    Script Root(s)

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Validation Query

    The SQL query used to validate connections from this pool before returning them to the caller. If specified, this query does not have to return any data, it just can’t throw a SQLException. The default value is null. Example values are:

    • SELECT 1 (mysql)

    • select 1 from dual (oracle)

    • SELECT 1 (MS Sql Server)

    Validation Interval

    To avoid excess validation, only run validation at most at this frequency - time in milliseconds. If a connection is due for validation, but has been validated previously within this interval, it will not be validated again. The default value is 30000 (30 seconds).

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

ServiceNow

Before you configure ServiceNow, refer to the Before you start section in ServiceNow connector.

Details

  1. In ServiceNow, create an OAuth API endpoint for external clients.

  2. Note your instance url, username, and password.

  3. After auto-generating your secret, copy the client id and client secret.

  4. In the connector configuration, you must include a ServiceNow user who has admin and rest_api_explorer roles.

    If you don’t want to assign the admin role to the ServiceNow user, you must ensure that the user has access to the following tables:

    • sys_user_has_role

    • sys_user_grmember

    • sys_user_delegate

    • sys_user_role

    • sys_user_group

    • core_company

    • cmn_department

    • cmn_cost_center

    • cmn_location

  5. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  6. Configure the following settings:

    Field Description

    ServiceNow instance

    URL of the ServiceNow instance. For example, dev00000.service-now.com

    Username

    An API user in ServiceNow that can consume the REST API.

    Password

    Password for the end user.

    Client ID

    Client ID of the OAuth 2.0 application in ServiceNow.

    Client Secret

    Client Secret for the preceding Client ID.

  7. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  8. Click Connect.

  9. Verify the information in the Details tab.

Webex

Details

The Advanced Identity Cloud Webex application lets you manage and synchronize data between Webex Control Hub and Advanced Identity Cloud. A Webex administrator account is required.

To modify the settings for an existing provisioning connection, in Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Settings.

  1. In Webex, set up a Webex integration application:

    1. Create a Webex developer account.

    2. Create an integration application and add the required scopes to manage users, groups, licenses, and roles. Minimum required scopes:

      • spark-admin:people_write

      • spark-admin:people_read

      • spark-admin:licenses_read

      • spark-admin:roles_read

      • identity:groups_rw

      • identity:groups_read

    3. Save the client secret and client ID.

      Keep your Webex integration application window open, as you’ll need to add information during provisioning configuration.

  2. In Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Set up Provisioning.

  3. In the Configure Webex App modal, copy the Redirect URI, and click Next.

    Show Me
    Configure Webex modal

  4. In Webex, in your Webex integration application Redirect URI(s) area, paste the redirect URI, and click Save.

    Show Me
    Webex integration app redirect URI

  5. In Advanced Identity Cloud admin UI, configure the following fields:

    Field Description

    Client ID

    The client ID for OAuth 2.0 flow.

    Client Secret

    The client secret for OAuth 2.0 flow.

    Service URI

    The service endpoint URI.

    Token Endpoint

    The OAuth 2.0 access token endpoint.

  6. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  7. Click Connect.

  8. Verify the information in the Details tab.

Workday

Details

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Make sure you have the requirements mentioned on the Connect to Workday page.

  3. Click Next.

  4. Configure the following fields:

    Field Description

    Workday Host Name

    The hostname of the Workday instance. For example, example.workday.net.

    Workday Tenant Name

    The Workday tenant that you are connecting to.

    Username

    The username for connecting to the Workday tenant.

    Password

    The password for connecting to the Workday tenant.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Enforce Connection Timeout

    Enable to set the timeout (in seconds) the application waits for a request to be sent to the Workday instance. After you enable this option, enter a value in the Connection Timeout (seconds) field.

    Enforce Receive Timeout

    Enable to set the timeout (in seconds) the application waits for a response from the Workday instance. After you enable this option, enter a value in the Receive Timeout (seconds) field.

    Use Proxy

    Enable to use an HTTP proxy server to connect to Workday. After you enable this option, set the following fields:

    • Proxy Host Name: The hostname for the proxy.

    • Proxy Port: The port for the proxy.

    Set Effective Date

    Enable to set an effective date or a duration during which access to Workday is granted. After you enable this option, set the Effective Date field. Valid values for the Effective Date field are X-Path function, XML Schema, or Duration. If set to Duration, the effective date is the current date + duration.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Manage application attributes

Properties are the application attributes that Advanced Identity Cloud creates automatically. You can use the Properties tab to view and modify the properties of an account object or group/organization identity that can access your application.

The tab displays the name, identity type, and other information such as multivalued or required, for a property.

Add or edit a property

  1. On the Properties tab, do one of the following:

    • To add a new property, click Add a Property.

    • To edit a property, double-click a property.

  2. In the Name drop-down field, select a property.

  3. In the Type drop-down field, select a property type.

  4. Set one or more of the following options:

    Field Description

    Multi-valued

    Make the property a multi-value property.

    Required

    Make the property a required property.

    User-specific

    Make the property specific to individual users and not roles. If you don’t check this option, the property appears in the role’s relationship page when you add a role to an application.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Creatable

    Make the property creatable.

    Readable

    Make the property readable. Required for the property to appear in the Users & Roles tab.

    Updatable

    Make the property updatable.

    Returned by default

    Set the property to be returned by default. Requires the Readable option to be checked.

    Enumerated Values

    A list of allowed values that constrain the values you can set for the property. Supported for string and array type properties.

    To define a list of values for this property:

    1. Beside the Values field, click the plus sign.

    2. In the text field, enter the unique identifier for the value.

    3. In the value field, enter the display text for the value.

    4. To add another value, click the plus sign, and repeat steps 2 and 3 above.

    5. To delete a value, click the negative sign beside a value.

  6. Click Save.

Set a property as user-specific

You can set a property to be for a specific user.

  1. On the Properties tab, click a property.

  2. Enable User-specific.

  3. Click Save.

Set the display order of a property

When you add a new user or role, you specify properties for the identity. You can set the display order of the properties.

  1. In the Provisioning page, under the application name and logo, click the drop-down arrow and select a user or role. For example, select User.

  2. On the Properties tab, to set the order of a property, drag and drop a property up or down to the desired location.

  3. To verify your changes, add a new user or role. For example, on the Users & Roles tab, select Users, and click + Assign Users.

  4. The modal should display the properties in the order that you set.

Delete a property

  1. On the Properties tab, to the right of the property, click the ellipsis (...).

  2. Click Delete.

You cannot undo the delete action.

View user access data

After you successfully connect to the target application, review the Data tab to verify the users and groups/organizations that have access to the application.

Customize columns

  1. In the upper right corner of the Data page, click the horizontal ladder icon.

  2. Select the column types to display.

  3. Click Apply.

End-user data sharing

Users who have accounts in target applications can share their data with other applications. After a preference to share data with other applications has been configured, data from the target applications is synchronized with Advanced Identity Cloud.

Configure end-user data sharing and synchronization

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click the Privacy & Consent tab.

  2. To let end users prevent sharing of their personal data, under Consent-based Provisioning, click Activate.

  3. To only share the data of users that have set sharing preferences:

    1. In Advanced Identity Cloud admin UI, go to Hosted Pages and select Realm Default theme.

    2. Go to Account Pages and select Layout.

    3. Check the Consent option.

    4. Click Save. The end-user profile page now displays the Personal Data Sharing option.

    5. In Advanced Identity Cloud admin UI, on the Provisioning tab, click the Privacy & Consent tab.

    6. Under Preference-based Provisioning, choose one or more preferences. These are the preferences you set up for users.

Manage mappings

The Mapping tab lets you create identity object and attribute mappings between Advanced Identity Cloud and an external system application. You define mappings between a source and a target. The definition of source and target depend on the type of mapping:

Outbound mapping

Provision user attributes from Advanced Identity Cloud (source) to an external target application (target).

Inbound mapping

Reconcile user attributes from an external authoritative application (source) to Advanced Identity Cloud (target).

To avoid inconsistencies between systems, don’t update mappings while a provisioning or reconciliation is in progress.

Create or edit a mapping

  1. In the Advanced Identity Cloud admin UI, go to Applications, then select your application, then click the Provisioning tab.

  2. In the left navigation panel, click the Mapping tab.

    • If displayed, click Outbound (shown if your application is connected to external target application).

      1. Choose one of the following:

        • To create an outbound mapping:

          1. Click + Add a property to open a mapping configuration modal.

          2. In the drop-down list of targets, select an attribute to update in the external target application.

          3. Click Next.

        • To edit an outbound mapping:

          1. Click a mapping to open its mapping configuration modal.

      2. In the drop-down list of sources, select an Advanced Identity Cloud attribute to provide a source value. This step is optional if you intend to apply a transformation script and/or a default value.

    • If displayed, click Inbound (shown if your application is connected to an external authoritative application).

      1. Choose one of the following:

        • To create an inbound mapping:

          1. Click + Add a property to open a mapping configuration modal.

          2. In the drop-down list of targets, select an Advanced Identity Cloud attribute to update.

          3. Click Next.

        • To edit an inbound mapping:

          1. Click a mapping to open its mapping configuration modal.

      2. In the drop-down list of sources, select an attribute from the external authoritative application to provide a source value. This step is optional if you intend to apply a transformation script and/or a default value.

  3. (Optional) Apply a transformation script to the mapping.

  4. (Optional) Apply a conditional update to the mapping.

  5. (Optional) Apply a default value to the mapping.

  6. Click Save to save the mapping and close the mapping configuration modal.

Apply a transformation script to a mapping

You can apply a transformation script to a mapping to compute a target value using a combination of source values and string manipulations. For example, you may want to combine first name and last name attributes into a single name attribute.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Check Apply transformation script.

    2. Insert your transformation script into the Transformation Script editor. Refer to these examples:

    3. (Optional) To use custom global variables in the script, refer to Define custom global variables for a script.

    4. Click Save to save the mapping and close the mapping configuration modal.

Source object behavior

The source object in a transformation script changes depending on what you select from the drop-down list of sources:

  • If you select a source attribute, such as source.name, the source object represents just that attribute. For example, to access name.familyName you would reference source.familyName.

  • If you don’t select a source attribute, the source object represents the entire identity object and its attributes. For example, to access name.familyName you would reference source.name.familyName.

Transformation script example 1
source.name ? source.name.familyName : null ;

In this example, the script checks if a value exists for source.name. If it does, we know source.name is an object and familyName is one of the attributes on that object, so the script sets the field with the value of source.name.familyName. Otherwise, the script sets this field to null.

Transformation script example 2
source.givenName + ' ' + source.sn ;

In this example, the script sets the field to a combination of the given name and surname, with a space in the middle; for example, "Jane Fergus".

Transformation script example 3a
source.active ? 'active' : 'inactive';

In this example, the script checks if the source.active property has any value set. If true, the script sets this field to the string active. Otherwise, the script sets the field to inactive.

Transformation script example 3b

You can configure the previous script slightly differently if you prefer (as described in Source object behavior). If you select source.active from the drop-down list of sources, source.active is represented as source in the transformation script. So the transformation script would be:

source ? 'active' : 'inactive';

Apply a conditional update to a mapping

You can apply a conditional update to a mapping so that the target attribute is only updated when certain conditions evaluate to true.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Click Show advanced settings.

    2. Check Apply conditional update.

    3. Choose one of the following ways to conditionally update the attribute:

      • To use filter fields:

        1. Make sure Filter is selected.

        2. Use the fields to set the conditions that must occur to update the attribute.

          For example, if you want to update the attribute only for users in the United States, select "Country" from the list of attributes, select "is" from the list of operators, and enter "United States" in the open text field:

          mapping conditional update filter fields

      • To use a filter query:

        1. Make sure Filter is selected.

        2. Click Advanced Editor.

          If you build a filter with the filter fields, it is automatically populated as a query filter in the advanced editor.

        3. In the editor, edit the query filter.

          For example, if you want to update the attribute only for users in the United States, enter /object/country eq "United States":

          mapping conditional update filter query

      • To use a script:

        1. Click Script.

        2. In the Conditional Update Script field, modify the script that defines the condition.

          For example, if you want to update the attribute only for users in the United States, enter object.country == "United States":

          mapping conditional update script

        3. (Optional) To use custom global variables in the script, refer to Define custom global variables for a script.

    4. Click Save to save the mapping and close the mapping configuration modal.

Apply a default value to a mapping

You can apply a default value to a mapping. The default value is applied to a target attribute if the result of a mapping (including after any transformation script or conditional update) is a value of null.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Click Show advanced settings.

    2. Check Apply a default if value is null.

    3. Insert your default value into the editor.

    4. Click Save to save the mapping and close the mapping configuration modal window.

Define custom global variables for a script

  1. In the Transformation Script field or the Conditional Update Script field, click + Add Variables.

  2. To specify the variables in a JSON format, check the JSON toggle.

  3. To give the variable a name, enter a name in the Name field.

  4. To give the variable a value, enter a value in the Value field.

  5. To add more global variables for your script, click the plus sign and repeat the previous two steps.

  6. Click Save.

Preview an outbound mapping

Previewing provides an example of how user mapping appears from source to target.

  1. In the left navigation panel, click the Mapping tab, then click Outbound.

  2. Click Preview.

  3. In the drop-down list, choose an end user to preview. The page displays a preview of the target object that will be created when provisioning.

  4. Click Done.

Delete a mapping

  1. In the Advanced Identity Cloud admin UI, go to Applications, then select your application, then click the Provisioning tab.

  2. In the left navigation panel, click the Mapping tab.

    • If displayed, click Outbound (shown if your application is connected to external target application).

    • If displayed, click Inbound (shown if your application is connected to an external authoritative application).

  3. Click a mapping.

  4. Find the mapping you want to delete and click its ellipsis icon (more_horiz), then click Delete.

  5. In the Delete Mapping? modal, click Delete.

Reconcile and synchronize end-user accounts

A reconciliation operation involves a target system (the system with user account updates) and Advanced Identity Cloud admin UI (the system that receives the updates). For example, a Salesforce application and Advanced Identity Cloud admin UI. Mappings define the relationship between the target system and Advanced Identity Cloud admin UI.

The goal of reconciliation is to ensure synchronization and consistency between Advanced Identity Cloud admin UI and the external system application. Reconciliation uses the details you define in the Mappings tab to determine how to map and update properties.

Running reconciliation syncs end-user account changes (New accounts, updated accounts, deleted accounts) and user-associated non-account objects (like Groups) from an authoritative application to Advanced Identity Cloud. This is for an inbound mapping.

The Reconciliation tab prepares an application to run reconciliation jobs; however, to schedule full and incremental reconciliation, go to the Reconciliation > Reconcile > Schedules tab.

Preview associations

To discern how your data reconciles between an external system and Advanced Identity Cloud admin UI, you can preview associations before you run reconciliation.

On the Reconciliation > Reconcile tab, click Preview Associations.

Synchronize an identity

You can synchronize an identity in Advanced Identity Cloud with an identity that exists in a target system. To achieve this, Advanced Identity Cloud models the identity in the target system and makes it available for mapping as a series of objects and properties:

Account object

The account object represents the user entity in the target system. Examples of account object properties are name and email.

For example, in a Salesforce application, the account.email object property is mapped to mail in the Advanced Identity Cloud user identity.

Non-account object

Non-account objects represent entities linked to the user entity in the target system. Examples of non-account objects are roles, groups, departments, permissions, and licenses.

For example, in a Salesforce application, the group object property is mapped to the GroupIds field in the Advanced Identity Cloud user identity.

Each templated application in Advanced Identity Cloud contains an account object and may contain one or more non-account objects that are modelled specifically to the target system.

Manually set non-account objects for an account object

After you create certain connectors and run reconciliation, you can start mapping the account object to various non-account objects. These non-account objects are predefined. For more information about connectors with predefined non-account objects, refer to Connectors with predefined non-account objects.

However, connectors for non-authoritative applications, such as a Scripted REST connector, a Scripted Groovy connector, or a Scripted Table connector, don’t have predefined non-account objects. The reason is that these types of connectors can have different non-account objects. These non-account objects are nonpredefined objects.

For connectors for non-authoritative applications, you must manually select the non-account objects that map to specific properties for an account object.

  1. Select the Provisioning tab.

  2. Select the Properties tab.

  3. Edit a property.

  4. On the Edit Property screen, enable Constrain values for this property.

  5. On the Edit Property screen, enable Application Object Type.

  6. In the Select Object Type drop-down field, select a non-account object type to map to the current property.

  7. On the Edit Property screen, enable Entitlement.

  8. Click Save.

Connectors with predefined non-account objects

The following connectors have predefined non-account object types. After creating a connector that is listed in the table and running reconciliation, you can associate the account object in the second column with the non-account objects in the third column.

Connector Account object Predefined non account objects

Active Directory

ldapGroups

Group

Azure AD

  • __roles__

  • memberOf

  • __servicePlanIds__

  • Directory Role

  • Group

  • servicePlan

Google Workspace

  • __ROLES__

  • __GROUPS__

  • __LICENSE_ASSIGNMENTS__

  • Role

  • __GROUP__

  • __LICENSE_ASSIGNMENTS__

LDAP

ldapGroups

Group

Powershell

Dynamic

N/A

Salesforce

  • __PermissionSetIds__

  • __GroupIds__

  • Profile Id

  • UserRoleId

  • FeatureLicenses

  • Permission Set

  • Group

  • Profile

  • UserRole

  • FeatureLicense

SAP SuccessFactors

__GROUP__

Group

SCIM

groups

Group

Sripted Groovy

Dynamic

N/A

Scripted REST

Dynamic

N/A

Sripted SQL

Dynamic

N/A

ServiceNow

  • location

  • costcenter

  • company

  • department

  • group

  • roles

  • location

  • costcenter

  • company

  • department

  • group

  • role
Map target system object properties to Identity Cloud

To ensure all properties that are associated with a user account or role account synchronize during reconciliation, perform the following steps.

  1. If your connector is not predefined, perform the steps in Manually set non-account objects for an account object.

  2. Select the Provisioning tab.

  3. Click Mapping.

  4. Click Inbound.

  5. Follow steps 3 to 6 in Create or edit a mapping.

Run a reconciliation

Before you perform the following steps, to ensure you synchronize all information for the identity, map all relevant object properties with the identity.

  1. On the Reconciliation > Reconcile tab, click the ellipsis (…​) to the right of a mapping.

  2. Click Reconcile Identity.

  3. Verify the information on the page, and click Reconcile Identity.

  4. After the reconciliation process is complete, click Done.

View a report about the last reconciliation

You can view information about the last reconciliation, such as:

  • The percent of all accounts successfully reconciled.

  • Information about each reconciled account: mapping source, mapping target, attempted action, and the result of the reconciliation.

Before you perform the following steps, make sure you run reconciliation.

  1. On the Reconciliation > Settings tab, click Show advanced settings.

  2. To view a searchable table report of the last reconciliation results, set Persist Associations to true.

    • If set to true, the UI displays a reconciliation report table and a search field that lets you search the table. The table displays below the reconciliation percentage graphic and percentage bars.

    • If set to false, the UI does not display a reconciliation report table.
      To filter the report results, enter text in the Search users field.
      To view different subsets of the report (1-to-1 match / no match), click View and select an item from the drop-down list.

For large reconciliations jobs:
To avoid performance issues, ForgeRock recommends that you leave Persist Associations set to false.

Manage reconciliation schedules

The Schedules section of the Reconciliation > Settings tab lets you view and schedule reconciliation events for accounts or groups/organizations that have access to your application.

You can schedule two types of reconciliation:

  • Full Reconciliation: A process that completely synchronizes the source and target. This process usually happens once a week on a weekend or once a month but at longer intervals. The long intervals are because the synchronization process is very labor-intensive and can take a large amount of time depending on the reconciliation data.

  • Incremental Reconciliation: Also referred to as liveSync, incremental reconciliation is a process that only synchronizes the deltas between the source and target. You can run incremental reconciliation every few minutes to get new updates. For example, if you run an incremental reconciliation at 12:55 PM, then again at 2:00 PM, Advanced Identity Cloud admin UI only looks at the timeframe in between to update, create, or delete data if anything changes in the source or target. Depending on the application, a timestamp or change number is used to synchronize the delta.

You can edit existing schedules and activate or deactivate them.

Set up a full or incremental reconciliation schedule

The initial state of a schedule is inactive.

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an inactive schedule: Full Reconciliation or Incremental Reconciliation.

  3. Choose one of the following ways to edit the schedule:

    • Edit the fields on the Set up page and click Save Schedule.

    • To use a text editor to edit the schedule:

      1. Enable the Use cron toggle.

      2. Enter a valid cron string in the Frequency field.

      3. Click Save Schedule.

Deactivate a schedule

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an active schedule.

  3. Click Deactivate Schedule.

Manage reconciliation rules

You use rules to define the actions you want Advanced Identity Cloud to perform when certain events occur during reconciliation. For example, if reconciliation detects that an identity object exists in Advanced Identity Cloud but not in the target application, Advanced Identity Cloud creates an identity object in the target application and links it to a source object in Advanced Identity Cloud if both of the following are true:

  • Reconciliation detects that the identity object exists in Advanced Identity Cloud but not in the target application.

  • You select Advanced Identity Cloud to take the action CREATE.

Each rule has an action. Advanced Identity Cloud performs the action when a rule triggers an action to be performed on a record. Advanced Identity Cloud evaluates each record. When an event meets a rule condition, Advanced Identity Cloud performs the action you have defined for that rule.

The Situation Rules section of the Reconciliation > Settings tab displays the name and action of the rules for your application.

Situation (application) rules
Situation rule Description

Ambiguous

The source identity object matches multiple target identity objects based on the defined unique attribute. There must be a one-to-one link between a source and target identity object. can’t accurately make this link due to ambiguity.

Source Missing

For authoritative apps only.

The target identity object links to a missing source. This usually means the source identity object was deleted.

Missing

The source links to a missing target identity object. This usually means the target identity object was deleted.

Found Already Linked

The target identity object is linked to an old source object, usually deleted, and can’t be linked to the new source identity object. This usually the source identity object was deleted and tried to recreate the source object. On reconciliation, Advanced Identity Cloud identified that it already found a source and target identity object linked. For more information on Found Already Linked, refer to the knowledge base article How do I resolve the Found Already Linked situation in Advanced Identity Cloud?.

Unassigned

The reconciliation finds a valid target identity object with no link established. This usually means another reconciliation needs to happen to establish a link (if you set the action to Link).

Unqualified

The source identity object doesn’t qualify, but target identity objects were found.

Link Only

A link is found, but the target identity object is missing. Advanced Identity Cloud had a matching source and target with a link but can no longer find the target identity object.

Confirmed

The ideal situation for a record. The source and target identity objects both exist and a valid link between the two are present. This means the source and target both have a unique identifier that can only match one-to-one, and Advanced Identity Cloud established a link between the two.

Found

A valid source and target identity object match, but there is no link between the two. On a following reconciliation, Advanced Identity Cloud creates a link and the record moves from Found to the Confirmed rule.

Absent

The source identity object doesn’t find a target identity object. This usually means a new record was created on the source, and typically, the action is Create. This creates a target identity object and links the source and target identity object.
Rule action types

When a reconciliation determines the situation of a record, you must specify the action to be taken. There can only be one action per situation rule.

Action Description

Async

An asynchronous process has started. Don’t perform any action or generate any report.

Create

Create a target identity object and link the source and target.

Delete

Delete the target identity object and unlink the source and target.

Exception

Flag the link situation as an exception and log the incident.

Ignore

Don’t change the link or target object state.

Link

Create a link between the source and the correlated target identity object.

No Report

Don’t perform any action or generate any report.

Onboard

Onboard the account and link the correlated target object.

Report

Don’t perform any action but report what would happen if the default action were performed.

Unlink

Unlink the linked target from the source.

Update

Update the target identity object and create a link between source and target.

Configure basic and advanced correlation between accounts

You can correlate the user accounts in an application to user accounts in Advanced Identity Cloud admin UI. This correlation is important because account attributes in the application may have different names than account attributes in Advanced Identity Cloud admin UI.

The Account Correlation section of the Reconciliation > Settings tab lets you choose the attribute(s) to use to match users in your application to users in Advanced Identity Cloud admin UI.

  1. On the Reconciliation > Settings tab, navigate to the Account Correlation section.

  2. Click Match using.

  3. In the Attribute(s) to Match drop-down list, choose the attribute(s) to use to match users in the target system to users in Advanced Identity Cloud admin UI.

  4. To use a query to set or edit match attributes, click Use advanced query.

    • For an authoritative application:

      1. Choose to correlate a user if any or all attributes are matched.

      2. Use the User property field to set the user property(s) to match.

    • For a target application:

      1. Edit the correlation query script.

  5. Click Save.

Manage reconciliation events

Event hooks allow you to set an action that occurs when a specific event happens.

The Event Hooks section of the Reconciliation > Settings tab lets you view and define event hooks for reconciliation events.

Add an event hook

  1. On the Reconciliation > Settings tab, navigate to the Event Hooks section.

  2. To the right of an event hook, click + Add.

  3. Edit the script for the event hook.

  4. Click Save or Save and Close.

Restrict reconciliation to specific identities

  1. On the Reconciliation > Settings tab, click Show advanced settings.

  2. Configure the following settings:

    • To restrict reconciliation to specific identities in an application by defining an explicit source query:

      1. Enable Filter Source.

      2. Choose to filter the source if Any or All conditions are met.

      3. Use the remaining fields to define the explicit source query. You can define the query using all the properties available in the target system.

    • To restrict reconciliation to specific identities in Advanced Identity Cloud by defining an explicit target query:

      1. Enable Filter Target.

      2. Choose to filter the target if Any or All conditions are met.

      3. Use the remaining fields to define the explicit target query. You can define the query using all the properties available in Advanced Identity Cloud.

    • To filter the application identities that are included in reconciliation using a script:

      1. Enable Valid Source Script.

      2. Edit the script.

    • To view a searchable table report of the last reconciliation results, set Persist Associations to true. For more information, refer to View a report about the last reconciliation.

    • To filter the Advanced Identity Cloud admin UI identities that are included in reconciliation using a script:

      1. Enable Valid Target Script.

      2. Edit the script.

    • To allow correlation of source objects to empty target objects, enable Correlate empty target objects.

    • To prefetch each link in the database before processing each source or target object, enable Prefetch Links.

    • To allow reconciliations from an empty source to delete all data in a target resource, enable Allow reconciliations from an Empty Source.

    • To tune performance by adjusting the number of concurrent threads dedicated to reconciliation, in the Threads Per Reconciliation field, enter the number of concurrent threads.

    • To set the synchronization token used for incremental inbound reconciliation, enter a value in the Sync Token field.

  3. Click Save.

Reset the last reconciliation job

You may need to reset the last reconciliation job if it failed or if it made a change you want to revert; for example, if the last reconciliation job added a new application user.

To reset the last reconciliation job, you must reset the sync token attribute. The sync token attribute stores the value of the last incremental reconciliation job that synced data inbound from a target system to Advanced Identity Cloud.

  1. In your target system, get or create the reset value for the sync token attribute. To understand how to do this, refer to the documentation provided by the vendor of your target system.

  2. In Advanced Identity Cloud admin UI, navigate to Applications > Provisioning > Reconciliation.

  3. Click the Settings tab.

  4. Scroll down and click Show advanced settings.

  5. In the Sync Token text field, enter a new value for the sync token attribute.

  6. Click Save.

Next step

Manage end users and roles

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

The Users & Roles tab show all end users and roles assigned to an application either through a role or direct assignment.

Use the tab to manage and view the end users in your organization that can access applications. After you establish the server connection, you can use Advanced Identity Cloud to add, edit, and remove end users directly from the application. To make it easier to set up access for groups of end users, you can create roles with specific access privileges and assign them to the appropriate end users.

You can also map end users to one or more target system object properties. For more information, refer to Map target system object properties to Advanced Identity Cloud.

You can assign an end user or role to an OIDC or SAML 2.0 application without setting up mappings or provisioning.

Add an end user to a target application

You can add a user to a target application if, for example, a new employee joins your organization and should have access to the application.

  1. On the Users & Roles tab, click Users.

  2. Click Assign Users.

  3. In the Members drop-down field, select an end user.

  4. Click Next.

  5. Specify the account details as they should exist in the external system for the end user.

  6. Click Assign.

Manage target applications associated with a user

You can add, edit, or revoke all target applications, including OIDC and SAMLv2 applications associated with a user.

  1. In the Advanced Identity Cloud admin UI, navigate to Identities > Manage > Alpha realm - Users.

  2. Click a user.

  3. Click Applications.

  4. To view information about an application, click the application.

  5. To add an application, click + Add Application and follow the steps.

  6. To revoke an application, click the ellipsis (…​) to the right of the application, and select Revoke.

Add a role to an application

You can add a role to the application if, for example, a new role is added to your organization that needs access to the application.

  1. On the Users & Roles tab, click Roles.

  2. Click Assign Roles.

  3. In the Roles drop-down field, choose a role.

  4. If one or more properties are not set as 'user-specific', specify account details as they should exist in the external system. For instructions about how to set or unset a property as 'user-specific', see Add or edit a property.

  5. Click Assign.

View all target applications associated with a role

You can view all target applications associated with a role, including OIDC and SAMLv2 applications.

  1. In the Advanced Identity Cloud admin UI, navigate to Identities > Manage > Alpha realm - Roles.

  2. Click a role.

  3. Click Applications.

  4. To view information about an application, click the application.

View an end-user account

The Assignment column shows how a end user is assigned to an application:

  • Direct: The end user is assigned directly to an application.

  • Role-based: The end user is part of a role assigned to the application.

The Assignment column also shows non-account objects that are assigned to a end user. For example, a group. During reconciliation, if a non-account object does not exist, it is created. If it exists, a relationship is established with the object.

You can view information about a end-user account that has access to an application.

  1. On the Users & Roles tab, click Users.

  2. Click an end user.

You cannot directly edit a end user who was added to an application via a role.

Remove an end user from an application

You can remove an end user from an application if, for example, a user leaves your company.

  1. On the Users & Roles tab, click Users.

  2. To the right of the end user, click the ellipsis (...).

  3. Select Revoke.

You cannot directly revoke a end user from an application if the end user was added via a role. In this case, to revoke the end user, remove the end user from the role.

Remove a role from an application

You can remove a role from an application if, for example, the role becomes obsolete.

  1. On the Users & Roles tab, click Roles.

  2. To the right of the role, click the ellipsis (...).

  3. Select Revoke.

Next step

Manage application registrations

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

Instead of deleting an application, you can deactivate it. For example, when making production changes, you may want to deactivate the application so that the end user doesn’t experience erroneous behavior.

You can only deactivate a Custom application.

Activate or deactivate an application

  1. On the Application page, double-click the application.

  2. Under the application logo, click the drop-down field, and select Active or Inactive.

Connect or disconnect a provisioner

  1. On the Provisioning tab, in the Connection area, click Connect or Disconnect.

Next step

Standalone OAuth 2.0 clients

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

The Advanced Identity Cloud admin UI lets you create OAuth 2.0 clients as part of an application using the application catalog or custom applications.

You can also create standalone OAuth 2.0 clients in these ways:

  • Using the REST API

  • Using open_in_new Native Consoles > Access Management > Applications > OAuth 2.0 > Clients

The Advanced Identity Cloud admin UI tracks these standalone clients in web_asset OAuth2 Clients.

Update standalone OAuth 2.0 clients

To update a standalone client:

  1. In the Advanced Identity Cloud admin UI, go to web_assetOAuth2 Clients to view a list of standalone clients.

  2. Click a client.

  3. Use the toggle under the logo to set the client as check_circle Active or power_settings_new Inactive. The change is saved immediately.

  4. In the Details tab, update the following fields:

    • Name: The name of the client.

    • Description: A description of the client.

    • App Logo URI: The URL of the client logo.

  5. In the Sign On tab, follow the instructions in OAuth 2.0 - Set up single sign-on.

  6. Click Save.

Application management (legacy)

The topics in this section are for tenants created before January 12, 2023. Learn more in Application management migration FAQ.

Your applications act as clients to PingOne Advanced Identity Cloud. Ping Identity uses both OAuth 2.0 and OpenID Connect protocols to protect your applications. When you register a supported application or service, Advanced Identity Cloud sets the OAuth 2.0 grant type based on the type of application you’re registering. Advanced Identity Cloud also sets OpenID Connect default options for you. You can customize configuration in the application’s client profile.

To get started, first register your application or service to your tenant. Then, create a client profile for the application or service.

You can view and manage all your applications on the Applications page of the Advanced Identity Cloud admin UI.

The Advanced Identity Cloud admin UI supports a maximum of 500 applications.

Register an application or service

  1. In the Advanced Identity Cloud admin UI, go to Applications, and click + Add Application.

  2. In the New Consumer App dialog box, choose the application type you want to register:

  3. In the Web Application Credentials dialog box, enter a Client ID to be displayed in the Applications list, and if shown, enter a Client Secret.

  4. Click Create Application.

Create a client profile

  1. In the Advanced Identity Cloud admin UI, click Applications.

  2. In the Applications list, find the application name, then click More (), and choose Edit.

  3. Review read-only Client Credentials:

    Client Credentials

    Discovery URI

    AM URL base for OpenID Provider Configuration.
    Default: http://openam.example.com:8088/openam/oauth2

    Client ID

    Identifier used to register your client with AM’s authorization server, and then used when your client must authenticate to AM.

    Client Secret

    Password used to register your client with AM’s authorization server, and then used when your client must authenticate to AM.

  4. Edit General Settings:

    General Settings

    Name

    Specify a client name to display to the resource owner when the resource owner is asked to authorize client access to protected resources.

    App Logo URI

    Specify the location of your custom logo image file.

    Description

    Specify a client description to display to the resource owner when the resource owner is asked to authorize client access to protected resources.

    Sign-in URLs

    Custom URL for handling login. Overrides the default OpenAM login page.

    Sign-out URLs

    Custom URL for handling logout. Example: http://client.example.com:8080/openam/XUI/?realm=/#logout.

    Grant Types

    Specify the set of OAuth 2.0 grant types, also known as grant flows, allowed for this client:

    Authorization Code

    (default) Instead of requesting authorization directly from the user, your client application or service directs the user to an authorization server (Advanced Identity Cloud).

    Back Channel Request

     

    Implicit

    The client is issued an access token directly. No intermediate credentials (such as an authorization code) are issued. This grant type can potentially pose a security risk. Learn more in Implicit grant.

    Resource Owner Password Credentials

    Username and password can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the user and the client application or service.

    Client Credentials

    Used when the client acts on its own behalf or requests access to protected resources based on previously-arranged authorization.

    Refresh Token

    Credentials used to obtain access tokens.

    Device Code

    Authorizes a client device, such as a smarthome thermostat, to access its service on an end user’s behalf. For example, the end user could log in to the thermostat service using a cell phone to enter a code displayed on the thermostat.

    SAML 2.0

    Leverages the REST-based services provided by AM’s OAuth 2.0 support. Maintains existing SAML 2.0 federation implementation.

    Scopes

    Specify scopes that display to the resource owner when they authorize client access to protected resources.

    The openid scope is required.

  5. Edit Advanced Settings:

    Access

    Add Default Scopes

    Scopes to be set automatically when tokens are issued. The openid scope is required.

    Add Response types

    Specify the response types that the client uses. The response type value specifies the flow that determines how the ID token and access token are returned to the client. By default, the following response types are available:

    • code. Specifies that the client application requests an authorization code grant.

    • token. Specifies that the client application requests an implicit grant type and requests a token from the API.

    • id_token. Specifies that the client application requests an ID token.

    • code token. Specifies that the client application requests an access token, access token type, and an authorization code.

    • token id_token. Specifies that the client application requests an access token, access token type, and an ID token.

    • code id_token. Specifies that the client application requests an authorization code and an ID token.

    • code token id_token. Specifies that the client application requests an authorization code, access token, access token type, and an ID token.

    Add Claims

    Claims can be entered as simple strings, such as name, email, profile, or sub. Or, as a pipe-separated string in the format: scope|locale|localized description. For example, name|en|Full name of user.

    Allow wildcard ports in redirect URLs

    Specify whether AM allows the use of wildcards (* characters) in the redirection URI port to match one or more ports.

    The URL configured in the redirection URI must be either localhost, 127.0.01, or ::1. For example, http://localhost:*/, https://127.0.0.1:80*/, or https://[::1]:*443/.

    Enable this setting, for example, for desktop applications that start a web server on a random free port during the OAuth 2.0 flow.
    Authentication

    Token Endpoint
    Authentication Method

    Authentication method client uses to authenticate to AM.
    Choose one:

    • client_secret_basic. Clients authenticate using the HTTP Basic authentication scheme after receiving a client_secret value.

    • client_secret_post. Clients authenticate by including the client credentials in the request body after receiving a client_secret value.

    • private_key_jwt. Clients sign a JSON web token (JWT) with a registered public key.

    Token Endpoint Authentication Method (Client Type)

    • Confidential clients can maintain the confidentiality of their credentials. For example, a web application runs on a server where its credentials are protected.

    • Public clients run the risk of exposing their passwords to a host or user agent. For example, a JavaScript client running in a browser may be accessible to the public.

    Implied Consent

    When enabled, the resource owner will not be asked for consent during authorization flows. The OAuth2 Provider must also be configured to allow clients to skip consent.

    OAuth 2.0 Mix-Up Mitigation active

    Enable this setting only if this OAuth 2.0 client supports the OAuth 2.0 Mix-Up Mitigation draft; otherwise AM will fail to validate access token requests received from this client.

    Add Default ACR values

    Default Authentication Context Class Reference values. Specify strings that will be requested as Voluntary Claims by default in all incoming requests.

    Add Request URIs

    Specify request_uri values that a dynamic client would pre-register.

    Client JWT Bearer
    Public Key

    A base64-encoded X509 certificate in PEM format used to obtain the client’s JWT bearer public key. The client uses the private key to sign client authentication and access token request JWTs, while AM uses the public key for verification.

    Subject Type

    Default value is public.

    • Choose pairwise if you want each client to receive a different subject value. This prevents correlation between clients.

    • Choose public if you want each client to receive the same subject value.

    Default Max Age

    Enable this option to enforce a default maximum age of ten minutes. If the user session is not currently active, and if more than ten minutes have passed since the user last authenticated, then the user must be authenticated again.

    Use Certificate-Bound Access Tokens

    Enable this option if you want access tokens issued to this client to be bound to an X.509 certificate. When enabled, access tokens will use the X.509 certificate to authenticate to the access_token endpoint.
    Token Lifetimes

    Authorization code lifetime (seconds)

    The time an authorization code is valid for.
    Default value: 120

    Access token lifetime (seconds)

    The time an access token is valid for, in seconds
    If you set the value to 0, the access token will not be valid. A maximum lifetime of 600 seconds is recommended. Default value: 3600

    Refresh token lifetime (seconds)

    The time a refresh token is valid for.
    If this field is set to -1, the refresh token will never expire. Default value: 604800

    JWT token lifetime (seconds)

    The amount of time the JWT is valid for. Default value: 3600
    Consent Screen

    Add Display Name

    Custom user-facing title. In this example, MyClient.

    Add Display Description

    User-facing instruction text. In this example, "This application is requesting the following information:"

    Add Privacy Policy URI

    URI containing the client’s privacy policy documentation. The URI is displayed as a link in the consent page.

    200
    Client Management

    Access Token

    Specify the registration_access_token value that you provide when registering the client, and then subsequently, when reading or updating the client profile.
    Session Management

    Client Session URI

    Specify the relying party (client) URI to which the OpenID Connect Provider sends "session changed" notification. Message is sent using the HTML 5 postMessage API.
    Endpoint Response Formats

    User info response format

    Specify the output format from the userinfo endpoint.
    The supported output formats are:

    • (default) User info JSON response format.

    • User info encrypted JWT response format.

    • User info signed JWT response format.

    • ︎ User info signed then encrypted response format.

    Token introspection response format

    Specifies the format of the token introspection response. The possible values for this property are:

    • JSON response format

    • Signed JWT response format

    • Signed then encrypted JWT response format
    Signing and Encryption

    Public key selector

    Select the public key for this client, which comes from the JWKs_URI, manual JWKs, or X.509 field.

    JSON Web Key URI

    The URI that contains the client public keys in JSON web key format.

    JSON Web Key

    Raw JSON web key value containing the client public keys.

    ID Token Encryption Public Key

    Base64-encoded public key for encrypting ID tokens.

    Enable ID Token Encryption

    When enabled, encryption uses the algorithm with which the ID token must be encrypted. Default algorithm value is RSA1_5 (RSAES-PKCS1-V1_5).

  6. Click Save.

Supported application types

When you register an application or service, Advanced Identity Cloud automatically sets the optimal configuration for you. To change the default settings, edit the client profile.

Native / SPA

Native applications are developed for specific platforms or devices. Examples include the applications on mobile phones and applications dedicated to the macOS platform.

Single-page applications (SPAs) are OAuth 2.0 clients that run in a user’s web browser. SPAs use PKCE to verify the client because SPAs do not have a way to secure the client_secret value. PKCE stands for Proof Key Code Exchange; a security standard explained in the IETF specification Proof Key for Code Exchange by OAuth Public Clients.

For a deep dive on how ForgeRock implements PKCE for native and SPA applications, learn more in Authorization code grant with PKCE.

Web

Web applications are OAuth 2.0 clients that run on a web server. End users (resource owners) access web applications using a web browser. The application makes API calls using a server-side programming language. The end user has no access to the OAuth 2.0 client secret or any access tokens issued by the authorization server.

Service

Machine-to-machine (M2M) applications interact with an API and no user involvement is necessary. The application can ask for an access token without involving a user in the process. A smart meter that tracks your utility usage and wearable devices that gather and communicate health data use services and M2M applications.

OAuth 2.0 and OpenID Connect

Advanced Identity Cloud uses OAuth 2.0 and OpenID Connect to protect your applications.

OAuth 2.0

Advanced Identity Cloud provides an authorization service in the OAuth 2.0 authorization flow. OAuth 2.0 lets you set up access to your resources without sharing end-user account information. For a deep dive, learn more in RFC6749.

You may encounter domain validation prompts when using forgeblocks.com and id.forgerock.io domains as redirect URLs in your Google OAuth 2.0 applications. To resolve this, you must use a custom domain, and then set up domain verification with Google.

You could encounter No provider found errors when using forgeblocks.com and id.forgerock.io domains as redirect URLs in your OAuth 2.0 applications. To resolve this, either modify the redirect URL to include a realm identifier, or use a custom domain:

  • Incorrect:
    https://<tenant-env-fqdn>/am/oauth2/client/form_post/...

  • Correct:
    https://<tenant-env-fqdn>/am/oauth2/<realm>/client/form_post/...
    or
    https://<custom-domain-fqdn>/am/oauth2/client/form_post/...

A custom domain acts as a realm DNS alias, so when it is used as a redirect URL, Advanced Identity Cloud implicitly knows which realm to use.

OpenID Connect

OpenID Connect (OIDC) provides an identity layer on top of OAuth 2.0. OIDC lets a client make assertions about the user’s identity and their means of authentication. For a deep dive, learn more in OIDC grant flows.

What’s in the client profile

Changing the client profile settings requires a working knowledge of OAuth 2.0, its grant types, and its components. If no one has given you direction on how to configure the client profile, you’ll want to read up on some basic concepts.

Scopes

Scopes limit your client application’s access to end users' resources. For a deep dive on how scopes work, learn more in Scopes.

Grant types

Grant types, also known as grant flows, describe how your application or service access gets an access token. Learn more about grant types in OAuth 2.0 grant flows.

Claims

Claims convey information about the end user to your client application or service. For a deep dive on claims, learn more in the Claims.

Access tokens

Your applications and services use access tokens when making requests on behalf of a user. Tokens provide proof that your application or service is authorized to access the end user’s data. For a deep dive on access tokens, learn more in Advanced Identity Cloud as authorization server.

Keys

Keys protect sensitive information that Advanced Identity Cloud needs to both send and receive. You can store keys in ESV secrets, then use them in OAuth 2.0 authentication flows by mapping the ESVs to secret labels.

Test SAML 2.0 SSO using JSP flows

The topics in this section are for tenants created before January 12, 2023. Learn more in Application management migration FAQ.

SAML 2.0 helps organizations to share(or federate) identities and services without having to manage the identities or credentials themselves.

These instructions describe how to launch an SP-initiated JSP flow to test SAML 2.0 SSO. PingOne Advanced Identity Cloud acts as the authentication service provider (SP) in a circle of trust (CoT). For this test, a self-managed AM instance acts as the identity provider (IDP).

Before identities can be federated in a CoT, an AM module named Federation must be present in the SP configuration.

In self-managed AM instances, by default the Federation module is ready-to-use.

In Advanced Identity Cloud AM instances, you must manually create a module named Federation when you create an SP circle of trust.

Step 1: Set up an SP and an IDP

  1. Set up the Advanced Identity Cloud AM instance as a service provider:

    1. In the AM admin UI (native console), go to
      Realm Name > Applications > Federation > Entity Providers.

    2. Click + Add Entity Provider > Hosted, and add a hosted entity provider:

      • Entity ID: Enter a unique identifier. Example: Cloud-SP.

      • Service Provider Meta Alias: Provide an SP alias. Example: cloud-sp.

    3. Export the SP metadata to an XML file. Example export metadata URL:
      https://<tenant-FQDN>/am/saml2/jsp/exportmetadata.jsp?entityid=<SP-Entity-ID>&realm=/alpha.

  2. Set up the self-managed AM instance as an identity provider:

    1. In the AM admin UI (self managed), go to
      Top Level Realm > Applications > Federation > Entity Providers.

    2. Click + Add Entity Provider > Hosted, and add a hosted entity provider:

      • Entity ID: Enter a unique identifier. Example: AM-IDP.

      • Meta Alias: Provide an IDP alias. Example: am-idp.

    3. Export the IDP metadata to an XML file. Example export metadata URL:
      https://<IDP-host-FQDN>/openam/saml2/jsp/exportmetadata.jsp?entityid=<IDP-Entity-ID>.

  3. In the Advanced Identity Cloud AM instance, add a remote entity provider by importing the IDP metadata:

    1. In the AM admin UI (native console), go to
      Realm Name > Authentication > Federation > Entity Providers.

    2. Click + Add Entity Provider > Remote.

    3. Import the IDP metadata.

  4. In the self-managed AM instance, add a remote entity provider by importing the SP metadata:

    1. In the AM admin UI (self managed), go to:
      Top Level Realm > Authentication > Federation > Entity Providers.

    2. Click + Add Entity Provider > Remote.

    3. Import the SP metadata.

  5. Create a user profile on the SP and IDP:

    1. SP: In the AM admin UI (native console), go to Identities and add a user identity.

    2. IDP: In the AM admin UI (self managed), go to Identities and add a user identity.

Step 2: Create an SP circle of trust

  1. In the Advanced Identity Cloud AM instance, create a circle of trust:

    1. In the AM admin UI (native console), go to
      Realm Name > Applications > Federation > Circles of Trust.

    2. Click + Add Circle of Trust.

    3. On the New Circle of Trust page, provide a name, then click Create.

    4. On the CoT page, provide CoT details.

      CoT details:

      • Description: Enter a unique identifier.

      • Entity Providers: Choose the entity IDs for the SP and IDP.
        Examples: Cloud-SP AM-IDP

    5. Click Save Changes.

  2. In the Advanced Identity Cloud AM instance, create a federation module:

    1. In the AM admin UI (native console), go to
      Realm Name > Authentication > Modules.

    2. On the Modules page, click Add Module. Enter module details:

      • Name: Must be named Federation.

      • Type: Must be type Federation.

    3. Click Save Changes.

  3. In the Advanced Identity Cloud AM instance, configure the page the browser displays upon successful SSO:

    1. In the AM admin UI (native console), go to
      Realm Name > Applications > Federation > Entity Providers.

    2. In the Cloud-SP entity provider page, select the Advanced tab.

    3. In the Relay State URL List field, add the target URL for the SP end-user sign-in page.
      Example: https://<tenant-FDQN>/enduser/?realm=alpha#/dashboard.

    4. Click Save Changes.

Step 3: Create an IDP circle of trust

  1. In the AM admin UI (self managed), go to
    Top Level Realm > Applications > Circles of Trust.

  2. Click + Add Circle of Trust.

  3. On the New Circle of Trust page, provide a name, then click Create.

  4. On the CoT page, provide CoT details.

    CoT details:

    • Description: Enter a unique identifier.

    • Entity Providers: Choose the entity IDs for the SP and IDP.
      Examples: Cloud-SP AM-IDP.

  5. Click Save Changes.

Step 4: Test SAML 2.0 SSO

  1. In a browser, go the JSP URL to launch an SP-initiated JSP flow. Example:
    https://<tenant-FQDN>/am/saml2/jsp/spSSOInit.jsp?realm=/alpha/&metaAlias=/alpha/cloud-sp&idpEntityID=AM-IDP&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&NameIDformat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&RelayState=https://<tenant-FQDN>/enduser/?realm=alpha#/dashboard.

  2. On the IDP sign-in page, enter the user’s credentials:

    Keep this session open. The IDP authenticates the user, then the browser redirects the user back to the SP sign-in page.

  3. On the SP sign-in page, enter the user’s credentials:

    After this second successful authentication, the user’s SP identity is linked to, or federated with, the user’s IDP identity.

    The browser redirects to the SP end-user page.

  4. Sign the user out of both the SP and IDP.

  5. Go to the IDP end-user sign-in page, and enter the user’s credentials.

    When the user is successfully authenticated, the browser redirects to the SP end-user page specified in Relay State URL List.

More Information

For deep dives, learn more in: