Note: The topics in this section are for tenants created on or after January 12, 2023. Refer to the Application management migration FAQ.
The topics in this and subsequent sections are for system administrators and similar roles whose responsibility is to set up and manage applications that work with the Identity Cloud.
You can use a registration process to manage the security and access of common and custom relying party applications and SAML 2.0 applications directly from Identity Cloud.
Using the Applications page, you can integrate Identity Cloud with external data stores or identity providers. This page provides a one-stop location to:
Register and provision popular Federation-capable applications quickly and easily by choosing from a library of templates, such as Salesforce and Workday.
Register and provision your organization’s custom applications.
Manage data, properties, rules, provisioning, users, and groups for an application.
View the connection status of each application.
Activate and deactivate an application.
All applications that you register with Identity Cloud are either target applications or authoritative applications. For more information, refer to Target and authoritative applications.
Each application relies on a connector to connect to external resources such as LDAP and flat files.
You can register OpenID Connect (OIDC) applications and SAML 2.0 applications, and set up provisioning and other features, using the following methods:
Template - Identity Cloud includes a library of templates for OIDC relying party applications that makes registration and configuration quick and easy. When you use a template, Identity Cloud sets the OAuth 2.0 grant type based on the type of application you register and also sets the OpenID Connect default options. You can then customize the configuration in the application’s client profile.
Custom - This option allows you to register custom applications as an OAuth 2.0 or SAML 2.0 application.
To view a catalog of application templates, click Browse App Catalog. To search for an existing application, in the Search field, enter the name of an application.
To register an application, use an application template. Click Browse App Catalog, select the application, and complete the fields.
After you register an application, the page displays the following configuration tabs for single sign-on, provisioning, and so on.
Note: The application type determines the tabs that the page displays.
Configure, view, and manage application details, including name, description, owners, and logo.
Configure, view, and manage provisioning settings, including properties, mapping, rules, reconciliation, and schedules.
Users & Roles
Configure, view, and manage users and roles for your target application.
Target and authoritative applications
All applications that you register with Identity Cloud are either target applications or authoritative applications.
Target applications: Use Identity Cloud to create and manage user accounts in a target application. Running reconciliation on a target application syncs user account changes (new accounts, updated accounts, deleted accounts) from Identity Cloud to the target application (for example, ServiceNow).
Authoritative applications: Create and manage user accounts in an authoritative application. Authoritative applications act as a source of identities and do not allow management of users and roles, so you do not assign users to an authoritative application. Running reconciliation on an authoritative application syncs user account changes (new accounts, updated accounts, deleted accounts) from the authoritative application (for example, Workday) to Identity Cloud. You specify that an application is authoritative when you create it.
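The direction of a reconciliation run, as an added example (not Identity Cloud code): the same account diff is applied towards Identity Cloud for an authoritative application and towards the application for a target application. The account records, application names and flags are constructed for the example.

```javascript
// Added example (not Identity Cloud code): which way a reconciliation run
// pushes changes depends on whether the application is authoritative
// (source of identities) or a target (managed from Identity Cloud).
// Accounts are plain { id, email, active } objects; all values are constructed.

// Compare the source of truth with the other side and list the changes
// (new, updated, deleted accounts) that must be applied on that other side.
function diffAccounts(source, other) {
  const byId = (list) => new Map(list.map((a) => [a.id, a]));
  const src = byId(source);
  const oth = byId(other);
  const same = (a, b) => a.email === b.email && a.active === b.active;
  const changes = { create: [], update: [], delete: [] };
  for (const [id, acct] of src) {
    if (!oth.has(id)) changes.create.push(id);
    else if (!same(acct, oth.get(id))) changes.update.push(id);
  }
  for (const id of oth.keys()) {
    if (!src.has(id)) changes.delete.push(id);
  }
  return changes;
}

// Authoritative app (e.g. Workday): the app is the source, Identity Cloud is updated.
// Target app (e.g. ServiceNow): Identity Cloud is the source, the app is updated.
function planReconciliation(app, cloudAccounts, appAccounts) {
  if (app.authoritative) {
    return { applyTo: 'Identity Cloud', changes: diffAccounts(appAccounts, cloudAccounts) };
  }
  return { applyTo: app.name, changes: diffAccounts(cloudAccounts, appAccounts) };
}

// Constructed sample data shared by both directions.
const CLOUD_ACCOUNTS = [
  { id: 'u1', email: 'alice@example.com', active: true },
  { id: 'u2', email: 'bob@example.com', active: true },
];
const APP_ACCOUNTS = [
  { id: 'u2', email: 'bob@example.com', active: false },
  { id: 'u3', email: 'carol@example.com', active: true },
];
```

Run `planReconciliation` once with `authoritative: false` and once with `authoritative: true` on the same data to see the create, update and delete lists swap sides.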
Whether an application is an authoritative application or a target application, you can set up the following application types:
OpenID Connect (OIDC) applications
OAuth 2.0 is a token-based authorization framework for SSO through API endpoints and is mainly for authorizing applications. For Identity Cloud, register an OAuth 2.0 application if you have a custom application that integrates with the ForgeRock SDK or hosted pages.
When you register a custom application, you can choose from several types of OAuth 2.0 application:
Native / SPA applications with PKCE
Native applications are for specific platforms or devices. Examples include applications for mobile phones and applications for the macOS platform.
Single-page applications (SPAs) are OAuth 2.0 clients that run in an end user’s web browser. Because an SPA cannot keep a client secret confidential, SPAs use Proof Key for Code Exchange (PKCE) to verify the client. PKCE is a security standard from the IETF specification Proof Key for Code Exchange by OAuth Public Clients.
For a deep dive on how Identity Cloud implements PKCE for native and SPA applications, refer to Authorization code grant with PKCE.
Web applications
Web applications are OAuth 2.0 clients that run on a web server. End users (resource owners) access web applications using a web browser. The application makes API calls using a server-side programming language. The end user has no access to the OAuth 2.0 client secret or any access tokens that the authorization server issues.
Service / Machine-to-machine applications
Machine-to-machine (M2M) applications interact with an API without any end user involvement. The application acts on its own behalf rather than on behalf of an end user, so it can request an access token directly without involving an end user at all. Devices such as a smart meter that tracks your utility usage or a wearable that gathers and reports health data typically use service and M2M applications.
SAML 2.0 applications
SAMLv2 is an XML-based open standard for single sign-on (SSO) and is primarily for authenticating users. Register a SAML application if the identity provider for your application only supports SAMLv2. For more information, refer to the SAML v2.0 guide.
Best practices for registering applications
Before you register an application with Identity Cloud, consider the following:
If the application uses SAML 2.0, make sure you have the application metadata and entity ID for your application before you set up SSO.
Know the settings for configuring provisioning. For information about application-specific provisioning settings, refer to Provision an application.
Know the users and groups that have access to your application.