Identity Cloud

Enable federation for your tenant

After you set up a federation provider, you can allow Identity Cloud to use the provider to federate administrators.

To perform the following steps, you must be a super administrator in a tenant where federation is enabled.

  1. In Identity Cloud, navigate to Tenant settings.

  2. Click Federation.

  3. Click + Identity Provider.

  4. Select the federation provider to use:

    • Microsoft Azure

    • ADFS

    • OIDC

  5. Click Next.

  6. Follow the steps on the Configure Application page and click Next.

  7. On the Identity Provider Details page, complete the following fields:

    • Name: The name of the provider.

    • Application ID: The ID for the application.

    • Application Secret: The client secret for the application.

      Set the client secret directly in the Application Secret field only for testing purposes; you must configure the client secret as an ESV before you can promote configuration. Refer to Store client secrets in ESVs.
    • Well-known Endpoint: The URL of the provider's OpenID Connect discovery document.

      • If you are setting up Azure, this is the URL from the OpenID Connect metadata document field. In the URL, replace the organization placeholder with the tenant ID of your Azure tenant. Use the tenant-specific URL: the metadata served for common or organizations has a templated issuer and is not tied to your tenant.

      • If you are setting up AD FS, this is the endpoint from the OpenID Connect section.

      Values for the following fields are automatically obtained from the Well-known Endpoint:

      • Authorization Endpoint: The endpoint the user is redirected to for authentication and authorization. It returns an authorization code to the client.

      • Token Endpoint: The endpoint that receives the authorization code together with the client credentials. It returns an ID token and an access token.

      • User Info Endpoint: The endpoint that receives the access token. It returns user attributes.

    • (For OIDC only): OAuth Scopes: The scopes the application uses for user authentication. The default scopes are openid, profile, and email.

    • (For OIDC only): Client Authentication Method: Options are client_secret_post and client_secret_basic. The default option is client_secret_post.

    • Button Text: The text for the application button.

    • To use group membership to enable federation:

      1. Set up your identity provider by selecting the option that matches it:

        • For Microsoft Azure: Enable Use Microsoft Azure group membership to allow federated login to ForgeRock.

        • For AD FS: Enable Use ADFS group membership to allow federated login to ForgeRock.

      2. Enter the name of the group claim in the Group Claim Name field.

        By default, Azure sends the ID of each group rather than its name. You may need to configure Azure to send the name of the group. Whichever you choose, the Group Identifiers you enter in the next step must match the claim values exactly; group IDs are stable, while group names can be changed, so matching on IDs is the safer choice.

      3. To grant administrator access to a group, perform one or both of the following sets of steps:

        • Grant Super administrator access to a group: To the left of Super Admins, in the Group Identifiers field, enter the identifiers of the group(s).

        • Grant Tenant administrator access to a group: To the left of Tenant Admins, in the Group Identifiers field, enter the identifiers of the group(s).

  8. Click Save.
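The script below is an added example and is not ForgeRock code or part of the product: it checks, offline, the two inputs of step 7 that are easiest to get wrong. It builds the Azure Well-known Endpoint URL and refuses the organization, organizations and common placeholders; it reads a discovery document and extracts the three endpoints Identity Cloud fills in automatically, rejecting a templated issuer or a non-HTTPS endpoint; and it mirrors the Group Identifiers matching with a small admin_role function, which is an illustration of exact-match matching, not Identity Cloud's implementation. The tenant ID, group IDs, discovery documents and ID token claims are constructed for the example (the discovery documents are modelled on the shape of Azure's metadata).

```python
"""Offline pre-flight checks for the federation settings in step 7.

Added example, not ForgeRock code. Every tenant ID, group ID, URL and
claim value below is constructed for the example.
"""
import json
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Tenant placeholders seen in Azure metadata URLs. 'common' and
# 'organizations' do serve metadata, but with a '{tenantid}' issuer
# template that is not tied to one tenant, so admin federation should
# not use them.
PLACEHOLDER_TENANTS = {"", "organization", "organizations", "common", "{tenant}"}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def is_placeholder_tenant(tenant_id: str) -> bool:
    return tenant_id.strip().lower() in PLACEHOLDER_TENANTS


def azure_wellknown_url(tenant_id: str) -> str:
    """Well-known Endpoint value for Azure with the tenant ID filled in."""
    if is_placeholder_tenant(tenant_id):
        raise ValueError(f"replace {tenant_id!r} with the real tenant ID")
    return (f"https://login.microsoftonline.com/{tenant_id}"
            "/v2.0/.well-known/openid-configuration")


def discovery_problems(doc_json: str, expected_issuer: str) -> List[str]:
    """Reasons a discovery document should not be used; empty means OK."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    if "{" in issuer:
        problems.append(f"issuer is a template, not a tenant: {issuer}")
    elif issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


def discovery_endpoints(doc_json: str, expected_issuer: str) -> dict:
    """The three endpoints Identity Cloud fills in from the Well-known Endpoint."""
    problems = discovery_problems(doc_json, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(doc_json)
    return {key: doc[key] for key in REQUIRED_ENDPOINTS}


def admin_role(claims: dict, group_claim: str,
               super_admin_groups: Iterable[str],
               tenant_admin_groups: Iterable[str]) -> Optional[str]:
    """Map an ID token's group claim to 'super', 'tenant' or None.

    Matching is exact, like the Group Identifiers fields: names configured
    against IDs sent by Azure never match.
    """
    if group_claim in claims.get("_claim_names", {}):
        # Azure groups overage: too many groups, so the claim was replaced
        # by a Microsoft Graph pointer and no group values arrived.
        raise ValueError("group claim overflowed; no groups in the token")
    groups = claims.get(group_claim, [])
    if isinstance(groups, str):  # a single group may arrive as a bare string
        groups = [groups]
    groups = set(groups)
    if groups & set(super_admin_groups):
        return "super"
    if groups & set(tenant_admin_groups):
        return "tenant"
    return None


# --- constructed sample data ---
TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
DISCOVERY_DOC = json.dumps({
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})
COMMON_DISCOVERY_DOC = json.dumps({  # shape of the 'common' metadata: templated issuer
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})
SUPER_ADMIN_GROUPS = ["aaaaaaaa-0000-0000-0000-000000000001"]
TENANT_ADMIN_GROUPS = ["aaaaaaaa-0000-0000-0000-000000000002"]
ID_TOKEN_CLAIMS = {  # decoded payload of a constructed Azure ID token
    "iss": EXPECTED_ISSUER,
    "sub": "user-1",
    "groups": ["aaaaaaaa-0000-0000-0000-000000000002",
               "aaaaaaaa-0000-0000-0000-000000000001"],
}

if __name__ == "__main__":
    print(azure_wellknown_url(TENANT_ID))
    print(discovery_endpoints(DISCOVERY_DOC, EXPECTED_ISSUER))
    print(admin_role(ID_TOKEN_CLAIMS, "groups", SUPER_ADMIN_GROUPS, TENANT_ADMIN_GROUPS))
```

Run it against the real discovery document by fetching your Well-known Endpoint URL and passing the response body to discovery_endpoints with the issuer you expect; a user who is in both groups resolves to super because the super administrator identifiers are checked first, and a user whose configured identifiers are group names while Azure sends group IDs resolves to None, which is the mismatch the note in step 7 warns about.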

Copyright © 2010-2023 ForgeRock, all rights reserved.