Administrator federation
Administrator federation allows administrators to use single sign-on (SSO) to log in to an Identity Cloud tenant.
By using federation to authenticate your administrators to Identity Cloud, you can quickly and easily deprovision users by removing their access from your centralized identity provider.
The groups feature allows you to add and remove administrators depending on their group membership in your identity provider (Microsoft Azure, AD FS).
Instead of inviting one administrator to your tenant at a time, you can invite a set of administrators. You can also specify the type of administrator access for an entire group of users.
Types of federation providers
ForgeRock supports federation using the OIDC standard.
On the Tenant Settings page, clicking + Identity Provider displays the Add Sign On Method page.

This page lets you choose one of the following as a federation identity provider:
-
Azure Active Directory: Microsoft Azure Active Directory (Azure AD) pre-configured with Open ID Connect. For more information, refer to What is Azure Active Directory?.
-
Active Directory Federation Services: Microsoft Active Directory Federation Services (AD FS) pre-configured with Open ID Connect. For more information, refer to Active Directory Federation Services.
-
OIDC: Generic Open ID Connect. For more information, refer to https://openid.net/connect/.
Types of administrators
You can assign the following types of administrators in Identity Cloud:
-
Super administrators: Administrators that can manage the tenant and tenant administrators by:
-
Granting or revoking
Super administrator
rights to and from tenant administrators. -
Enabling federation for a tenant.
-
Requiring some or all administrators in a tenant environment to use federation.
-
-
Tenant administrators: Administrators that can manage the tenant, but not tenant administrators.
To configure Identity Cloud to use federation providers, you first need to set up a federation provider. Then, enable federation for your tenant environments. To deprovision an administrator, revoke the administrator’s access.