Identity Cloud

Administrator federation

Administrator federation allows administrators to use single sign-on (SSO) to log in to an Identity Cloud tenant.

By using federation to authenticate your administrators to Identity Cloud, you can deprovision an administrator quickly by removing their access in your centralized identity provider, instead of managing each administrator account separately in Identity Cloud.

The groups feature lets you add and remove administrators based on their group membership in your identity provider (for example, Microsoft Azure or AD FS).

Instead of inviting one administrator to your tenant at a time, you can invite a whole group of administrators at once. You can also specify the type of administrator access granted to the entire group.
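To make the group-based model concrete, the following is an added Python example and not ForgeRock code: it derives an administrator type from the groups asserted in an OIDC ID token and shows why removing a user from the group at the identity provider deprovisions them at their next login. The claim name `groups`, the group names, the issuer and the audience are all assumptions; the token's signature is assumed to have been verified already with a JOSE library against the identity provider's JWKS.

```python
"""Illustrative mapping from identity-provider groups to administrator type.

Added example, not ForgeRock Identity Cloud code. Models the behaviour the
page describes: an administrator's access type is derived from the groups
the identity provider asserts in the OIDC ID token, so removing the user
from the group at the IdP removes their access at the next login.
"""
import time
from typing import Optional

# Hypothetical IdP group -> administrator type mapping (assumed names).
GROUP_TO_ADMIN_TYPE = {
    "idcloud-super-admins": "super_administrator",
    "idcloud-tenant-admins": "tenant_administrator",
}

# If a user is in both groups, the more privileged type wins.
ADMIN_PRECEDENCE = ["super_administrator", "tenant_administrator"]

EXPECTED_ISSUER = "https://login.example.com/"     # assumed IdP issuer
EXPECTED_AUDIENCE = "identity-cloud-admin-client"  # assumed OIDC client_id


def validate_claims(claims: dict, now: Optional[float] = None) -> None:
    """Minimal ID-token checks that must pass before the groups claim is
    trusted. Signature verification is assumed to have happened already."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")


def admin_type_for(claims: dict, now: Optional[float] = None) -> Optional[str]:
    """Return the administrator type granted by the token's groups, or None
    when the user is in no mapped group (login to the admin UI is denied)."""
    validate_claims(claims, now)
    groups = set(claims.get("groups", []))
    granted = {GROUP_TO_ADMIN_TYPE[g] for g in groups if g in GROUP_TO_ADMIN_TYPE}
    for admin_type in ADMIN_PRECEDENCE:
        if admin_type in granted:
            return admin_type
    return None


# Constructed sample claims (not real tokens). NOW is fixed so the example
# is deterministic.
NOW = 1_700_000_000
BASE = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": NOW + 300}

SUPER_ADMIN = {**BASE, "sub": "alice", "groups": ["idcloud-super-admins", "staff"]}
BOTH_GROUPS = {**BASE, "sub": "bob",
               "groups": ["idcloud-tenant-admins", "idcloud-super-admins"]}
# Carol was removed from the admin group at the IdP: deprovisioned on next login.
DEPROVISIONED = {**BASE, "sub": "carol", "groups": ["staff"]}
EXPIRED = {**BASE, "sub": "dave", "exp": NOW - 1, "groups": ["idcloud-super-admins"]}


if __name__ == "__main__":
    for claims in (SUPER_ADMIN, BOTH_GROUPS, DEPROVISIONED):
        print(claims["sub"], "->", admin_type_for(claims, NOW))
    try:
        admin_type_for(EXPIRED, NOW)
    except ValueError as err:
        print("dave ->", err)
```

The point of the `DEPROVISIONED` case is that no change is made on the Identity Cloud side: the administrator simply no longer carries the mapped group, so the mapping yields no administrator type and the login is denied.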

Types of federation providers

ForgeRock supports federation using the OIDC standard.

On the Tenant Settings page, clicking + Identity Provider displays the Add Sign On Method page.

[Figure: the Add Sign On Method page]

This page lets you choose one of the following as a federation identity provider:

Types of administrators

You can assign the following types of administrators in Identity Cloud:

  • Super administrators: Administrators who can manage the tenant and the tenant administrators by:

    • Granting or revoking Super administrator rights to and from tenant administrators.

    • Enabling federation for a tenant.

    • Requiring some or all administrators in a tenant environment to use federation.

  • Tenant administrators: Administrators who can manage the tenant, but not tenant administrators.

To configure Identity Cloud to use federation, first set up a federation provider, then enable federation for your tenant environments. To deprovision a federated administrator, revoke the administrator’s access in your identity provider (for example, by removing them from the mapped group).

Copyright © 2010-2023 ForgeRock, all rights reserved.