Identity Cloud

Administrator federation

Administrator federation allows administrators to use single sign-on (SSO) to log in to an Identity Cloud tenant.

By using federation to authenticate your administrators to Identity Cloud, you can quickly and easily deprovision users by going to your centralized identity provider and removing that user’s access.

Types of federation providers

ForgeRock supports federation using the OIDC standard:

  • Azure Active Directory: Microsoft’s Azure Active Directory (Azure AD) pre-configured with OpenID Connect. For more information, refer to What is Azure Active Directory?.

  • Active Directory Federation Services: Microsoft’s Active Directory Federation Services (ADFS) pre-configured with OpenID Connect. For more information, refer to Active Directory Federation Services.

Types of administrators

You can assign the following types of administrators in Identity Cloud:

  • Super administrators: Administrators that can manage the tenant and tenant administrators:

    • Granting or revoking Super administrator rights to and from tenant administrators.

    • Enabling federation for a tenant.

    • Requiring some or all administrators in a tenant to use federation.

  • Tenant administrators: Administrators that can manage the tenant, but not tenant administrators.

To configure Identity Cloud to use federation providers, you first need to set up a federation provider. Then, you need to enable federation for your tenants. Afterwards, to deprovision an administrator, revoke the administrator’s access.

Set up a federation provider

For the latest documentation for Microsoft Azure or Microsoft ADFS, please refer to Microsoft documentation.

Set up Microsoft ADFS as a federation identity provider

Prerequisites

Before setting up Microsoft ADFS as a federation identity provider, make sure the following requirements are met:

To use Microsoft ADFS as a federation identity provider, you need to create a Relying Party Trust. The trust is a set of identifiers, names, and rules that identify the partner or web application to the Federation Service.

Afterwards, you need to create an application group that uses single sign-on (SSO) to access systems that are outside the corporate firewall.

Create a Relying Party Trust

  1. Open the Server Manager console.

  2. In AD FS Management, select Tools > AD FS.

  3. On the AD FS dialog, in the left panel, click Relying Party Trusts.

  4. In the Actions pane, select Add Relying Party Trust.

  5. Complete the Add Relying Party Trust wizard as follows:

    1. On the Welcome page, select Claims aware.

    2. On the Select Data Source page, select Enter data about the relying party manually.

    3. On the Specify Display Name page, enter a display name.

    4. Step through the wizard until you reach the Configure Identifiers page.

    5. On the Configure Identifiers page, add your tenant URLs as the relying party trust identifiers:

      • For a demo or sandbox environment: https://openam-your-env.forgeblocks.com/am.

      • For a customer environment: https://openam-your-env.id.forgerock.io/am.

    6. On the Choose Access Control Policy page, select the appropriate settings according to your corporate policy.

    7. Step through the wizard until you reach the Finish page.

    8. Complete the wizard.

Create an Application Group

  1. In the AD FS editor, select Application Groups.

  2. In the Actions pane, select Add Application Group.

  3. Complete the Add Application Groups wizard as follows:

    1. On the Welcome page, provide a name and a description, and select the Server application accessing a web API template.

    2. On the Server application page:

      • Accept the proposed Name.

      • Note the Client Identifier.

      • Add these tenant Redirect URIs, and click Next:

        • For a demo or sandbox environment: https://openam-your-env.forgeblocks.com/login/admin.

        • For a customer environment: https://openam-your-env.id.forgerock.io/login/admin.

    3. On the Configure Application Credentials page:

      • Select Generate a shared secret.

      • Use the Copy to clipboard button to copy the secret.

    4. Click Next.

    5. On the Configure Web API page, add the client identifier you noted earlier.

    6. Click Next.

    7. On the Choose Access Control Policy page, select the appropriate settings according to your corporate policy.

    8. Click Next.

    9. On the Configure Application Permissions page, check the following permitted scopes:

      • allatclaims

      • email

      • openid

      • profile

    10. Click Next.

    11. On the Summary page, review your selections.

    12. Click Next.

    13. On the Complete page, select Close.

Include additional identity claims in tokens

Perform the following steps to instruct Microsoft ADFS to include the additional identity claims that Identity Cloud requires in the tokens it issues.

  1. In the AD FS editor, select Application Groups.

  2. In the Actions pane, select Add Application Group.

  3. Double-click your application group.

  4. In the Applications section, in the Web API area, select your application, and click Edit.

  5. Click the Issuance Transform Rules tab.

  6. Click Add Rule.

  7. To include Active Directory attributes of the users that are accessing Identity Cloud, in the Claim rule template drop-down field, select Send LDAP Attributes as Claims.

  8. In the Claim rule name field, enter a name for the claim rule. For example, enter Profile Attributes.

  9. In the Attribute store drop-down field, select Active Directory.

  10. To map LDAP attributes to name spaces in Identity Cloud, in the Mapping of LDAP attributes to outgoing claim types section:

    1. In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select E-Mail Addresses.

    2. In the Outgoing Claim Type (Select or type to add more) column, enter mail.

    3. In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select Given-Name.

    4. In the Outgoing Claim Type (Select or type to add more) column, enter givenName.

    5. In the LDAP Attribute (Select or type to add more) column, click the drop-down field and select Surname.

    6. In the Outgoing Claim Type (Select or type to add more) column, enter sn.

  11. Click Finish.

  12. On the Issuance Transform Rules tab, click Apply.

  13. Click OK.

  14. Click OK again.
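To confirm that the claim rule above actually delivers the mail, givenName and sn claims (and that the token comes from the expected issuer for your Client Identifier), here is an added check script. It is not part of the ForgeRock documentation; the issuer, client identifier and user values are constructed placeholders, and the script only inspects the token payload, it does not verify the signature.

```python
"""Added example: decode an ADFS token payload (no signature check here)
and confirm the claims Identity Cloud expects are present."""
import base64
import json

# Outgoing claim types configured in the Send LDAP Attributes as Claims rule
REQUIRED_CLAIMS = ("mail", "givenName", "sn")

def decode_jwt_payload(token):
    """Return the payload of a compact JWT as a dict. This only inspects the
    token; verifying its signature against the issuer's keys is a separate step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_problems(token, expected_issuer, client_id):
    """List problems with the token: missing profile claims, unexpected issuer,
    or an aud that does not contain the Client Identifier noted earlier."""
    claims = decode_jwt_payload(token)
    problems = ["missing claim " + c for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("iss") != expected_issuer:
        problems.append("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("client identifier not in aud")
    return problems

def make_unsigned_token(claims):
    """Build a constructed, unsigned test token so the check runs offline.
    Real tokens are signed; nothing here trusts the signature either way."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."

if __name__ == "__main__":
    # Constructed sample: placeholder issuer and client identifier
    tok = make_unsigned_token({"iss": "https://adfs.example.test/adfs", "aud": "CLIENT-ID-PLACEHOLDER",
                               "mail": "admin@example.test", "givenName": "Ada", "sn": "Lovelace"})
    print(token_problems(tok, "https://adfs.example.test/adfs", "CLIENT-ID-PLACEHOLDER"))  # prints []
```

Paste a real ID token from a test login in place of the constructed one; an empty list means the claim rule and the application group are wired up as described.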

Obtain the well-known endpoint for the ADFS OpenID Connect service

  1. In the AD FS editor, select Service > Endpoints.

  2. In the middle pane, scroll down to the OpenID Connect section.

  3. In the OpenID Connect section, note the URL path. The well-known endpoint URL is the host name of the machine running ADFS followed by the URL path you just noted.

Set up Microsoft Azure AD as a federation identity provider

Prerequisites

Before setting up Microsoft Azure AD as a federation identity provider, make sure the following requirements are met:

Configure Microsoft Azure AD as a federation provider

  1. In a browser, navigate to the Microsoft Azure portal dashboard.

  2. On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.

  3. Click + New registration.

  4. On the Register an application page, enter the application Name.

  5. Select one or more Supported account types.

  6. In the Redirect URI (optional) section, select Web from the drop-down list.

  7. Enter the Redirect URI (from the Redirect URL field on the Identity Cloud Azure page).

  8. Click Register.

  9. Click Add a certificate or secret.

  10. Add a new client secret.

  11. Copy or make note of your application client ID and client secret.

  12. Save your changes.

  13. On the Azure Active Directory admin center page, navigate to Azure Active Directory > App registrations.

  14. Click Endpoints at the top of the page.

  15. Make note of your OpenID Connect metadata document endpoint, ensuring it contains your Azure tenant ID. For example: https://login.microsoftonline.com/XXXXXX/v2.0/.well-known/openid-configuration.

Enable federation for your tenant

After you set up a federation provider, you can allow Identity Cloud to use the provider to federate administrators. A super administrator can enable a federation provider (Microsoft Azure, Microsoft ADFS, or OIDC) for an Identity Cloud tenant.

  1. In Identity Cloud, navigate to Tenant settings.

  2. Click Federation.

  3. Click + Identity Provider.

  4. Select the federation provider to use:

    • Microsoft Azure

    • ADFS

  5. Click Next.

  6. Follow the steps on the Configure Application page and click Next.

  7. On the Identity Provider Details page, complete the following fields:

    • Name: The name of the provider.

    • Application ID: The ID for the application.

    • Application Secret: The client secret for the application.

    • Well-known Endpoint:

      • If you are setting up Azure, this is the URL from the OpenID Connect metadata document field. In the URL, make sure to replace organization with the actual tenant ID for your tenant.

      • If you are setting up ADFS, this is the endpoint from the OpenID Connect section.

    • Authorization Endpoint: Automatically obtained from the Well-known Endpoint field value.

    • Token Endpoint: Automatically obtained from the Well-known Endpoint field value.

    • User Info Endpoint: (Azure only) Automatically obtained from the Well-known Endpoint field value.

    • Button Text: The text for the application button.

  8. Click Save.
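Because Identity Cloud derives the authorization, token and (for Azure) user info endpoints from whatever well-known URL you enter, it is worth checking that URL and the discovery document behind it first: that it uses https, that an Azure URL carries the real tenant ID rather than a multi-tenant placeholder, and that the document's issuer actually owns the URL (OIDC Discovery requires the well-known URL to be the issuer plus /.well-known/openid-configuration). The script below is an added example, not ForgeRock code; the ADFS host and discovery document are constructed placeholders, and it also covers the ADFS "host plus path" rule from the Obtain the well-known endpoint section above.

```python
"""Added example: check a well-known endpoint URL and the discovery document
behind it before entering them on the Identity Provider Details page."""
import json
from urllib.parse import urlparse

SUFFIX = "/.well-known/openid-configuration"
# Multi-tenant placeholders that must not stand in for the Azure tenant ID
AZURE_PLACEHOLDERS = {"common", "organizations", "organization", "consumers"}

def adfs_wellknown_url(adfs_host, url_path):
    """ADFS: the well-known URL is the ADFS host plus the path noted under Service > Endpoints."""
    return "https://" + adfs_host + url_path

def check_wellknown_url(url, provider):
    """Return a list of problems with the URL; an empty list means it looks right."""
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append("well-known URL must use https")
    if not p.path.endswith(SUFFIX):
        problems.append("path must end with " + SUFFIX)
    if provider == "azure":
        segments = [s for s in p.path.split("/") if s]
        tenant = segments[0] if segments else ""
        if tenant.lower() in AZURE_PLACEHOLDERS:
            problems.append("replace '%s' with your Azure tenant ID" % tenant)
    return problems

def endpoints_from_discovery(doc_json, wellknown_url, provider):
    """Extract the endpoints Identity Cloud derives automatically and verify that
    the issuer in the document owns the well-known URL (OIDC Discovery rule:
    well-known URL = issuer + /.well-known/openid-configuration)."""
    doc = json.loads(doc_json)
    issuer = doc["issuer"].rstrip("/")
    if wellknown_url != issuer + SUFFIX:
        raise ValueError("issuer %s does not match well-known URL %s" % (issuer, wellknown_url))
    wanted = ["authorization_endpoint", "token_endpoint"]
    if provider == "azure":
        wanted.append("userinfo_endpoint")  # User Info Endpoint is Azure only on this page
    found = {}
    for key in wanted:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(key + " is not an https URL")
        found[key] = doc[key]
    return found
```

Run check_wellknown_url on the URL you intend to paste, then fetch that URL and pass the JSON body to endpoints_from_discovery; the returned dictionary holds the values that should appear in the Authorization, Token and User Info Endpoint fields.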

Managing your client secrets

Create a new client secret

If you have set up Microsoft Azure or Microsoft ADFS as a federation provider, you must create and use a new client secret before the old one expires.

  1. In your provider, create a new client secret:

Update a client secret in the tenant UI

  1. To perform the following steps, you must be a super administrator in a tenant where federation is enabled. In Identity Cloud, navigate to Tenant settings.

  2. Click Federation.

  3. On the Identity Provider Details page, add the new client secret to the Application Secret field.

  4. Click Save.

Grant or revoke super administrator access

To perform the following steps, you must be a super administrator in a tenant where federation is enabled.

  • To grant super or tenant administrator privileges to new administrators:

    1. When you invite tenant administrators, on the Invite admins dialog box, before sending the invitation, select either Super Admin or Tenant Admin. When the invitee receives the invitation email, they must follow the steps in the email to Register as an administrator.

  • To grant or revoke super administrator privileges to existing administrators:

    1. Navigate to Tenant Settings > Admins.

    2. Click an administrator.

    3. In the Group section, click Edit.

    4. On the Edit Group page:

      • To grant super administrator access, select Super Admin.

      • To grant tenant administrator access, select Tenant Admin.

    5. Click Save.

Register as an administrator

If you are added as an administrator to an Identity Cloud tenant, you receive an email that prompts you to complete the registration process. Afterwards, you can perform various tasks as mentioned in Types of administrators.

  1. As an administrator, when you receive the Complete the ForgeRock Identity Cloud registration email, click Complete Registration.

  2. Perform one of the following sets of steps:

    • To use your email and password to register with Identity Cloud, on the Complete Registration page:

      1. Enter your email address, first name, last name, and your password.

      2. Click Next.

      3. Choose a country of residency, accept ForgeRock’s privacy policy, and click Next.

      4. Choose to set up 2-step verification or skip this option. You should now see the Identity Cloud dashboard.

    • To use Microsoft Azure or Microsoft ADFS to register with Identity Cloud, on the Complete Registration page:

      1. Choose to continue with Microsoft ADFS or Microsoft Azure.

      2. Enter your credentials and log in.

      3. Choose a country of residency, accept ForgeRock’s privacy policy, and click Next. You should now see the Identity Cloud dashboard.

Set federation login requirements

After adding administrators, you need to configure how the administrators sign in to the federation-enabled tenant.

To perform the following steps, you must be a super administrator in a tenant where federation is enabled.

  1. To apply federation to Identity Cloud administrators, in Tenant settings, click the Federation tab.

  2. In the Enforcement section, click Edit.

  3. On the Edit Tenant Federation Enforcement page, select one of the following items:

    • Optional for All Admins: Allow all administrators to use either their ForgeRock credentials or federation to sign in.

    • Required for All Admins Except Super Admins: Require all administrators who are not super administrators to use federation to sign in. Super admins can use their ForgeRock credentials or federation to sign in.

    • Required for All Admins: Require all admins to use federation to sign in. If you choose this option, to switch to a lower enforcement level, you must log a support ticket.

  4. Click Update. It may take about ten minutes for the changes to take effect.

  5. On the Change Federation Enforcement? modal:

    • To confirm your changes, click Confirm.

    • To cancel your changes, click Cancel.

Activate or deactivate a federation provider

As a super administrator, you can activate or deactivate a federation provider.

You may want to activate a federation provider if this is the first time you are setting up federation for a tenant. You may want to deactivate a federation provider if the provider is experiencing technical issues. If you deactivate all federation providers for a tenant, administrators can no longer use federation to log into the tenant.

To perform the following steps, you must be a super administrator in a tenant where federation is enabled.

You can only deactivate a federation IdP if one of the following is true:

  • Optional for All Admins is selected on the Edit Tenant Federation Enforcement page.

  • More than one federation IdP is enabled in the Identity Cloud tenant.

  1. In Identity Cloud, navigate to Tenant settings.

  2. Click Federation.

  3. Perform one of the following actions:

    • To activate a federation IdP, to the right of a deactivated federation IdP, click More, and select Activate.

    • To deactivate a federation IdP, to the right of a deactivated federation IdP, click More, and select Deactivate.

Remove an administrator from a tenant

To prevent administrators from logging in to Identity Cloud, remove them in your identity provider; their federated access to the tenant is then revoked automatically.

Copyright © 2010-2023 ForgeRock, all rights reserved.