Manage Your Tenant

The Identity Cloud Admin UI provides you a unified view of all the customer, workforce, and device profiles in your tenant. Use the Admin UI to manage all aspects of your tenant including: realms, identities, applications, user journeys, and password policy.

While Identity Cloud works with all supported browsers, administrative activity works best using Google Chrome.

Supported Browsers:
  • Chrome and Chromium, latest stable version

  • Firefox, latest stable version

  • Safari, latest stable version

  • Internet Explorer 11 and later

Tenant settings

View tenant details

  1. In the Admin UI (upper right), open the Tenant menu.

  2. Click Tenant Settings > Details.

    The Tenant Name is the identifier assigned to the tenant during onboarding and registration. This identifier is not configurable.

You’ll need these artifacts for making API calls to AM, or for extracting log data.

  1. In the Admin UI (upper right), open the Tenant menu.

  2. Click Tenant Settings > Global Settings.

    • Server
      The name of the iPlanetDirectoryPro cookie for your tenant.
      You can copy and paste this in a variety of calls in AM. (Example: OAuth 2.0 Auth Code flow)

    • Log API Keys
      You’ll need this to extract log data.

      • Click On, then click the arrow.

      • In the Log API Keys dialog box, click + New Log API Key.

      • In the New Log API Key dialog box, provide a name, and then click Create key.

      • Identity Cloud generates an api_key_id and an api_key_secret for you to copy and paste.

      • Click Done.
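
As an added example (not part of the Identity Cloud documentation), the shell functions below use a Log API key to pull log events. They assume the Identity Cloud REST endpoint `GET https://<tenant-fqdn>/monitoring/logs` with `x-api-key` / `x-api-secret` headers, the `source`, `beginTime`, `endTime` and `_pagedResultsCookie` query parameters, and a `pagedResultsCookie` field in each response page; the key material is read from the environment and passed to curl through `--config` on stdin so the secret never lands in shell history or the process list.

```shell
#!/bin/sh
# Added example (not from the Identity Cloud docs): pull log events with a Log API key.
# Assumed REST surface: GET https://<tenant-fqdn>/monitoring/logs with headers
# x-api-key / x-api-secret, query parameters source, beginTime, endTime and
# _pagedResultsCookie, and a pagedResultsCookie field in each response page.
set -eu

# Build the request URL; an empty fifth argument means "first page".
# Usage: build_logs_url TENANT_FQDN SOURCE BEGIN_TIME END_TIME [COOKIE]
build_logs_url() {
  url="https://$1/monitoring/logs?source=$2&beginTime=$3&endTime=$4"
  if [ -n "${5:-}" ]; then
    url="$url&_pagedResultsCookie=$5"
  fi
  printf '%s' "$url"
}

# Print the next-page cookie from a response body, or nothing on the last page
# (where the field is null rather than a string).
next_cookie() {
  printf '%s' "$1" |
    sed -n 's/.*"pagedResultsCookie":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Page through every event for one source, appending each raw JSON page to OUT_FILE.
# The api_key_id and api_key_secret come from the environment (LOG_API_KEY_ID,
# LOG_API_KEY_SECRET) and reach curl via --config on stdin, so the secret is not
# visible in shell history or in `ps` output.
# Usage: fetch_logs TENANT_FQDN SOURCE BEGIN_TIME END_TIME OUT_FILE
fetch_logs() {
  : "${LOG_API_KEY_ID:?set LOG_API_KEY_ID}" "${LOG_API_KEY_SECRET:?set LOG_API_KEY_SECRET}"
  cookie=""
  while :; do
    body=$(printf 'header = "x-api-key: %s"\nheader = "x-api-secret: %s"\n' \
             "$LOG_API_KEY_ID" "$LOG_API_KEY_SECRET" |
           curl -sS --fail --config - \
             "$(build_logs_url "$1" "$2" "$3" "$4" "$cookie")")
    printf '%s\n' "$body" >> "$5"
    cookie=$(next_cookie "$body")
    [ -n "$cookie" ] || break
  done
}

# Example invocation (constructed values): one hour of AM authentication events.
# LOG_API_KEY_ID=... LOG_API_KEY_SECRET=... \
#   fetch_logs example.forgeblocks.com am-authentication \
#     2024-01-01T00:00:00Z 2024-01-01T01:00:00Z am-auth.jsonl
```

Each appended line is one JSON page whose `result` array holds the events, so the output file can be post-processed with any JSON tool.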

Using Hosted Pages

Identity Cloud hosts default web pages you can use in end-user journeys. The pages are designed to help you quickly create and test common user self-service operations.

For example, the default login journey starts with a sign-in page for capturing username and password. The journey ends with the end-user’s profile page.

But, if you don’t want to risk exposing information contained in the default end-user profile, you can deactivate its hosted page. Then you can use the ForgeRock SDKs or your own APIs to create and host your own custom web pages.

When the Hosted Pages option is deactivated, this web page is displayed to unauthorized users:

By deactivating the default end-user profile, you can still use the hosted end-user journey UI, while denying unauthorized access to end-user profiles. Your customers manage only their own profiles, or delegate administration, using your application.

When you deactivate hosted pages, all hosted pages associated with your tenant are deactivated.

See the Journeys page for brief videos that demonstrate how hosted pages are integrated into default journeys.

Activate or Deactivate Hosted Pages

  1. In the Identity Cloud Admin UI, open the Tenant menu and go to Tenant Settings > Global Settings.

  2. Click Hosted Pages.

  3. On the Hosted Pages page:

    • To activate hosted pages, click Activate.

    • To deactivate hosted pages, click Deactivate.

The change takes effect immediately.

Administrator settings

If you are the top-level administrator, you can invite others to become members of the Admins team to help you manage the tenant.

Edit your own admin profile

In the Admin UI (upper right), open the Tenant menu, then click your username.

On your admin profile page:

  • To edit your name or email address, click Edit Personal Info.
    Provide information, then click Save.

  • In the Account Security card:

    • To change your username, click Update.

      • Enter your current password, then click Next.

      • Enter your new username, then click Next.
        You’ll receive an email confirming your username has been changed.

    • To change your password, click Reset.

      • Enter your current password, then click Next.

      • Enter your new password, then click Next.
        You’ll receive an email confirming your password has been changed.

  • By default, 2-Step Verification is enabled.
    For more information, see Manage admin 2-step verification.

Manage admin 2-step verification

2-Step verification, also known as multifactor authentication (MFA), prevents unauthorized actors from signing in as admins by asking for another factor at authentication.

Identity Cloud provides two ways admins can sign in with a second factor:

When you sign in as an admin for the first time, Identity Cloud offers you choices, and guides you through the device registration process.

During registration, Identity Cloud displays 10 Verification codes. Be sure to copy the codes and store them in a secure location.

  • You’ll use the verification codes as recovery codes if you cannot use your registered device to sign in.

  • You can use each verification code only once. Then, the code expires.

  • If, for some reason, you need to re-register a device, first delete your previously registered device.

Change 2-Step verification options

  1. Open your Admin user profile.
    In the Admin UI, open the Tenant menu and choose your Admin username.

  2. On your Admin user profile page, find 2-Step Verification and click Change.

    The 2-Step/Push Authentication page lists devices you’ve registered for MFA.

    To delete a device, click its More menu, and choose Delete.

    • When you delete a device from the list, 2-step or push authentication is disabled. You cannot undo the delete operation.

    • Once you sign out and attempt to sign back in again, you will be asked if you want to set up a second factor.

Invite other administrators

Send invitations to people when you want to authorize them to manage settings for your tenant.

  1. In the Admin UI (upper right), open the Tenant menu.

  2. Click Invite admins.

  3. In the Invite Admins dialog box, enter a comma-separated list of email addresses for the people you want to authorize.

  4. Click Send Invitations.
    Identity Cloud sends an email to each addressee. The invitation will contain instructions for the addressee to set up their administrator account.

After the invitee completes the instructions in the invitation email, the invitee becomes an Admin team member.

By default, Admin team members are authorized with the same permissions as a top-level administrator.

View the Admins list

From the Admins list you can invite new Admins, view an admin’s profile, deactivate, or delete an admin.

  1. In the Admin UI, click the tenant name to expand the settings menu.

  2. Click Tenant Settings > Admins.

    • To invite a new Admin, click Invite Admins.

    • To deactivate an admin, click Active, then click Deactivate.
      When you deactivate an admin, their status changes, but the admin remains on the Admins list.

    • To view an admin’s details, click More. Admin details are not configurable on this page. You can edit an admin’s user profile on the Manage Identities page.

    • To delete an admin, click Delete admin.

      When you delete an admin, their username is removed from the Admins list, and admin permissions are removed from their user profile. This operation cannot be undone!

Realm settings

See Realms for background on realms.

Go to the Realms Settings page to view the status (active or inactive) of realms in your tenant, to customize the end-user UI theme, or to delete a realm.

Manage realm settings

  1. In the Admin UI (upper left), open the Realm menu.

  2. Go to Realm Settings > Details.

  3. On the Details page:

    • The Status bar indicates whether the realm is Active or Inactive.

    • To take the realm out of service, click Deactivate.
      When a realm is deactivated, users and devices contained in the realm will not be able to access its applications. Identity and app information is still registered to your identity platform.

    • Name: The realm name is non-configurable.

    • (Optional) DNS Aliases: Alternative display names for the realm URL.

    • Use Client-based Sessions: Select this option to enable signing and encryption of the session JWT in the global session service.

When you’re satisfied with your changes, click Save.

Override realm authentication attributes

Override realm authentication attributes when you want to adjust the core authentication properties that apply to a realm. For example, you might want to extend the time limit for responding to an authentication verification email. Use the AM Admin UI to make this kind of change.

  1. In the Identity Cloud Admin UI, click Native Consoles > Access Management.

  2. In the AM Admin UI, go to Authentication > Settings.

For detailed property information, see Core Authentication Attributes in the AM 7 Authentication and Single Sign-On Guide.

Delete a realm

  1. In the Admin UI (upper left), open the Realm menu.

  2. Go to Realm Settings > Details.

  3. On the Realm Details page, click Delete Realm.

Once you delete a realm, the realm cannot be restored.

Switch realms

Switch realms when you want to access identities or applications registered to a realm other than the current realm. You must have administrator permissions with the other realm before you can switch to it.

  1. In the Admin UI (upper left), open the Realm menu.

  2. Click Switch realm.

  3. In the Switch Realm dialog box, click Switch.

Once you have switched to another realm, you can view its status. If you have appropriate administrator permissions, you can edit realm settings.

Using a custom domain name

Configure a custom domain name when you want to use a customer-friendly URL to access Identity Cloud. You can use your own company name or brand, for example, in place of the default forgerock.io domain.

When choosing a custom domain name, consider the following:

  • You can set a custom domain name only at the realm level.

  • You can set multiple custom domain names per realm.

  • The Admin UI will continue to display the URL
    https://openam-{yourcompanyname}.id.forgerock.io.

  • Don’t use your top-level domain name.

    • Wrong: mycompany.com

    • Right: id.mycompany.com

  • Changing your custom domain name affects your end-user UIs and REST APIs.

Configure a custom domain

Before you begin, open a new browser window and sign in to the website for your domain name provider. For these steps, keep Identity Cloud open in a separate browser window.

  1. In the Admin UI, go to Realm > Realm Settings > Custom Domain.

  2. Click + Add a Custom Domain.

  3. In the Add a Custom Domain dialog box, enter the domain name you want to use, then click Verify.
    The domain name must be unique, and must contain at least one period (dot).
    Example: id.mycompany.com.

    After Identity Cloud validates your domain name, you’re prompted to verify your domain name ownership. In the Verify Domain Name Ownership dialog box, Identity Cloud provides Host and Data information you’ll need to prove that you own the domain you’ve named.

  4. Create or modify your CNAME record.

    1. In a separate browser window, sign in to the website for your domain name registrar.

    2. Find the CNAME record for your domain.
      If you don’t already have a CNAME record for your domain, then follow the domain name provider’s instructions to create one now.

    3. In the CNAME record for your domain, copy and paste the Host and Data values provided in the Verify the Domain Ownership dialog box.

    4. Follow the domain name provider’s instructions to complete the operation.
      It may take up to 48 hours for the domain name changes to propagate.

  5. Return to the Verify the Domain Ownership dialog box. Click Verify.

  6. Configure the Base URL Source.

    1. Go to Native Consoles > Access Management.

    2. From the Realms menu, choose the realm that contains the custom domain name.

    3. On the Services page, click Base URL Source to edit its configuration.

    4. On the Base URL Source page, change the Base URL Source option to
      "Host/protocol from incoming request".

    5. Click Save Changes.

  7. Next steps, after you’ve successfully configured your custom domain:

    • It may take up to 48 hours for the domain name changes to propagate. If you try to use the new domain name to access your website, error messages may display until the changes take effect.

    • To confirm that Identity Cloud is serving traffic over HTTPS (TLS) for your custom domain name, in a browser, go to your custom domain location. Example: https://id.mycompany.com.

    • To test the hosted pages, use an incognito or private browser window to access an end-user URL. Example:
      https://id.mycompany.com/login/?authIndexType=service&authIndexValue=mytreename#/

    • If error messages still display after 48 hours, make sure your Identity Cloud domain name settings are correct and match your CNAME record.
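
The checks in the next steps above (the CNAME record matching the Host and Data values, and HTTPS being served for the custom domain) can be scripted; the functions below are an added example, not part of the Identity Cloud documentation. They rely on dig(1) and openssl(1), and the expected CNAME target passed in is the Data value from the Verify Domain Ownership dialog (shown as a placeholder).

```shell
#!/bin/sh
# Added example (not from the Identity Cloud docs): check a custom domain's CNAME record
# and TLS certificate once the DNS change has propagated. Relies on dig(1) and
# openssl(1); EXPECTED_TARGET is the Data value from the Verify Domain Ownership dialog.
set -eu

# Compare two DNS names the way a resolver does: case-insensitive, trailing dot optional.
# Usage: same_dns_name NAME1 NAME2
same_dns_name() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ "$a" = "$b" ]
}

# Succeed if SAN_TEXT (output of `openssl x509 -noout -ext subjectAltName`) lists DOMAIN
# exactly or through a single-label wildcard such as *.mycompany.com.
# Usage: san_covers DOMAIN SAN_TEXT
san_covers() {
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  parent=${domain#*.}
  case $parent in *.*) ;; *) parent="" ;; esac   # a bare TLD never gets a wildcard match
  printf '%s\n' "$2" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' | tr 'A-Z' 'a-z' |
    while read -r name; do
      if [ "$name" = "$domain" ] || { [ -n "$parent" ] && [ "$name" = "*.$parent" ]; }; then
        echo match
        break
      fi
    done | grep -q match
}

# Live check: the CNAME for DOMAIN must point at EXPECTED_TARGET, and the certificate
# served on DOMAIN:443 must cover DOMAIN. Usage: check_custom_domain DOMAIN EXPECTED_TARGET
check_custom_domain() {
  actual=$(dig +short CNAME "$1" | head -n 1)
  if same_dns_name "$actual" "$2"; then
    echo "CNAME ok: $1 -> $actual"
  else
    echo "CNAME mismatch for $1: got '${actual:-none}', expected '$2'"; return 1
  fi
  san=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -ext subjectAltName)
  if san_covers "$1" "$san"; then
    echo "TLS ok: certificate covers $1"
  else
    echo "TLS problem: certificate served on $1 does not cover it"; return 1
  fi
}
# Example (constructed values): check_custom_domain id.mycompany.com <data-value-from-dialog>
```

A CNAME mismatch usually means the registrar change has not propagated yet or the Host value was pasted into the wrong record; a SAN failure means the certificate has not yet been issued for the new name.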

Customize a UI theme

You can use your own logo and preferred colors in the UI that your app users will see.

  1. In the Admin UI, click the realm name to expand the settings menu.

  2. Go to Realm Settings > Theme.

    • Realm Logo URL: Logo to use for all end-user UIs including consent pages and application pages. This URL can be overridden in the client application profile.

    • To customize the color of any of the following, enter a hexadecimal color code:

      • Sign-in Background Color

      • Button Color

      • Button Active Color

      • Button Text

    • Button Radius: To customize the size of the button radius, slide the slider to the right to make the button larger. Slide it to the left to make the button smaller.

    • (Optional) Sign-In Background Image: Enter the URL of an image you want to display in the background.

  3. When you’re satisfied with your changes, click Save.