Manage Your Tenant

The Identity Cloud Admin UI gives you a unified view of all the customer, workforce, and device profiles in your tenant. Use the Admin UI to manage all aspects of your tenant, including realms, identities, applications, user journeys, and password policy.

While Identity Cloud works with all supported browsers, administrative activity works best using Google Chrome.

Supported Browsers:
  • Chrome and Chromium, latest stable version

  • Firefox, latest stable version

  • Safari, latest stable version

  • Internet Explorer 11 and later

Tenant settings

The person who names the tenant becomes the tenant administrator. A tenant administrator is authorized to configure realm and tenant settings, and to invite others to become administrators.

By default, all tenant administrators have top-level administration permissions. These permissions are non-configurable.

In the Admin UI (upper right), open the Tenant menu, then click Tenant Settings.


View tenant details

  1. In the Admin UI (upper right), open the Tenant menu.


  2. Click Tenant Settings > Details.

    The Tenant Name is the identifier assigned to the tenant during onboarding and registration. This identifier is not configurable.

You’ll need these artifacts for making API calls to AM, or for extracting log data.

  1. In the Admin UI (upper right), open the Tenant menu.


  2. Click Tenant Settings > Global Settings.

    • Server
      The name of the iPlanetDirectoryPro cookie for your tenant.
      You can copy and paste this in a variety of calls in AM. (Example: OAuth 2.0 Auth Code flow)

    • Log API Keys
      You’ll need this to extract log data.

      • Click On, then click the arrow.

      • In the Log API Keys dialog box, click + New Log API Key.

      • In the New Log API Key dialog box, provide a name, and then click Create key.

      • Identity Cloud generates an api_key_id and an api_key_secret for you to copy and paste.

      • Click Done.

Tenant administrators

The individual authorized to set up your tenant is the tenant’s initial top-level administrator.

If you are the top-level administrator, you can invite others to become members of the Admins team to help you manage the tenant.

Edit your own admin profile

In the Admin UI (upper right), open the Tenant menu, then click your username.


On your admin profile page:

  • To edit your name or email address, click Edit Personal Info.
    Provide information, then click Save.

  • In the Account Security card:

    • To change your username, click Update.

      • Enter your current password, then click Next.

      • Enter your new username, then click Next.
        You’ll receive an email confirming your username has been changed.

    • To change your password, click Reset.

      • Enter your current password, then click Next.

      • Enter your new password, then click Next.
        You’ll receive an email confirming your password has been changed.

Invite other administrators

Send invitations to people when you want to authorize them to manage settings for your tenant.

  1. In the Admin UI (upper right), open the Tenant menu.

  2. Click Invite admins.

  3. In the Invite Admins dialog box, enter a comma-separated list of email addresses for the people you want to authorize.

  4. Click Send Invitations.
    Identity Cloud sends an email to each addressee. The invitation will contain instructions for the addressee to set up their administrator account.

After the invitee completes the instructions in the invitation email, the invitee becomes an Admin team member.

By default, Admin team members are authorized with the same permissions as a top-level administrator.

View the Admins list

From the Admins list, you can invite new admins, view an admin’s profile, and deactivate or delete an admin.

  1. In the Admin UI, click the tenant name to expand the settings menu.

  2. Click Tenant Settings > Admins.

    • To invite a new Admin, click Invite Admins.

    • To deactivate an admin, click Active, then click Deactivate.
      When you deactivate an admin, their status changes, but the admin remains on the Admins list.

    • To view an admin’s details, click More. Admin details are not configurable on this page. You can edit an admin’s user profile on the Manage Identities page.

    • To delete an admin, click Delete admin.

      When you delete an admin, their username is removed from the Admins list, and admin permissions are removed from their user profile. This operation cannot be undone!

Realms

Go to the Realms Settings page to view the status (active or inactive) of realms in your tenant, to customize the end-user UI theme, or to delete a realm.

Manage realm settings

  1. In the Admin UI (upper left), open the Realm menu.


  2. Go to Realm Settings > Details.

  3. On the Details page:

    • The Status bar indicates whether the realm is Active or Inactive.

    • To take the realm out of service, click Deactivate.
      When a realm is deactivated, users and devices contained in the realm will not be able to access its applications. Identity and app information is still registered to your identity platform.

    • Name: The realm name is non-configurable.

    • (Optional) DNS Aliases: Alternative display names for the realm URL.

    • Use Client-based Sessions: Enable this option to enable signing and encryption of the JWT in the global session service.

When you’re satisfied with your changes, click Save.

Override realm authentication attributes

This is useful when you want to adjust the core authentication properties that apply to a realm. For example, you might want to extend the time limit for responding to an authentication verification email. Use the AM Admin UI to make this kind of change.

  1. In the Identity Cloud Admin UI, click Native Consoles > Access Management.

  2. In the AM Admin UI, go to Authentication > Settings.

For detailed property information, see Core Authentication Attributes in the AM 7 Authentication and Single Sign-On Guide.

Delete a realm

  1. In the Admin UI (upper left), open the Realm menu.

  2. Go to Realm Settings > Details.

  3. On the Realm Details page, click Delete Realm.

Once you delete a realm, the realm cannot be restored.

Switch realms

Switch realms when you want to access identities or applications registered to a realm other than the current realm. You must have administrator permissions with the other realm before you can switch to it.

  1. In the Admin UI (upper left), open the Realm menu.

  2. Click Switch realm.

  3. In the Switch Realm dialog box, click Switch.

Once you have switched to another realm, you can view its status. If you have appropriate administrator permissions, you can edit realm settings.

About realms

A realm is a container that stores identities and applications within your tenant. By default, Identity Cloud creates one realm within your identity platform. You can have more than one realm. Realms help you organize identities into large and logical groupings.

For example, companies typically divide their identities into two divisions: one for employees, and a separate division for customers. Each division, or realm, contains its own set of identities and registered applications.

Each realm is fully self-contained and operates independently of other realms within your tenant. By default, users and devices in one realm cannot access identities or applications in another realm. Realms provide the means to keep customers from accessing employee information, while allowing employees conditional access to customer information. You can grant conditional access to individual employees by editing their user profiles.

Using a custom domain name

Create a custom domain name when you want to use a customer-friendly URL to access Identity Cloud. You can use your own company name or brand, for example, in place of the default forgerock.io domain.

When choosing a custom domain name, consider the following:

  • You can set a custom domain name only at the realm level.

  • You can set only one custom domain per realm.

  • The Admin UI will continue to display the URL
    https://openam-{yourcompanyname}.id.forgerock.io.

  • Don’t use your top-level domain name.

    • Wrong: mycompany.com

    • Right: id.mycompany.com

  • Changing your custom domain name affects your end-user UIs and REST APIs.

Create a custom domain name

Before you begin, open a new browser window and sign in to the website for your domain name provider. For these steps, keep Identity Cloud open in a separate browser window.

  1. In the Admin UI, go to Realm > Realm Settings > Custom Domains.

  2. Click + New Domain Name.

  3. In the New Domain Name dialog box, enter the domain name you want to use, then click Verify.
    The domain name must be unique, and must contain at least one period (dot).
    Example: id.mycompany.com.

    After Identity Cloud validates your domain name, you’re prompted to verify your domain name ownership. In the Verify Domain Name Ownership dialog box, Identity Cloud provides Host and Data information you’ll need to prove that you own the domain you’ve named.

  4. Create or modify your CNAME record.

    1. In a separate browser window, sign in to the website for your domain name registrar.

    2. Find the CNAME record for your domain.
      If you don’t already have a CNAME record for your domain, then follow the domain name provider’s instructions to create one now.

    3. In the CNAME record for your domain, copy and paste the Host and Data values provided in the Verify the Domain Ownership dialog box.

  5. In the Identity Cloud Admin UI, in the Verify the Domain Ownership dialog box, click Verify.

  6. After you’ve successfully created your custom domain name, take these next steps:

    • It may take up to 48 hours for the domain name changes to propagate. If you try to use the new domain name to access your website, error messages may display until the changes take effect.

    • To confirm that Identity Cloud is serving traffic over HTTPS (TLS) for your custom domain name, in a browser, go to your custom domain location. Example: https://id.mycompany.com.

    • To test the hosted pages, use an incognito or private browser window to access an end-user URL. Example: https://id.mycompany.com/login/?authIndexType=service&authIndexValue=mytreename#/

    • If error messages still display after 48 hours, make sure your Identity Cloud domain name settings are correct and match your CNAME record.
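The CNAME and HTTPS checks from the steps above can be scripted. This is an added example, not part of the Identity Cloud documentation. It assumes dig and openssl are installed, and the expected target is whatever Data value the Verify Domain Name Ownership dialog box gave you. A status of pending means no CNAME is visible yet (propagation), while mismatch means the record points somewhere other than the value Identity Cloud issued and should be corrected at your DNS provider.

```bash
#!/usr/bin/env bash
# Added example: compare a custom domain's CNAME with the expected Data value,
# then confirm a certificate valid for that hostname is served over TLS.

# Lowercase a DNS name and strip whitespace and the trailing root dot.
normalize_name() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Succeed only if a CNAME answer exists and equals the expected target.
cname_matches() {
  local expected actual
  expected=$(normalize_name "$1")
  actual=$(normalize_name "$2")
  [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Print ok, pending (no CNAME visible yet) or mismatch (wrong target).
cname_status() {
  if [ -z "$(normalize_name "$2")" ]; then
    echo pending
  elif cname_matches "$1" "$2"; then
    echo ok
  else
    echo mismatch
  fi
}

# Live check: needs network access, dig and openssl.
check_custom_domain() {
  local host="$1" expected="$2" answer status
  answer=$(dig +short CNAME "$host" | head -n 1)
  status=$(cname_status "$expected" "$answer")
  echo "CNAME $host -> ${answer:-<none>} [$status]"
  [ "$status" = ok ] || return 1
  # Fail on an untrusted chain or a certificate that does not cover $host.
  if openssl s_client -connect "$host:443" -servername "$host" \
       -verify_hostname "$host" -verify_return_error </dev/null >/dev/null 2>&1
  then echo "TLS certificate valid for $host"
  else echo "TLS check failed for $host"; return 1
  fi
}

# Usage: ./check_domain.sh id.mycompany.com <Data value from the dialog box>
if [ "$#" -eq 2 ]; then check_custom_domain "$1" "$2"; fi
```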

Customize a UI theme

You can use your own logo and preferred colors in the UI that your app users will see.

  1. In the Admin UI, click the realm name to expand the settings menu.

  2. Go to Realm Settings > Theme.

    • Realm Logo URL: Logo to use for all end-user UIs including consent pages and application pages. This URL can be overridden in the client application profile.

    • To customize the color of any of the following, enter a hexadecimal color code:

      • Sign-in Background Color

      • Button Color

      • Button Active Color

      • Button Text

    • Button Radius: To customize the size of the button radius, slide the slider to the right to make the button larger. Slide it to the left to make the button smaller.

    • (Optional) Sign-In Background Image: Enter the URL of an image you want to display in the background.

  3. When you’re satisfied with your changes, click Save.