Identity Cloud

Tenant administrator settings

Types of administrators

There are two types of administrator in Identity Cloud:

  • Tenant administrator: An administrator that can manage realm settings and most tenant settings except for those related to managing other tenant administrators. All tenant administrator identities get the same realm permissions, and these are not configurable.

  • Super administrator: A tenant administrator with the following elevated permissions:

    • Invite tenant administrators.

    • Grant or revoke super administrator privileges to and from tenant administrators.

    • Enable federation for a tenant.

    • Enforce federation for some or all administrators in a tenant.

The tenant provisioning process initially creates a single super administrator.

Register as an administrator

Action allowed? Tenant administrators: Yes. Super administrators[1]: Yes.

If you are added as an administrator to an Identity Cloud tenant, you receive an email that prompts you to complete the registration process.

  1. When you receive the Complete the ForgeRock Identity Cloud registration email, click Complete Registration.

  2. Perform one of the following sets of steps:

    • To use your email and password to register with Identity Cloud, on the Complete Registration page:

      1. Enter your email address, first name, last name, and your password.

      2. Click Next.

      3. Choose a country of residency, accept ForgeRock’s privacy policy, and click Next.

      4. Choose to set up 2-step verification or skip this option. You should now see the Identity Cloud dashboard.

    • To use Microsoft Azure or AD FS to register with Identity Cloud, on the Complete Registration page:

      1. Choose to continue with Microsoft Azure or AD FS.

      2. Enter your credentials and log in.

      3. Choose a country of residency, accept ForgeRock’s privacy policy, and click Next. You should now see the Identity Cloud dashboard.

Tenant administrator sign-in

Action allowed? Tenant administrators: Yes. Super administrators[1]: Yes.

Tenant administrators access their sign-in page using a URL that specifies the realm as a forward slash:

  • https://<tenant-env-fqdn>/login/?realm=/#/

Upon successful authentication, a tenant administrator is automatically switched to the Alpha realm.

Multiple failed authentication attempts cause Identity Cloud to lock out a tenant administrator. For information about how to unlock an administrator’s account, refer to Unlock a tenant administrator’s account.

Edit your own tenant administrator profile

Action allowed? Tenant administrators: Yes. Super administrators[1]: Yes.

In the Identity Cloud admin UI, open the Tenant menu (upper right), and click your username.

On your tenant administrator profile page:

  • To edit your name or email address, click Edit Personal Info.
    Provide the information, then click Save.

  • In the Account Security card:

    • To change your username, click Update.

      • Enter your current password, then click Next.

      • Enter your new username, then click Next.
        You’ll receive an email confirming your username has been changed.

    • To change your password, click Reset.

      • Enter your current password, then click Next.

      • Enter your new password, then click Next.
        You’ll receive an email confirming your password has been changed.

    • By default, 2-Step Verification is enabled.
      For more information, refer to Manage tenant administrator 2-step verification.

  • To view the social identity providers you can use to log into your account, view the Social Sign-in card.

  • To view the devices that have accessed your account, view the Trusted Devices card.

  • To view the applications you have granted access to your account, view the Authorized Applications card.

  • To download your account data, in the Account Controls card, beside Download your data, click the downward pointing arrow, and click Download.

  • To delete your account data, in the Account Controls card, beside Delete account, click the downward pointing arrow, and click Delete Account.

Invite tenant administrators

Action allowed? Tenant administrators: No. Super administrators[1]: Yes.

Send invitations to people when you want to authorize them to manage settings for your tenant.

  1. In the Identity Cloud admin UI (upper right), open the Tenant menu.

  2. Click Invite admins.

  3. In the Invite Admins dialog box, enter a comma-separated list of email addresses for the people you want to authorize.

  4. Grant people specific administrator access by selecting either Super Admin or Tenant Admin.

  5. Click Send Invitations.
    Identity Cloud sends an email to each address, containing instructions to set up an administrator account.

After the invitee completes the instructions in the invitation email, the invitee becomes an administrator.

View the tenant administrators list

Action allowed? Tenant administrators: No. Super administrators[1]: Yes.

From the tenant administrators list, you can invite new tenant administrators, deactivate tenant administrators, or delete tenant administrators.

  1. In the Identity Cloud admin UI, click the tenant name to expand the settings menu.

  2. Click Tenant Settings > Admins.

    • To invite a new tenant administrator:

    • To deactivate a tenant administrator:

      • Find an administrator with the label Active.

      • Click More, and select Deactivate.

    • To delete a tenant administrator, click More, and select Delete.

      When you deactivate a tenant administrator, their status changes, but they remain on the tenant administrators list.

      When you delete a tenant administrator, their username is removed from the tenant administrators list, and tenant administrator permissions are removed from their user profile. This operation cannot be undone!

Unlock a tenant administrator’s account

Action allowed? Tenant administrators: No. Super administrators[1]: Yes.

If Identity Cloud locks out one of your company’s tenant administrators due to multiple failed login attempts, the account can be unlocked.

If your organization has multiple tenant administrators, another tenant administrator can unlock the account:

  1. In the Identity Cloud admin UI, open the Tenant menu (upper right), and click your username.

  2. Click Tenant Settings > Admins.

  3. Find the entry for the administrator who was locked out.

  4. In the same row, click More and choose Activate.

If your organization does not have multiple tenant administrators, submit a ForgeRock Support ticket.

Grant or revoke super administrator access

Action allowed? Tenant administrators: No. Super administrators[1]: Yes.

To grant or revoke super administrator privileges:

  1. Go to Tenant Settings > Admins.

  2. Click an administrator.

  3. In the Group section, click Edit.

  4. On the Edit Group page:

    • To grant super administrator access, select Super Admin.

    • To grant tenant administrator access, select Tenant Admin.

  5. Click Save.

Manage tenant administrator 2-step verification

Action allowed? Tenant administrators: Yes. Super administrators[1]: Yes.

2-step verification, also known as multifactor authentication (MFA), prevents unauthorized actors from signing in as a tenant administrator by asking for a second factor of authentication.

Identity Cloud provides tenant administrators with the following second factor options:

Register for 2-step verification

You can register for 2-step verification when you sign in as a tenant administrator for the first time:

  • Click Set up to let Identity Cloud guide you through the device registration process.

  • Alternatively, click Skip for now to temporarily skip registration for 2-step verification.

    The option to skip registration for 2-step verification is a deprecated feature, and soon 2-step verification will be mandatory in all tenants. To understand if this affects you, read the Tenant administrator mandatory 2-step verification FAQ.

Manage verification codes

During registration for 2-step verification, Identity Cloud displays 10 verification codes.

Be sure to copy the codes and store them in a secure location.

  • You’ll use the verification codes as recovery codes if you cannot use your registered device to sign in.

  • You can use each verification code only once. Then, the code expires.

  • If, for some reason, you need to re-register a device, first delete your previously registered device.

Change 2-step verification options

  1. Open your tenant administrator user profile.
    In the Identity Cloud admin UI, open the Tenant menu and choose your tenant administrator username.

  2. On your tenant administrator user profile page, find 2-Step Verification and click Change.

    The 2-Step/Push Authentication page lists devices you’ve registered for MFA.

    To delete a device, click its More menu, and choose Delete.

    • When you delete a device from the list, 2-step or push authentication is disabled. You cannot undo the delete operation.

    • Once you sign out and attempt to sign back in again, you will be asked if you want to set up a second factor.


[1] A super administrator is a tenant administrator with elevated permissions for configuring tenant administrators and tenant federation. Refer to Types of administrators.
Copyright © 2010-2024 ForgeRock, all rights reserved.