Application management
Delegated User Management v2 allows you to protect access to applications. The applications can be federated in the OneWelcome Identity Platform or non-federated. When you configure an application, you define permissions for the application.
Access to the applications is controlled through Delegated User Management authorization rules, and constrained through access roles that include the application permissions that you define.
Federated and non-federated applications
Applications can be federated or non-federated:
- Federated applications are the SAML and OIDC or OAuth applications that are configured for federation in the OneWelcome Identity Platform. When a user tries to access the application, the application determines that it needs to refer to the OneWelcome Identity Platform to provide authentication and grant access. The status of federated applications comes from the OneWelcome Identity Platform.
- Non-federated applications are integrated through APIs and are not configured for federation in the OneWelcome Identity Platform. Access is granted through some other means, such as APIs, a proxy, or some intermediary between the OneWelcome Identity Platform and the application. The status of non-federated applications is always active.
Add an application
Only administrators in the root organization can add applications. Applications are defined for the tenant.
Each application has a name, an external identifier, and permissions that you can include in access roles. The applications can be non-federated or federated in OneWelcome through protocols such as OIDC, SAML, or OAuth.
- From the root organization, in the left pane, select Applications.
- On the Applications page, select Add application.
- Select one of the following:
  - Federated application: Select an application that is already configured for federation in the OneWelcome Identity Platform.
    The Add application page already has this information:
    - Federated application: The application that you selected.
    - Entity ID
  - Non-federated application: Define an application that is integrated through APIs and is not configured for federation in the OneWelcome Identity Platform.
- On the Basic information tab, enter the Application display name and (optional) description.
  The name must be unique relative to other applications in the organization.
- (Optional) Enter an External ID.
  The external ID is an attribute that can help with your own referencing of the application.
- Save the application:
  - To add permissions now, select Save and continue.
    The system saves the application and opens the Permissions tab.
  - To add permissions later, select Save.
    The system saves the application and returns to the Applications overview page.
Add permissions
Each permission has a name, a value, and an optional description.
For federated applications, the value is the permission descriptor or identifier that is included in the access token that is sent to the application.
For non-federated applications, APIs can retrieve permission descriptors, to determine what a user is entitled to do in the application.
Each application must include at least one permission.

- On the Permissions tab, select Add permission.
- On the Add permission page, enter a Permission name that is unique within the application.
- Enter a Permission identifier.
  The identifier is a value that can be injected into an access token or return attribute, and interpreted by the application that receives it.
- (Optional) Enter a Description.
  The description is helpful for administrators who create access roles for different categories of users.
- Select Save.
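
The following added example (not OneWelcome code) shows how a receiving application could interpret the permission identifier described above, denying by default and matching identifiers exactly. It assumes the access token has already been validated by the application's OIDC or OAuth library and that the identifiers arrive in a claim named `permissions`; the claim name, the sample identifiers and the function names are hypothetical.

```python
# Added example: permission check in the application that receives the token.
# Assumptions (not from the product documentation):
#   - signature, issuer, audience and expiry were already verified upstream
#   - permission identifiers arrive in a claim named "permissions"

PERMISSIONS_CLAIM = "permissions"  # hypothetical claim name


def granted_permissions(claims):
    """Return the set of permission identifiers found in validated claims."""
    raw = claims.get(PERMISSIONS_CLAIM)
    if isinstance(raw, str):
        # Space-delimited form, as OAuth uses for "scope".
        items = raw.split()
    elif isinstance(raw, (list, tuple)):
        items = list(raw)
    else:
        # Claim missing or of an unexpected type: grant nothing.
        return frozenset()
    # Drop empty or non-string entries instead of coercing them.
    return frozenset(p for p in items if isinstance(p, str) and p)


def is_allowed(claims, required):
    """Deny by default; allow only on an exact, case-sensitive match."""
    if not isinstance(claims, dict) or not required:
        return False
    # Set membership, never a substring test on the raw claim value:
    # "invoices:read" must not be satisfied by "invoices:readwrite".
    return required in granted_permissions(claims)


# Constructed sample claims for illustration.
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "permissions": ["invoices:read", "reports:export"],
}

if __name__ == "__main__":
    for needed in ("invoices:read", "invoices", "invoices:delete"):
        print(needed, "->", is_allowed(SAMPLE_CLAIMS, needed))
```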
Edit an application
On the Applications overview page, in the menu for the application, select View details and update the application.
Make an application inactive or active
Only federated applications can be inactive.
Users can only access active applications. Inactive applications are unavailable to users, but still exist in the system.
On the Applications overview page, in the menu for the application, select Make application inactive or Make application active.
Delete an application
Deleting an application removes it from the system.
On the application details page, in the top-right menu, select Delete application.

Edit permission details
On the application details page, in the menu for the permission, select View details and update the permission.