Clients List

You can search for any specific client by using the search box.
Client ID
It pertains to the ID referenced in URIs and tokens.
Name
This refers to the display name of the client.
It can be customized, allowing you to set any name according to your needs.
Type
This indicates the protocol utilized for authentication or authorization for this specific client.
You can adjust this setting and choose between two options:
OpenID Connect: This enables clients to verify the identity of the End-User based on authentication conducted by an Authorization Server.
SAML (Security Assertion Markup Language): This facilitates web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO), and utilizes security tokens containing assertions to transmit information.
Description
This pertains to the description for the Client.
You can establish any description that helps you identify the client effectively.
Home URL
This denotes the default URL that the authentication server has to use when redirecting or linking back to the client.
Import Client
Once you click Import Client, you will be directed to the screen below.

Resource file
To upload a file from your local machine or any path, click on Browse to select the file.
You can upload either a JSON or XML file.
Clear

If you've selected a file but decide not to upload it, click on Clear.
Clicking on Clear will prompt a confirmation message. Choose Clear to remove the file or Cancel to retain it.

Client ID
This refers to the client identifier registered with the Identity Provider. This field is essential because it is used in URIs and tokens.
It's mandatory when configuring a client.
In the case of SAML, it represents the expected issuer value from authentication requests.
Name
This refers to the display name of the client.
It can be customized, allowing you to set any name according to your needs.
Description
This pertains to the description for the Client.
You can establish any description that helps you identify the client effectively.
Always display in UI
This toggle button, when enabled (toggled ON), ensures the client is always listed in the Account UI, even if the user has no active session.
If turned OFF, the client will not appear in the Account UI if there is no active session.
You can switch this ON or OFF based on your needs.
Type
This indicates the protocol utilized for authentication or authorization for this specific client.
There are two options:
OpenID Connect: This enables clients to verify the identity of the End-User based on authentication conducted by an Authorization Server.
SAML (Security Assertion Markup Language): This facilitates web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO), and utilizes security tokens containing assertions to transmit information.
Save
If you're satisfied with the changes and want to implement them, click on Save.
Cancel
If you've made changes that you don't wish to apply, click on Cancel.
Click the Refresh button to see the latest settings.

You can also modify the number of clients displayed per screen by choosing your preferred option from the dropdown menu.
Create Client
If you want to create a new client, simply click on Create Client.
Upon doing so, you will be directed to the following screen.

Client type

This indicates the protocol utilized for authentication or authorization for this specific client.
You can adjust this setting and choose between two options:
OpenID Connect: This enables clients to verify the identity of the End-User based on authentication conducted by an Authorization Server.
SAML (Security Assertion Markup Language): This facilitates web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO), and utilizes security tokens containing assertions to transmit information.
You can choose the most suitable option from the dropdown menu based on your requirements.
Client ID
This refers to the client identifier registered with the Identity Provider. This field is essential because it is used in URIs and tokens.
It's mandatory when configuring a client.
In the case of SAML, it represents the expected issuer value from authentication requests.
Name
This refers to the display name of the client.
It can be customized, allowing you to set any name according to your needs.
Description
This pertains to the description for the Client.
You can establish any description that helps you identify the client effectively.
Always display in UI
This toggle button, when enabled (toggled ON), ensures the client is always listed in the Account UI, even if the user has no active session.
If turned OFF, the client will not appear in the Account UI if there is no active session.
You can switch this ON or OFF based on your needs.
Next
Once you've entered the above details, click Next to proceed with creating the Client.
Back
This option is disabled on this screen as it is the initial configuration step for creating a client, and you cannot return to any previous settings.
Cancel
If you wish to cancel the client creation and discard the changes, click on Cancel.
Clicking Next will redirect you to the following screen.

Client Authentication
This is a toggle button. When enabled (toggled ON), the OIDC type is set to confidential access.
When turned OFF, it is set to public access.
You can switch this ON or OFF based on your requirements.
Authorization
This toggle button, when enabled (toggled ON), activates fine-grained authorization support for a client. When turned OFF, this feature is disabled.
You can adjust this setting based on your specific requirements.
Authentication Flow

You can choose the authentication flow by ticking the checkbox beside each of these options.
The table below displays the various types of flows along with a brief description for each.
Standard flow
This option activates standard OpenID Connect redirect-based authentication using an authorization code. Enabling this checkbox adds support for 'Authorization Code Flow' to this client.
Direct access grants
By selecting this checkbox, support for Direct Access Grants is enabled. This allows the client to access the user's username/password directly and exchange it with the ZTrust server for an access token.
Implicit flow
Selecting this checkbox enables support for OpenID Connect redirect-based authentication without requiring an authorization code.
Service accounts roles
Selecting this checkbox allows this client to authenticate to ZTrust and retrieve an access token dedicated to this client.
OAuth 2.0 Device Authorization Grant
Selecting this checkbox activates support for the OAuth 2.0 Device Authorization Grant. This indicates that the client is an application installed on a device with limited input capabilities or lacking a suitable browser.
OIDC CIBA Grant
Selecting this checkbox activates support for OIDC CIBA Grant, indicating that the user is authenticated through an external authentication device rather than the user's browser.
Next
Once you've entered the above details, click Next to proceed with creating the Client.
Back
To return to the previous settings screen, click Back.
Upon clicking Back, you will be redirected to the previous screen, which is the General Settings page.

Cancel
If you wish to cancel the client creation and discard the changes, click on Cancel.
Clicking Next will redirect you to the following screen.

Root URL
This value is added to the beginning of the URL when ZTrust uses a configured relative URL.
Home URL
This denotes the default URL that the authentication server has to use when redirecting or linking back to the client.
Valid redirect URIs

This refers to the valid URI pattern to which a browser can redirect after a successful login or logout. Enter the desired URI Pattern and click on the '+ Add valid redirect URIs' to add it.
You can select the '-' symbol if you wish to remove a particular URI pattern.
Valid post logout redirect URIs

This pertains to the valid URI pattern to which a browser can redirect after a successful logout.
Enter the desired URI pattern and click on the '+ Add valid post logout redirect URIs' to add it.
You can select the '-' symbol if you wish to remove a particular URI pattern.
Web Origins

This setting manages Cross-Origin Resource Sharing (CORS).
The domain URLs listed here are included in the access token sent to the client application. The client application utilizes this data to determine whether to permit a CORS request to be initiated.
You can input any domain URL and click on the '+ Add web origins' symbol to add it.
If you wish to remove a specific URL, you can select the '-' symbol.
Save
If you're satisfied with the changes and want to implement them, click on Save.
Back
To return to the previous settings screen, click Back.
Upon clicking Back, you will be redirected to the previous screen, which is the Capability Config page.

Cancel
If you've made changes that you don't wish to apply, click on Cancel.
After selecting Save, you will be directed to the following screen.

General Settings
Client ID
This refers to the client identifier registered with the Identity Provider. This field is essential because it is used in URIs and tokens.
It's mandatory when configuring a client.
In the case of SAML, it represents the expected issuer value from authentication requests.
Name
This refers to the display name of the client.
It can be customized, allowing you to set any name according to your needs.
Description
This pertains to the description for the Client.
You can establish any description that helps you identify the client effectively.
Always display in UI
This toggle button, when enabled (toggled ON), ensures the client is always listed in the Account UI, even if the user has no active session.
If turned OFF, the client will not appear in the Account UI if there is no active session.
You can switch this ON or OFF based on your needs.

Access settings
Root URL
This value is added to the beginning of the URL when ZTrust uses a configured relative URL.
Home URL
This denotes the default URL that the authentication server has to use when redirecting or linking back to the client.
Valid redirect URIs

This refers to the valid URI pattern to which a browser can redirect after a successful login or logout. Enter the desired URI Pattern and click on the '+ Add valid redirect URIs' to add it.
You can select the '-' symbol if you wish to remove a particular URI pattern.
Valid post logout redirect URIs

This pertains to the valid URI pattern to which a browser can redirect after a successful logout.
Enter the desired URI pattern and click on the '+ Add valid post logout redirect URIs' to add it.
You can select the '-' symbol if you wish to remove a particular URI pattern.
Web origins

This setting manages Cross-Origin Resource Sharing (CORS).
The domain URLs listed here are included in the access token sent to the client application. The client application utilizes this data to determine whether to permit a CORS request to be initiated.
You can input any domain URL and click on the '+ Add web origins' symbol to add it.
If you wish to remove a specific URL, you can select the '-' symbol.
Admin URL
This is the URL to the Admin interface of the client.
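A pre-save review of the Valid redirect URIs and Web origins entries described above, as an added example that is not part of ZTrust or of the original page. The function names, the finding texts and the sample values are hypothetical, and the checks are general hygiene rules rather than ZTrust's own matching logic.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def review_redirect_uri(pattern, root_url=""):
    """Findings for one 'Valid redirect URIs' entry; an empty list means nothing flagged."""
    if pattern.strip() == "*":
        return ["matches every URI"]
    # A relative pattern is prefixed with the Root URL, as the Root URL field describes.
    if pattern.startswith("/") and root_url:
        pattern = root_url.rstrip("/") + pattern
    parts = urlsplit(pattern)
    host = parts.hostname or ""
    if not parts.scheme or not host:
        return ["relative pattern with no Root URL to anchor it"]
    findings = []
    if "*" in host:
        findings.append("wildcard in host name")
    if parts.scheme == "http" and host not in LOOPBACK_HOSTS:
        findings.append("cleartext http on a non-loopback host")
    if "*" in parts.path.rstrip("*") or "*" in parts.query:
        findings.append("wildcard before the end of the pattern")
    elif parts.path == "/*":
        findings.append("every path on the host is allowed")
    return findings

def review_web_origin(origin):
    """Findings for one 'Web origins' entry."""
    if origin.strip() == "*":
        return ["any origin may be granted CORS access"]
    parts = urlsplit(origin)
    if not parts.scheme or not parts.hostname:
        return ["not a scheme://host[:port] origin"]
    findings = []
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        findings.append("has a path or query; an Origin header carries scheme://host[:port] only")
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        findings.append("cleartext http origin")
    return findings

def review_client(root_url, redirect_uris, web_origins):
    """Map each entry to its findings, keeping only entries that were flagged."""
    report = {"redirect: " + u: review_redirect_uri(u, root_url) for u in redirect_uris}
    report.update({"origin: " + o: review_web_origin(o) for o in web_origins})
    return {entry: found for entry, found in report.items() if found}

# Constructed sample client, not taken from a real deployment.
SAMPLE = review_client("https://app.example.test",
                       ["/callback", "http://*.example.test/*"], ["*"])
```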

Capability Config
Client Authentication
This is a toggle button. When enabled (toggled ON), the OIDC type is set to confidential access.
When turned OFF, it is set to public access.
You can switch this ON or OFF based on your requirements.
Authorization
This toggle button, when enabled (toggled ON), activates fine-grained authorization support for a client. When turned OFF, this feature is disabled.
You can adjust this setting based on your specific requirements.
Authentication Flow

You can select the authentication flow by ticking the checkbox beside each of these options.
The table below displays the various types of flows along with a brief description for each.
Standard flow
This option activates standard OpenID Connect redirect-based authentication using an authorization code. Enabling this checkbox adds support for 'Authorization Code Flow' to this client.
Direct access grants
By selecting this checkbox, support for Direct Access Grants is enabled. This allows the client to access the user's username/password directly and exchange it with the ZTrust server for an access token.
Implicit flow
Selecting this checkbox enables support for OpenID Connect redirect-based authentication without requiring an authorization code.
Service accounts roles
Selecting this checkbox allows this client to authenticate to ZTrust and retrieve an access token dedicated to this client.
OAuth 2.0 Device Authorization Grant
Selecting this checkbox activates support for the OAuth 2.0 Device Authorization Grant. This indicates that the client is an application installed on a device with limited input capabilities or lacking a suitable browser.
OIDC CIBA Grant
Selecting this checkbox activates support for OIDC CIBA Grant, indicating that the user is authenticated through an external authentication device rather than the user's browser.
Login settings

Login Theme

The dropdown provides different theme options for the login page, including OTP Entry, New User Registration, and the Login screen for the specific client.
Consent required
This toggle button determines whether users are required to consent to client access.
When enabled (turned ON), users must provide consent.
Conversely, when disabled (turned OFF), users are not required to give consent.
You can adjust this setting according to your preferences.
Display client on screen
This setting applies only if Consent required is enabled for this client. When deactivated (toggled OFF), the consent screen will only display consents corresponding to configured client scopes.
However, when activated (toggled ON), there will also be an additional item on the consent screen related to the client itself.
You can toggle this setting ON or OFF as per your requirements.
Consent screen text
This pertains to the text that will be shown when this client scope is added to a client with consent required.
By default, it displays the name of the client scope if left empty.

Logout Settings
Front channel logout
This toggle button, when activated (turned ON), mandates a browser redirect to the client for logout. When deactivated (turned OFF), the server executes a background invocation for logout.
You can adjust these settings based on your needs.
Once enabled, two additional fields are also activated: Front-Channel Logout URL.
Front-channel logout URL
This field specifies the URL that prompts the client to log itself out when a logout request is sent to this realm via the end_session_endpoint.
If not provided, it defaults to the base URL.
This field is customizable, allowing you to modify it as needed.
Backchannel logout URL
This field specifies the URL that triggers the client to log out when a logout request is sent to the realm via the end_session_endpoint.
If omitted, no logout requests will be sent to the client in this scenario.
You can modify it according to your requirements.
Backchannel logout session required
This toggle button, when activated (turned ON), adds the Session ID claim to the Logout Token sent via the Backchannel Logout URL.
When deactivated (turned OFF), the SID isn't included.
You're free to customize this according to your needs.
Backchannel logout revoke offline sessions
This toggle button, when activated (turned ON), adds the revoke_offline_access event to the Logout Token sent via the Backchannel Logout URL. ZTrust will then revoke offline sessions upon receiving a Logout Token with this event.
When deactivated (turned OFF), this specific event isn't included in the Logout Token.
You can customize this setting according to your needs.
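How a receiving application could act on the Logout Token claims that the two back-channel toggles above control, as an added example that is not ZTrust code or part of the original page. The `events`, `sid`, `sub` and `nonce` claim rules follow OpenID Connect Back-Channel Logout 1.0; placing `revoke_offline_access` inside `events`, the session and token stores, and the function name are assumptions, and signature, issuer, audience and expiry checks are assumed to have been done by a JWT library beforehand.

```python
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
OFFLINE_EVENT = "revoke_offline_access"  # assumed to sit inside "events"

class LogoutTokenError(ValueError):
    """The payload is not an acceptable Logout Token."""

def apply_logout_token(claims, sessions, offline_tokens):
    """Apply a verified Logout Token payload to local state.

    claims: payload whose signature, iss, aud and expiry were already checked.
    sessions: {sid: sub} of live local sessions (hypothetical store).
    offline_tokens: {sub: [token ids]} held for offline access (hypothetical store).
    Returns (sorted sids ended, sorted offline token ids dropped).
    """
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("missing back-channel logout event")
    if "nonce" in claims:
        raise LogoutTokenError("nonce must not appear in a Logout Token")
    sid, sub = claims.get("sid"), claims.get("sub")
    if sid is None and sub is None:
        raise LogoutTokenError("neither sid nor sub present")
    if sid is not None:
        # 'Backchannel logout session required' ON: end only the named session.
        ended = [s for s in sessions if s == sid and sub in (None, sessions[s])]
    else:
        # Toggle OFF: no sid, so every session of the subject has to go.
        ended = [s for s, owner in sessions.items() if owner == sub]
    owners = {sessions.pop(s) for s in ended} | ({sub} if sub else set())
    dropped = []
    if events.get(OFFLINE_EVENT):
        for owner in owners:
            dropped += offline_tokens.pop(owner, [])
    return sorted(ended), sorted(dropped)

# Constructed payloads; a real one arrives as a signed JWT in the logout_token form field.
WITH_SID = {"sub": "alice", "sid": "s1", "events": {BACKCHANNEL_EVENT: {}}}
REVOKE_ALL = {"sub": "alice", "events": {BACKCHANNEL_EVENT: {}, OFFLINE_EVENT: True}}
```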
Save
If you're satisfied with the changes and want to implement them, click on Save.
Revert
If you've made changes that you don't wish to apply, click on Revert.

You can navigate between different setting screens using this section. Simply click on the settings type you wish to configure.

By clicking on the three dots next to a specific client, you will be presented with the following options: Export or Delete.

Export
To download all settings and configurations related to a specific client, click on Export. This action will save all details and configurations in JSON format.
Delete
If you no longer need a specific client, click on Delete to remove it.
Upon clicking Delete, a confirmation prompt will appear as shown below.

Click on Delete to remove it, or click on Cancel to keep it.