ZTrust Documentation

Clients List


Last updated 10 months ago

You can search for any specific client by using the search box.

Client ID

It pertains to the ID referenced in URIs and tokens.

Name

This refers to the display name of the client.

It can be customized, allowing you to set any name according to your needs.

Type

This indicates the protocol utilized for authentication or authorization for this specific client.

You can adjust this setting and choose between two options -

  • OpenID Connect: This enables clients to verify the identity of the End-User based on authentication conducted by an Authorization Server.

  • SAML (Security Assertion Markup Language): This facilitates web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO), and utilizes security tokens containing assertions to transmit information.

Description

This pertains to the description for the Client.

You can establish any description that helps you identify the client effectively.

Home URL

This denotes the default URL that the authentication server has to use when redirecting or linking back to the client.

Import Client

Once you click Import Client, you will be directed to the screen below.

Resource file

To upload a file from your local machine or any path, click on Browse to select the file.

You can upload either a JSON or XML file.

Clear

If you've selected a file but decide not to upload it, click on Clear.

Clicking on Clear will prompt a confirmation message. Choose Clear to remove the file or Cancel to retain it.

Client ID

This refers to the client identifier registered with the Identity Provider. This field is essential because it is used in URIs and tokens.

It's mandatory when configuring a client.

In the case of SAML, it represents the expected issuer value from authentication requests.

Name

This refers to the display name of the client.

It can be customized, allowing you to set any name according to your needs.

Description

This pertains to the description for the Client.

You can establish any description that helps you identify the client effectively.

Always display in UI

This toggle button, when enabled (toggled ON), ensures the client is always listed in the Account UI, even if the user has no active session.

If turned OFF, the client will not appear in the Account UI if there is no active session.

You can switch this ON or OFF based on your needs.

Type

This indicates the protocol utilized for authentication or authorization for this specific client.

There are two options -

  • OpenID Connect: This enables clients to verify the identity of the End-User based on authentication conducted by an Authorization Server.

  • SAML (Security Assertion Markup Language): This facilitates web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO), and utilizes security tokens containing assertions to transmit information.

Save

If you're satisfied with the changes and want to implement them, click on Save.

Cancel

If you've made changes that you don't wish to apply, click on Cancel.

Click the Refresh button to see the latest settings.

You can also modify the number of clients displayed per screen by choosing your preferred option from the dropdown menu.

Create Client

If you want to create a new client, simply click on Create Client.

Upon doing so, you will be directed to the following screen.

Client type

This indicates the protocol utilized for authentication or authorization for this specific client.

You can adjust this setting and choose between two options -

  • OpenID Connect: This enables clients to verify the identity of the End-User based on authentication conducted by an Authorization Server.

  • SAML (Security Assertion Markup Language): This facilitates web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO), and utilizes security tokens containing assertions to transmit information.

You can choose the most suitable option from the dropdown menu based on your requirements.

Client ID

This refers to the client identifier registered with the Identity Provider. This field is essential because it is used in URIs and tokens.

It's mandatory when configuring a client.

In the case of SAML, it represents the expected issuer value from authentication requests.

Name

This refers to the display name of the client.

It can be customized, allowing you to set any name according to your needs.

Description

This pertains to the description for the Client.

You can establish any description that helps you identify the client effectively.

Always display in UI

This toggle button, when enabled (toggled ON), ensures the client is always listed in the Account UI, even if the user has no active session.

If turned OFF, the client will not appear in the Account UI if there is no active session.

You can switch this ON or OFF based on your needs.

Next

Once you've entered the above details, click Next to proceed with creating the Client.

Back

This option is disabled on this screen as it is the initial configuration step for creating a client, and you cannot return to any previous settings.

Cancel

If you wish to cancel the client creation and discard the changes, click on Cancel.

Clicking Next will redirect you to the following screen.

Client Authentication

This is a toggle button. When enabled (toggled ON), the OIDC type is set to confidential access.

When turned OFF, it is set to public access.

You can switch this ON or OFF based on your requirements.

Authorization

This toggle button, when enabled (toggled ON), activates fine-grained authorization support for a client. When turned OFF, this feature is disabled.

You can adjust this setting based on your specific requirements.

Authentication Flow

You can choose the authentication flow by ticking the checkbox beside each of these options.

The table below displays the various types of flows along with a brief description for each.

| Type of Flow | Description |
| --- | --- |
| Standard flow | This option activates standard OpenID Connect redirect-based authentication using an authorization code. Enabling this checkbox adds support for 'Authorization Code Flow' to this client. |
| Direct access grants | By selecting this checkbox, support for Direct Access Grants is enabled. This allows the client to access the user's username/password directly and exchange it with the ZTrust server for an access token. |
| Implicit flow | Selecting this checkbox enables support for OpenID Connect redirect-based authentication without requiring an authorization code. |
| Service accounts roles | Selecting this checkbox enables authentication for this client to ZTrust and retrieves an access token specifically dedicated to this client. |
| OAuth 2.0 Device Authorization Grant | Selecting this checkbox activates support for the OAuth 2.0 Device Authorization Grant. This indicates that the client is an application installed on a device with limited input capabilities or lacking a suitable browser. |
| OIDC CIBA Grant | Selecting this checkbox activates support for OIDC CIBA Grant, indicating that the user is authenticated through an external authentication device rather than the user's browser. |

Next

Once you've entered the above details, click Next to proceed with creating the Client.

Back

To return to the previous settings screen, click Back.

Upon clicking Back, you will be redirected to the previous screen, which is the General Settings page.

Cancel

If you wish to cancel the client creation and discard the changes, click on Cancel.

Clicking Next will redirect you to the following screen.

Root URL

This value is added to the beginning of the URL when ZTrust uses a configured relative URL.

Home URL

This denotes the default URL that the authentication server has to use when redirecting or linking back to the client.

Valid redirect URIs

This refers to the valid URI pattern to which a browser can redirect after a successful login or logout. Enter the desired URI Pattern and click on the '+ Add valid redirect URIs' to add it.

You can select the '-' symbol if you wish to remove a particular URI pattern.

Valid post logout redirect URIs

This pertains to the valid URI pattern to which a browser can redirect after a successful logout.

Enter the desired URI pattern and click on the '+ Add valid post logout redirect URIs' to add it.

You can select the '-' symbol if you wish to remove a particular URI pattern.

Web Origins

The domain URLs listed here are included in the access token sent to the client application. The client application utilizes this data to determine whether to permit a CORS request to be initiated.

You can input any domain URL and click on the '+ Add web origins' symbol to add it.

If you wish to remove a specific URL, you can select the '-' symbol.

Save

If you're satisfied with the changes and want to implement them, click on Save.

Back

To return to the previous settings screen, click Back.

Upon clicking Back, you will be redirected to the previous screen, which is the Capability Config page.

Cancel

If you've made changes that you don't wish to apply, click on Cancel.

After selecting Save, you will be directed to the following screen.

General Settings

Client ID

This refers to the client identifier registered with the Identity Provider. This field is essential because it is used in URIs and tokens.

It's mandatory when configuring a client.

In the case of SAML, it represents the expected issuer value from authentication requests.

Name

This refers to the display name of the client.

It can be customized, allowing you to set any name according to your needs.

Description

This pertains to the description for the Client.

You can establish any description that helps you identify the client effectively.

Always display in UI

This toggle button, when enabled (toggled ON), ensures the client is always listed in the Account UI, even if the user has no active session.

If turned OFF, the client will not appear in the Account UI if there is no active session.

You can switch this ON or OFF based on your needs.

Access settings

Root URL

This value is added to the beginning of the URL when ZTrust uses a configured relative URL.

Home URL

This denotes the default URL that the authentication server has to use when redirecting or linking back to the client.

Valid redirect URIs

This refers to the valid URI pattern to which a browser can redirect after a successful login or logout. Enter the desired URI Pattern and click on the '+ Add valid redirect URIs' to add it.

You can select the '-' symbol if you wish to remove a particular URI pattern.

Valid post logout redirect URIs

This pertains to the valid URI pattern to which a browser can redirect after a successful logout.

Enter the desired URI pattern and click on the '+ Add valid post logout redirect URIs' to add it.

You can select the '-' symbol if you wish to remove a particular URI pattern.

Web origins

The domain URLs listed here are included in the access token sent to the client application. The client application utilizes this data to determine whether to permit a CORS request to be initiated.

You can input any domain URL and click on the '+ Add web origins' symbol to add it.

If you wish to remove a specific URL, you can select the '-' symbol.

Admin URL

This is the URL to the Admin interface of the client.

Capability Config

Client Authentication

This is a toggle button. When enabled (toggled ON), the OIDC type is set to confidential access.

When turned OFF, it is set to public access.

You can switch this ON or OFF based on your requirements.

Authorization

This toggle button, when enabled (toggled ON), activates fine-grained authorization support for a client. When turned OFF, this feature is disabled.

You can adjust this setting based on your specific requirements.

Authentication Flow

You can select the authentication flow by ticking the checkbox beside each of these options.

The table below displays the various types of flows along with a brief description for each.

| Type of Flow | Description |
| --- | --- |
| Standard flow | This option activates standard OpenID Connect redirect-based authentication using an authorization code. Enabling this checkbox adds support for 'Authorization Code Flow' to this client. |
| Direct access grants | By selecting this checkbox, support for Direct Access Grants is enabled. This allows the client to access the user's username/password directly and exchange it with the ZTrust server for an access token. |
| Implicit flow | Selecting this checkbox enables support for OpenID Connect redirect-based authentication without requiring an authorization code. |
| Service accounts roles | Selecting this checkbox enables authentication for this client to ZTrust and retrieves an access token specifically dedicated to this client. |
| OAuth 2.0 Device Authorization Grant | Selecting this checkbox activates support for the OAuth 2.0 Device Authorization Grant. This indicates that the client is an application installed on a device with limited input capabilities or lacking a suitable browser. |
| OIDC CIBA Grant | Selecting this checkbox activates support for OIDC CIBA Grant, indicating that the user is authenticated through an external authentication device rather than the user's browser. |

Login settings

Login Theme

The dropdown provides different theme options for the login page, including OTP Entry, New User Registration, and the Login screen for the specific client.

Consent required

This toggle button determines whether users are required to consent to client access.

When enabled (turned ON), users must provide consent.

Conversely, when disabled (turned OFF), users are not required to give consent.

You can adjust this setting according to your preferences.

Display client on screen

This setting applies only if Consent required is enabled for this client. When deactivated (toggled OFF), the consent screen will only display consents corresponding to configured client scopes.

However, when activated (toggled ON), there will also be an additional item on the consent screen related to the client itself.

You can toggle this setting ON or OFF as per your requirements.

Consent screen text

This pertains to the text that will be shown when this client scope is added to a client with consent required.

By default, it displays the name of the client scope if left empty.

Logout Settings

Front channel logout

This toggle button, when activated (turned ON), mandates a browser redirect to the client for logout. When deactivated (turned OFF), the server executes a background invocation for logout.

You can adjust these settings based on your needs.

Once enabled, two additional fields are also activated: Front-Channel Logout URL.

Front-channel logout URL

This field specifies the URL that prompts the client to log itself out when a logout request is sent to this realm via the end_session_endpoint.

If not provided, it defaults to the base URL.

This field is customizable, allowing you to modify it as needed.

Backchannel logout URL

This field specifies the URL that triggers the client to log out when a logout request is sent to the realm via the end_session_endpoint.

If omitted, no logout requests will be sent to the client in this scenario.

You can modify it according to your requirements.

Backchannel logout session required

This toggle button, when activated (turned ON), adds the Session ID claim to the Logout Token sent via the Backchannel Logout URL.

When deactivated (turned OFF), the SID isn't included.

You're free to customize this according to your needs.

Backchannel logout revoke offline sessions

This toggle button, when activated (turned ON), adds the revoke_offline_access event to the Logout Token sent via the Backchannel Logout URL. ZTrust will then revoke offline sessions upon receiving a Logout Token with this event.

When deactivated (turned OFF), this specific event isn't included in the Logout Token.

You can customize this setting according to your needs.
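The claim checks a client would run behind its Backchannel logout URL, as an added example that is not part of the ZTrust documentation. It assumes the token's signature has already been verified against the realm key; the required claims follow OpenID Connect Back-Channel Logout 1.0, and the issuer, client ID, freshness window and sample claims are constructed.

```python
import time

# Event member required by OpenID Connect Back-Channel Logout 1.0.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Event name as given on this page for revoking offline sessions.
REVOKE_OFFLINE_EVENT = "revoke_offline_access"


class LogoutTokenError(ValueError):
    """Raised when Logout Token claims must not be acted on."""


def validate_logout_claims(claims, issuer, client_id, seen_jti,
                           require_sid=True, max_age=120, now=None):
    """Validate claims of a Logout Token whose signature is already verified.

    require_sid mirrors 'Backchannel logout session required' being ON.
    max_age (seconds) is an assumed freshness window, not a ZTrust setting.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise LogoutTokenError("unexpected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise LogoutTokenError("token is not addressed to this client")
    if "nonce" in claims:  # distinguishes a Logout Token from an ID Token
        raise LogoutTokenError("nonce is prohibited in a Logout Token")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("back-channel logout event missing")
    sid, sub = claims.get("sid"), claims.get("sub")
    if not sid and (require_sid or not sub):
        raise LogoutTokenError("no session or subject to log out")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise LogoutTokenError("iat missing or outside freshness window")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:  # reject replays of a captured token
        raise LogoutTokenError("jti missing or replayed")
    seen_jti.add(jti)
    return {"sid": sid, "sub": sub,
            "revoke_offline": REVOKE_OFFLINE_EVENT in events}


def rejection_reason(claims, **kwargs):
    """Return None if the claims are acceptable, else the reason as text."""
    try:
        validate_logout_claims(claims, **kwargs)
        return None
    except LogoutTokenError as exc:
        return str(exc)


# Constructed sample claims (issuer, client and ids are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test/realms/demo",
    "aud": "demo-app",
    "iat": 1_700_000_000,
    "jti": "c1f0-constructed",
    "sid": "sess-1",
    "events": {BACKCHANNEL_EVENT: {}, REVOKE_OFFLINE_EVENT: True},
}
```

The returned `sid` identifies the local session to end; when `revoke_offline` is true the client should also discard any offline tokens it holds for that user.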

Save

If you're satisfied with the changes and want to implement them, click on Save.

Revert

If you've made changes that you don't wish to apply, click on Revert.

You can navigate between different setting screens using this section. Simply click on the settings type you wish to configure.

By clicking on the three dots next to a specific client, you will be presented with the following options: Export or Delete.

Export

To download all settings and configurations related to a specific client, click on Export. This action will save all details and configurations in JSON format.
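An exported client file can be reviewed offline for the flow, redirect URI and web origin settings described on this page. The script below is an added example, not ZTrust code; the JSON field names follow the Keycloak-style client representation, which is an assumption about the export format, and the sample export is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample export. Field names follow the Keycloak-style client
# representation; that ZTrust's export uses them is an assumption.
SAMPLE_EXPORT = """
{
  "clientId": "demo-spa",
  "publicClient": true,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": true,
  "directAccessGrantsEnabled": true,
  "redirectUris": ["https://app.example.test/callback",
                   "http://app.example.test/*", "*"],
  "webOrigins": ["*"]
}
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(pattern):
    """Return issue codes for one 'Valid redirect URIs' pattern."""
    if pattern.strip() == "*":
        return ["redirect-any"]  # every URI is accepted
    parts = urlsplit(pattern)
    host = parts.hostname or ""
    issues = []
    if "*" in host:
        issues.append("redirect-wildcard-host")
    if parts.scheme == "http" and host not in LOOPBACK:
        issues.append("redirect-plain-http")  # code or token sent in clear text
    if parts.path.endswith("*"):
        issues.append("redirect-wildcard-path")  # any path on the host matches
    return issues


def audit_client(client):
    """Return (code, detail) findings for settings that widen exposure."""
    findings = []
    if client.get("implicitFlowEnabled"):
        findings.append(("implicit-flow",
                         "tokens returned without an authorization code"))
    if client.get("directAccessGrantsEnabled"):
        findings.append(("direct-access-grants",
                         "client handles the user's password directly"))
    for pattern in client.get("redirectUris", []):
        findings.extend((code, pattern) for code in check_redirect_uri(pattern))
    if "*" in client.get("webOrigins", []):
        findings.append(("cors-any-origin",
                         "application may permit CORS from any origin"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_client(json.loads(SAMPLE_EXPORT)):
        print(f"{code}: {detail}")
```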

Delete

If you no longer need a specific client, click on Delete to remove it.

Upon clicking Delete, a confirmation prompt will appear as shown below.

Click on Delete to remove it, or click on Cancel to keep it.
