3.1.3 Client Registration

The Client Registration feature in ZTrust allows administrators to manage how new clients are created and configured within a realm. Using Client Registration Policies, you can enforce various rules and restrictions during client creation or updates.

Features

• Search for existing client policies using the Search box.

• Click Refresh to view the latest policies.

• Control the number of client policies displayed per page using the Rows per page dropdown.

• Create, modify, and delete client registration policies.

• Set limits, whitelists, and security rules for client creation.

Fig 3.1.3.a: Client Registration

Anonymous access policies

These policies are applied when the Client Registration Service is accessed without authentication, i.e., when the request does not include an Initial Access Token or Bearer Token.

Policy Attributes

• Name → The name assigned to the policy during creation.

• Provider ID → The ID of the provider used to implement the policy.

Managing Policies

• To delete an existing policy, click on the three dots next to the policy and select Delete.

• A confirmation dialog will appear:

  • Click Delete to proceed.

  • Click Cancel to abort the operation.

Fig 3.1.3.b: Client registration, to delete

Upon selecting Delete, you will receive the following prompt asking for confirmation.

Fig 3.1.3.c: Client Registration, conformation to delete

Click on Delete if you want to proceed with deletion, or click Cancel to abort the operation

To initiate the creation of a new client policy, click on Create Client Policy.

You will receive a prompt asking for the type of policy provider you wish to create.

Fig 3.1.3.d: Client Registration, to add new policy provider

For example, in this scenario, the max-clients option is selected.

You will be redirected to the below screen.

Fig 3.1.3.e: Client Registration, provide name for new policy

This configuration imposes a cap on the quantity of clients allowed to be added to a realm.

Once this policy is set up, registering new clients will be prohibited if the number of clients in a realm reaches the specified maximum limit.

Creating a New Anonymous Policy

1. Click Create Client Policy.

2. Select the desired Provider from the prompt (e.g., max-clients).

3. You will be redirected to the Policy Configuration Screen.

4. Configure the following:

   • Provider → Automatically populated based on selection.

   • Name → Enter the Display Name for the policy.

   • Max Clients Per Realm → Set the maximum number of clients allowed per realm.

5. Click Save to apply changes.

6. Click Cancel to discard changes.

Once saved, the policy will be listed under Anonymous Access Policies.

The table below lists different providers and the services they offer.

Provider Names	Description
allowed-client-templates	It allows to specify a whitelist of client scopes, which will be permitted in the representation of registered or updated clients.
client-disabled	The newly registered client will be disabled and it will require manual activation by the administrator.
scope	The newly registered client will not be allowed the full scope.
max-clients	New client registration will be prohibited if the number of existing clients in the realm equals the configured limit.
allowed-protocol-mappers	It enables the specification of a whitelist of protocol mapper types that will be permitted in the representation of registered or updated clients.
trusted-hosts	It allows to specify the hosts from which users can register and the redirect URIs that clients can utilize in their configuration.
consent-required	The newly registered client will always have the ConsentRequired switch enabled.

Authenticated access policies

These policies are applied when the Client Registration Service is accessed with authentication, i.e., when the request includes an Initial Access Token or Bearer Token.

Policy Attributes

• Name → The name assigned to the policy during creation.

• Provider ID → The ID of the provider used to implement the policy.

Fig 3.1.3.f: Client Registration, Authenticated access policies

This refers to the Policies used when the Client Registration Service is invoked by an authenticated request, which indicates that the request includes either an Initial Access Token or a Bearer Token.

You can search for any specific client by using the search box.

Click the Refresh button to see the latest settings.

Fig 3.1.3.g: Client Registration, show no of policies per page

You can also modify the number of client policies displayed per screen by choosing your preferred option from the dropdown menu.

Managing Policies

• To delete an existing policy, click on the three dots next to the policy and select Delete.

• A confirmation dialog will appear:

  • Click Delete to proceed.

  • Click Cancel to abort the operation.

Fig 3.1.3.h: Client Registration, to delete existion policies

When you click on the three dots next to any policy, you'll find the Delete option.

If you wish to remove a policy that is no longer needed, simply click on Delete.

After selecting Delete, you will be prompted with the following message for confirmation.

Fig 3.1.3.i: Client Registration, conformation to delete

Click on Delete to proceed with deleting the policy, or click Cancel to abort the operation.

To initiate the creation of a new client policy, click on Create Client Policy.

You will receive a prompt asking for the type of policy provider you wish to create.

Fig 3.1.3.j: Client Registration, to add new policy

For example - if you select the allowed-client-templates option, you'll see the below screen.

Creating a New Authenticated Policy

1. Click Create Client Policy.

2. Select the desired Provider from the prompt (e.g., allowed-client-templates).

3. You will be redirected to the Policy Configuration Screen.

4. Configure the following:

   • Provider → Automatically populated based on selection.

   • Name → Enter the Display Name for the policy.

   • Allow Default Scopes → Toggle ON or OFF:

     • ON → Newly registered clients can include realm default or optional scopes.

     • OFF → Newly registered clients cannot use default or optional scopes.

5. Click Save to add the policy.

6. Click Cancel to discard changes.

Once saved, the policy will be listed under Authenticated Access Policies.

Fig 3.1.3.k: Client Registration, provide name for new policy

This setting enables you to define a whitelist of client scopes that will be allowed for registered or updated clients.

Allowed Client Scopes → Define a whitelist of client scopes permitted for registered or updated clients.

• If a client registration includes scopes not in the whitelist, the request will be rejected.

Fig 3.1.3.l: Client Registration, allowed client scopes

If a client registration attempt includes client scopes which are not on the whitelist, it will be declined.

By default, the whitelist is either empty or consists solely of realm default client scopes, depending on the configuration of the Allow Default Scopes setting.

You can select the required options from the dropdown menu as per your requirements.

• Allow Default Scopes → Toggle ON or OFF:

  • ON → Newly registered clients can include realm default or optional scopes.

  • OFF → Newly registered clients cannot use default or optional scopes.

1. Click Save to add the policy.

2. Click Cancel to discard changes.

Once saved, the policy will be listed under Authenticated Access Policies.