Next-Gen Access

Single Sign-On (SSO) from Next-Gen Access intelligently enables secure access to thousands of cloud, mobile, and on-premises applications from a single identity infrastructure.

The following sections provide prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Next-Gen Access Information
Required Minimum Permissions for Next-Gen Access
Authentication Method for Next-Gen Access
Required Credentials for Next-Gen Access
Integrating Next-Gen Access with SaaS Management
Next-Gen Access API Endpoints

Stored Next-Gen Access Information

The following table describes the available integration tasks and stored data.

Available Integration Tasks

Information Stored

HR Roster

User I. D
Email
First Name
Last Name
Active Date
Status
Department
Location

Application Roster

User ID
Email
First Name
Last Name
Active Date
Status

Application Access

User ID
Occurred (Last Login)

Application Discovery

Application Name
Application Label
Application Description
Instance ID

SSO Application Roster

First Name
Last Name
Unique ID
Email
Application Name
Application Label
Application ID

SSO Application Access

Unique ID
Occurred (Application Launch)
Application Name
Application Label
Application ID
Application Instance ID

Note:The information stored is subject to change as enhancements are made to the SaaS application.

Required Minimum Permissions for Next-Gen Access

The following minimum permissions are required.

Read-only System Administrator
Application Management

Authentication Method for Next-Gen Access

OAuth 2.0 With Client Credentials

Required Credentials for Next-Gen Access

Tenant URL
Client ID
Client Secret

Integrating Next-Gen Access with SaaS Management

Perform the following tasks in sequential order to to integrate Next-Gen Access with SaaS Management.

Creating an OAuth Client for Next-Gen Access
Obtaining Your Next-Gen Access Client ID and Client Secret
Integrating Next-Gen With SaaS Management

Creating an OAuth Client for Next-Gen Access

Complete the following steps to create an OAuth client.

To create an OAuth client:

1. To import a Web App, sign in to your Next-Gen Access admin portal.
2. Go to Web Apps and click the Add Web Apps button. The Add Web Apps page opens.
3. Select the Import tab.
4. Download the OauthClientApp.zip folder from the SaaS Management Resources drive.
5. Click Upload and upload the OauthClientApp.zip folder to add the application. After the application is added, the application’s Overview tab opens.

Important:Do not change the Application ID.

6. To create a client credential user, go to the General Usage tab and click the link to create a user.

The Login Name and Password given by the user will be the respective Client ID and Client Secret. These two fields are needed as user input. After these values are provided, click the Create User button. An example Client ID is clientID@metasaas.com.

You are now able to see the new user under the All Service Users listing.

7. To create a new role, click Roles on the Core Services menu. Then click Add Role. The Add Role page opens.
a. In the Name field, enter the name of the role and click Save.
b. On the Add Role page, click the Members tab. The Add Members page opens. Add the client credential user that was created in step 2 and click Add.
c. On the Add Role page, click the Administrative Rights tab. The Add Rights window opens. Select Read Only System Administration and Application Management. Then click Add.
d. Click Save. The Role has been added to the Web App.
8. Go back to the General Usage tab for the Web App that was imported.
a. Select the Permissions tab. The Select User, Group, or Role page opens. Add the new permission (Role) and (User) that was created in steps 6 and 7 and click Add.
b. Click Save. The deployment is complete.
9. Continue to Obtaining Your Next-Gen Access Client ID and Client Secret.

Obtaining Your Next-Gen Access Client ID and Client Secret

The following section explains how to obtain Next-Gen Access information that is needed to integrate with SaaS Management. After you have this information, proceed to Integrating Next-Gen With SaaS Management.

For the Tenant URL, use the URL that you received as the Next-Gen Access URL in your welcome email. Enter the URL without https://.

For example, if the Tenant URL is https://aaa1234.my.idaptive.app/manage, enter only aaa1234.my.idaptive.app 

For the Client ID and Client Secret, see step 6 in Creating an OAuth Client for Next-Gen Access.

Note:Do not enable Two-Factor Authentication.

Integrating Next-Gen With SaaS Management

To Integrate Next-Gen with SaaS Management, perform the following steps.

To integrate Next-Gen with SaaS Management:

1. In SaaS Management, add the Next-Gen application. For details, see Adding an Application.
2. Copy and paste the following Next-Gen information from Creating an OAuth Client for Next-Gen Access into SaaS Management:
Client ID 
Client Secret 
3. Click Authorize.

Tip:After the Application Discovery integration task has been enabled after 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For details, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Next-Gen Access API Endpoints

HR Roster, Application Roster, Application Discovery, Application Access, and SSO Application Access

https://<TenantURL>/Redrock/query

SSO Application Roster

https://<TenantURL>/UPRest/GetUPData