- 10 May 2024
Proxy Application
- Updated on 10 May 2024
What is a proxy application?
Sometimes you may need to connect to an application that does not have an API that Clarity can connect to. Common examples are in-house developed applications or applications that rely on Active Directory to provision their users' access.
If the application supports provisioning through a 3rd party app, like Active Directory or Okta, you are in luck! This is where Proxy Applications come in. By creating a proxy application, you can still keep track of your users' access by tracking the entitlements in the 3rd party application.
Let's say that we have a custom-built application called "TuneTracker" which we use to catalog rights management for songs, performers, and songwriters. TuneTracker handles user management through direct integration with Active Directory. In Active Directory, you have three groups set up for TuneTracker to use: Admins, Managers, and Users. To give someone access to TuneTracker, they must exist in Active Directory and be a member of one or more of these groups. We can set up a proxy application for TuneTracker within Clarity that will track the Active Directory groups, and allow you to provision into those groups as if you were provisioning into TuneTracker directly.
Entitlement Group: This is a "virtual" entitlement that can be made to represent more than one entitlement in your tenant. This is a one-to-many relationship between a "virtual" entitlement and one or more real entitlements from your Downstream Applications.
Proxy Entitlement: This is an entitlement group with only one entitlement added during configuration, creating a one-to-one relationship between a real entitlement and a "virtual" one.
Both of the terms above are represented by the entitlement type entitlementGroup in Clarity.
App Setup
First, we want to start by selecting "Proxy Service" from the Application Marketplace.
On the application onboarding screen, pick a unique name and identifier. For our example, we'll use "TuneTracker" and "tunetracker" respectively. You can leave appIcon blank to use Clarity's default, or you can input a URL to the app icon of your choice. You would see something like this:
Once you hit the "validate" button, on the next page, select "Manual" for the sync option, select the appropriate application owner from your organization, and then for trust relationship and trust permissions, select "Recipient only" and "Read + Provision/DeProvision". You do not need to select a default entitlement at this time.
On the last page of the application configuration, select your desired preference for "Allow automatic account creation". The rest of the values should be left as "No".
Once you are done, click Save.
Configuring your proxy entitlements
Now that the application configuration is done, we can start to set up our proxy entitlements. When you view any proxy application, you'll notice a button in the header marked "Create Entitlement".
Clicking this button will take you to the workflow for creating an entitlement/entitlement group. In our example, we'll want to create one entitlement for every entitlement in TuneTracker that we want to provision using our corresponding Active Directory groups.
First off, we need to give our proxy entitlement a name; in this case, "Users". We'll then select "TuneTracker" under "Application to add entitlement/group to". Then, using the table below, we can filter the list of entitlements to find the specific entitlement in Active Directory that we want to provision into. We'll select that entitlement by clicking the checkbox next to it, then click "review entitlements" to finalize our selection.
Once you are satisfied, click "Create Entitlement/Group". We'll repeat this process for our other two entitlements, Admins and Managers.
So what?
Now that we've gone through all that effort, what can we do? Well, we can now treat the proxy application as if it were any other application within Clarity. We can see all of its users, we can provision the entitlements, remove entitlements, and run reports. The only difference is that when we provision or deprovision entitlements, we aren't actually interacting with TuneTracker directly; we're really interacting with the Active Directory groups.
But why don't we just provision the Active Directory groups directly instead? Well, that is certainly an option, but Proxy Apps allow you to create easy-to-use, easy-to-remember placeholders for your Active Directory entitlements. For instance, instead of "TuneTracker_Admin" the group could have been called "TnTkADM", a name that only an internal user familiar with the product would recognize. By creating Proxy Applications and Proxy Entitlements, you can have the best of both worlds: the functionality as well as the ease of use for access management and certification.
Adding, Removing Entitlements vs Entitlement Groups
Adding an entitlement group to an identity
If you add an entitlement group to an identity in Clarity, then Clarity will provision that group, as well as the entitlements grouped during configuration.
If you create an entitlement group (called "Groups A and B") with 2 entitlements from Active Directory ("Group A" and "Group B"), then add this entitlement to an Identity, you should see "Groups A and B" from your custom Proxy Application, as well as "Group A" and "Group B", as entitlements listed on this Identity by the next sync.
Removing an entitlement group
If you remove only the entitlement group from an Identity, but leave the entitlements which are part of this entitlement group, then on the next sync, the entitlement group will appear again on the Identity, since this user satisfies all the requirements for the entitlement group.
Using the scenario above, where "Groups A and B" is an entitlement group made up of the entitlements "Group A" and "Group B" from Active Directory: if you remove only the "Groups A and B" entitlement from the identity, but leave "Group A" and "Group B", then on the next sync "Groups A and B" will appear again on this Identity. Since all criteria for this entitlement group (having the 2 entitlements "Group A" and "Group B") are met, this person is determined to have this proxy entitlement.
Removing an entitlement that's part of a proxy entitlement
If you remove an entitlement that is part of the entitlement group, then on the next sync Clarity will determine that the Identity no longer meets all of the requirements for the entitlement group, and proceed to remove the entitlement group from the Identity.
Using the scenario above, where "Groups A and B" is an entitlement group made up of the entitlements "Group A" and "Group B" from Active Directory: if you remove Group A from an Identity (that already has all 3 entitlements: "Groups A and B", "Group A", and "Group B"), then on the next sync Clarity will determine that this Identity no longer meets the requirements for the entitlement group "Groups A and B", and remove this from the identity. This identity would be left with just "Group B" in this example.
Automatic entitlement group visibility
If you already have an Identity that meets all the requirements for an entitlement group you create, then that identity will also automatically receive the entitlement group on the next sync.
If you have users who already have the entitlement TuneTracker_Users in Microsoft Active Directory, and that is the only entitlement in the entitlement group, then those users will automatically be added to the entitlement group on the next sync.
If an entitlement group has more than one entitlement as part of its configuration, then users must have each of those entitlements to be automatically added to the group.
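The sync behaviour described in the subsections above, modelled as an added example (this is not Clarity's code; the function names and group definitions are assumptions made for illustration). It also flags removals that the next sync will undo, which is the case to watch for when an access review revokes only the proxy entitlement and leaves the underlying Active Directory membership in place.

```python
# Added illustration: a model of the sync rule described on this page,
# not Clarity's implementation. All names below are hypothetical.

# Entitlement group -> real entitlements it was configured with (constructed).
GROUPS = {
    "Groups A and B": {"Group A", "Group B"},
    "Users": {"TuneTracker_Users"},
}


def sync(held, groups=GROUPS):
    """Return the entitlements an identity shows after the next sync.

    A group is present exactly when every one of its member entitlements
    is held; whether the group was listed before the sync does not matter.
    """
    # Keep only real entitlements; group membership is recomputed from them.
    real = set(held) - set(groups)
    # A group with no configured members is never granted in this model.
    earned = {g for g, members in groups.items() if members and members <= real}
    return real | earned


def ineffective_removals(before, removed, groups=GROUPS):
    """Return the removed entitlements that the next sync will put back.

    A non-empty result means the removal did not revoke access: the
    identity still holds every real entitlement behind the group.
    """
    after = sync(set(before) - set(removed), groups)
    return sorted(set(removed) & after)


if __name__ == "__main__":
    identity = {"Groups A and B", "Group A", "Group B"}
    # Removing only the group: it reappears on the next sync.
    print(ineffective_removals(identity, {"Groups A and B"}))
    # Removing a member entitlement: the group goes with it.
    print(sorted(sync(identity - {"Group A"})))
    # Pre-existing membership: the group is granted automatically.
    print(sorted(sync({"TuneTracker_Users"})))
```
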
Need help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.