# IDaaS Documentation

> Your guide to Entrust Identity as a Service

Markdown mirrors of the published docs and API reference for LLM and agent use.

## Docs

- [Getting Started](/developer.md): A comprehensive guide to getting started with IDaaS for developers.
- [Pass-through authenticator](/developer/passthrough/pass-through-authenticator.md): A pass-through authenticator uses HTTP connectors to interact with external services through APIs. Authentication is determined by the API response values. Only responses with a status code of 200 proceed to the next evaluation flow.
- [Webhooks](/developer/webhook.md): Entrust Identity as a Service (IDaaS) webhooks deliver real-time event notifications to your systems over HTTPS, so you don't need to poll for changes. When an event occurs, IDaaS sends an HTTP POST request with a JSON payload to a callback URL that you configure.
- [Common webhook use cases](/developer/webhook/common-webhook-use-cases.md): Use Entrust Identity as a Service (IDaaS) webhooks when you need another system to react to identity and access events in real time without polling. This page focuses on practical webhook use cases that align with the event types supported by IDaaS.
- [Events](/developer/webhook/events.md): Webhook events notify you when authentication, user account, or authenticator-related changes occur. When an event is triggered, IDaaS sends an HTTP POST request to your configured webhook URL with a JSON payload that describes the event.
- [Authentication events](/developer/webhook/events/authentication-events.md): Authentication success and failure notifications
- [Face biometric events](/developer/webhook/events/face-biometric-events.md): Face biometric event notifications
- [Grid card events](/developer/webhook/events/grid-card-events.md): Grid card event notifications
- [Knowledge-based question events](/developer/webhook/events/knowledge-based-question-events.md): Knowledge-based question event notifications
- [Magic link events](/developer/webhook/events/magic-link-events.md): Magic link event notifications
- [Passkey events](/developer/webhook/events/passkey-events.md): Passkey lifecycle event notifications
- [Password events](/developer/webhook/events/password-events.md): Password lifecycle event notifications
- [User events](/developer/webhook/events/user-events.md): User account lifecycle event notifications
- [Manage Webhooks](/developer/webhook/manage-webhooks.md): Use webhooks to send event notifications from Entrust Identity as a Service (IDaaS) to an external endpoint. Before IDaaS can deliver webhook events, you must register a webhook for your tenant.
- [Webhook Signature Verification](/developer/webhook/webhook-signature-verification.md): IDaaS webhook requests use RFC 9421 HTTP Message Signatures.
- [Applications and SSO](/docs/applications-and-sso.md): Add and manage SAML, OIDC, OAuth, and RADIUS applications. Use these guides to set up application access and single sign-on.
- [IDaaS integrations](/docs/applications-and-sso/identity-as-a-service-integration-guides.md): You can integrate Identity as a Service with the following:
- [Generic API Risk Engine](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-a-generic-api-risk-engine.md): An external risk engine provider is a source of risk alerts or risk events. The IDaaS Generic API risk engine supports integration with external risk engines. IDaaS evaluates risk contexts from an external risk engine to build risk engine rules. With an external risk engine API integration, your organization implements a service that can be reached by REST. The integration works as shown in the following figure:
- [IDaaS AD FS Adapter](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-idaas-ad-fs-adapter.md): The IDaaS AD FS Adapter uses the pluggable multi-factor authentication (MFA) option of AD FS to integrate Identity as a Service with AD FS. The IDaaS AD FS Adapter includes an installer to install the Identity as a Service plug-in.
- [IDaaS Apache Filter](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-idaas-apache-filter.md): The IDaaS Apache Filter solution uses Identity as a Service to provide strong second-factor authentication to generic forms-based and Identity as a Service password authentication types. The solution consists of the filter component and the Authentication Application (AuthApp) component. You can use the Apache Filter with the Identity as a Service authentication methods
- [IDaaS Desktop](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-idaas-desktop.md): IDaaS Desktop provides strong second-factor authentication to Windows Desktop Login (online or offline). Local users of the computer on which the IDaaS Desktop for Microsoft Windows is installed are not required to use second-factor authentication to log in.
- [IDaaS ISAPI Filter](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-idaas-isapi-filter.md): The IDaaS ISAPI Filter solution provides strong second-factor authentication to Microsoft Outlook Web Access (OWA), Remote Desktop Web Access (RD Web Access), Integrated Windows Authentication (IWA), SharePoint, and generic TMG forms-based authentication types. The solution is made up of two components: the filter component and the authentication application component.
- [PSD2 compliance](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-identity-as-a-service-for-psd2-compliance.md): You can integrate Identity as a Service for PSD2 compliance with European Banking Authority (EBA) Regulatory Technical Standards for Strong Customer Authentication, Article 98 of Directive 2015/2366 (PSD2) (see Article 5, Dynamic Linking).
- [SIEM Syslog](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-siem-syslog.md): SIEM integration with Identity as a Service allows audit logs to be sent to syslog through an Enterprise Service Gateway. The Syslog SIEM application downloads audit logs from Identity as a Service into your Enterprise Service Gateway and publishes them to your on-premise SIEM syslog server. For more information on audit logs, see View and export audit logs.
- [Splunk SIEM](/docs/applications-and-sso/identity-as-a-service-integration-guides/integrate-splunk-siem.md): The Entrust Identity as a Service Add-on for Splunk enables centralizing your Identity as a Service authentication and management audit events in Splunk™ Enterprise and Splunk™ Cloud. The Identity as a Service Splunk Add-On is located at https://splunkbase.splunk.com/app/4204.
- [Manage applications](/docs/applications-and-sso/manage-applications.md): Identity as a Service provides secure access to cloud, legacy, and on-premise applications. Adding an application to Identity as a Service configures that application for single sign-on (SSO) access through Identity as a Service.
- [Edit and delete applications](/docs/applications-and-sso/manage-applications/edit-and-delete-applications.md): If you need to make changes to an application after you have added to Identity as a Service, you can edit the application settings following the instructions you used to create it as a guideline. If you no longer want to protect an application with Identity as a Service, you can delete it.
- [Integrate API applications](/docs/applications-and-sso/manage-applications/integrate-api-applications.md): This section describes how to integrate Identity as a Service APIs into your application account. These APIs allow you to incorporate specific parts of Identity as a Service functionality into your application. Once you integrate an API, you can perform the Identity as a Service action provided by that API without navigating to your Identity as a Service account.
- [Integrate Administration API](/docs/applications-and-sso/manage-applications/integrate-api-applications/integrate-administration-api.md): Administrators can integrate Identity as a Service user administration into their application by using the Identity as a Service Administrator REST APIs. This API allows you to seamlessly perform administrative actions on Identity as a Service users and authenticators without logging in to the Identity as a Service administrator portal. Identity as a Service provides a JSON file that contains the credentials needed for the API integration to authenticate to Identity as a Service.
- [Integrate Authentication API](/docs/applications-and-sso/manage-applications/integrate-api-applications/integrate-authentication-api.md): Adding an Authentication API application on Identity as a Service enables integration between the application using the Identity as a Service authentication APIs and Identity as a Service. Once configured, users are prompted to enter Identity as a Service challenge responses into their application user interface. The application communicates with Identity as a Service using the API calls to authenticate each response and grant access to the application.
- [Regenerate API shared secret](/docs/applications-and-sso/manage-applications/integrate-api-applications/regenerate-api-shared-secret.md): If needed, you can regenerate the shared secret for Administration API applications. If you regenerate the shared secret, you must reconfigure the API application with the newly generated shared secret in order for authentications to be successful.
- [Integrate OIDC and OAuth Cloud applications](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications.md): OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. OIDC allows applications to verify the identity of an end-user and obtain basic user profile information. OAuth allows applications to obtain JWT access tokens for use as authorization to invoke resource server APIs on behalf of users. You can configure your applications so that they are accessible to only specific resource server APIs. Identity as a Service supports both OIDC and OAuth (2.0 and 2.1).
- [Configure an OIDC and OAuth claim](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/configure-an-oidc-and-oauth-claim.md): You can include Identity as a Service authenticators, groups, and organizations as part of the OIDC claim to an application during authentication. These are called User Related Attributes on Identity as a Service. For example, if a user authenticated using an OTP and Password authenticator and belonged to Group1, Group2, and Group3, and were associated with organizations MyOrganization and Beta, then the token responses can be configured to include these claims, as shown in this example:
- [Create and manage OIDC signing certificates](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/create-and-manage-oidc-signing-certificates.md): OIDC signing certificates contain a key pair that you associate with an OIDC application. The private key signs the OIDC tokens that Identity as a Service returns to an OIDC service provider for OIDC authentication. The signing certificate and associated public key are available through the OIDC JWKS endpoint. This endpoint is used by The OIDC service provider uses the endpoint to validate the signature of the OIDC token.
- [Create OIDC custom claims](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/create-oidc-custom-claims.md): You can create custom claims for OIDC applications. Claims appear on the OIDC Custom Claims page. If required, custom claims can be deleted from this page.
- [Integrate generic OIDC and OAuth Device application](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/integrate-a-generic-oidc-and-oauth-device-application.md): You can configure access to custom OpenID Connect (OIDC) device applications by integrating a generic OIDC Device application (SPA) on Identity as a Service. A device application is a client application that runs on an input-constrained or browserless device (for example, a TV set top box, a picture frame, or a printer). In order to obtain authorization to access resources on the user's behalf (for example, access to movies or photos), the user authentication and authorization does not occur on the device, but rather on a separate user-controlled computer or mobile device based on a supplied URL and user code. After the user completes the authentication, the device application is able to acquire the required tokens to access the resource on the user's behalf.
- [Integrate a generic OIDC and OAuth Embedded application](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/integrate-a-generic-oidc-and-oauth-embedded-application.md): You can configure an OpenID Connect (OIDC) IDaaS JWT Grant application type by integrating a generic OIDC and OAuth Embedded application with Identity as a Service. A generic Embedded application provides a custom self-hosted login interface that authenticates users within the application itself while still relying on an OpenID Connect provider to issue standards-compliant tokens.
- [Integrate a generic OIDC and OAuth Native application](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/integrate-a-generic-oidc-and-oauth-native-application.md): You can configure access to custom OpenID Connect (OIDC) applications by integrating a generic OIDC Native application with Identity as a Service. A Native application is a client application that cannot communicate securely with Identity as a Service using a client secret in order to obtain various tokens. Tokens are returned directly to the Native application (possibly through an Operating System specific in-app view controller or a system browser).
- [Integrate a generic OIDC and OAuth Server application](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/integrate-a-generic-oidc-and-oauth-server-application.md): You can configure access to custom OpenID Connect (OIDC) applications by integrating a generic OIDC Server application on Identity as a Service. A Server application is a client application that can communicate security with Identity as a Service using a client secret in order to obtain access tokens. Tokens are requested directly from and returned to the client application.
- [Integrate a generic OIDC and OAuth SPA application](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/integrate-a-generic-oidc-and-oauth-spa-application.md): You can configure access to custom OpenID Connect (OIDC) applications by integrating a generic OIDC Single-Page Application (SPA) on Identity as a Service. An SPA application is a client application that cannot communicate securely with Identity as a Service using a client secret in order to obtain various tokens. Tokens are returned directly to the SPA.
- [Integrate a generic OIDC and OAuth Web application](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/integrate-a-generic-oidc-and-oauth-web-application.md): You can configure access to custom OpenID Connect (OIDC) applications by integrating a generic OIDC Web application on Identity as a Service. A Web application is a client application that can communicate securely with Identity as a Service using a client secret in order to obtain various tokens.
- [Manage OIDC and OAuth tokens](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/manage-oidc-and-oauth-tokens.md): The number of tokens a user can have for any OIDC/OAuth application is limited to 50. This applies to Userinfo Access Tokens and JWT Access Tokens issued with a Refresh Token. Once the limit is reached, the oldest token (based on when it was last issued) is removed. For a description of the different OIDC and OAuth tokens, see Integrate OpenID Connect and OAuth Cloud applications.
- [Revoke OIDC and OAuth tokens](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/manage-oidc-and-oauth-tokens/revoke-oidc-and-oauth-tokens.md): You can revoke tokens. For example, you may want to revoke tokens if a user is an unauthorized user of the resource or a user has left your organization.
- [Manage Resource Servers](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/manage-resource-servers.md): If you have an OAuth client application and you want to allow the application to access resource server APIs/URLs, you need to set up OAuth authorization. OAuth allows you to grant applications access to resources of another entity on behalf of a user by obtaining JWT access tokens for this purpose. Consider the following example:
- [Add an API/URL resource server](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/manage-resource-servers/add-an-api-url-resource-server.md): Manage OAuth authorization with a resource server.
- [Configure client credential grants](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/manage-resource-servers/configure-client-credential-grants.md): For every resource server that you define, you can configure OIDC and OAuth Web and Server applications to request a server-based JWT access token. The token can be used by client applications to communicate directly with the resource server API.
- [Configure Role-Based Access Control (RBAC)](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/manage-resource-servers/configure-role-based-access-control-rbac.md): Role-based access control allows you to configure the scopes that are contained within OAuth access tokens requested by client applications on behalf of users in order to access protected APIs/URLs. You create Access Management Roles and link them to scopes and users. Consider the following example:
- [OIDC and OAuth configurations and certificates](/docs/applications-and-sso/manage-applications/integrate-oidc-and-oauth-cloud-applications/oidc-and-oauth-configurations-and-certificates.md): The OIDC and OAuth JWKS files define the public signing key. The same key signs the ID token, user info data (available from the issued access token), and the JWT access token.
- [Integrate RADIUS applications](/docs/applications-and-sso/manage-applications/integrate-radius-applications.md): You can configure a Generic RADIUS client to make it accessible through RADIUS authentication.
- [Integrate generic RADIUS applications](/docs/applications-and-sso/manage-applications/integrate-radius-applications/integrate-generic-radius-applications.md): Entrust recommends that when multiple RADIUS applications are configured that each RADIUS application is given a unique shared secret.
- [RADIUS integration prerequisites](/docs/applications-and-sso/manage-applications/integrate-radius-applications/radius-integration-prerequisites.md): Use the Generic RADIUS Client to configure your Virtual Private Network (VPN) server for RADIUS authentication. The Generic RADIUS client works with the Identity as a Service gateway and its RADIUS agent. The Identity as a Service gateway and RADIUS agent act as the RADIUS server in this configuration.
- [Integrate SAML applications](/docs/applications-and-sso/manage-applications/integrate-saml-applications.md): Identity as a Service can act as an Identity Provider (IDP) in order to perform SAML-based single sign-on (SSO) to 3rd-party applications. Identity as a Service includes a number of cloud applications for you to integrate with Identity as a Service for two-factor authentication. If you want to protect a cloud service that is not pre-configured with Identity as a Service, you can add it as a generic SAML service provider application.
- [Create SAML signing certificates](/docs/applications-and-sso/manage-applications/integrate-saml-applications/create-and-manage-saml-signing-certificates.md): SAML signing certificates contain a key pair that you associate with a SAML application. The private key signs the SAML responses that Identity as a Service returns to a SAML service provider for SAML authentication. You can export the signing certificate and import it into the SAML service provider to validate the signature that the SAML assertion returns.
- [Download SAML metadata](/docs/applications-and-sso/manage-applications/integrate-saml-applications/download-or-copy-saml-metadata.md): If your SAML service provider supports updating SAML configuration using metadata, you can download the metadata from Identity as a Service. The download contains the signing certificate and other information you need to configure your service provider for Identity as a Service authentication.
- [Integrate a generic SAML application](/docs/applications-and-sso/manage-applications/integrate-saml-applications/integrate-a-generic-saml-application.md): Identity as a Service includes a number of cloud applications for you to integrate with Identity as a Service for two-factor authentication. If the you want to protect a cloud service that is not preconfigured with Identity as a Service, you can integrate it as a generic SAML service provider application.
- [OIDC](/docs/applications-and-sso/oidc.md): Topics in this section
- [Creating an OIDC Application](/docs/applications-and-sso/oidc/configuring-idaas.md): Follow these steps to create an OpenID Connect integration in your IDaaS account.
- [FAQs](/docs/applications-and-sso/oidc/faq.md): Frequently asked questions when integrating with IDaaS OIDC applications
- [OAuth and OIDC Basics](/docs/applications-and-sso/oidc/oauth-oidc-basics.md): Overview
- [Integrations](/docs/applications-and-sso/oidc/oidc-and-oauth-integration-guides.md): You can configure your applications so that they are accessible to Identity as a Service accounts through OpenID Connect (OIDC) authentication and OAuth authorization. Identity as a Service supports both the Code (or Basic) Authentication Flow use case and the Implicit Authentication Flow use case.
- [ConnectWise Home](/docs/applications-and-sso/oidc/oidc-and-oauth-integration-guides/integrate-connectwise-home.md): You can configure ConnectWise Home to use Identity as a Service for multifactor authentication. ConnectWise Home is a business process automation platform (see https://www.connectwise.com/). This integration provides instructions to integrate ConnectWise Home with Identity as a Service. Once integrated, users can use single sign-on to log in to their ConnectWise account using Identity as a Service
- [ForgeRock](/docs/applications-and-sso/oidc/oidc-and-oauth-integration-guides/integrate-forgerock.md): You can configure ForgeRock to use Identity as a Service for multi-factor authentication.
- [Microsoft Conditional Access Custom Controls](/docs/applications-and-sso/oidc/oidc-and-oauth-integration-guides/integrate-microsoft-conditional-access-custom-controls.md): Microsoft Entra ID (formerly Azure AD) Conditional Access Custom Controls is being deprecated and will no longer be supported by Microsoft on September 30, 2026. It will be replaced with Microsoft Entra ID. See Integrate Microsoft Entra ID External Authentication Methods. Entrust recommends migrating Custom Controls to External Authentication Methods.
- [Microsoft Entra ID External Authentication Methods](/docs/applications-and-sso/oidc/oidc-and-oauth-integration-guides/integrate-microsoft-entra-id.md): Microsoft Entra ID is a customer identity and access management (CIAM) solution for managing external identities. See the following documentation for more help:
- [Salesforce](/docs/applications-and-sso/oidc/oidc-and-oauth-integration-guides/integrate-salesforce-oidc.md): You can configure Salesforce to use Identity as a Service for multi-factor authentication.
- [Protecting a Mobile App](/docs/applications-and-sso/oidc/protecting-mobile-app.md): This document describes how to add OIDC authentication to a mobile application using IDaaS and the open-source project AppAuth.
- [Protecting a Single Page Application (SPA)](/docs/applications-and-sso/oidc/protecting-spa.md): Integrating the IDaaS Auth SDK in your SPA
- [Protecting AWS API Gateway](/docs/applications-and-sso/oidc/secure-aws-api.md): Please note that this guide applies specifically to the AWS REST API Gateway. If you're using the AWS HTTP API Gateway, you can use the
- [Protecting Application Endpoints](/docs/applications-and-sso/oidc/using-access-tokens.md): Learn how to use access tokens and make requests to protected endpoints.
- [RADIUS and VPN](/docs/applications-and-sso/radius-and-vpn-integration-guides.md): You can integrate RADIUS applications with Identity as a Service to provide strong, second-factor authentication for your application solution using Identity as a Service.
- [Barracuda Web Application Firewall](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-barracuda-web-application-firewall.md): This technical integration guide describes how to integrate Barracuda and Identity as a Service. This integration assumes that you are familiar with the administration interface of the Barracuda SSL VPN appliance.
- [Check Point Security Gateway](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-check-point-security-gateway.md): This technical integration guide describes how to integrate Check Point Security Manager Gateway and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your Check Point Security Manager Gateway using Identity as a Service.
- [Cisco ASAv Series Adaptive Security Appliance](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-cisco-asav-series-adaptive-security-appliance.md): This technical integration guide describes how to integrate Cisco ASAv Series Adaptive Security Appliances and Identity as a Service. To set up the Cisco ASAv Series appliance, you must add the Entrust Identity as a Service RADIUS proxy as an AAA (Authentication Authorization Accounting) client, and then configure an IPSec connection profile, or a Clientless SSL connection profile, or both.
- [Cisco Identity Services Engine](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-cisco-identity-services-engine.md): This technical integration guide describes how to integrate a Cisco ISE Series Adaptive Security Appliance and Identity as a Service. The Cisco ISE allows your remote access Gateway (IPsec or SSL) to communicate with Identity as a Service. The Cisco ISE allows your remote access Gateway (IPsec or SSL) to communicate with Identity as a Service. You can integrate Identity as a Service with a RADIUS server. In this environment, the Identity as a Service RADIUS agent intercepts messages between the VPN server and the RADIUS agent.
- [Citrix Netscaler](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-citrix-netscaler.md): This technical integration describes how to integrate Citrix NetScaler and Identity as a Service. Once integrated, access to the server will require Identity as a Service authentication. The NetScaler details, such as the IP address, name, configuration secret, and ports can be added or modified during the VPN server configuration.
- [F5 BIG-IP Access Policy Manager (APM)](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-f5-big-ip-access-policy-manager-apm.md): This technical integration guide describes how to integrate a F5 BIG-IP Access Policy Manager (APM) Appliance and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your F5 BIG-IP Access Policy Manager (APM) appliance solution using Identity as a Service.
- [Fortinet-FortiGate](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-fortinet-fortigate.md): This technical integration guide describes how to integrate a Fortinet-Fortigate and Identity as a Service. The aim of this integration is to provide strong, second-factor authentication for your Fortinet-Fortigate VPN solution using Identity as a Service.
- [NetMotion Mobility XE VPN](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-netmotion-mobility-xe-vpn.md): This technical integration guide describes how to integrate a NetMotion Mobility Software and an Identity as a Service Authentication Service account. Although this document specifically covers the NetMotion Mobility Software, the information provided applies to all NetMotion appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your NetMotion Mobility Software solution using Identity as a Service.
- [OpenVPN](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-openvpn.md): OpenVPN is a virtual private network system to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. See https://www.openvpn.net. You can protect access to OpenVPN by integrating OpenVPN with Identity as a Service. Once integrated, users can use single sign-on to log in to their OpenVPN account through Identity as a Service.
- [Palo Alto Virtual Appliance](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-palo-alto-virtual-appliance.md): This technical integration guide describes how to integrate a Palo Alto VM-300 and Identity as a Service. Although this document specifically covers the Palo Alto KVM appliance, the information provided applies to all Palo Alto PA-VM Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your Palo Alto PA-VM Series appliance solution using Identity as a Service.
- [PAM RADIUS](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-pam-radius.md): This technical integration guide describes how to integrate a PAM RADIUS and Identity as a Service. Although this document specifically covers the PAM RADIUS, the information provided applies to RHEL 8 and RHEL 9. The aim of this integration is to provide strong, second-factor authentication for your PAM RADIUS solution using Identity as a Service.
- [Pulse Secure](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-pulse-secure.md): This technical integration guide describes how to integrate a Pulse Secure and Identity as a Service. Although this document specifically covers the Pulse Secure KVM appliance (PA VM), the information provided applies to all Pulse Secure VM Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your Pulse Secure VM Series appliance solution using Identity as a Service.
- [SonicWall](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-sonicwall.md): This technical integration guide describes how to integrate SonicWall and Identity as a Service.
- [Sophos XG Virtual Appliance](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-sophos-xg-virtual-appliance.md): This technical integration guide describes how to integrate Sophos XG and Identity as a Service.
- [VMware Horizon View](/docs/applications-and-sso/radius-and-vpn-integration-guides/integrate-vmware-horizon-view.md): This technical integration guide describes how to integrate a VMware Horizon View and Identity as a Service. Although this document specifically covers the VMware View KVM appliance (v), the information provided applies to all VMware View Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your VMware View Series appliance solution using Identity as a Service.
- [SAML](/docs/applications-and-sso/saml-integration-guides.md): Identity as a Service includes a number of cloud applications for you to integrate with Identity as a Service for two-factor authentication. If you want to protect a cloud service that is not pre-configured with Identity as a Service, you can add it as a generic SAML service provider application (see Add a Generic SAML application in the Administrator Help).
- [15Five](/docs/applications-and-sso/saml-integration-guides/integrate-15five.md): 15Five is a performance management platform. You can protect access to 15Five by integrating 15Five with Identity as a Service. Once integrated, users can use single sign-on to log in to their 15Five account through Identity as a Service.
- [ADP](/docs/applications-and-sso/saml-integration-guides/integrate-adp.md): ADP is a cloud-based HR solution for payroll, benefits, and tax management. You can configure ADP for single sign-on (SSO) through Entrust Identity as a Service (Entrust IDaaS).
- [Air](/docs/applications-and-sso/saml-integration-guides/integrate-air.md): Air is a tool that is used to manage creative assets. It automates the way teams collect, approve, and share creative content.
- [Alibaba Cloud](/docs/applications-and-sso/saml-integration-guides/integrate-alibaba-cloud.md): Alibaba Cloud is a cloud computing company that provides computing services to online businesses and Alibaba's own e-commerce ecosystem. You can integrate Alibaba with IDaaS to perform the following options:
- [Role-based Alibaba Cloud](/docs/applications-and-sso/saml-integration-guides/integrate-alibaba-cloud/integrate-role-based-alibaba-cloud.md): Role-based Alibaba Cloud allows an enterprise to manage users in IDaaS without the need to synchronize users from IDaaS to Alibaba and allows users of the enterprise to access Alibaba Cloud using a specific RAM role. See https://www.alibabacloud.com/help/en/ram/user-guide/role-based-sso-by-using-saml/ for more information.
- [User-based Alibaba Cloud](/docs/applications-and-sso/saml-integration-guides/integrate-alibaba-cloud/integrate-user-based-alibaba-cloud.md): User-based Alibaba Cloud allows a user to access Alibaba Cloud resources as a RAM user. See https://www.alibabacloud.com/help/en/ram/user-guide/overview-of-user-based-sso for more information.
- [Amazon Business](/docs/applications-and-sso/saml-integration-guides/integrate-amazon-business.md): Amazon Business is a purchasing solution for small businesses. You can configure your Amazon Business account for Single Sign-On (SSO) through Identity as a Service.
- [Amazon Web Services (AWS)](/docs/applications-and-sso/saml-integration-guides/integrate-amazon-web-services.md): Amazon Web Services is a secured cloud web services platform that provides a large bundle of cloud-based services (see https://aws.amazon.com/). You can configure your Amazon Web Services account for Single Sign-On (SSO) through Identity as a Service.
- [AppDynamics](/docs/applications-and-sso/saml-integration-guides/integrate-appdynamics.md): AppDynamics is an application performance monitoring solution to provide real-time visibility and insight into IT environments (see https://www.appdynamics.com/). You can protect access to AppDynamics by integrating AppDynamics with Identity as a Service. Once integrated, users can use single sign-on to log in to their AppDynamics account through Identity as a Service.
- [Asana Enterprise](/docs/applications-and-sso/saml-integration-guides/integrate-asana-enterprise.md): Asana Enterprise offers a Web and mobile application that offers a work management platform that provides powerful admin controls and advanced data protection. (see https://asana.com/). This integration provides instructions to integrate Asana with Identity as a Service. Once integrated, users can use single sign-on to log in to their Asana account using Identity as a Service.
- [Atlassian](/docs/applications-and-sso/saml-integration-guides/integrate-atlassian.md): Atlassian Access offers enhanced security and centralized administration that works across Atlassian cloud products (see https://www.atlassian.com/). You can protect access to Atlassian by integrating Atlassian with Identity as a Service. Once integrated, users can use single sign-on to log in to their Atlassian account through Identity as a Service.
- [AwardCo](/docs/applications-and-sso/saml-integration-guides/integrate-awardco.md): AwardCo is an employee recognition platform that offers millions of rewards, free shipping, and no markups through Amazon Business (see https://www.award.co/). You can protect access to AwardCo by integrating AwardCo with Identity as a Service. Once integrated, users can use single sign-on to log in to their AwardCo account through Identity as a Service.
- [BambooHR](/docs/applications-and-sso/saml-integration-guides/integrate-bamboohr.md): BambooHR is a cloud-based human resource management platform that collects and organizes all the information gathered throughout the employee lifecycle (see https://www.bamboohr.com). You can protect access to BambooHR by integrating BambooHR with Identity as a Service. Once integrated, users can use single sign-on to log in to their BambooHR account through Identity as a Service.
- [Bonusly](/docs/applications-and-sso/saml-integration-guides/integrate-bonusly.md): Bonusly is an employee recognition and rewards program. See https://www.bonusly.com.
- [Box](/docs/applications-and-sso/saml-integration-guides/integrate-box.md): Box is a secure cloud content management and file managing service (see https://www.box.com/en-ca/home). You can configure your Box account to Single Sign-On (SSO) through Identity as a Service. More information on configuring Box for SSO with Identity as a Service as an Identity Provider can be found at the Box Community Website.
- [Citrix ADC](/docs/applications-and-sso/saml-integration-guides/integrate-citrix-adc.md): Citrix ADC (formerly Citrix Netscaler) is an application delivery and load balancing solution (see https://www.citrix.com/products/citrix-adc/). This integration provides instructions to integrate Citrix ADC with Identity as a Service. Once integrated, users can use single sign-on to log in to their Citrix ADC account using Identity as a Service
- [Citrix Workspace](/docs/applications-and-sso/saml-integration-guides/integrate-citrix-workspace.md): Citrix Workspace is a complete digital workspace solution that allows you to deliver secure access to the information, apps, and other content that are relevant to a person's role in your organization (see https://www.citrix.com/products/citrix-workspace/). This integration provides instructions to integrate Citrix Workspace with Identity as a Service. Once integrated, users can use single sign-on to log in to their Citrix Workspace account using Identity as a Service.
- [Confluent Cloud](/docs/applications-and-sso/saml-integration-guides/integrate-confluent-cloud.md): Confluent Cloud is a fully managed, cloud-native event streaming platform powered by Apache Kafka. See https://www.confluent.io/. You can configure your Confluent Cloud account for Single Sign-On (SSO) through Identity as a Service.
- [ConnectWise ScreenConnect](/docs/applications-and-sso/saml-integration-guides/integrate-connectwise-screenconnect.md): ConnectWise ScreenConnect is a self-hosted desktop software application that allows users to host software on their own servers (see https://screenconnect.connectwise.com). This integration provides instructions to integrate ConnectWise ScreenConnect with Identity as a Service. Once integrated, users can use single sign-on to log in to their ConnectWise ScreenConnect account using Identity as a Service.
- [Coupa](/docs/applications-and-sso/saml-integration-guides/integrate-coupa.md): Coupa Software is a global technology platform for Business Spend Management (see https://www.coupa.com). You can protect access to Coupa by integrating Coupa with Identity as a Service. Once integrated, users can use single sign-on to log in to their Coupa account through Identity as a Service.
- [Datadog](/docs/applications-and-sso/saml-integration-guides/integrate-datadog.md): Datadog is a monitoring service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform (see https://www.datadoghq.com/). You can protect access to Datadog by integrating Datadog with Identity as a Service. Once integrated, users can use single sign-on to log in to their Datadog account through Identity as a Service.
- [Dell Boomi](/docs/applications-and-sso/saml-integration-guides/integrate-dell-boomi.md): Dell Boomi is a cloud integration platform for connecting cloud and on-premises applications and data (see https://boomi.com/). You can protect access to Dell Boomi by integrating Dell Boomi with Identity as a Service. Once integrated, users can use single sign-on to log in to their Dell Boomi account through Identity as a Service.
- [DocuSign](/docs/applications-and-sso/saml-integration-guides/integrate-docusign.md): DocuSign is a cloud-based transaction platform that lets users send, sign and manage legally binding documents securely (see https://www.docusign.com/). You can protect access to DocuSign by integrating DocuSign with Identity as a Service. Once integrated, users can use single sign-on to log in to their DocuSign account through Identity as a Service.
- [Dropbox Business](/docs/applications-and-sso/saml-integration-guides/integrate-dropbox-business.md): Dropbox Business is cloud-based storage, sharing, and collaboration solution (see https://www.dropbox.com/business). You can protect access to Dropbox Business by integrating Dropbox Business with Identity as a Service. Once integrated, users can use single sign-on to log in to their Dropbox Business account through Identity as a Service.
- [Druva](/docs/applications-and-sso/saml-integration-guides/integrate-druva.md): Druva provides SaaS-based data protection and management products. Druva supports SSO for Managed Services Providers to access a Managed Services Center. See https://www.druva.com.
- [Envoy](/docs/applications-and-sso/saml-integration-guides/integrate-envoy.md): Envoy offers visitor management, employee sign-in, desk reservations, room booking, and delivery management software (see https://envoy.com/). You can protect access to Envoy by integrating Envoy with Identity as a Service. Once integrated, users can use single sign-on to log in to their Envoy account through Identity as a Service.
- [Epic Hyperdrive](/docs/applications-and-sso/saml-integration-guides/integrate-epic-hyperdrive.md): Epic Hyperdrive is a web-based application for healthcare providers and administrators using the Epic system. See https://open.epic.com/Hyperdrive/Hyperdrive. This Technical Integration Guide describes how to integrate Entrust IDaaS multi-factor authentication (MFA) with EPIC Hyperdrive. Entrust Identity Epic Plug-in 2.0 uses the pluggable multi-factor authentication (MFA) option of Epic to integrate Identity as a Service MFA with Epic. Once integrated with Identity as a Service, users can use single sign-on to log in to their Epic Hyperdrive account through Identity as a Service.
- [Expensify](/docs/applications-and-sso/saml-integration-guides/integrate-expensify.md): Expensify provides automation tools for expense management receipt tracking (see https://www.expensify.com). You can protect access to Expensify by integrating Expensify with Identity as a Service. Once integrated, users can use single sign-on to log in to their Expensify account through Identity as a Service.
- [Fastly](/docs/applications-and-sso/saml-integration-guides/integrate-fastly.md): Fastly is a cloud computer services provider that helps developers run, secure, and deliver websites and applications by generating an admin panel on top of their data. See https://www.fastly.com. You can protect access to Fastly by integrating Fastly with Identity as a Service. Once integrated, users can use single sign-on to log in to their Fastly account through Identity as a Service.
- [FiveTran](/docs/applications-and-sso/saml-integration-guides/integrate-fivetran.md): FiveTran is cloud-based data movement platform (see https://www.fivetran.com/). You can protect access to FiveTran by integrating FiveTran with Identity as a Service. Once integrated, users can use single sign-on to log in to their FiveTran account through Identity as a Service.
- [Forest Admin](/docs/applications-and-sso/saml-integration-guides/integrate-forest-admin.md): Forest Admin enables organizations to easily create an Admin panel to manage their data. See https://www.forestadmin.com. You can protect access to Forest Admin by integrating Forest Admin with Identity as a Service. Once integrated, users can use single sign-on to log in to their LogMeIn account through Identity as a Service.
- [FortiSIEM](/docs/applications-and-sso/saml-integration-guides/integrate-fortisiem.md): FortiSIEM is an advanced Security Information and Event Management (SIEM) solution that combines advanced log and traffic analysis with performance/availability monitoring, change analysis, and accurate knowledge of the infrastructure to provide accurate threat detection, remediation, incident response, and compliance reporting. See https://www.fortinet.com/products/siem. You can protect access to FortiSIEM by integrating FortiSIEM with Identity as a Service. Once integrated, users can use single sign-on to log in to their FortiSIEM account through Identity as a Service.
- [Freshservice](/docs/applications-and-sso/saml-integration-guides/integrate-freshservice.md): Freshservice is cloud-native IT service desk software developed by Freshworks. See https://www.freshworks.com/. You can protect access to Freshservice by integrating Freshservice with Identity as a Service. Once integrated, users can use single sign-on to log in to their Freshservice account through Identity as a Service.
- [Freshworks](/docs/applications-and-sso/saml-integration-guides/integrate-freshworks.md): Freshworks. Inc. is a cloud-based software-as-a-service company that provides cloud-based tools for customer relationship managing, IT service management, and e-commerce marketing. See https://support.freshworks.com/support/solutions/articles/237923. You can protect access to Freshworks by integrating Freshworks with Identity as a Service. Once integrated, users can use single sign-on to log in to their Freshworks account through Identity as a Service.
- [Gong](/docs/applications-and-sso/saml-integration-guides/integrate-gong.md): Gong is a reality platform that captures what is going on with a company's customers and team to deliver insights and guidance that allows companies to adapt, upskill, and hit company targets. See https://www.gong.io. You can protect access to Gong by integrating Gong with Identity as a Service. Once integrated, users can use single sign-on to log in to their Gong account through Identity as a Service.
- [Google Workspace](/docs/applications-and-sso/saml-integration-guides/integrate-google-workspace.md): Google Workspace is a suite of cloud collaboration tools. You can configure Google Workspace for single sign-on (SSO) with Entrust Identity as a Service (Entrust IDaaS).
- [HubSpot](/docs/applications-and-sso/saml-integration-guides/integrate-hubspot.md): HubSpot is a CRM platform with all the software, integrations, and resources needed to connect marketing, sales, content management, and customer service (see https://www.hubspot.com). You can protect access to HubSpot by integrating HubSpot with Identity as a Service. Once integrated, users can use single sign-on to log in to their HubSpot account through Identity as a Service.
- [Huddle](/docs/applications-and-sso/saml-integration-guides/integrate-huddle.md): Huddle allows you to create secure workspaces and portals to collaborate around content, track activity, and communicate securely on projects o client engagements. See https://my.huddle.net. You can protect access to Huddle by integrating Huddle with Identity as a Service. Once integrated, users can use single sign-on to log in to their Huddle account through Identity as a Service.
- [Jamf Pro](/docs/applications-and-sso/saml-integration-guides/integrate-jamf-pro.md): Jamf Pro is comprehensive enterprise management software for the Apple platform to simplify IT management for Mac, iPad, iPhone and Apple TV (see https://www.jamf.com/products/jamf-pro/). You can protect access to Jamf Pro by integrating Jamf Pro with Identity as a Service. Once integrated, users can use single sign-on to log in to their Jamf Pro account through Identity as a Service.
- [Jenkins](/docs/applications-and-sso/saml-integration-guides/integrate-jenkins.md): Jenkins is an open-source automation tool written in Java with plugins built for continuous integration (see https://www.jenkins.io). You can protect access to Jenkins by integrating Jenkins with Identity as a Service. Once integrated, users can use single sign-on to log in to their Jenkins account through Identity as a Service.
- [Keeper Security](/docs/applications-and-sso/saml-integration-guides/integrate-keeper-security.md): Keeper Security provides a password protection tool for your organization. Keeper Security supports SSO for Managed Services Providers (MSP) to access Managed Services Center (MSC) without the need for a separate login. An SSO login validates usernames and passwords against your corporate user database that is protected by IDaaS. See https://www.keepersecurity.com/. You can protect access to Keeper Security by integrating Keeper Security with Identity as a Service. Once integrated, users can use single sign-on to log in to their Keeper Security account through Identity as a Service.
- [KnowBe4](/docs/applications-and-sso/saml-integration-guides/integrate-knowbe4.md): KnowBe4 provides an integrated platform for security awareness combined with simulated phishing attacks (see https://knowbe4.com). You can protect access to KnowBe4 by integrating KnowBe4 with Identity as a Service. Once integrated, users can use single sign-on to log in to their KnowBe4 account through Identity as a Service.
- [LeaveWizard](/docs/applications-and-sso/saml-integration-guides/integrate-leavewizard.md): LeaveWizard is a cloud-based software that helps organizations track employee leave and absence management. See https://www.leavewizard.com. You can protect access to LeaveWizard by integrating LeaveWizard with Identity as a Service. Once integrated, users can use single sign-on to log in to their LeaveWizard account through Identity as a Service.
- [LogMeIn](/docs/applications-and-sso/saml-integration-guides/integrate-logmein.md): LogMeIn provides cloud-based remote work tools for collaboration, IT management and customer engagement (see https://logmein.com). You can protect access to LogMeIn by integrating LogMeIn with Identity as a Service. Once integrated, users can use single sign-on to log in to their LogMeIn account through Identity as a Service.
- [Lucidchart](/docs/applications-and-sso/saml-integration-guides/integrate-lucidchart.md): Lucidchart is a web-based diagramming application that allows users to visually collaborate on drawing, revising and sharing charts and diagrams. It also users to improve processes, systems, and organizational structures. See https://www.lucidchart.com. You can protect access to Lucidchart by integrating Lucidchart with Identity as a Service. Once integrated, users can use single sign-on to log in to their Lucidchart account through Identity as a Service.
- [Mimecast](/docs/applications-and-sso/saml-integration-guides/integrate-mimecast.md): Mimecast is a cloud subscription service that combines solutions for email security, archiving, and continuity. See https://www.mimecast.com/. You can protect access to Mimecast by integrating Mimecast with Identity as a Service. Once integrated, users can use single sign-on to log in to their Mimecast account through Identity as a Service.
- [Miro](/docs/applications-and-sso/saml-integration-guides/integrate-miro.md): Miro is a digital collaborative platform to facilitate remote and distributed team communication and project management (see https://www.miro.com). You can protect access to Miro by integrating Miro with Identity as a Service. Once integrated, users can use single sign-on to log in to their Miro account through Identity as a Service.
- [Mobile Microsoft Office 365 Applications](/docs/applications-and-sso/saml-integration-guides/integrate-mobile-microsoft-office-365-applications.md): Identity as a Service supports accessing Microsoft Office applications by logging in to your Microsoft Office 365 account. Once configured, a user can log in to the Microsoft Office 365 account through Identity as a Service authentication. There are some exceptions which are described in the sections below.
- [Monday.com](/docs/applications-and-sso/saml-integration-guides/integrate-monday-com.md): Monday provides an operating to run processes, projects, and workflows in one digital workspace (see https://www.monday.com/). You can protect access to Monday.com by integrating Monday.com with Identity as a Service. Once integrated, users can use single sign-on to log in to their Monday.com account through Identity as a Service.
- [MuleSoft](/docs/applications-and-sso/saml-integration-guides/integrate-mulesoft.md): MuleSoft offers an integration platform helping businesses connect data, applications and devices across on-premises and cloud computing environments (see https://www.mulesoft.com/). You can protect access to MuleSoft by integrating MuleSoft with Identity as a Service. Once integrated, users can use single sign-on to log in to their MuleSoft account through Identity as a Service.
- [Netskope](/docs/applications-and-sso/saml-integration-guides/integrate-netskope.md): Netskope is a cloud-based zero-trust service that secures access to enterprise applications and data in hybrid IT environments while reducing risk and simplifying security operations. See https://www.netskope.com. You can protect access to Netskope by integrating Netskope with Identity as a Service. Once integrated, users can use single sign-on to log in to their Netskope account through Identity as a Service.
- [New Relic](/docs/applications-and-sso/saml-integration-guides/integrate-new-relic.md): New Relic is a Web application performance service that works in real-time with live Web apps. (see https://newrelic.com). You can protect access to New Relic by integrating New Relic with Identity as a Service. Once integrated, users can use single sign-on to log in to their New Relic account through Identity as a Service.
- [Office 365](/docs/applications-and-sso/saml-integration-guides/integrate-office-365.md): You must configure Microsoft Office 365 for Entrust Identity as a Service (Entrust IDaaS) before configuring mobile Microsoft Office 365 applications for single sign-on.
- [Onfido](/docs/applications-and-sso/saml-integration-guides/integrate-onfido.md): Onfido is a technology company that helps businesses verify people's identities using a photo-based identity document, a selfie, and artificial intelligence algorithms (see https://onfido.com). You can protect access to Onfido by integrating Onfido with Identity as a Service. Once integrated, users can use single sign-on to log in to their Onfido account through Identity as a Service.
- [Oracle Eloqua](/docs/applications-and-sso/saml-integration-guides/integrate-oracle-eloqua.md): Oracle Eloqua is a software as a service platform for marketing automation that aims to help organizations manage marketing campaigns and sales lead generation (see https://www.oracle.com/cx/marketing/automation/). You can protect access to Oracle Eloqua by integrating Oracle Eloqua with Identity as a Service. Once integrated, users can use single sign-on to log in to their Oracle Eloqua account through Identity as a Service.
- [Oracle EPM](/docs/applications-and-sso/saml-integration-guides/integrate-oracle-epm-cloud.md): Oracle EPM (Enterprise Performance Management) Cloud software helps users analyze, understand, and report on their business (see https://oracle.com/performance-management). You can protect access to Oracle EPM Cloud by integrating Oracle EPM Cloud with Identity as a Service. Once integrated, users can use single sign-on to log in to their Oracle EPM Cloud account through Identity as a Service.
- [PagerDuty](/docs/applications-and-sso/saml-integration-guides/integrate-pagerduty.md): PagerDuty offers a cloud-based incident management platform for IT departments (see https://www.pagerduty.com). You can protect access to PagerDuty by integrating PagerDuty with Identity as a Service. Once integrated, users can use single sign-on to log in to their PagerDuty account through Identity as a Service.
- [PingDom](/docs/applications-and-sso/saml-integration-guides/integrate-pingdom.md): PingDom offers a cloud-based incident management platform for IT departments (see https://www.pingdom.com). You can protect access to PingDom by integrating PingDom with Identity as a Service. Once integrated, users can use single sign-on to log in to their PingDom account through Identity as a Service.
- [ProdPad](/docs/applications-and-sso/saml-integration-guides/integrate-prodpad.md): ProdPad is a product management software to help teams build products. See https://www.prodpad.com. You can protect access to ProdPad by integrating ProdPad with Identity as a Service. Once integrated, users can use single sign-on to log in to their ProdPad account through Identity as a Service.
- [ReviewInc](/docs/applications-and-sso/saml-integration-guides/integrate-reviewinc.md): ReviewInc is a leading provider of Business Reputation Management Services (see https://reviewinc.com). You can protect access to ReviewInc by integrating ReviewInc with Identity as a Service. Once integrated, users can use single sign-on to log in to their ReviewInc account through Identity as a Service.
- [RingCentral](/docs/applications-and-sso/saml-integration-guides/integrate-ringcentral.md): RingCentral is a cloud-based business communication system with enterprise-grade voice, fax, text, online meetings, conferencing and collaboration (see https://www.ringcentral.ca). You can protect access to RingCentral by integrating RingCentral with Identity as a Service. Once integrated, users can use single sign-on to log in to their RingCentral account through Identity as a Service.
- [SailPoint IdentityIQ](/docs/applications-and-sso/saml-integration-guides/integrate-sailpoint-identityiq.md): SailPoint IdentityIQ is a cloud-based application that manages files and applications across your IT environment (see https://www.sailpoint.com). You can protect access to SailPoint IdentityIQ by integrating SailPoint IdentityIQ with Identity as a Service. Once integrated, users can use single sign-on to log in to their SailPoint IdentityIQ account through Identity as a Service.
- [Salesforce](/docs/applications-and-sso/saml-integration-guides/integrate-salesforce.md): A Salesforce account is automatically configured for single logout (SLO) when it is set up for Identity as a Service authentication. When the user logs out of a Salesforce account that is set up for Identity as a Service authentication, the user is also logged out of Identity as a Service. When the user logs out of Identity as a Service, the user is not automatically logged out of Salesforce.
- [ServiceNow](/docs/applications-and-sso/saml-integration-guides/integrate-servicenow.md): ServiceNow provides a cloud computing platform to help companies manage digital workflows for enterprise operations (see https://www.servicenow.com). You can protect access to ServiceNow by integrating ServiceNow with Identity as a Service. Once integrated, users can use single sign-on to log in to their ServiceNow account through Identity as a Service.
- [Sharefile](/docs/applications-and-sso/saml-integration-guides/integrate-sharefile.md): ShareFile is a secure content collaboration, file sharing and sync software that supports all the document-centric tasks and workflow needs of small and large businesses. The company also offers cloud-based or on-premises storage, virtual data rooms and client portals. ShareFile is owned by Citrix Systems. See https://www.sharefile.com. You can protect access to ShareFile by integrating ShareFile with Identity as a Service. Once integrated, users can use single sign-on to log in to their Freshworks account through Identity as a Service.
- [SiteMinder](/docs/applications-and-sso/saml-integration-guides/integrate-siteminder.md): SiteMinder provides policy-based authentication and single sign-on for Web-based applications. See https://www.broadcom.com/products/identity/siteminder. You can protect access to SiteMinder by integrating SiteMinder with Identity as a Service. Once integrated, users can use single sign-on to log in to their SiteMinder account through Identity as a Service.
- [Slack](/docs/applications-and-sso/saml-integration-guides/integrate-slack.md): Slack provides a business communication platform. Slack offers many IRC-style features, including persistent chat rooms organized by topic, private groups, and direct messaging (see https://slack.com/). You can protect access to Slack by integrating Slack with Identity as a Service. Once integrated, users can use single sign-on to log in to their Slack account through Identity as a Service.
- [Smartsheet](/docs/applications-and-sso/saml-integration-guides/integrate-smartsheet.md): Smartsheet is a software service used to assign tasks, track project progress, manage calendars, share documents, and manage other work, using a tabular user interface (see https://www.smartsheet.com/). You can protect access to Smartsheet by integrating Smartsheet with Identity as a Service. Once integrated, users can use single sign-on to log in to their Smartsheet account through Identity as a Service.
- [Snowflake](/docs/applications-and-sso/saml-integration-guides/integrate-snowflake.md): Snowflake offers a cloud-based data storage and analytics service (see https://www.snowflake.com/). You can protect access to Snowflake by integrating Snowflake with Identity as a Service. Once integrated, users can use single sign-on to log in to their Snowflake account through Identity as a Service.
- [Soloinsight](/docs/applications-and-sso/saml-integration-guides/integrate-soloinsight.md): Soloinsight is a global recognition software platform that provides solutions for digital and physical threats. See https://www.soloinsight.com. You can protect access to Soloinsight by integrating Soloinsight with Identity as a Service. Once integrated, users can use single sign-on to log in to their Soloinsight account through Identity as a Service.
- [Splunk SOAR](/docs/applications-and-sso/saml-integration-guides/integrate-splunk-soar.md): Splunk SOAR (On-premises) is a Security Orchestration, Automation, and Response (SOAR) system (see https://www.splunk.com/enus/form/soar-tour.html?utmcampaign=googleamerensearchbrand&utmsource=google&utmmedium=cpc&utmcontent=SOARTour&utmterm=splunk%20soar&bk=splunk%20soar&bt=660036319642&bm=p&bn=g&bg=122074808302&device=c&gclid=EAIaIQobChMI88i8iMeEgQMVyUFyCh3rQx4EAAYAiAAEgIKRPDBwE). You can protect access to Splunk SOAR by integrating Splunk SOAR with Identity as a Service. Once integrated, users can use single sign-on to log in to their Splunk SOAR account through Identity as a Service.
- [Splunk](/docs/applications-and-sso/saml-integration-guides/integrate-splunk.md): Splunk software allows you to search, monitor, and analyze machine data (see https://www.splunk.com). You can protect access to Splunk by integrating Splunk with Identity as a Service. Once integrated, users can use single sign-on to log in to their Splunk account through Identity as a Service.
- [Sumo Logic](/docs/applications-and-sso/saml-integration-guides/integrate-sumo-logic.md): Sumo Logic provides cloud monitoring, log management, Cloud SIEM tools, and real-time insights for Web and SaaS-based apps (see https://www.sumologic.com). This integration provides instructions to integrate Sumo Logic with Identity as a Service. Once integrated, users can use single sign-on to log in to their Sumo Logic account using Identity as a Service
- [Tableau Online](/docs/applications-and-sso/saml-integration-guides/integrate-tableau-online.md): Tableau is a cloud-based data visualization software used for data science and business intelligence (see https://www.tableau.com). You can protect access to Tableau Online by integrating Tableau with Identity as a Service. Once integrated, users can use single sign-on to log in to their Tableau Online account through Identity as a Service.
- [WebEx](/docs/applications-and-sso/saml-integration-guides/integrate-webex.md): Webex is a cloud-based collaborative video conferencing product suite (see https://webex.com/). You can protect access to Webex by integrating Webex with Identity as a Service. Once integrated, users can use single sign-on to log in to their WebEx account through Identity as a Service.
- [WhiteSource](/docs/applications-and-sso/saml-integration-guides/integrate-whitesource.md): WhiteSource provides an open source security and license compliance management platform for organizations to manage their open source assets (see https://www.whitesourcesoftware.com/). You can protect access to WhiteSource by integrating WhiteSource with Identity as a Service. Once integrated, users can use single sign-on to log in to their WhiteSource account through Identity as a Service.
- [Workday](/docs/applications-and-sso/saml-integration-guides/integrate-workday.md): Workday provides on-demand financial management and human capital management (see https://www.workday.com/). You can protect access to Workday by integrating Workday with Identity as a Service. Once integrated, users can use single sign-on to log in to their Workday account through Identity as a Service.
- [Workfront](/docs/applications-and-sso/saml-integration-guides/integrate-workfront.md): Workfront offers online work management and project management software (see https://www.workfront.com/). This integration provides instructions to integrate Workfront with Identity as a Service. Once integrated, users can use single sign-on to log in to their Workfront account using Identity as a Service
- [Zendesk](/docs/applications-and-sso/saml-integration-guides/integrate-zendesk.md): Zendesk provides cloud-based support, sales and customer engagement software (see https://www.zendesk.com/).You can protect access to Zendesk by integrating Zendesk with Identity as a Service. Once integrated, users can use single sign-on to log in to their Zendesk account through Identity as a Service.
- [Ziflow](/docs/applications-and-sso/saml-integration-guides/integrate-ziflow.md): Ziflow is an enterprise online proofing tool that helps teams handle high workloads, streamline complex workflows, and ensure regulatory and brand compliance. See https://www.ziflow.com. You can protect access to Ziflow by integrating Ziflow with Identity as a Service. Once integrated, users can use single sign-on to log in to their Ziflow account through Identity as a Service.
- [Zoho One](/docs/applications-and-sso/saml-integration-guides/integrate-zoho-one.md): Zoho One offers a customizable system of integrated software for sales, marketing, support. accounting, operations, and HR (see https://www.zoho.com/one/). You can protect access to Zoho One by integrating Zoho One with Identity as a Service. Once integrated, users can use single sign-on to log in to their Zoho One account through Identity as a Service.
- [Zoom](/docs/applications-and-sso/saml-integration-guides/integrate-zoom.md): Zoom provides video-telephony and online chat services through a cloud-based peer-to-peer software platform and is used for teleconferencing, telecommuting, distance education, and social relations (see https://zoom.us/). You can protect access to Zoom by integrating Zoom with Identity as a Service. Once integrated, users can use single sign-on to log in to their Zoom account through Identity as a Service.
- [Zuora](/docs/applications-and-sso/saml-integration-guides/integrate-zuora.md): Zuora offers cloud-based software enabling companies to launch, manage and transform into a subscription business. (see https://zuora.com/). You can protect access to Zuora by integrating Zuora with Identity as a Service. Once integrated, users can use single sign-on to log in to their Zuora account through Identity as a Service.
- [Authentication and security](/docs/authentication-and-security.md): Use IDaaS authentication and security features to protect access to your applications and APIs. This section explains how to configure authenticators, group policies, risk engines, resource rules, CORS, and IP lists.
- [Configure domain controller certificates](/docs/authentication-and-security/configure-domain-controller-certificates.md): Users of IDaaS with smart credentials who want to use Smart Card Login with PKI as a Service (PKIaaS) require a domain controller certificate to enable Smart Card Login. To use a domain controller, you need a Premium Account entitlement that allows PKIaaS CAs and a PKIaaS Certificate Authority (see Configure an Entrust Managed PKI CA).
- [Export a domain controller certificate](/docs/authentication-and-security/configure-domain-controller-certificates/export-a-domain-controller-certificate.md): After you create a domain controller certificate, you need to export it and then upload it to your domain controller.
- [Manage domain controller certificates](/docs/authentication-and-security/configure-domain-controller-certificates/manage-domain-controller-certificates.md): After you create a domain controller certificate, you can view, delete, renew, revoke, and put your certificate on hold.
- [Create and manage resource rules](/docs/authentication-and-security/create-and-manage-resource-rules.md): Protect applications with resource rules
- [Add Authentication Context References](/docs/authentication-and-security/create-and-manage-resource-rules/add-authentication-context-references.md): Authentication Context References (ACRs) are labels that are used by SAML or OIDC and OAuth Identity Providers to set the type of authentication that should take place to allow access. IDaaS provides a number of System ACRs, but you can also add custom ACRs. In IDaaS, ACRs are used in resource rules to determine the type of authentication required to either allow or deny access to the protected Identity Provider.
- [Create authentication flows](/docs/authentication-and-security/create-and-manage-resource-rules/create-authentication-flows.md): Built-in Login Flows
- [Create resource rules](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules.md): Resource rules protect access to your applications by requiring users to pass a predetermined risk assessment and authentication requirements. You can create a new resource rule for an application or clone an existing resource rule.
- [Add resource rules](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules/add-a-resource-rule.md): Building a resource graph involves several steps, depending on the type of resource rule you want to create. If you simply want the most basic resource rule that has Skip Password for first-factor authentication and default second-factor, just add the resource rule and the basic template is configured with these settings.
- [Add Access Controls](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules/add-a-resource-rule/add-access-controls.md): Access Controls further streamline the users that can access the protected resource with this resource rule.
- [Add Risk Evaluation](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules/add-a-resource-rule/add-risk-evaluation.md): Risk evaluation calculates the risk result and sets the access based on low, medium, and high risk. All risk factors are connected to the Risk Evaluation node. The Risk Evaluation must include an access result to set authentication requirements to allow or deny access.
- [Add Risk Factors](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules/add-a-resource-rule/add-risk-factors.md): Risk factors are either connected to the Access Evaluation node or the Start node if no Access Filters have been added to the graph. Risk factors are then connected to the Risk Evaluation node. The following figures provide examples.
- [Error messages](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules/error-messages.md): When building a resource rule graph, the Side panel displays error messages if any are found in the graph, using the following icons:
- [Manage resource rules](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules/manage-resource-rules.md): After you create a resource rule, you can edit, delete, and enable or disable them as required.
- [Sample resource rule graphs](/docs/authentication-and-security/create-and-manage-resource-rules/create-resource-rules/sample-resource-rule-graphs.md): A resource rule follows this flow:
- [Edit User Profile resource rule for step-up authentication](/docs/authentication-and-security/create-and-manage-resource-rules/edit-user-profile-resource-rule.md): An Edit User Portal resource rule placeholder is added to configure step-up authentication rules to enforce user to perform step-up authentication when they edit their user profile.
- [Manage authenticators](/docs/authentication-and-security/manage-authenticators.md): An authenticator helps protect an application from unauthorized access. It requires the user to respond to a security challenge before granting access.
- [Authenticator lockout behavior](/docs/authentication-and-security/manage-authenticators/authenticator-lockout-behavior.md): The authenticators allowed to access applications are set by the resource rules (see Create and manage resource rules). If a user enters an incorrect authentication response more times than the value set in the Lockout Count, the authenticator is locked and the user cannot access the application using that authenticator. See Manage General settings for more information about account lockout.
- [Manage Device fingerprint attributes](/docs/authentication-and-security/manage-authenticators/manage-device-fingerprint-attributes.md): Device fingerprint attributes validate a machine authentication when Device Fingerprint Required is selected in the machine authenticator settings.
- [Manage Face Biometrics by Onfido](/docs/authentication-and-security/manage-authenticators/manage-face-biometrics-by-onfido.md): The Face Biometric authenticator uses Onfido identity verification to verify users. Registration and authentication can be performed using the web to store the user's face biometric in the Onfido cloud, or using the Entrust Identity Mobile application to store the user's biometric information on a mobile device.
- [Step A: Set up your Onfido account](/docs/authentication-and-security/manage-authenticators/manage-face-biometrics-by-onfido/step-a-set-up-your-onfido-account.md): Before you begin, open two browser windows side-by-side: one logged into your IDaaS administrator account, and the other one logged in to your Onfido administrator account.
- [Step B: Set up a Face Biometric authenticator](/docs/authentication-and-security/manage-authenticators/manage-face-biometrics-by-onfido/step-b-set-up-a-face-biometric-authenticator.md): To use Face Biometrics with IDaaS for either registration or authentication, you need to create a workflow in Onfido and copy the Workflow ID into IDaaS. Depending on your infrastructure, you create a workflow based on the following requirements:
- [Manage General settings](/docs/authentication-and-security/manage-authenticators/manage-general-settings.md): After you create a user, you must assign one or more authenticators to that user. The General settings control how authenticators work and whether the system automatically assigns authenticators when you create a user account.
- [Manage grid card authenticators](/docs/authentication-and-security/manage-authenticators/manage-grid-cards.md): Grid authentication uses cards with a grid as the authentication lookup tool. When asked to authenticate with a grid, the challenge presents the user with coordinates, for example, B3, H1. The user references the challenge coordinates on their grid card and responds by typing the corresponding values.
- [Create or assign grid cards](/docs/authentication-and-security/manage-authenticators/manage-grid-cards/create-and-assign-user-grid-cards.md): When you create a grid card for a user, IDaaS generates a serial number that the user can use to register the card. To assign an existing grid card, enter its serial number. Users can also create their own grid cards from the User Portal.
- [Create unassigned grid cards](/docs/authentication-and-security/manage-authenticators/manage-grid-cards/generate-unassigned-grid-cards.md): The maximum number of grid cards that you can create at one time is your user entitlement quantity multiplied by 3 or 100,000, whichever is lower. If you do not have any user entitlements or your entitlements have expired, you cannot generate any grid cards.
- [Manage assigned grid cards](/docs/authentication-and-security/manage-authenticators/manage-grid-cards/manage-assigned-grid-cards.md): You can manage grid cards for an individual user or multiple users simultaneously. Assigned grid cards can be:
- [Manage unassigned grid cards](/docs/authentication-and-security/manage-authenticators/manage-grid-cards/manage-unassigned-grid-cards.md): When you unassign a grid card from a user, it moves to the unassigned list and can be reassigned to another user. You can also filter by state to view assigned and unassigned grid cards, and export unassigned grid cards for bulk operations.
- [Modify grid card authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-grid-cards/modify-grid-card-authenticator-settings.md): Use this procedure to update grid card settings for your account. These settings apply to all grid cards assigned to users. An IDaaS account can include up to 5,000 unassigned grid cards.
- [Search and export grids](/docs/authentication-and-security/manage-authenticators/manage-grid-cards/search-and-export-grid-cards.md): You can search grids using filters and export them to a CSV file for use in bulk operations.
- [Manage hardware token authenticators](/docs/authentication-and-security/manage-authenticators/manage-hardware-tokens.md): Users assigned a hardware token can authenticate using a dynamic password (a number generated by the hardware token device) in response to an IDaaS challenge. When using RADIUS authentication, tokens support PAP/CHAP/MSCHAP and EAP.
- [Assign hardware tokens](/docs/authentication-and-security/manage-authenticators/manage-hardware-tokens/assign-hardware-tokens.md): You can assign a hardware token to a user after the token seed file is imported into your IDaaS account. A hardware token can be assigned to only one user at a time, but a user can have multiple hardware tokens. After users are assigned hardware tokens, update your resource rules as required so they can authenticate to their application accounts using hardware tokens.
- [Manage hardware tokens](/docs/authentication-and-security/manage-authenticators/manage-hardware-tokens/manage-hardware-tokens.md): Hardware tokens have an Active or Inactive status. Inactive tokens cannot be used for authentication. If a user misplaces their hardware token, you can disable it to reduce the risk of anyone else using it. If the user finds the token later, you can re-enable the token and it can be used again.
- [Modify hardware token settings](/docs/authentication-and-security/manage-authenticators/manage-hardware-tokens/modify-hardware-token-settings.md): 1. Click  \> Policies \> Authenticators. The Authenticators page appears.
- [Modify Legacy Token settings](/docs/authentication-and-security/manage-authenticators/manage-hardware-tokens/modify-legacy-token-settings.md): Legacy tokens are older model tokens supported by Entrust Identity Enterprise (formerly Entrust IdentityGuard). IDaaS supports legacy tokens for the migration of Entrust Identity Enterprise users to the cloud.
- [Manage Knowledge-based (KBA) authenticators](/docs/authentication-and-security/manage-authenticators/manage-knowledge-based-authenticators-kba.md): Knowledge-based authentication, or knowledge-based authenticators (KBA), also known as question-and-answer (Q&A) authentication, lets a user authenticate to an application using IDaaS by providing the correct answer to one or more preregistered questions.
- [Create and manage KBA questions for users](/docs/authentication-and-security/manage-authenticators/manage-knowledge-based-authenticators-kba/create-and-manage-kba-questions.md): During registration or enrollment of a knowledge-based authenticator (KBA), the user selects several questions and provides easily-remembered answers. Later, when they are challenged with one or more knowledge-based questions, they can answer them to authenticate. You can allow the user to alter the answers at any time, provided they are logged in to IDaaS.
- [Create Word Maps](/docs/authentication-and-security/manage-authenticators/manage-knowledge-based-authenticators-kba/create-word-maps.md): The Word Map feature lets administrators define synonyms for words in expected answers to a user's assigned knowledge-based authenticator (KBA) questions. When a synonym is configured, users can enter that synonym instead of the expected word and still provide a valid answer.
- [Delete KBA question and answer pairs](/docs/authentication-and-security/manage-authenticators/manage-knowledge-based-authenticators-kba/delete-kba-question-and-answer-pairs.md): This procedure explains how to delete one or more question-and-answer (Q&A) pairs from a knowledge-based authenticator (KBA). Before you begin, note the following:
- [Delete retained challenges](/docs/authentication-and-security/manage-authenticators/manage-knowledge-based-authenticators-kba/delete-retained-challenges.md): A retained challenge is a set of KBA questions that a user did not answer correctly. The user must continue answering the same question set until the challenge time limit expires. This time limit is controlled by the Q&A Challenge Lifetime setting, which can be changed at any time. For more information, see Modify knowledge-based authentication settings.
- [Modify knowledge-based authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-knowledge-based-authenticators-kba/modify-kba-settings.md): Knowledge-based authentication (KBA) allows a user to authenticate to an application account using IDaaS. There are three parts to setting up knowledge-based authentication:
- [Manage machine authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-machine-authenticator-settings.md): Machine Authentication provides identification information on the Web browser being used to access an application. The resource rules that protect your applications can then be configured to check for registered machine authentication when assessing a user's risk. When configured, the resource rule compares the attributes of a Web browser's Machine Authentication with the copy of the machine authentication information recorded in the IDaaS account.
- [Manage Magic Links](/docs/authentication-and-security/manage-authenticators/manage-magic-links.md): Use this section to configure and operate Magic Links in Entrust IDaaS, and to choose the right implementation pattern for your users and applications.
- [Configure Magic Links](/docs/authentication-and-security/manage-authenticators/manage-magic-links/Configure-magic-links.md): A Magic Link allows a user to authenticate without using entering their username or password. When enabled, the user receives an email with a Magic Link that is used to authenticate. Magic Links are time-sensitive and for single use only.
- [Magic Links solution guide](/docs/authentication-and-security/manage-authenticators/manage-magic-links/magic-links-solution-guide.md): Magic Links in Entrust Identity as a Service (IDaaS) let users sign in or confirm email ownership using a single-use, time-limited link delivered by email instead of a password. This guide explains how Magic Links work, the problems they solve, when to use them, and how to integrate them with your existing IDaaS policies and authentication flows.
- [Manage One Time Password (OTP) settings](/docs/authentication-and-security/manage-authenticators/manage-one-time-passwords-otp.md): A one time password (OTP) authenticator is a random series of characters that are sent to the mobile device number or email address of a user during authentication. If you are using WeChat or WhatsApp for OTP delivery, ensure that you have completed the prerequisites.
- [Manage pass-through authenticators](/docs/authentication-and-security/manage-authenticators/manage-pass-through-authenticators.md): Pass-through authenticators use an HTTP connector to make a call outside of IDaaS for authentication. When configured, pass-through authenticators can be used as a second-factor authenticator to authenticate users with an user to IDaaS with an external service. For example, an IDaaS user wants to authenticate to an external portal that asks for the user's father's name, (it could be any information that is not captured in IDaaS). The pass-through authenticator is configured to use to use an HTTP connector to authenticate to the external portal. An HTTP response code determines whether authentication is allowed. Using the example provided, if the user responds with their correct father's name, and the connector returns 200 as a response code, the user is then authenticated to the portal.
- [Create pass-through authenticator definitions](/docs/authentication-and-security/manage-authenticators/manage-pass-through-authenticators/create-pass-through-authenticator-definitions.md): Pass-through authenticator definitions define the information sent to an external service through an HTTP connector. The external service uses the information configured in the pass-through connector to allow a user to use a pass-through authenticator for second-factor authentication. If the user provides the correct information as configured in the HTTP connector, the connector returns a response code to allow the user to access the protected external service.
- [Manage pass-through authenticator policies](/docs/authentication-and-security/manage-authenticators/manage-pass-through-authenticators/manage-pass-through-authenticator-policies.md): You must first configure a pass-through authenticator definition before configuring the pass-through authenticator policy.
- [Manage Passkey/FIDO2 authenticators](/docs/authentication-and-security/manage-authenticators/manage-passkey-fido2-authenticators.md): A Passkey/FIDO2 token can be used for second-factor authentication for user ID log in or Passkey log in. When the user attempts to authenticate, a challenge is sent to the Passkey/FIDO2 token. The Passkey/FIDO2 token signs the challenge with a private key associated with the application to allow the user to log in.
- [Community authenticator list](/docs/authentication-and-security/manage-authenticators/manage-passkey-fido2-authenticators/manage-passkey-fido2-tokens/community-authenticators.md): IDaaS maintains a local metadata repository for authenticators that are not covered by the official FIDO Metadata Service (MDS). For each authenticator in this list, only the display name and icon are available.
- [Glossary](/docs/authentication-and-security/manage-authenticators/manage-passkey-fido2-authenticators/manage-passkey-fido2-tokens/glossary.md): This page defines all technical terms and field values of the Passkey/FIDO2 Tokens feature.
- [View and manage Passkey/FIDO2 tokens](/docs/authentication-and-security/manage-authenticators/manage-passkey-fido2-authenticators/manage-passkey-fido2-tokens/view-and-manage-tokens.md): The Passkey/FIDO2 Tokens page provides a complete list of all passkeys and FIDO2 tokens registered by users in your tenant. It shows administrators which Passkey/FIDO2 tokens are enrolled and the security of their devices.
- [Modify Passkey/FIDO2 authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-passkey-fido2-authenticators/modify-passkey-fido2-authenticator-settings.md): Use this page to configure tenant-level Passkey/FIDO2 authenticator settings, including policy, timeout, and custom app origins.
- [Manage password authenticators](/docs/authentication-and-security/manage-authenticators/manage-password-authenticators.md): There are two types of password authenticators available on IDaaS:
- [Assign password authenticator](/docs/authentication-and-security/manage-authenticators/manage-password-authenticators/assign-a-password-authenticator.md): You can assign passwords to users. Before assigning passwords to users, modify the password settings as required.
- [Manage password blocklist](/docs/authentication-and-security/manage-authenticators/manage-password-authenticators/manage-password-blocklist.md): Blocklisted passwords are a list of words disallowed as user passwords.
- [Modify password authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-password-authenticators/modify-password-authenticator-settings.md): Password settings determine the requirements for IDaaS passwords, including password reset.
- [View, edit, delete password authenticators](/docs/authentication-and-security/manage-authenticators/manage-password-authenticators/view-edit-delete-password-authenticators.md): After you assign a user a password authenticator, you can manage the following features of a user's password authenticator:
- [Reset a password](/docs/authentication-and-security/manage-authenticators/manage-password-reset.md): By default, if users forget their password used to access IDaaS or an application, they must contact an account administrator to have it reset.
- [Enable password reset](/docs/authentication-and-security/manage-authenticators/manage-password-reset/enable-password-reset.md): Complete this procedure to enable users to reset their password during authentication.
- [Manage Risk-based authentication (RBA) settings](/docs/authentication-and-security/manage-authenticators/manage-risk-based-authenticator-settings.md): Risk-based authentication (RBA) identifies the level of risk associated with every user who attempts to authenticate to your IDaaS account. This feature is useful when you want your users who access IDaaS to be
- [Manage transactions](/docs/authentication-and-security/manage-authenticators/manage-risk-based-authenticator-settings/manage-transactions.md): Authentication API and OIDC and OAuth applications can use transaction details. You can also define context rules based on the transaction details being used. To define transaction context rules, you need to first define Transaction Items and Transaction Rules. See Manage resource rules for more information.
- [Manage user risk-based authentication settings](/docs/authentication-and-security/manage-authenticators/manage-risk-based-authenticator-settings/manage-user-risk-based-authenticator-settings.md): You can manage a user's risk-based authentication settings. When you change these settings, the user's settings override the system-wide settings you set in the general system-wide risk-based authentication settings (see Modify risk-based authentication general settings.
- [Modify risk-based authenticator general settings](/docs/authentication-and-security/manage-authenticators/manage-risk-based-authenticator-settings/modify-risk-based-authenticator-settings.md): These settings control the system-wide risk-based authentication (RBA) restrictions applied to users of your IDaaS account. If a system-wide RBA setting conflicts with a user-specific RBA setting, the user-specific setting overrides the system-wide setting (see Manage user risk-based authentication settings).
- [Manage smart credential authenticators](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials.md): Smart Credentials allow users to authenticate to their IDaaS account and configured applications. IDaaS supports the following smart credentials:
- [Add a smart credential](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials/add-a-smart-credential.md): You enroll smart credentials for users.
- [Clone a smart credential definition](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials/clone-a-smart-credential-definition.md): You can create a copy of a smart credential definition.
- [Configure smart credential definitions](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials/configure-smart-credential-definitions.md): A smart credential has two types of digital IDs:
- [Edit smart credential settings](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials/edit-smart-credential-settings.md): After the smart credential has been enrolled, review the smart credential settings to confirm they are configured as required. Changes made to the smart credential settings are uploaded to the Identity on your smart credential application during activation.
- [Manage and revoke Smart Credential certificates](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials/manage-and-revoke-smart-credential-certificates.md): Once you activate a mobile smart credential for a Certificate Authority, you can manage the certificates issued to the smart credential. See Manage Certificate Authorities for more information about creating and managing certificate authorities.
- [Manage assigned smart credentials](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials/manage-assigned-smart-credentials.md): After you add a mobile smart credential to a user, you can make the following changes:
- [Modify smart credential authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-smart-credentials/modify-smart-credential-settings.md): Before you assign a smart credential to users, review the smart credential authenticators settings, and modify them as required. You can also make changes to the settings after you assign smart credentials. Changes made are applied to all smart credentials assigned to users in your IDaaS account.
- [Manage soft token authenticators](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators.md): Available soft token authenticators
- [Activate a Google authenticator](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/activate-a-google-authenticator.md): You can assign a Google Authenticator to yourself or any user that you manage. Before you begin, ensure that you have access to a mobile device with a Google Authenticator application installed.
- [Assign and activate Entrust Soft Token authenticators](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/assign-and-activate-entrust-st-tokens.md): Assign Entrust Soft Tokens to users
- [Edit a token label](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/edit-a-token-label.md): This option enables you to edit a soft token label. This is useful is you have multiple soft tokens or want to replace a serial number with an easy to remember label. For example, a user might be assigned a soft token to use on their phone and another soft token for their tablet. The labels My Phone and My Tablet are easier to identify than a serial number.
- [Manage Soft Token SDKs](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/manage-soft-token-sdks.md): If you have a custom Soft Token SDK, use this procedure to add your custom Soft Token SDK to Identity as a Service. Once you add the Soft Token SDK, you can configure custom push messages.
- [Manage soft tokens](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/manage-soft-tokens.md): You can enable, disable, and delete Entrust Soft Token and Google authenticators. You can also view the details of the soft token authenticator, such as the date it was created, when it was last used, its state, type, and whether it supports push authentication.
- [Modify Entrust Soft Token authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/modify-entrust-st-authenticator-settings.md): Review the Entrust Soft Token authenticator settings, and edit them as required. Changes made to these settings apply to all assigned Entrust Soft Tokens in your account.
- [Modify Google authenticator settings](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/modify-google-authenticator-settings.md): Changes made to Google authenticator settings apply to all assigned Google authenticators in your account.
- [Synchronize a soft token authenticator](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/synchronize-a-soft-token-authenticator.md): If a user tries to use their soft token to authenticate and it does not work, it is possible there is a difference between the time settings on the user's mobile device and those on your Identity as a Service account. Use the Synchronize function to resolve this issue. Before you begin, ask the user to ensure that the clock of their mobile device and cell carrier are synchronized.
- [Unlock an Entrust Soft Token app](/docs/authentication-and-security/manage-authenticators/manage-soft-token-authenticators/unlock-an-entrust-st-app.md): If a user enters an incorrect log in PIN in their Entrust Soft Token app too many times, the application is locked. The user must provide you with the PIN Reset code that appears on their Entrust Soft Token app for you to complete this procedure and unlock the Entrust Soft Token app.
- [Manage Temporary Access Codes](/docs/authentication-and-security/manage-authenticators/manage-temporary-access-codes.md): Temporary Access Codes can be used to log in when a user cannot access their one-time passcode (OTP), Grid Card, or token authenticator (for example, if a user has misplaced the mobile device containing their soft token application.
- [Assign a Temporary Access Code](/docs/authentication-and-security/manage-authenticators/manage-temporary-access-codes/assign-a-temporary-access-code.md): Create a Temporary Access Code for users when they need to authenticate, but cannot access the token or OTP required for authentication.
- [Modify Temporary Access Code settings](/docs/authentication-and-security/manage-authenticators/manage-temporary-access-codes/modify-temporary-access-codes.md): If a Temporary Access Code has expired or is about to expire, you can modify the expiry information so that a user can still authenticate with it. Modify the Temporary Access Code if the user still does not have a new authenticator (a token, for example) when the Temporary Access Code expires.
- [Manage user certificate authenticators](/docs/authentication-and-security/manage-authenticators/manage-user-certificate-authenticators.md): A User Certificate can be used for the following:
- [Modify user certificate settings](/docs/authentication-and-security/manage-authenticators/manage-user-certificate-authenticators/modify-user-certificate-authenticator-settings.md): Configure a policy to allow User Certificate authentication. Before you begin, ensure that you review the limitations and steps required to set up user certificate authentication. See Manage user certificate authenticators.
- [Manage Certificate Authorities](/docs/authentication-and-security/manage-certificate-authorities.md): You can create the following types of Certificate Authorities:
- [Configure a Microsoft CA](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca.md): To configure a Microsoft Certificate Authority (Microsoft CA), you must complete procedures on two different machines.
- [Configure a certificate subject DN attribute for Microsoft CA](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-a-certificate-subject-dn-attribute-for-microsoft-ca.md): Identity as a Service supports a user DN if you want to publish certificates to Active Directory.
- [Configure a Microsoft CA in IDaaS](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-a-microsoft-ca-in-idaas.md): Before you begin this procedure, ensure that you have completed all the previous steps in this section, Configure a Microsoft CA. This procedure outlines how to configure a Microsoft CA in Identity as a Service. You need to upload the certificate and key files that you created in earlier sections.
- [Configure Microsoft CA for PIV certificate templates](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates.md): About PIV certificate templates and permissions
- [Create the Digital Signature certificate template](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates/create-the-digital-signature-certificate-template.md): 1. On the Microsoft CA machine, go to Start \> Windows Administrative Tools \> Certification Authority.
- [Create the PIV - Card Authentication certificate template](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates/create-the-piv-card-authentication-certificate-template.md): 1. On the Microsoft CA machine, go to Start \> Windows Administrative Tools \> Certification Authority.
- [Create the PIV - Content Signer (device) certificate template](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates/create-the-piv-content-signer-device-certificate-template.md): 1. On the Microsoft CA machine, go to Tools and select Certification Authority.
- [Create the PIV - Key Management template](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates/create-the-piv-key-management-template.md): 1. On the Microsoft CA machine, go to Start \> Windows Administrative Tools \> Certification Authority.
- [Create the PIV - PIV Authentication certificate template](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates/create-the-piv-piv-authentication-certificate-template.md): Use this procedure to create the PIV-PIV Authentication certificate template.
- [Make PIV certificates available for issuance](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates/make-piv-certificates-available-for-issuance.md): Once you have created the certificates, you need to make them available for issuance. You also need permit the serialNumber to be added to the Subject DN of issued certificates and permit the piv-interim extension in issued certificates.
- [Set Certificate Authority permissions](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-for-piv-certificate-templates/set-certificate-authority-permissions.md): After you create the PIV-PIV Authentication certificate template, you need to set the following permissions required to issue certificates with Microsoft CA:
- [Configure Microsoft CA Proxy](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/configure-microsoft-ca-proxy.md): Complete the following to configure the Microsoft CA Proxy:
- [Create a Microsoft CA Enrollment Agent](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/create-a-microsoft-ca-enrollment-agent.md): You need an Enrollment agent to publish a certificate in Active Directory.
- [Create a Microsoft CA Key Recovery Agent](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/create-a-microsoft-ca-key-recovery-agent.md): You need a Key Recovery agent to perform a key recovery operation.
- [Create PIV CS PKCS12 store (PIV PFX)](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/create-piv-cs-pkcs12-store-piv-pfx.md): 1. Create a new user in Active Directory, as follows:
- [Edit, refresh, and test a Microsoft CA](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/edit-test-and-refresh-a-microsoft-ca.md): If you make changes to the Microsoft Certification Authority, in Identity as a Service you must refresh the Microsoft CA to ensure that the Microsoft CA Gateway picks up the latest configuration changes. This is particular necessary if changes are made to the configuration of the Certification Authority, for example, editing certificate templates. If you need to make changes to your Microsoft CA in Identity as a Service, for example, change the Microsoft Proxy Server certification, you can edit and save the changes. You can also test the connection to your Microsoft CA to help troubleshoot connection issues.
- [Export a Microsoft CA trust chain](/docs/authentication-and-security/manage-certificate-authorities/configure-a-microsoft-ca/export-a-microsoft-ca-trust-chain.md): You must export a user's smart credential certificate authority to their Windows Domain if a user wants to use their smart credential for Windows Smart Card Logon (SCLO). The CA certificates exported from an Identity as a Service account are contained in a zip file. The zip file contains the following files:
- [Configure a Trusted CA](/docs/authentication-and-security/manage-certificate-authorities/configure-a-trusted-ca.md): Devices, such as a phone or a laptop, may include a device certificate to identify the device. This certificate can be used for device verification. For example, in a laptop there is a certificate that identifies both you and the laptop. That certificate is issued by a Certificate Authority. For the device to be trusted, you need to upload the CA certificate that issued the device certificate as a Trusted CA.
- [Configure an Entrust Managed PKI certificate authority (CA)](/docs/authentication-and-security/manage-certificate-authorities/configure-an-entrust-managed-pki-ca.md): This procedure outlines how to configure an Entrust Managed PKI. Before you begin, obtain a certificate file from Entrust. You need the .EPF file when you configure the CA in Identity as a Service. You need both an XAP EPF and a PIV EPF.
- [Export an Entrust Managed PKI CA trust chain](/docs/authentication-and-security/manage-certificate-authorities/configure-an-entrust-managed-pki-ca/export-an-entrust-managed-pki-ca-trust-chain.md): You must export a user's smart credential certificate authority to their Windows Domain if a user wants to use their smart credential for Windows Smart Card Logon (SCLO). The CA certificates exported from an Identity as a Service account are contained in a zip file. The zip file contains the following files:
- [Configure an Entrust PKIaaS CA](/docs/authentication-and-security/manage-certificate-authorities/configure-an-entrust-pkiaas-ca.md): Entrust PKI as a Service (PKIaaS) is a certificate authority provided by Entrust that you can use as the CA used to issue smart credentials. There are two options available:
- [Edit a PKIaaS CA](/docs/authentication-and-security/manage-certificate-authorities/configure-an-entrust-pkiaas-ca/edit-a-pkiaas-ca.md): Once you create the PIV Content Signer for a PKIaaS CA, you can edit the digital ID configurations.
- [Export a PKIaaS CA trust chain](/docs/authentication-and-security/manage-certificate-authorities/configure-an-entrust-pkiaas-ca/export-a-pkiaas-ca-trust-chain.md): If you want to use your smart credential to perform Microsoft Windows Login, you need to import the CA certificate into the Windows Domain Controller. Use this procedure to export that CA certificate so that you have it available to import into the domain controller.
- [Export a PKIaaS PIV Content Signer certificate](/docs/authentication-and-security/manage-certificate-authorities/configure-an-entrust-pkiaas-ca/export-a-pkiaas-piv-content-signer-certificate.md): The PIV Content Signer signs the contents of the smart credential. For example, if you have an application and want to verify the contents of the smart credential, you need the PIV Content Signer certificate to verify the signatures on the smart credential contents.
- [Edit or delete an Entrust CA or a Trusted CA](/docs/authentication-and-security/manage-certificate-authorities/edit-or-delete-an-entrust-or-a-trusted-ca.md): If you need to make changes to the CA, you can edit it as follows:
- [Manage Cross Origin Resource Sharing (CORS)](/docs/authentication-and-security/manage-cross-origin-resource-sharing-cors.md): The Cross Origin Resource Sharing (CORS) feature prevents a Web page from making a request initiated from another origin. When enabled, other origins can make API calls to your account. By default, CORS is enabled for new IDaaS accounts.
- [Manage Device Verification](/docs/authentication-and-security/manage-device-verification.md): The Device Agent is a software component for Windows and Mac systems that focuses on secure access and authentication. It has two main features:
- [Configure Device Agent on Apple Macintosh](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh.md): This section describes configuration and other tasks that typically require administrative privileges on Apple Macintosh computers.
- [MacOS: Capture Device Agent Logs](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-capture-device-agent-logs.md): Device Agent includes a Mac SmartCard Reader driver that uses the OS log. Additionally, it features a service that initiates upon MacOS boot-up and performs its own logging.
- [MacOS: Configure certificates and CAs](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-configure-certificates-and-cas.md): The Entrust Device Agent supports client authentication through a device certificate on both Windows and MacOS systems. The Entrust Device Agent receives a list of acceptable Certificate Authorities (CAs) from IDaaS, locates a local device certificate issued by one of these CAs, and forwards it to IDaaS to finalize the client authentication process.
- [MacOS: Configure Device Agent for Device Verification](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-configure-device-agent-for-device-verification.md): Manage Allowed SSL Server Urls for certificate-based client authentication
- [MacOS: Configure Device Agent settings](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-configure-device-agent-settings.md): The Device Agent Service uses defaults to save a user's settings for Smart Login and client authentication.
- [MacOS: Install Device Agent](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-install-device-agent.md): When all the prerequisites are met, install the Entrust Device Agent for Mac.
- [Mac: Prepare for Device Agent Installation](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-prepare-for-device-agent-installation.md): Entrust Device Agent for Mac is software that allows a Smart Identity on a mobile device to communicate with an Apple® Macintosh® (Mac®) computer. The main use case for this communication is allow users to log in to their Mac computer with a Smart Identity in the Entrust Identity app (or custom smart credential app).
- [MacOS: Uninstall Device Agent](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-uninstall-device-agent.md): The Device Agent is not an application, so it cannot be uninstalled in the same way as applications. Instead, a script is provided to perform the necessary actions for uninstallation.
- [MacOS: Verify Device Agent](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-apple-macintosh/macos-verify-device-agent.md): To verify the installation of Device Agent
- [Configure Device Agent on Windows](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows.md): This section describes configuration and other tasks that typically require administrative privileges on Microsoft Windows computers.
- [Windows: Capture Device Agent Logs](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows/windows-capture-device-agent-logs.md): The following logs can help you troubleshoot the Device Agent.
- [Windows: Configure certificates and CAs](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows/windows-configure-certificates-and-cas.md): The Entrust Device Agent supports client authentication through a device certificate on both Windows and MacOS systems. The Entrust Device Agent receives a list of acceptable Certificate Authorities (CAs) from IDaaS, locates a local device certificate issued by one of these CAs, and forwards it to IDaaS to finalize the client authentication process.
- [Windows: Configure Device Agent for Device Verification](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows/windows-configure-device-agent-for-device-verification.md): Manage Allowed SSL Server Urls for certificate based client authentication
- [Windows: Configure Device Agent settings](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows/windows-configure-device-agent-settings.md): Registry location
- [Windows: Install Device Agent](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows/windows-install-device-agent.md): When all the requirements in this section are met, install the Device Agent.
- [Windows: Prepare Device Agent installation](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows/windows-prepare-device-agent-installation.md): Complete this task if you want to set up Smart Login with iOS devices. This step is not necessary for Android devices.
- [Windows: Verify Device Agent](/docs/authentication-and-security/manage-device-verification/configure-device-agent-on-windows/windows-verify-device-agent.md): After installing the Entrust Device Agent, an administrator should verify that the software was installed properly.
- [Device Verification checklist](/docs/authentication-and-security/manage-device-verification/device-verification-checklist.md): Use this checklist to assist with setting up client authentication with Identity as a Service.
- [Manage external risk engines](/docs/authentication-and-security/manage-external-risk-engines.md): External risk engines allow you to assess risk of user activity and incorporate the risk assessment into resource rules. To use this feature, you must configure an external risk engine and add risk assessment rules.
- [Configure a Feedzai Digital Trust external risk engine](/docs/authentication-and-security/manage-external-risk-engines/configure-a-feedzai-digital-trust-external-risk-engine.md): To configure a Feedzai Digital Trust external risk engine:
- [Configure a Generic API external risk engine](/docs/authentication-and-security/manage-external-risk-engines/configure-a-generic-api-risk-engine.md): Configure a Generic API external risk engine to support the IDaaS API or you need to develop an intermediate proxy server to convert between the IDaaS API and the external risk engine API.
- [Configure Connector-based risk engines](/docs/authentication-and-security/manage-external-risk-engines/configure-connector-based-risk-engines.md): Connector-based risk engines support configuration of the IDaaS API to support third-party risk engines without the need to do development. Before you begin, review the information about placeholders. Placeholders are optional and can be used in the HTTP Connector to further define the data requested from the external risk engine.
- [Manage group policies](/docs/authentication-and-security/manage-group-policies.md): Group policies let you override global settings for specific groups of users. When you create a group policy and change a setting, the change applies only to the users in the group assigned to that group policy.
- [Manage IP Lists](/docs/authentication-and-security/manage-ip-lists.md): You can configure IPs and CIDRs (Classless Inter-Domain Routing) as IP Lists and add them to an Administration API application. IP Lists restrict user access only to IDaaS Admin API applications linked to the IP addresses included in the IP List. IP Lists can also be associated to IP source addresses in resource rules to be used to restrict user access based on the IPs defined in the list.
- [Manage Smart Login](/docs/authentication-and-security/manage-smart-login.md): Smart Login allows Passwordless authentication to Identity as a Service. When enabled, a user who has logged in to their Windows desktop using the Entrust Identity Bluetooth Smart Credential Reader 3.0.1 can authenticate to their Identity as a Service account without the need to provide a username and password. This feature is available only for the Identity as a Service Admin Portal, User Portal, and OIDC or SAML applications integrated with the Identity as a Service account.
- [Configure passwordless computer login with mobile smart credentials through Bluetooth](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth.md): This section describes prerequisites and configuration for using mobile smart credentials for logging in to computers and for locking computers when the smart credential moves out of Bluetooth range. Configuration of some of these features requires administrative privileges. This section also includes troubleshooting advice and other topics related to supporting this feature.
- [Mac: Configure passwordless computer login for smart card login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login.md): This section describes configuration and other tasks that typically require administrative privileges on Apple Macintosh computers.
- [Mac: Admin tasks to configure computer login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login/mac-admin-tasks-to-configure-computer-login.md): This section describes configuration and other tasks that typically require administrative privileges on Apple Macintosh computers.
- [Associate a smart credential and a Mac user](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login/mac-admin-tasks-to-configure-computer-login/associate-a-smart-credential-with-a-mac-user.md): To log in to a Mac with a smart credential, the smart credential must be associated with the Mac user. There are a number of ways to do this.
- [Mac: Configure the screen to lock when a smart credential is disconnected](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login/mac-admin-tasks-to-configure-computer-login/configure-the-screen-to-lock-when-a-smart-credential-is-disconnected.md): The typical scenario for use of mobile smart credential login to a Mac computer is the following:
- [Find information about smart credential identities and Mac users](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login/mac-admin-tasks-to-configure-computer-login/find-information-about-smart-credential-identities-and-mac-users.md): To see a list of all paired identities used for authentication, in a command window, enter the command sc_auth identities
- [Remove associations of smart credential identities and Mac users](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login/mac-admin-tasks-to-configure-computer-login/remove-associations-of-smart-credential-identities-and-mac-users.md): If a smart credential is re-encoded, it is possible to disassociate the original identity from a Mac user. This can be done using the built-in sc_auth utility.
- [Mac: Troubleshooting computer login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login/mac-troubleshooting-computer-login.md): Mac only
- [Mac: User tasks to complete computer login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/apple-macintosh-configure-passwordless-computer-login/mac-user-tasks-to-complete-computer-login.md): In addition to the administrator tasks described in this section, login to a computer requires some configuration by users in the Entrust Identity mobile app (formerly the Entrust IdentityGuard Mobile Smart Credential app) and on the computer to which they will log in. Some organizations might have administrators perform some of the configuration on the computers.
- [Windows: Configure passwordless computer login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/windows-configure-passwordless-computer-login.md): This section describes configuration and other tasks that typically require administrative privileges on Microsoft Windows computers.
- [Windows: Admin tasks to configure computer login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/windows-configure-passwordless-computer-login/windows-admin-tasks-to-configure-computer-login.md): This section describes configuration and other tasks that typically require administrative privileges on Microsoft Windows computers. In a large deployment, configuration tasks could be completed by an IT administrator through a Windows group policy.
- [Configure the screen to lock when smart credential is disconnected (Windows)](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/windows-configure-passwordless-computer-login/windows-admin-tasks-to-configure-computer-login/configure-the-screen-to-lock-when-smart-credential-is-disconnected.md): If your mobile smart credential communicates with your computer using a Bluetooth connection, you can configure your computer to lock when you move out of Bluetooth range. The following procedure describes how to configure this loss of connection to lock your computer.
- [Enable biometric login to Windows](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/windows-configure-passwordless-computer-login/windows-admin-tasks-to-configure-computer-login/enable-biometric-login-to-windows.md): The Entrust Device Agent allows users to log in to Windows computers with biometrics (face recognition or a fingerprint) instead of a smart credential PIN. This feature is disabled by default and must be enabled after installation of Device Agent. This feature is supported only on 64-bit Windows computers.
- [Windows: Troubleshooting computer login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/windows-configure-passwordless-computer-login/windows-troubleshooting-computer-login.md): I cannot get my computer paired with my Smart Identity over Bluetooth
- [Windows: User tasks to configure computer login](/docs/authentication-and-security/manage-smart-login/configure-passwordless-computer-login-through-bluetooth/windows-configure-passwordless-computer-login/windows-user-tasks-to-configure-computer-login.md): In addition to the administrator tasks described in this section, login to a computer requires some configuration by users in the Entrust Identity mobile app (formerly the Entrust IdentityGuard Mobile Smart Credential app) and on the computer to which they will log in. Some organizations might have administrators perform some of the configuration on the computers.
- [Configure the Domain Controller to trust the issuing CA](/docs/authentication-and-security/manage-smart-login/configure-the-domain-controller-to-trust-the-issuing-ca.md): You need to configure the domain controller to trust the Certificate Authority that issues the smart credential.
- [Configure Windows clients protected by another Credential Provider](/docs/authentication-and-security/manage-smart-login/configure-windows-clients-protected-by-another-credential-provider.md): If another credential provider (such as, McAfee or Symantec) overwrites Windows login, you must add a new Windows registry key to enable Smart Login with Identity as a Service.
- [Map a User Principal Name to a Smart Credential definition](/docs/authentication-and-security/manage-smart-login/map-a-user-principal-name-attribute-for-smart-login.md): Users require a User Principal Name to use a Smart Credential for Smart Login. Smart credentials configured on Identity as a Service do not have a User Principal Name (UPN)value by default if the user does not have a value defined for User Principal Name system attribute. You may want a User Principal Name value to be auto-populated for every smart credential if smart cards are being used for Smart Login.
- [Smart Login set up checklist](/docs/authentication-and-security/manage-smart-login/smart-login-checklist.md): Use this checklist to help you set up Smart Login with Identity as a Service. Along with this Identity as a Service Administrator Help, you also need the following documentation to complete Smart Login set up for Identity as a Service:
- [Passkey/FIDO2 API Error Reference](/docs/authentication-and-security/passkey/passkey-api-errors.md): Common API errors and resolutions for Passkey/FIDO2 registration and authentication.
- [Passkey basics](/docs/authentication-and-security/passkey/passkey-basics.md): What is a passkey?
- [Passkey Mobile Integration Guide](/docs/authentication-and-security/passkey/passkey-mobile.md): How to integrate passkey registration and authentication in your native mobile app using IDaaS.
- [Passkey Web Integration Guide](/docs/authentication-and-security/passkey/passkey-web.md): How to integrate passkey registration and authentication in your web app using IDaaS.
- [Customization](/docs/customization.md): Customize the look and feel of your IDaaS tenant, including themes, branding, and user interface settings.
- [Customize account appearance and language](/docs/customization/customize-account-appearance-and-language.md): You can change the colors, company name, logo, default language, and add a message of the day to your account login page.
- [Directories and provisioning](/docs/directories-and-provisioning.md): Connect directories and configure provisioning to sync users and groups into IDaaS.
- [Manage directories](/docs/directories-and-provisioning/manage-directories.md): You can add an on-premise directory or an Microsoft Entra ID directory to sync your directory users and groups with Identity as a Service. Users synced with your Active Directory or Microsoft Entra ID can use their directory password to log in to Identity as a Service.
- [Configure an AD Connector directory (Preview)](/docs/directories-and-provisioning/manage-directories/configure-an-ad-connector-directory.md): You can configure an AD Connector directory to sync users from an on-premises Active Directory using a lightweight AD Connector native Windows application. Changes made to your Active Directory are automatically synced with Identity as a Service. You do not need to trigger synchronization.
- [Add AD Connector directory](/docs/directories-and-provisioning/manage-directories/configure-an-ad-connector-directory/add-an-ad-connector-directory.md): 1.  Click  \> Resources \> Directories. The Directories List page appears.
- [Install AD Connector and add groups](/docs/directories-and-provisioning/manage-directories/configure-an-ad-connector-directory/install-ad-connector-and-add-groups.md): The AD Connector handles passwords and password change requests. To ensure redundancy in the event of failure, you should sync suers to Identity as a Service and add more than one AD Connector. To do this
- [Configure an LDAP directory](/docs/directories-and-provisioning/manage-directories/configure-an-ldap-directory.md): Configure an LDAP directory to on-board users and groups that are stored in an LDAP directory other than Active Directory. When configured, users can use their LDAP directory password for first-factor authentication.
- [Configure an on-premises Active Directory](/docs/directories-and-provisioning/manage-directories/configure-an-on-premises-active-directory.md): You can create an on-premises directory to sync users and groups from your Active Directory to Identity as a Service.
- [Configure Microsoft Entra ID](/docs/directories-and-provisioning/manage-directories/configure-microsoft-entra-id.md): You can configure an Microsoft Entra ID directory to manage your users and groups through Identity as a Service. You can also manage your Microsoft Entra ID password (change or reset) through Identity as a Service and can use them to log in to Identity as a Service.
- [Integrate Microsoft Entra ID with Identity as a Service](/docs/directories-and-provisioning/manage-directories/integrate-microsoft-entra-id-with-identity-as-a-service.md): This integration guide describes how to integrate Microsoft Entra ID with Identity as a Service. There are two ways to do this:
- [Block Microsoft Entra ID users](/docs/directories-and-provisioning/manage-directories/integrate-microsoft-entra-id-with-identity-as-a-service/block-microsoft-entra-id-users.md): You can block specific Microsoft Entra ID  users from signing in to Identity as a Service.
- [Configure Microsoft Entra ID to support LDAP](/docs/directories-and-provisioning/manage-directories/integrate-microsoft-entra-id-with-identity-as-a-service/configure-microsoft-entra-id-to-support-ldap.md): This section describes how to connect Microsoft Entra ID Directory (AD) using LDAP. Before you begin, ensure that you have completed the prerequisites described in  Integrate Microsoft Entra ID with Identity as a Service.
- [Sync an on-premise AD with Microsoft Entra ID External](/docs/directories-and-provisioning/manage-directories/integrate-microsoft-entra-id-with-identity-as-a-service/sync-an-on-premise-ad-with-microsoft-entra-id.md): You need to sync an on-premises AD with Microsoft Entra ID External and then sync it with Identity as a Service.
- [Synchronize Microsoft Entra ID users to Identity as a Service](/docs/directories-and-provisioning/manage-directories/integrate-microsoft-entra-id-with-identity-as-a-service/synchronize-microsoft-entra-id-users-with-idaas.md): You must synchronize Microsoft Entra ID users to an Identity as a Service directory so that your users can log in to Microsoft Entra ID from Identity as a Service. Synchronization of users from Microsoft Entra ID supports synchronizing the Security ID value into IDaaS. The Security ID uniquely identifies users in a Microsoft Windows environment.
- [Manage configured directories](/docs/directories-and-provisioning/manage-directories/manage-configured-directories.md): This section reviews tasks that you can complete after you configure a directory.
- [Map Immutable ID to the directory attribute](/docs/directories-and-provisioning/manage-directories/map-immutableid-attribute-to-the-directory-attribute.md): Complete this procedure to map an Identity as a Service custom user attribute to the user’s objectGUID value in your directory account. The objectGUID attribute value is imported and applied to the ImmutableID attribute in Identity as a Service through Active Directory Sync. Being able to map the Immutable ID attribute to an objectGUID helps to streamline the configuration of specific SAML applications (such as Office 365) with Identity as a Service.
- [Trigger on-demand synchronization](/docs/directories-and-provisioning/manage-directories/trigger-on-demand-synchronization.md): For on-premises directory, the Crawl Frequency setting defines how often (in milliseconds) the directory information on your Identity as a Service account is updated to match the information in the corporate directory it is synchronized with. The crawl frequency is set to 1 hour by default. For Microsoft Entra ID, automatic synchronization occurs every 8 hours. You cannot change this value.
- [Manage provisioners using SCIM](/docs/directories-and-provisioning/manage-provisioners-using-scim.md): IDaaS allows you to create a Provisioner to provision users with a third-party service that supports System Cross Domain Identity Management (SCIM) in two ways:
- [Provision users and groups from Microsoft Entra ID to IDaaS](/docs/directories-and-provisioning/manage-provisioners-using-scim/integrate-microsoft-entra-id-for-inbound-provisioning.md): This procedure describes how to configure Microsoft Entra ID (formerly Azure AD) as a SCIM 2.0 client to provision users and groups FROM Entra to Entrust Identity as a Service. When configured, user and group changes in Microsoft Entra ID automatically synchronize to IDaaS approximately every 40 minutes.
- [Integrations](/docs/directories-and-provisioning/manage-provisioners-using-scim/integrate-services-for-user-provisioning.md): IDaaS allows you to create a Provisioner to provision users from IDaaS to a third-party service that supports System Cross Domain Identity Management (SCIM). When configured, IDaaS provisions users as they are added, modified, or removed from IDaaS to the third-party service. The provisioning process includes using groups and user attributes to identify the users that need to be provisioned. IDaaS integration templates include the mandatory user attributes needed for user provisioning, but custom attributes can also be included as part of the provisioning process.
- [AWS](/docs/directories-and-provisioning/manage-provisioners-using-scim/integrate-services-for-user-provisioning/integrate-aws-for-user-provisioning.md): This procedure describes how to integrate Amazon Web Services (AWS) for user provisioning.
- [GitHub](/docs/directories-and-provisioning/manage-provisioners-using-scim/integrate-services-for-user-provisioning/integrate-github-for-user-provisioning.md): This procedure describes how to integrate GitHub for user provisioning.
- [Microsoft Entra ID (Inbound)](/docs/directories-and-provisioning/manage-provisioners-using-scim/integrate-services-for-user-provisioning/integrate-microsoft-entra-id-for-inbound-provisioning.md): This integration allows Microsoft Entra ID (formerly Azure AD) to provision users and groups to IDaaS using SCIM 2.0. This is an inbound provisioning scenario where IDaaS acts as the SCIM server receiving user data from Entra.
- [Salesforce](/docs/directories-and-provisioning/manage-provisioners-using-scim/integrate-services-for-user-provisioning/integrate-salesforce-for-user-provisioning.md): This procedure describes how to integrate Salesforce for user provisioning.
- [Provision users and groups into IDaaS](/docs/directories-and-provisioning/manage-provisioners-using-scim/provision-users-and-groups-into-idaas.md): Use this procedure to add users and groups to IDaaS from a third-party application (SCIM 2.0 client), such as Microsoft Entra ID, to IDaaS. When configured, changes to user and group information in the third-party application are made to the users that are mapped to IDaaS.
- [Provision users from IDaaS](/docs/directories-and-provisioning/manage-provisioners-using-scim/provision-users-from-idaas.md): Use this procedure to add users from IDaaS to your third-party application. The outbound provisioning process includes using groups and user attributes to identify the users that need to be provisioned. IDaaS integration templates include the mandatory user attributes needed for the user provisioning, but custom attributes can also be included as part of the provisioning process.
- [Gateways](/docs/gateways.md): A Gateway is a grouping of Gateway Instances that share the same configuration. To ensure high availability, Entrust recommends that you add at least two instances to your gateway.
- [Add a Gateway Instance](/docs/gateways/add-a-gateway-instance.md): For high availability, add additional Gateway Instances to your exiting Gateway.
- [Create and configure a Gateway Instance](/docs/gateways/create-and-configure-a-gateway.md): The first time you create a Gateway, you must download the Enterprise Service Gateway image file and register it with Identity as a Service.
- [Enable and disable Gateways, Gateway Instances, and Gateway agents](/docs/gateways/enable-rename-and-delete-gateways.md): Once you have configured a Gateway Instance, you can see the status of the Gateway agents. If required, you can disable an agent. This might be useful in order to better manage the traffic on your network. You can also delete a Gateway. When you delete a Gateway, you also delete every Gateway Instance and all configurations associated with the Gateway.
- [Enable SSH on an Enterprise Service Gateway](/docs/gateways/enable-ssh-on-an-enterprise-service-gateway.md): You can modify the settings of your Enterprise Service Gateway so that users can log in over Secure Shell (SSH).
- [Manage Gateway certificates](/docs/gateways/manage-gateway-certificates.md): By default, a Gateway Instance on Identity as a Service contains a self-signed SSL certificate that you can download. You can replace the self-signed certificate with one signed by a certificate authority (CA). The CA can be a public CA such as Entrust Certificate Services (ECS) or a private CA.
- [Set Gateway Advanced Gateway settings](/docs/gateways/set-gateway-advanced-gateway-settings.md): Advanced Gateway settings control traffic over your VPN network using worker threads to manage password authentication requests to the Password Agent, and client rate limiting to manage authentication requests to the RADIUS Agent from the same client IP address.
- [Upgrade a Gateway Instance](/docs/gateways/upgrade-a-gateway-instance.md): Before upgrading a Gateway Instance, take a snapshot of the Enterprise Service Gateway image. In the event of a failure, the upgrade logs should be captured and the appliance rolled back to the snapshot. Once rolled back, reactivate the Gateway Instance following the instructions in Create and configure a Gateway.
- [Getting started](/docs/get-started.md): Identity as a Service (IDaaS) is available in different bundles. The bundle type along with your user role determines the IDaaS features available to you. This Administration Guide describes all features. Some of these features may not be visible to you.
- [Bundles](/docs/get-started/identity-as-a-service-bundles.md): Identity as a Service bundles group the IDaaS features that users and administrators can access. The features you see depend on your bundle and your role, so some features may not be available. The table below shows which features are included in each bundle.
- [Dashboard](/docs/get-started/identity-as-a-service-dashboard.md): By default, if you are Super Administrator or Auditor, you see the Dashboard after you log in to your IDaaS account. The Dashboard allows you to monitor account activity. See Getting started for a description of IDaaS system administrator roles.
- [System requirements](/docs/get-started/requirements.md): This section describes the system requirements to use IDaaS.
- [Search the IDaaS UI](/docs/get-started/search-the-idaas-ui.md): When you sign in to IDaaS as an administrator, a search bar appears in the banner. Use it to find menu pages.
- [Set up your account](/docs/get-started/set-up-your-identity-as-a-service-account.md): To use IDaaS, you need to create or import your users and groups, set up authenticators, and add applications that users will authenticate to using IDaaS.
- [Identity Providers](/docs/identity-providers.md): You can integrate Identity Providers with Identity as a Service to allow authentication with either IDaaS or the Identity Provider (IDP). When integrated, IDaaS acts as an OIDC or SAML client to connect to the Identity Provider. For example, you configure Application XYZ as the Identity Provider and integrate it with IDaaS. When you log in to IDaaS you have the option to log in using IDaaS authentication or log in to Application XYZ using your ApplicationA credentials. You can also integrate Identity Providers with Identity as a Service for the purpose of creating or verifying a user prior to the user using Identity as a Service applications.
- [Add generic OIDC Identity Provider](/docs/identity-providers/add-generic-oidc-identity-provider.md): Before you begin, you need to obtain the following from your Identity Provider:
- [Add generic SAML Identity Provider](/docs/identity-providers/add-generic-saml-identity-provider.md): Before you begin, you need to obtain the following from your Identity Provider:
- [Integrations](/docs/identity-providers/identity-provider-integration-guides.md): You can integrate Identity Providers with Identity as a Service to allow authentication with either IDaaS or the Identity Provider. When integrated, IDaaS acts as an SAML or OIDC client to connect to the Identity Provider. For example, you configure Application XYZ as the Identity Provider and integrate it with IDaaS. When you log in to IDaaS you have the option to log in using IDaaS authentication or log in to Application XYZ using your Application XYZ credentials.
- [Other IDaaS accounts](/docs/identity-providers/identity-provider-integration-guides/configure-idaas-as-an-idp.md): You can configure IDaaS as an Identity Provider to be used with other IDaaS accounts. When configured, users log into IDaaS as an IDP and are then redirected to another IDaaS account. You might want to do this in some of the following situations:
- [Facebook](/docs/identity-providers/identity-provider-integration-guides/integrate-facebook.md): Using the provided template, you can integrate your Identity Provider to use the information from your users' Facebook account to log in to your protected applications. Once integrated, users can use IDaaS or their Facebook credentials to log in to your application.
- [Google](/docs/identity-providers/identity-provider-integration-guides/integrate-google.md): Using the provided template, you can integrate Google as an Identity Provider. When integrated, a user's Google account credentials and profile data can be used for single sign-on to your applications protected by IDaaS.
- [Identity Verification as a Service](/docs/identity-providers/identity-provider-integration-guides/integrate-identity-verification-as-a-service.md): Identity Verification as a Service (IDVaaS) allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery. When integrated, with Identity as a Service, IDaaS acts as an OIDC client to connect to Identity Verification as a Service, allowing users to use their IDVaaS to verify their identity or allowing users to use their identity for authentication, or both. This integration guide discusses how to set up IDaaS for IDVaaS identity verification and/or authentication.
- [Microsoft Entra ID](/docs/identity-providers/identity-provider-integration-guides/integrate-microsoft-entra-id.md): Microsoft Entra ID is Microsoft’s cloud-based identity and access management service. You can integrate Microsoft Entra ID with IDaaS. When integrated, your users can log in using IDaaS authentication or log in using their Microsoft Entra ID credentials.
- [Nets E-Ident IDP Broker](/docs/identity-providers/identity-provider-integration-guides/integrate-nets-e-ident-idp-broker.md): Nets E-Ident is an identification broker service. You can integrate Nets E-Ident with IDaaS. When integrated, your users can log in using IDaaS authentication or log in using their Nets E-Ident credentials. For more information about Nets E-Ident Identity Provider, see https://www.nets.eu/developer/E-Ident/getstarted/Pages/default.aspx.
- [Twitter](/docs/identity-providers/identity-provider-integration-guides/integrate-twitter.md): Using the provided template, you can integrate Twitter as an Identity Provider. When integrated, a user's Twitter account credentials and profile data can be used for single sign-on to your applications protected by IDaaS.
- [Migration](/docs/migration.md): Use these guides to move users, authenticators, and configuration data from other identity platforms into Entrust Identity as a Service (IDaaS). Each guide covers prerequisites, export steps, and validation checks to help you complete the move with minimal downtime.
- [Configuring an Identity Enterprise Agent](/docs/migration/ide/ide-agent.md): The Identity Enterprise Agent (IDE Agent) is a software application that is bundled into a Gateway Instance in Identity as a Service (IDaaS).
- [Migrating User Data](/docs/migration/ide/migrating-user-data1.md): If you are using an Entrust Identity Enterprise 13.0 installation, you must update to Patch 452872 or newer. If using Entrust Identity Enterprise Self-Service, upgrade to Patch 452874 or newer.
- [Migration overview](/docs/migration/ide/overview.md): This section describes how to prepare for and proceed through migrating data in a standard, on-premises installation of Entrust Identity Enterprise (formerly known as IdentityGuard) to Entrust Identity as a Service.
- [Setup for Migration](/docs/migration/ide/setup-for-migration.md): Download the required software
- [Transitional tasks](/docs/migration/ide/transitional-tasks1.md): Consider completing the following tasks to help ensure a smooth transition to Entrust Identity as a Service.
- [Update the IdP URL for mobile tokens](/docs/migration/ide/update-the-idp-url-for-mobile-tokens.md): This migration procedure is required only if your organization uses
- [Notifications and email](/docs/notifications-and-email.md): Configure notification workflows, templates, and mail servers for IDaaS communications.
- [Customize email templates](/docs/notifications-and-email/customize-email-templates.md): You can customize the email messages sent from your Identity as a Service account from the Email Templates page. Identity as a Service processes the email body as a Mustache template, which allows you to use variables in your emails. For more information about template syntax options, see the Mustache documentation.
- [Manage mail servers](/docs/notifications-and-email/manage-mail-servers.md): The Mail Server setting allows you to use your own SMTP mail server to send emails. By default, email messages are sent from the Identity as a Service built-in mail server. When you configure a custom SMTP server, all messages sent from Identity as a Service are sent from the custom SMTP server.
- [Manage notifications](/docs/notifications-and-email/manage-notifications.md): This section describes how to manage notifications, which are emails users receive to advise them of changes to their accounts, such as entitlements usage or contact information. IDaaS provides customized email templates for notifications. To update the messages sent to your users, see Customize email templates.
- [Manage entitlement usage and expiration notifications](/docs/notifications-and-email/manage-notifications/manage-entitlement-usage-and-expiration-notifications.md): This feature allows you to enable notifications. When set, Tenants and Managed Service Providers receive an email with entitlement usage notifications and expiration warnings, for example, entitlements consumed reaching 75% or account expiration notification for trial accounts. Notification emails are sent as follows:
- [Manage user notifications](/docs/notifications-and-email/manage-notifications/manage-user-notifications.md): Administrators can enable user notifications for user contact information changes or authenticator changes. When enabled, users receive an automatic system notification of the changes.
- [People and access](/docs/people-and-access.md): Manage users, roles, groups, and profiles. Use these features to set up who can sign in and what they can access.
- [Manage members](/docs/people-and-access/manage-members.md): Members are users of Identity as a Service (IDaaS). Group membership, assigned roles, and user attributes determine which IDaaS features a user can access.
- [Add users to IDaaS](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service.md): Anyone who can sign in to IDaaS is a user. The assigned role determines which features the user can access. See Create, assign, and manage roles and Set up your IDaaS account for more information.
- [Add users](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/add-users.md): You can add users in the following ways:
- [Assign user authenticators](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/assign-user-authenticators.md): You can assign authenticators to a single user. To assign authenticators to many users at once, see Bulk assign authenticators.
- [Configure an External ID for users](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/configure-external-id-for-users.md): Customer Identity and Access Management (CIAM) platforms use directories or external identity providers to identify users with unique IDs, such as UUIDs. End users do not see these IDs, but integrations such as OIDC, SAML, and SCIM rely on them to consistently identify users across customer‑managed systems.
- [Configure Magic Links for users](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/configure-magic-link-for-users.md): Magic Links allow unregistered users to bypass the need to enter their username and password to register their authenticators. When a Magic Link is configured for a user, the user receives an email with a Magic Link.
- [Edit, delete, unlock and disable users](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/edit-delete-unlock-and-disable-users.md): From the Users List page, you can do the following:
- [User verification](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/require-user-verification.md): User verification requires a user to provide an administrator with a response from an OTP, grid card, token, or token push authentication. This feature allows administrators to verify the user based on their response to the authentication request.
- [Unlink users from an Active Directory](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/unlink-users-from-active-directory.md): You can unlink individual users that are synchronized from a directory. This feature lets administrators remove problem accounts that no longer exist in Active Directory but are still synchronized with IDaaS. When a user is unlinked, the user becomes locally managed in IDaaS.
- [View, filter, and export a user list](/docs/people-and-access/manage-members/add-users-to-identity-as-a-service/view-filter-and-export-user-list.md): From the Users List page, you can do the following:
- [Create and manage groups](/docs/people-and-access/manage-members/create-and-manage-groups.md): A group in IDaaS is a set of users. You can add users to groups or remove users from groups that your role allows you to manage. If your role includes permission to Manage All Groups (see Create, assign, and manage roles), you can create as many groups needed to control which applications users can access.
- [Create and manage organizations](/docs/people-and-access/manage-members/create-and-manage-organizations.md): An organization is an entity in IDaaS to which users can be associated. An IDaaS user can belong to one or more organizations. When the user authenticates using SAML or OIDC, the authentication response indicates the organizations to which the user belongs. Organizations can then be returned from an OIDC and OAuth as claim values or a SAML application as attribute values, as follows:
- [Create and manage user attributes](/docs/people-and-access/manage-members/create-and-manage-user-attributes.md): User attributes are the information fields stored in a User Profile. IDaaS supports two types of attributes:
- [Create, assign, and manage roles](/docs/people-and-access/manage-members/create-assign-and-manage-roles.md): Roles control what users can do in IDaaS. Each role defines which system entities a user can access and which actions they can perform on those entities. System entities represent different IDaaS management areas. For example, a role that includes the User Passkey/FIDO2 Token Management entity allows a user to view, add, edit, or remove Passkey/FIDO2 tokens, depending on the permissions assigned to the role.
- [Manage user policies](/docs/people-and-access/manage-user-policies.md): Use the Policies > Registration page to configure user policies for registration and verification. You can do the following:
- [Configure authenticator provisioning](/docs/people-and-access/manage-user-policies/configure-authenticator-provisioning.md): Authenticator provisioning sets the authenticators that are provisioned automatically for users. You can automatically provision the following for users:
- [User registration](/docs/people-and-access/manage-user-policies/configure-user-registration.md): User registration requires a user to register their authenticators at login.
- [User verification](/docs/people-and-access/manage-user-policies/configure-user-verification.md): User verification prompts a user to verify through an admin-configured external SAML or OIDC Identity Provider before registration or authentication.
- [Bulk operations](/docs/perform-bulk-operations.md): What are bulk operations?
- [Bulk assign authenticators](/docs/perform-bulk-operations/bulk-assign-authenticators.md): Use this procedure to assign Entrust Soft Token (ST), Google authenticators, grid cards, hardware tokens, or passwords to multiple users on your Identity as a Service account. When performing a bulk assign soft token operation, the following occurs:
- [Bulk import operations](/docs/perform-bulk-operations/bulk-import-operations.md): Identity as a Service supports the following bulk import operations:
- [Import grid cards](/docs/perform-bulk-operations/bulk-import-operations/import-grid-cards.md): Use the Import Grid Cards bulk operation to import grid cards and associate their contents with users or add them as unassigned grid cards. You also assign grid cards. This section provides details to import grid cards in bulk. See Bulk assign authenticators for more information on bulk assigning grid cards.
- [Import groups](/docs/perform-bulk-operations/bulk-import-operations/import-groups.md): Use the Bulk import groups bulk operation to import groups in bulk. Before you begin, review the information in Bulk operations.
- [Import hardware tokens](/docs/perform-bulk-operations/bulk-import-operations/import-hardware-tokens.md): Use the Bulk import hardware tokens bulk operation to import hardware tokens in bulk. When you import hardware tokens in bulk, Entrust or OATH Compliant Token data files have a .pskc file extension. Legacy Token data files have a .sds file extension.
- [Import users and groups](/docs/perform-bulk-operations/bulk-import-operations/import-users-and-groups.md): Use the Bulk import users and groups bulk operation to assign users to groups. Before you begin, review the information in Bulk operations.
- [Import users](/docs/perform-bulk-operations/bulk-import-operations/import-users.md): Use the Import Users bulk operation to import a large amount of users into your Identity as a Service account. Before you begin, review the information on Bulk operations and the attribute information on this page.
- [Migrate Entrust Identity Enterprise users to IDaaS](/docs/perform-bulk-operations/bulk-import-operations/migrate-entrust-identity-enterprise-users-to-idaas.md): You can bulk import Entrust Identity Enterprise user/group associations and authenticators. For users that already exist in Identity as a Service, only their authenticators are migrated.
- [Bulk password reset](/docs/perform-bulk-operations/bulk-password-reset.md): Bulk password reset is available only for users that have an email address.
- [Bulk user registration](/docs/perform-bulk-operations/bulk-user-registration.md): You can set bulk user registration. This feature allows you to perform one of the following actions:
- [Bulk user verification](/docs/perform-bulk-operations/bulk-user-verification.md): User verification allows an IDaaS user to be verified by using an Identity Provider. Administrators can set user verification in bulk in the following ways:
- [Delete grid cards](/docs/perform-bulk-operations/delete-grid-cards.md): You can delete assigned and unassigned grid cards simultaneously using a CSV file. To delete grid cards in bulk, you need to a CSV file containing the list of assigned and unassigned grid cards.
- [Delete groups in bulk](/docs/perform-bulk-operations/delete-groups.md): You can delete groups simultaneously using a CSV file. To delete groups in bulk, you need a CSV file containing the groups list.
- [Delete tokens](/docs/perform-bulk-operations/delete-tokens.md): You can delete tokens simultaneously using a CSV file. To delete tokens in bulk, you need a CSV file containing the list of assigned and unassigned tokens.
- [Bulk delete users or groups](/docs/perform-bulk-operations/delete-users.md): You can delete users simultaneously using a CSV file. Your role must include the permission to delete users. To delete users in bulk, you need to download the CSV file containing the user list.
- [Manage bulk operations](/docs/perform-bulk-operations/manage-bulk-operations.md): You can perform the following actions for bulk operations:
- [Reset tokens](/docs/perform-bulk-operations/reset-tokens.md): You can bulk reset tokens (both soft tokens and hardware tokens). To reset tokens, they must be assigned and in either an Active or Inactive state. Tokens in an Activating state cannot be reset.
- [Set grid card state in bulk](/docs/perform-bulk-operations/set-grid-card-state.md): The grid card Set bulk operation allows you to modify the state of existing assigned user grid cards. The following restrictions apply:
- [Set users in bulk](/docs/perform-bulk-operations/set-users.md): The Set users options allows you to Update users in bulk and create users in bulk.
- [Reports and audits](/docs/reports-and-audits.md): Run reports and Bulk operations to manage users and data at scale.
- [Manage reports](/docs/reports-and-audits/manage-reports.md): You can create reports and export data from the following tables:
- [View and export audit logs](/docs/reports-and-audits/view-and-export-audit-logs.md): From the Dashboard page you can view and export audit logs. Authentication audit logs track authentications made to your Identity as a Service account by location, user, and authentication type. Management audit logs track actions performed in your Identity as a Service account by action and user.
- [Service Provider](/docs/service-provider.md): Entrust Identity as a Service (IDaaS) has a multi-tier account structure. The Service Provider portal lets partners and resellers manage the tenant accounts they own, including high-level tasks such as unlocking accounts or reviewing account metrics for billing.
- [Allow Service Provider users to perform tenant management](/docs/service-provider/allow-service-provider-users-to-perform-tenant-management.md): You can allow Service Provider users to perform tenant management. For example, you might use this feature in the following scenario:
- [Manage Notifications](/docs/service-provider/manage-notifications.md): This feature allows you to enable notifications. When set, Tenants and Managed Service Providers receive an email with entitlement usage notifications and expiration warnings, for example, entitlements consumed reaching 75% or account expiration notification for trial accounts. Notification emails are sent as follows:
- [Manage Service Provider roles](/docs/service-provider/manage-service-provider-roles.md): An administrator becomes a Service Provider by being assigned a Service Provider role. Only Service Providers with a Super Account Manager role can view and manage the Service Provider roles assigned to users on their account.
- [Manage tenants](/docs/service-provider/manage-tenants.md): You can perform management functions on the accounts under your account. Identity as a Service accounts allow you to manage access to protected resources and create Identity as a Service Authentication Tenant accounts.
- [Create Tenant accounts](/docs/service-provider/manage-tenants/create-tenant-accounts.md): When creating new tenants accounts, you can add tenants in Production mode or Trial mode. Trial accounts are valid for 60 days. If your Service Provider account is a Trial account, you can only add Trial Tenant accounts.
- [Enable Smart Login](/docs/service-provider/manage-tenants/enable-smart-login.md): Smart Login allows users with a Mobile Smart Credential paired to their account to authenticate to the Entrust Identity as a Service Admin Portal, User Portal, and SAML or OIDC and OAuth applications integrated with the Identity as a Service account without the need to enter a user name and password.
- [Enable tenant management](/docs/service-provider/manage-tenants/enable-tenant-management.md): Tenant management allows a Service Provider administrator to set up an Identity Provider relationship with a child tenant. When enabled, tenant users can administer the tenant and log in to the tenant using Identity Provider authentication.
- [Modify Tenant accounts and entitlements](/docs/service-provider/manage-tenants/modify-tenant-accounts-and-entitlements.md): Account entitlements determine the number of users allowed on a Service Provider account. To complete this procedure, you must have a role that allows you to modify entitlements. See Managing Service Provider roles for more information.
- [Promote Tenant account to a Service Provider](/docs/service-provider/manage-tenants/promote-tenant-account-to-a-service-provider.md): 1. Click  \> Service Provider \> Tenants. The Tenants List page appears.
- [Reset mail server](/docs/service-provider/manage-tenants/reset-mail-server.md): The Reset Mail Server feature enables you to change a Tenant account mail server to use the IDaaS default mail server. This feature is useful if the Tenant configured a custom mail server used to deliver email OTPs and the mail server is misconfigured preventing users from authenticating to their IDaaS account.
- [Reset system resource rules](/docs/service-provider/manage-tenants/reset-system-resource-rules.md): Resource rules control access to the user portal of a Tenant account. If they are improperly configured, resource rules can prevent users from logging in to their account. This procedures describes how to reset the default system-defined resource rules of a Tenant account if that happens. Once reset, users can log in again. For more information on resource rules, see Manage resource rules in the Administrator Help.
- [Show Tenants in the User Portal](/docs/service-provider/manage-tenants/show-tenants-in-the-user-portal.md): To allow users to see their Tenants in the User Portal, you need to enable the feature.
- [Unlock account administrators](/docs/service-provider/manage-tenants/unlock-account-administrators.md): Administrators can be locked out of their account for too many failed authentication attempts or account inactivity. The Service Provider portal can be used to unlock all locked administrators of a given account.
- [Update Tenant hostnames](/docs/service-provider/manage-tenants/update-tenant-hostnames.md): You can change the hostname of child accounts of your Tenant account. This feature is useful if, for example, your company rebrands and changes its company name, you can update the hostname to reflect the rebranding.
- [Upgrade trial accounts](/docs/service-provider/manage-tenants/upgrade-trial-accounts.md): If your Service Provider account is a Production account, you can upgrade Trial or Unknown tenant accounts to production accounts. See Account entitlements and Add Tenant accounts for more information on Trial and Production accounts.
- [Managing Tenant accounts](/docs/service-provider/manage-tenants/view-delete-unlock-tenant-accounts.md): Locking and unlocking Tenant accounts
- [Manage usage reports](/docs/service-provider/manage-usage-reports.md): You can view, generate, and schedule Usage Reports that provide information about the use of your Tenant accounts. The system uses aggregate data in the report information, which includes information such as the number of users, and the number of voice/SMS credits.
- [Troubleshoot](/docs/troubleshooting.md): This section contains troubleshooting help for common issues. For issues not addressed in this section, contact Entrust Support at contact support@entrust.com.
- [Application Help](/docs/troubleshooting/application-help.md): The tables below provide troubleshooting information for problems those setting up and accessing Web applications could encounter. The information is organized into four tables:
- [Known Issues & Limitations](/docs/troubleshooting/known-issues.md): This section describes known issues and limitations of Entrust Identity as a Service.
- [Login Help](/docs/troubleshooting/login-help.md): Login troubleshooting
- [Resource rule help](/docs/troubleshooting/resource-rule-help.md): The table below provides information for problems that those attempting to create or modify resource rules could encounter.
- [Update account password help](/docs/troubleshooting/update-account-password-help.md): The table below provides information for those who may encounter problems when updating their password. For additional assistance, please contact support@entrust.com.
- [User Help](/docs/troubleshooting/user-help.md): The table below provides information for problems that those attempting to create or modify Identity as a Service users could encounter. For additional assistance, contact support@entrust.com.
- [User Portal](/docs/user-portal-settings.md): Managing the User Portal involves setting up what a user sees and can do when they log into their IDaaS account. This includes configuring what information they can change in their profile, the types of authenticators they can use, what they can see in their account, customize the language used, and set whether registration and verification is required for users to access their account.
- [Configure authenticator policies](/docs/user-portal-settings/configure-authenticators-policies.md): The authenticator policies set the authenticators available to users in the User Portal and the authenticator permissions available to users.
- [Configure Device policies](/docs/user-portal-settings/configure-device-policies.md): The device policies set the whether users can see and manage their devices.
- [Configure user applications policies](/docs/user-portal-settings/configure-user-applications-policies.md): The applications policies determine whether applications are available to users on the User Portal.
- [Configure user My Activity policy](/docs/user-portal-settings/configure-user-my-activity-policy.md): The My Activity policy sets whether users can see the My Activity page.
- [Configure User Portal policies](/docs/user-portal-settings/configure-user-portal-policies.md): The User Portal configuration sets the following:
- [Configure user profile policies](/docs/user-portal-settings/configure-user-profile-policies.md): The user profile policies set the whether users can see and manage their user attributes.
- [Support](/support.md): Entrust recognizes the importance of providing quick and easy access to our support resources. The following subsections provide details about the technical support and professional services available to you.

## API

- [Administration API](/api/admin-api.md)
- [Administration API categories](/api/admin-api/api-categories.md): Use this page to understand how Entrust Identity as a Service Administration API endpoints are grouped before you browse the generated reference. Each category name below links to the matching reference section.
- [Client Installation](/api/admin-api/api-client-install.md): System Requirements
- [Authentication and authorization](/api/admin-api/authentication-and-authorization.md): Use this page to understand how Administration API authentication works before you call protected endpoints. For complete operation details, see the Administration API reference.
- [Getting Started](/api/admin-api/getting-started.md): The Administration API lets you manage your IDaaS account programmatically without signing in to the Administrator Portal. Use this guide to create an Administration API application, initialize a client, and make your first request.
- [Admin API](/api/admin-api/reference.md)
- [Administration API REST examples](/api/admin-api/rest-examples.md): Use this section when you want raw HTTP request and response examples for common Administration API tasks.
- [Authenticate an Admin API application](/api/admin-api/rest-examples/authentication/authenticate-admin-application.md): Use this example to authenticate an Admin API application and obtain the auth token required by later Administration API requests.
- [Create a grid](/api/admin-api/rest-examples/grids/create-grid.md): Use this example to create and assign a grid card with a raw Administration API request.
- [Get a grid by ID](/api/admin-api/rest-examples/grids/get-grid-by-id.md): Use this example to retrieve grid card details by ID with a raw Administration API request.
- [Create a user](/api/admin-api/rest-examples/users/create-user.md): Use this example to create a user with a raw Administration API request.
- [Get a user by user ID](/api/admin-api/rest-examples/users/get-user-by-user-id.md): Use this example to retrieve a user's details by user ID with a raw Administration API request.
- [Configure Settings](/api/admin-api/sdk-examples/configure-settings.md): Manage authenticators settings for your users
- [Manage Token](/api/admin-api/sdk-examples/manage-token.md): Manage users with IDaaS Administration API client
- [Manage User](/api/admin-api/sdk-examples/manage-user.md): Manage users with IDaaS Administration API Client
- [Authentication API](/api/auth-api.md)
- [Client Installation](/api/auth-api/api-client-install.md): System Requirements
- [Authentication and support](/api/auth-api/authentication-and-support.md): Use this page when you need a quick reference for the Authentication API security scheme or support details.
- [Authentication overview](/api/auth-api/core-concepts/authentication-overview.md): Use this page to understand prerequisites, the three-call Authentication API lifecycle, and the supported authenticators before you start integrating. For complete operation details, see the Authentication API reference.
- [Risk-based authentication and machine authentication](/api/auth-api/core-concepts/risk-based-authentication-and-machine-authentication.md): Use this page to understand how risk evaluation and machine authentication affect Authentication API flows.
- [Transaction details and mobile SDK push messages](/api/auth-api/core-concepts/transaction-details-and-push-messages.md): Use this page when you need to attach transaction data to an Authentication API request or customize Soft Token SDK push notifications.
- [Getting Started](/api/auth-api/getting-started.md): IDaaS provides an Authentication API that lets you authenticate users programmatically with supported authenticators. Use this guide to create an Authentication API application, review the authentication flow, initialize a client, and make your first authentication request.
- [OIDC/OAuth authentication and authorization flows and resource server API protection](/api/auth-api/oidc-oauth/flows-and-endpoints.md): Use this page to understand the OIDC and OAuth endpoints that work with Entrust Identity as a Service Authentication API integrations.
- [OIDC/OAuth token examples](/api/auth-api/oidc-oauth/token-examples.md): Use this page to review example token payloads and sample values returned by Entrust Identity as a Service.
- [Auth API](/api/auth-api/reference.md)
- [EXTERNAL plus second-factor authentication](/api/auth-api/rest-examples/external-plus-second-factor.md): Use this page when your client completes first-factor authentication outside of Entrust Identity as a Service and then calls the Authentication API to determine whether second-factor authentication is required.
- [One-factor authentication](/api/auth-api/rest-examples/one-factor-authentication.md): Use this page when you want raw HTTP examples for one-factor Authentication API flows.
- [Two-factor authentication](/api/auth-api/rest-examples/two-factor-authentication.md): Use this page when you want the raw HTTP flow for first-factor plus second-factor Authentication API challenges.
- [User logout](/api/auth-api/rest-examples/user-logout.md): Use this page to end an Entrust Identity as a Service user session with the Authentication API.
- [Entrust Soft Token](/api/auth-api/sdk-examples/entrust-soft-token.md): This is an example of how to authenticate a user with Entrust Soft Token.
- [Get Users Authenticators](/api/auth-api/sdk-examples/get-users-authenticators.md): This is an example of how to get user's authenticators.
- [One Time Password](/api/auth-api/sdk-examples/one-time-password.md): This is an example of how to authenticate a user with OTP.
- [Self passkey registration](/api/auth-api/sdk-examples/self-passkey-registration.md): This example demonstrates how to register a passkey using the Authentication API instead of the Administration API. This is useful when you want to let users register passkeys directly through your application's frontend.
- [Deprecation Policy](/api/deprecation-policy.md): As Identity as a Service evolves with new features and capabilities we must occasionally make changes to our APIs that modify or remove certain functionalities.
- [Account Info](/api/openapi/admin-api/account-info.md): Account Info
- [Activate a smart credential](/api/openapi/admin-api/activate-smart-credential-using-put.md): Activate the specified smart credential. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Add a knowledge-based authenticator](/api/openapi/admin-api/add-knowledge-based-authenticator-using-post.md): Add a knowledge-based authenticator for the specified user. Caller requires the USERQUESTIONANSWERS:ADD permission.
- [Admin Auth](/api/openapi/admin-api/admin-auth.md): Admin Auth
- [Applications](/api/openapi/admin-api/applications.md): Applications
- [Assign a grid to a user by serial number](/api/openapi/admin-api/assign-grid-by-id-using-put.md): Assign the specified grid to a user. Caller requires the GRIDS:EDIT permission.
- [Assign a user to a grid](/api/openapi/admin-api/assign-grid-by-serial-number-using-put.md): Assign the specified user a grid. Caller requires the GRIDS:EDIT permission.
- [Assign token to user](/api/openapi/admin-api/assign-token-by-id-using-put.md): Given a hardware token, assign it to a user. Caller requires the TOKENS:EDIT permission.
- [Assign user to token](/api/openapi/admin-api/assign-token-by-serial-number-using-put.md): Given a user assign a hardware token. Caller requires the TOKENS:EDIT permission.
- [Get the result of an asynchronous list assigned grids operation](/api/openapi/admin-api/assigned-grids-page-async-result-using-get.md): Get the result of an asynchronous list assigned grids operation. Caller requires the GRIDS:VIEW permission.
- [Get the status of an asynchronous list assigned grids operation](/api/openapi/admin-api/assigned-grids-page-async-status-using-get.md): Get the status of an asynchronous list assigned grids operation. Caller requires the GRIDS:VIEW permission.
- [Lists a page of assigned grids asynchronously](/api/openapi/admin-api/assigned-grids-page-async-using-post.md): Returns assigned grids for the provided search parameters. Caller requires the GRIDS:VIEW permission. The following searchByAttributes are supported: <ul><li>serialNumber: a numeric value. Allowed operators are: EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>state: ACTIVE, INACTIVE, PENDING, CANCELED. Allowed operator: EQUALS.</li><li>expired: 'true' is the only value allowed. Allowed operator: EQUALS. </li><li>createDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>expiryDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>lastUsedDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>userId: a String value. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: serialNumber, state, createDate, expiryDate, lastUsedDate, userId.<br />The results will only include grids that contain data in the orderByAttribute selected.
- [Lists a page of assigned grids](/api/openapi/admin-api/assigned-grids-page-using-post.md): Returns assigned grids for the provided search parameters. Caller requires the GRIDS:VIEW permission. The following searchByAttributes are supported: <ul><li>serialNumber: a numeric value. Allowed operators are: EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>state: ACTIVE, INACTIVE, PENDING, CANCELED. Allowed operator: EQUALS.</li><li>expired: 'true' is the only value allowed. Allowed operator: EQUALS. </li><li>createDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>expiryDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>lastUsedDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>userId: a String value. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: serialNumber, state, createDate, expiryDate, lastUsedDate, userId.<br />The results will only include grids that contain data in the orderByAttribute selected.
- [Get the result of an asynchronous list assigned tokens operation](/api/openapi/admin-api/assigned-token-page-async-result-using-get.md): Get the result of an asynchronous list assigned grids operation. Caller requires the TOKENS:VIEW permission.
- [Get the status of an asynchronous list assigned tokens operation](/api/openapi/admin-api/assigned-token-page-async-status-using-get.md): Get the status of an asynchronous list assigned grids operation. Caller requires the TOKENS:VIEW permission.
- [Lists a page of assigned tokens asynchronously](/api/openapi/admin-api/assigned-token-page-async-using-post.md): Returns assigned tokens for the provided search parameters. Caller requires the TOKENS:VIEW permission.The following searchByAttributes are supported: <ul><li>state: NEW, ACTIVE, ACTIVATING or INACTIVE. Allowed operator: EQUALS.</li><li>serialNumber: a String up to 100 characters. Allowed operators are: EQUALS, CONTAINS, STARTS_WITH.</li><li>type: ENTRUST_SOFT_TOKEN, GOOGLE_AUTHENTICATOR, OATH_PHYSICAL_TOKEN or ENTRUST_LEGACY_TOKEN. Allowed operator: EQUALS.</li><li>loadDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>lastUsedDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li><li>label: a String up to 100 characters. Allowed operator: CONTAINS. </li></ul>The orderByAttribute supports these attribute names: serialNumber, state, loadDate or lastUsedDate.Sorting by attributes containing Null values such as lastUsedDate is not possible. Therefore, any record containing Null in the orderByAttribute will be filtered out before doing the sorting.
- [Lists a page of assigned tokens](/api/openapi/admin-api/assigned-token-page-using-post.md): Returns assigned tokens for the provided search parameters. Caller requires the TOKENS:VIEW permission.The following searchByAttributes are supported: <ul><li>state: NEW, ACTIVE, ACTIVATING or INACTIVE. Allowed operator: EQUALS.</li><li>serialNumber: a String up to 100 characters. Allowed operators are: EQUALS, CONTAINS, STARTS_WITH.</li><li>type: ENTRUST_SOFT_TOKEN, GOOGLE_AUTHENTICATOR, OATH_PHYSICAL_TOKEN or ENTRUST_LEGACY_TOKEN. Allowed operator: EQUALS.</li><li>loadDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>lastUsedDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li><li>label: a String up to 100 characters. Allowed operator: CONTAINS. </li></ul>The orderByAttribute supports these attribute names: serialNumber, state, loadDate or lastUsedDate.Sorting by attributes containing Null values such as lastUsedDate is not possible. Therefore, any record containing Null in the orderByAttribute will be filtered out before doing the sorting.
- [Lists a page of audit events](/api/openapi/admin-api/audit-event-page-using-post.md): Returns audit events for the provided search parameters. Caller requires the REPORTS:VIEW permission.The following searchByAttributes are supported: <ul><li>eventTime: a <b>mandatory</b> String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are: GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL. </li><li>outcome: SUCCESS or FAIL. Allowed operator: EQUALS. </li><li>category: AUTHENTICATION or MANAGEMENT. Allowed operator: EQUALS. </li><li>entityName: a String up to 100 characters. Allowed operators: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>entityType: a String up to 40 characters (e.g., USERS, GROUPS, QUESTIONS, REPORTS, ROLES). Allowed operators: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>entityAction: a String up to 100 characters (e.g., ADD, EDIT, REMOVE, ASSIGN, RESET). Allowed operators: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>resourceName: a String up to 100 characters. Allowed operators: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>sourceIp: a String up to 39 characters. Allowed operators: EQUALS, STARTS_WITH. </li><li>subjectName: a String up to 100 characters (e.g., jsmith). Allowed operators: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>eventType: a String up to 100 characters (e.g., AuthenticationDeniedEvent). Allowed operators: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>subject: Restrict events to the UUID of a specific subject. Allowed operator: EQUALS. </li><li>authenticator: Filter by authenticator type (e.g., PASSWORD, OTP, TOKEN, FIDO, SMARTCREDENTIALPUSH, TOKENPUSH, IDP, PASSKEY, etc.). Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: eventTime, outcome, category, entityName, entityType, entityAction, resourceName, sourceIp, subjectName.<br />The results will only include audit events with data in the orderByAttribute selected. If ordering by entityName, entityType, or entityAction, then AUTHENTICATION events will not be returned.
- [Authenticate to an Admin API application.](/api/openapi/admin-api/authenticate-admin-api-using-post.md): Authenticate to an Admin API application.
- [Change state of grid](/api/openapi/admin-api/change-grid-state-using-put.md): Change the state of the specified grid. Caller requires the GRIDS:EDIT permission.
- [Change smart credential state](/api/openapi/admin-api/change-smart-credential-state-using-put.md): Change the state of the specified smart credential. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Change token state](/api/openapi/admin-api/change-token-state-using-put.md): Change the state of a token. Caller requires the TOKENS:EDIT permission.
- [Complete token activation](/api/openapi/admin-api/complete-activate-token-using-put.md): Complete activation of the given token. Caller requires the TOKENS:ADD permission.
- [Complete FIDO token registration](/api/openapi/admin-api/complete-create-fido-token-using-post.md): Complete FIDO token registration for the specified user. Caller requires the FIDOTOKENS:ADD permission.
- [Smart credential complete signature](/api/openapi/admin-api/complete-sign-smart-credential-using-put.md): Smart credential complete sign. Caller requires the SMARTCREDENTIALSSIGNATURE:ADD permission.
- [Authenticate Contact Verification Challenge](/api/openapi/admin-api/contact-verification-authenticate-using-post.md): Authenticate the contact verification challenge.  Caller requires the CONTACTVERIFICATION:ADD permission.
- [Get Contact Verification Challenge](/api/openapi/admin-api/contact-verification-challenge-using-post.md): Get a contact verification challenge for the specified contact. Caller requires the CONTACTVERIFICATION:ADD permission.
- [Create an acr](/api/openapi/admin-api/create-acr-using-post.md): Create an acr. Caller requires the CONTEXTRULES:ADD permission.
- [Create Admin API application](/api/openapi/admin-api/create-admin-api-application-using-post.md): Create an Admin API application. Caller requires the APPLICATIONS:ADD permission.
- [Create Auth API application](/api/openapi/admin-api/create-auth-api-application-using-post.md): Create an auth API application. Caller requires the APPLICATIONS:ADD permission.
- [Create an authentication flow](/api/openapi/admin-api/create-authentication-flow-using-post.md): Create an authentication flow. Caller requires the CONTEXTRULES:ADD permission.
- [Create a Face Biometric for a user](/api/openapi/admin-api/create-face-authenticator-using-post.md): Create a Face Biometric authenticator for the specified user. Caller requires the FACE:ADD permission.<br />
- [Create a Face Biometric for a user](/api/openapi/admin-api/create-face-using-post.md): Create a Face for the specified user. Caller requires the FACE:ADD permission.
- [Create a grid](/api/openapi/admin-api/create-grid-using-post.md): Create a grid for the specified user. Caller requires the GRIDS:ADD permission.
- [Create a group](/api/openapi/admin-api/create-group-using-post.md): Create a group with the specified name. Caller requires the GROUPS:ADD permission.
- [Create a Machine Authenticator](/api/openapi/admin-api/create-machine-authenticator-using-post.md): Create a Machine Authenticator for a user. Caller requires the USERMACHINES:ADD permission.
- [Create and get the Magic Link for a user](/api/openapi/admin-api/create-magic-link-using-put.md): Create and get the Magic Link for the specified user UUID. Requires the MAGICLINKS:ADD permission.
- [Create an OIDC identity provider](/api/openapi/admin-api/create-oidc-identity-provider-using-post.md): Create an OIDC identity provider. Caller requires the IDENTITYPROVIDERS:ADD permission.
- [Create an organization](/api/openapi/admin-api/create-organization-using-post.md): Create an organization. Caller requires the ORGANIZATIONS:ADD permission.
- [Creates and returns an OTP](/api/openapi/admin-api/create-otp-using-post.md): Create and return an OTP. Caller requires the OTPS:ADD permission.
- [Create a resource rule](/api/openapi/admin-api/create-resource-rule-using-post.md): Create a resource rule for a specified resource. Caller requires the CONTEXTRULES:ADD permission.
- [Create a SAML identity provider](/api/openapi/admin-api/create-saml-identity-provider-using-post.md): Create a SAML identity provider. Caller requires the IDENTITYPROVIDERS:ADD permission.
- [Create a smart credential](/api/openapi/admin-api/create-smart-credential-using-post.md): Create a smart credential for a user. Caller requires the SMARTCREDENTIALS:ADD permission.
- [Create a temporary access code](/api/openapi/admin-api/create-temp-access-code-using-post.md): Create a temporary access code for the given user. Caller requires the TEMPACCESSCODE:ADD permission.
- [Create a tenant asynchronously](/api/openapi/admin-api/create-tenant-async-using-post.md): <p>Create a new tenant for a service provider. Caller requires the TENANTS:ADD permission from a service provider role.</p><p>Notes on CreateTenantParms attributes: </p><b>adminUser</b> (UserParms):<ul>    <li>The locale attribute is ignored if provided. It defaults to English for the first super administrator.</li>    <li>The status attributes is ignored if provided. It defaults to ACTIVE for the first super administrator.</li>    <li>The userId is required.</li></ul><b>adminApiApplication</b> (AdminApiApplicationParms):<ul>    <li>The spRoleId attribute is not supported. An error is returned if provided.</li></ul><b>entitlements</b> (EntitlementParms):<ul>    <li>The contractMode attribute is required. It must be either TRIAL or PRODUCTION.</li>    <li>The quantity attribute is required.</li>    <li><b>entitlements.issuance</b> (EntitlementParms.IssuanceParms):</li>    <li>The entitlements.issuance attribute is required if you are creating an Issuance tenant.</li>    <li>The serviceBundles attribute is required. One service bundle (of those supported by the service provider contract) must be defined.</li></ul>
- [Create a token](/api/openapi/admin-api/create-token-using-post.md): Create a token of the given type for the given user. Caller requires the TOKENS:ADD permission.
- [Create unassigned grids](/api/openapi/admin-api/create-unassigned-grids-using-post.md): Create the specified number of unassigned grids. Caller requires the GRIDS:ADD permission.
- [Create a user attribute](/api/openapi/admin-api/create-user-attribute-using-post.md): Create a  user attribute. Caller requires the USERATTRIBUTES:ADD permission.
- [Add user to organization](/api/openapi/admin-api/create-user-organization-association-using-post.md): Add user to organization. Caller requires the ORGANIZATIONS:EDIT permission.
- [Create a user](/api/openapi/admin-api/create-user-using-post.md): Create a user. Caller requires the USERS:ADD permission.
- [Create multiple users](/api/openapi/admin-api/create-users-using-post.md): Create multiple users. Caller requires the USERS:ADD permission.
- [Register a webhook](/api/openapi/admin-api/create-webhook-using-post.md): Register a webhook with callback URL, webhook events etc. Caller is required to have WEBHOOKS:ADD permission.
- [Delete a Face Biometric by UUID](/api/openapi/admin-api/delete-face-using-delete.md): Delete a Face Biometric authenticator by the specified UUID. Requires the FACE:REMOVE permission.
- [Delete a FIDO token](/api/openapi/admin-api/delete-fido-token-using-delete.md): Delete the specified FIDO token. Caller requires the FIDOTOKENS:REMOVE permission.
- [Delete a grid](/api/openapi/admin-api/delete-grid-using-delete.md): Delete the specified grid. Caller requires the GRIDS:REMOVE permission.
- [Remove a group](/api/openapi/admin-api/delete-group-using-delete.md): Remove the specified group. Caller requires the GROUPS:REMOVE permission.
- [Delete a Machine Authenticator](/api/openapi/admin-api/delete-machine-authenticator-using-delete.md): Deletes a Machine Authenticator from a user. Caller requires the USERMACHINES:REMOVE permission.
- [Delete the Magic Link for a given user](/api/openapi/admin-api/delete-magic-link-using-delete.md): Delete the Magic Link for the specified user UUID. Requires the MAGICLINKS:REMOVE permission.
- [Delete an OIDC identity provider](/api/openapi/admin-api/delete-oidc-identity-provider-using-delete.md): Delete an OIDC identity provider. Caller requires the IDENTITYPROVIDERS:REMOVE permission.
- [Delete a SAML identity provider](/api/openapi/admin-api/delete-saml-identity-provider-using-delete.md): Delete a SAML identity provider. Caller requires the IDENTITYPROVIDERS:REMOVE permission.
- [Delete a smart credential](/api/openapi/admin-api/delete-smart-credential-using-delete.md): Delete the specified smart credential. Caller requires the SMARTCREDENTIALS:REMOVE permission.
- [Delete a temporary access code](/api/openapi/admin-api/delete-temp-access-code-using-delete.md): Delete the temporary access code for the given user. Caller requires the TEMPACCESSCODE:REMOVE permission.
- [Delete an entitlement](/api/openapi/admin-api/delete-tenant-entitlement-using-delete.md): Delete the entitlement for the specified tenant. Caller requires the SPENTITLEMENTS:REMOVE permission from a service provider role.
- [Delete a token](/api/openapi/admin-api/delete-token-using-delete.md): Delete the specified token. Caller requires the TOKENS:REMOVE permission.
- [Delete a user attribute](/api/openapi/admin-api/delete-user-attribute-using-delete.md): Delete the specified user attribute. Caller requires the USERATTRIBUTES:REMOVE permission.
- [Delete retained knowledge-based authenticator challenges](/api/openapi/admin-api/delete-user-kba-challenges-using-delete.md): Delete all retained knowledge-based authenticator challenges for the specified user. Caller requires the USERQUESTIONS:REMOVE permission.
- [Delete a question from the knowledge-based authenticator](/api/openapi/admin-api/delete-user-kba-question-using-delete.md): Delete a specified question from the knowledge-based authenticator of the specified user. Caller requires the USERQUESTIONS:REMOVE permission.
- [Delete the knowledge-based authenticator](/api/openapi/admin-api/delete-user-kba-using-delete.md): Delete the knowledge-based authenticator for the specified user. Caller requires the USERQUESTIONS:REMOVE permission.
- [Delete user location history](/api/openapi/admin-api/delete-user-locations-using-delete.md): Delete one or more entries from a user's location history. Caller requires the USERRBASETTINGS:REMOVE permission.
- [Delete a user password using the password ID](/api/openapi/admin-api/delete-user-named-password-using-delete.md): Delete the user's password. Caller requires the USERPASSWORDS:REMOVE permission.
- [Remove user from organization](/api/openapi/admin-api/delete-user-organization-association-using-delete.md): Remove user from organization. Caller requires the ORGANIZATIONS:EDIT permission.
- [Delete a user password](/api/openapi/admin-api/delete-user-password-using-delete.md): Delete the user's password. Caller requires the USERPASSWORDS:REMOVE permission.
- [Delete a site role from a user](/api/openapi/admin-api/delete-user-site-role-association-using-delete.md): Delete a user's site role. Caller requires the USERSITEROLES:REMOVE permission.
- [Delete a user](/api/openapi/admin-api/delete-user-using-delete.md): Delete the specified user. Caller requires the USERS:REMOVE permission.
- [Delete multiple users](/api/openapi/admin-api/delete-users-using-delete.md): Delete multiple users. Caller requires the USERS:REMOVE permission.
- [Delete a webhook](/api/openapi/admin-api/delete-webhook-using-delete.md): Delete a registered webhook by ID. Caller is required to have WEBHOOKS:REMOVE permission.
- [Email a grid card to the card owner](/api/openapi/admin-api/deliver-assigned-grid-by-email-using-post.md): Email a grid card to the card owner. Caller requires the GRIDS:VIEW permission.
- [Directories](/api/openapi/admin-api/directories.md): Directories
- [Entitlements](/api/openapi/admin-api/entitlements.md): Entitlements
- [Export a certificate from a smart credential](/api/openapi/admin-api/export-certificate-using-get.md): Export the specified certificate. Caller requires the SMARTCREDENTIALS:VIEW permission.
- [Face](/api/openapi/admin-api/face.md): Face
- [Fetch Android association file for a FIDO relying party](/api/openapi/admin-api/fetch-android-association-file-using-post.md): Fetch Android association file for a FIDO relying party. Caller requires the SETTINGS:VIEW permission.
- [Fetch Apple association file for a FIDO relying party](/api/openapi/admin-api/fetch-apple-association-file-using-post.md): Fetch Apple association file for a FIDO relying party. Caller requires the SETTINGS:VIEW permission.
- [Fetch OIDC Configuration for an OIDC identity provider](/api/openapi/admin-api/fetch-oidc-configuration-using-post.md): Fetch OIDC Configuration for an OIDC identity provider. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [Fetch SAML Configuration for a SAML identity provider](/api/openapi/admin-api/fetch-saml-configuration-using-post.md): Fetch SAML Configuration for a SAML identity provider. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [FIDO Tokens](/api/openapi/admin-api/fido-tokens.md): FIDO Tokens
- [Get account info](/api/openapi/admin-api/get-accout-info-using-get.md): Get account information. Caller requires the SUBSCRIBERS:VIEW permission.
- [Get an acr](/api/openapi/admin-api/get-acr-using-get.md): Get the specified acr. Caller requires the CONTEXTRULES:VIEW permission.
- [Get all acrs](/api/openapi/admin-api/get-acrs-using-get.md): Get all acrs. Caller requires the CONTEXTRULES:VIEW permission.
- [Get Admin API application](/api/openapi/admin-api/get-admin-api-application-using-get.md): Get an Admin API application. Caller requires the APPLICATIONS:VIEW permission.
- [Get Auth API application](/api/openapi/admin-api/get-auth-api-application-using-get.md): Get the specified auth API application. Caller requires the APPLICATIONS:VIEW permission.
- [Get an authentication flow](/api/openapi/admin-api/get-authentication-flow-using-get.md): Get the specified authentication flow. Caller requires the CONTEXTRULES:VIEW permission.
- [Get all authentication flows](/api/openapi/admin-api/get-authentication-flows-using-get.md): Get all authentication flows. Caller requires the CONTEXTRULES:VIEW permission.
- [Get the result of an asynchronous tenant creation operation](/api/openapi/admin-api/get-create-tenant-async-result-using-get.md): Get the result of a tenant creation operation for a service provider. The results for a given operation can only be retrieved once. Caller requires the TENANTS:ADD permission from a service provider role.
- [Get the status of an asynchronous tenant creation operation](/api/openapi/admin-api/get-create-tenant-async-status-using-get.md): Get the status of a tenant creation operation for a service provider. Caller requires the TENANTS:VIEW permission from a service provider role.
- [Get a directory attribute mapping](/api/openapi/admin-api/get-directory-attr-mapping-using-get.md): Get the specified directory attribute mapping. Caller requires the DIRECTORIES:VIEW permission.
- [List directory attribute mappings](/api/openapi/admin-api/get-directory-attr-mappings-using-get.md): List all directory attribute mappings for a given directory. Caller requires the DIRECTORIES:VIEW permission.
- [Get directory synchronization status](/api/openapi/admin-api/get-directory-sync-status-info-using-get.md): Get the specified directory synchronization status details. Caller requires the DIRECTORIES:VIEW permission.
- [Get directory synchronization settings](/api/openapi/admin-api/get-directory-sync-using-get.md): Get the specified directory synchronization settings. Caller requires the DIRECTORIES:VIEW permission.
- [List directory sync settings](/api/openapi/admin-api/get-directory-syncs-using-get.md): List all directory sync settings associated with the given directory sync agent. Caller requires the DIRECTORIES:VIEW permission.
- [Get a directory](/api/openapi/admin-api/get-directory-using-get.md): Get the specified directory. Caller requires the DIRECTORIES:VIEW permission.
- [Lists a page of entitlement usage information](/api/openapi/admin-api/get-entitlement-usage-info-using-post.md): Returns tenant usage information for the provided search parameters. Caller requires the TENANTS:VIEW permission. The following searchByAttributes are supported: <ul><li>startTime: a <b>mandatory</b> String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are: GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL. </li><li>endTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are: GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL. </li><li>tenantId: The UUID of the tenant. Allowed operators are: EQUALS.</li><li>isTrial: true or false. Allowed operator: EQUALS. </li><li>usageType: the type of entitlement: USERS, ISSUANCE. Allowed operator: EQUALS. </li></ul>The orderByAttribute supports these attribute names: startTime.
- [Get Entrust ST Authenticator settings](/api/openapi/admin-api/get-entrust-st-authenticator-settings-using-get.md): Get Entrust ST Authenticator settings. Caller requires the SETTINGS:VIEW permission.
- [Get Onfido account settings used by the Face Biometric authenticator](/api/openapi/admin-api/get-face-account-settings-using-get.md): Get the current Onfido account settings used by the Face Biometric authenticator. Requires the SETTINGS:VIEW permission.
- [Get a list of Face Biometric for a given user](/api/openapi/admin-api/get-faces-using-get.md): Get a list of Face Biometrics authenticators for the specified user UUID. Requires the FACE:VIEW permission.
- [Get FIDO settings](/api/openapi/admin-api/get-fido-settings-using-get.md): Get the FIDO settings. Caller requires the SETTINGS:VIEW permission.
- [Get a FIDO token](/api/openapi/admin-api/get-fido-token-using-get.md): Get the specified FIDO token. Caller requires the FIDOTOKENS:VIEW permission.
- [Get FIDO tokens (paginated)](/api/openapi/admin-api/get-fido-tokens-paged-using-post.md): Get a paginated list of FIDO tokens with search and filter capabilities. Caller requires the FIDOTOKENS:VIEW permission. The following searchByAttributes are supported: <ul><li>userId: a String value (it matches both the User ID or any alias). Allowed operator is EQUALS. </li><li>name: a String with value matching the FIDO token name. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>authenticatorModel: a String value matching the authenticator model name. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>state: FIDO token state Active or Inactive. Allowed operator is: EQUALS </li><li>createDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL</li><li>lastUsedDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL, EXISTS, NOT_EXISTS</li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: userId and createDate.
- [Get general settings](/api/openapi/admin-api/get-general-settings-using-get.md): Get general settings. Caller requires the SETTINGS:VIEW permission.
- [Get Google Authenticator settings](/api/openapi/admin-api/get-google-authenticator-settings-using-get.md): Get Google Authenticator settings. Caller requires the SETTINGS:VIEW permission.
- [Get a grid by serial number](/api/openapi/admin-api/get-grid-by-serial-number-using-get.md): Get the grid for the specified serial number. Caller requires the GRIDS:VIEW permission.
- [Get grid properties](/api/openapi/admin-api/get-grid-properties-using-get.md): Get grid properties. Caller requires the GRIDS:VIEW permission.
- [Get a grid](/api/openapi/admin-api/get-grid-using-get.md): Get the specified grid. Caller requires the GRIDS:VIEW permission.
- [Get directory group filter](/api/openapi/admin-api/get-group-filter-using-get.md): Get the specified directory group filter. Caller requires the DIRECTORIES:VIEW permission.
- [List directory group filters](/api/openapi/admin-api/get-group-filters-using-get.md): List all directory group filters for a given directory. Caller requires the DIRECTORIES:VIEW permission.
- [Get a list of Knowledge-based questions that a user can answer](/api/openapi/admin-api/get-kba-questions-using-get.md): Get a list of Knowledge-based questions for the specified locale (language). The locale should be the two letter  Caller requires the USERQUESTIONS:VIEW permission.
- [Get the Magic Link for a user](/api/openapi/admin-api/get-magic-link-using-get.md): Get information about the Magic Link for the specified user UUID if one has been created. Requires the MAGICLINKS:VIEW permission.
- [Get an OIDC identity provider](/api/openapi/admin-api/get-oidc-identity-provider-using-get.md): Get an OIDC identity provider. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [Get an organization](/api/openapi/admin-api/get-organization-using-get.md): Get the specified organization. Caller requires the ORGANIZATIONS:VIEW permission.
- [Get OTP authenticator settings](/api/openapi/admin-api/get-otp-authenticator-settings-using-get.md): Get OTP authenticator settings. Caller requires the SETTINGS:VIEW permission.
- [Get Password Reset settings](/api/openapi/admin-api/get-password-reset-settings-using-get.md): Get the password reset settings. Caller requires the SETTINGS:VIEW permission.
- [Get a resource rule](/api/openapi/admin-api/get-resource-rule-using-get.md): Get the specified resource rule. Caller requires the CONTEXTRULES:VIEW permission.
- [Get all resource rules for a resource](/api/openapi/admin-api/get-resource-rules-for-resource-using-get.md): Get all resource rules for the specified resource. Caller requires the CONTEXTRULES:VIEW permission.
- [Get all resource rules](/api/openapi/admin-api/get-resource-rules-using-get.md): Get all resource rules. Caller requires the CONTEXTRULES:VIEW permission.
- [Download SAML Configuration for a SAML identity provider](/api/openapi/admin-api/get-saml-configuration-using-get.md): Download SAML Configuration for a SAML identity provider. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [Get a SAML identity provider](/api/openapi/admin-api/get-saml-identity-provider-using-get.md): Get a SAML identity provider. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [Get a smart credential definition by name](/api/openapi/admin-api/get-sc-defn-by-name-using-post.md): Get the smart credential definition for the specified name. Caller requires the SCDEFNS:VIEW permission.
- [Get a smart credential definition](/api/openapi/admin-api/get-sc-defn-using-get.md): Get the smart credential definition for the specified UUID. Caller requires the SCDEFNS:VIEW permission.
- [Get a searchbase](/api/openapi/admin-api/get-search-base-using-get.md): Get the specified searchbase. Caller requires the DIRECTORIES:VIEW permission.
- [List directory searchbases](/api/openapi/admin-api/get-search-bases-using-get.md): List all searchbases for a given directory. Caller requires the DIRECTORIES:VIEW permission.
- [Export a grid to PDF format](/api/openapi/admin-api/get-single-grid-export-using-get.md): Export a grid to PDF format. Caller requires the GRIDS:VIEW permission.
- [Get a role](/api/openapi/admin-api/get-site-role-using-get.md): Get a specified role. Caller requires the ROLES:VIEW permission.
- [Get a smart credential by serial number](/api/openapi/admin-api/get-smart-credential-by-serial-number-using-get.md): Get the specified smart credential by serial number. Caller requires the SMARTCREDENTIALS:VIEW permission.
- [Get a smart credential](/api/openapi/admin-api/get-smart-credential-using-get.md): Get the specified smart credential. Caller requires the SMARTCREDENTIALS:VIEW permission.
- [Get Tenant Identity Provider and Service Provider OIDC Application for Tenant Management.](/api/openapi/admin-api/get-sp-identity-provider-using-get.md): Get Tenant Identity Provider and Service Provider OIDC Application for Tenant Management. Caller requires the SPIDENTITYPROVIDERS:VIEW permission.
- [Get entitlement info](/api/openapi/admin-api/get-subscriber-account-active-entitlements-using-get.md): Get entitlement info. Caller requires the ENTITLEMENTS:VIEW permission.
- [Get a temporary access code](/api/openapi/admin-api/get-temp-access-code-using-get.md): Get the temporary access code for the given user. Caller requires the TEMPACCESSCODE:VIEW permission.
- [Get an entitlement](/api/openapi/admin-api/get-tenant-entitlement-using-get.md): Get the specified entitlement for a tenant. Caller requires the SPENTITLEMENTS:VIEW permission from a service provider role.
- [Get entitlements for tenant](/api/openapi/admin-api/get-tenant-entitlements-using-get.md): Get all entitlements for the specified tenant of the current service provider. Caller requires the SPENTITLEMENTS:VIEW permission from a service provider role.
- [Get a tenant](/api/openapi/admin-api/get-tenant-using-get.md): Get the specified tenant for a service provider. Caller requires the TENANTS:VIEW permission from a service provider role.
- [Lists a page of tenants](/api/openapi/admin-api/get-tenants-page-using-post.md): Returns tenants for the provided search parameters. Caller requires the TENANTS:VIEW permission. The following searchByAttributes are supported: <ul><li>hostname: a String up to 100 characters. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH.</li><li>companyName: a String up to 100 characters. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH.</li><li>contractMode: PRODUCTION, TRIAL, UNKNOWN. Allowed operator: EQUALS.</li><li>locked: true or false. Allowed operator: EQUALS. </li><li>serviceProvider: true or false. Allowed operator: EQUALS. </li><li>authenticationAccount: true or false. Allowed operator: EQUALS. </li><li>issuanceAccount: true or false. Allowed operator: EQUALS. </li><li>spIdp: true or false. Allowed operator: EQUALS. </li></ul>The orderByAttribute supports these attribute names: hostname, companyName, contractMode, locked, serviceProvider, authenticationAccount, issuanceAccount, spIdp.
- [Get a token by serial number](/api/openapi/admin-api/get-token-by-serial-number-using-get.md): Get the token for the specified serial number. Caller requires the TOKENS:VIEW permission.
- [Get a token](/api/openapi/admin-api/get-token-using-get.md): Get the token for the specified UUID. Caller requires the TOKENS:VIEW permission.
- [List all transaction rules](/api/openapi/admin-api/get-transaction-rules-using-get.md): Get all transaction rules. Caller requires the CONTEXTRULES:VIEW permission.
- [Get a user attribute](/api/openapi/admin-api/get-user-attribute-using-get.md): Get the specified user attribute. Caller requires the USERATTRIBUTES:VIEW permission.
- [Get a users Face Biometric settings](/api/openapi/admin-api/get-user-face-settings-using-get.md): Get Face Biometric settings information for the specified user UUID. Requires the FACE:VIEW permission.
- [Get the knowledge-based authenticator](/api/openapi/admin-api/get-user-kba-using-get.md): Get the knowledge-based authenticator for the specified user. Caller requires the USERQUESTIONS:VIEW permission.
- [Get user password authenticator settings by named password ID](/api/openapi/admin-api/get-user-named-password-settings-using-get.md): Get password settings information for the specified user. Caller requires the USERPASSWORDS:VIEW permission.
- [Gets a list of user passwords](/api/openapi/admin-api/get-user-named-passwords-using-get.md): Get password information for the specified user. Caller requires the USERPASSWORDS:VIEW permission.
- [Gets a user password settings](/api/openapi/admin-api/get-user-password-settings-using-get.md): Get password settings information for the specified user. Caller requires the USERPASSWORDS:VIEW permission.
- [Gets a user password](/api/openapi/admin-api/get-user-password-using-get.md): Get password information for the specified user. Caller requires the USERPASSWORDS:VIEW permission.
- [Get user risk-based authentication settings](/api/openapi/admin-api/get-user-rba-settings-using-get.md): Get the user risk-based authentication settings for the specified user. Caller requires the USERRBASETTINGS:VIEW permission.
- [List all site roles assigned to user](/api/openapi/admin-api/get-user-roles-using-get.md): List all site roles assigned to the specified user. Caller requires the USERSITEROLES:VIEW permission.
- [Get site role assigned to user](/api/openapi/admin-api/get-user-site-role-association-using-get.md): Get the specified site role assigned to the specified user. Caller requires the USERSITEROLES:VIEW permission.
- [List webhooks](/api/openapi/admin-api/get-webhooks-using-get.md): Return a list of webhooks. Caller is required to have WEBHOOKS:VIEW permission.
- [Grids](/api/openapi/admin-api/grids.md): Grids
- [Get a group by externalId](/api/openapi/admin-api/group-by-external-id-using-post.md): Get the specified group by externalId. Caller requires the GROUPS:VIEW permission.
- [Get a group](/api/openapi/admin-api/group-using-get.md): Get the specified group. Caller requires the GROUPS:VIEW permission.
- [List a page of groups](/api/openapi/admin-api/groups-paged-using-post.md): Returns groups for the provided search parameters. Caller requires the GROUPS:VIEW permission. The following searchByAttributes are supported: <ul><li>name: a string value that indicates the name of the group. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>type: a string with the value that indicates the type of the group. Allowed operator: EQUALS.</li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports this attribute name: name.<br /><br />
- [List groups](/api/openapi/admin-api/groups-using-get.md): List all groups. Caller requires the GROUPS:VIEW permission.
- [Groups](/api/openapi/admin-api/groups.md): Groups
- [Hold a certificate from a smart credential](/api/openapi/admin-api/hold-certificate-using-put.md): Hold the specified certificate. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Identity Providers](/api/openapi/admin-api/identity-providers.md): Identity Providers
- [Create IP location](/api/openapi/admin-api/ip-location-from-ip-address-using-post.md): Gets IP location information for an IP address. The IP location can be used to create an ExpectedLocation. Caller requires the USERRBASETTINGS:ADD permission.
- [KBA](/api/openapi/admin-api/kba.md): KBA
- [List Admin API application](/api/openapi/admin-api/list-admin-api-applications-using-get.md): List Admin API application. Caller requires the APPLICATIONS:VIEW permission.
- [List allowed smart credential definitions](/api/openapi/admin-api/list-allowed-sc-defns-using-get.md): List allowed smart credential definitions. Caller requires the SCDEFNS:VIEW permission.
- [List application information](/api/openapi/admin-api/list-application-info-using-get.md): List application information. Caller requires the APPLICATIONS:VIEW permission.
- [List application templates](/api/openapi/admin-api/list-application-templates-using-get.md): List application templates. Caller requires the TEMPLATES:VIEW permission.
- [List Auth API applications](/api/openapi/admin-api/list-auth-api-applications-using-get.md): List all auth API applications. Caller requires the APPLICATIONS:VIEW permission.
- [List directories](/api/openapi/admin-api/list-directories-using-get.md): List all directories. Caller requires the DIRECTORIES:VIEW permission.<br /><br />The following attributes are not included in the returned Directory object: directoryAttributeMappings, directorySync, groupFilters, searchBases. The get directory API can be used to acquire these attribute for a specific directory.
- [Lists domain-based identity providers](/api/openapi/admin-api/list-domain-based-identity-providers-using-get.md): Lists domain-based identity providers. Caller requires the CONTEXTRULES:VIEW permission.
- [Lists identity providers](/api/openapi/admin-api/list-identity-providers-using-get.md): Lists identity providers. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [List machine authenticators for a user](/api/openapi/admin-api/list-machine-authenticators-using-get.md): List all machine authenticators for the specified user. Caller requires the USERMACHINES:VIEW permission.
- [List oauth roles](/api/openapi/admin-api/list-o-auth-roles-using-get.md): List all oauth roles. Caller requires the OAUTHROLES:VIEW permission.
- [Lists OIDC identity providers](/api/openapi/admin-api/list-oidc-identity-providers-using-get.md): Lists OIDC identity providers. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [Lists SAML identity providers](/api/openapi/admin-api/list-saml-identity-providers-using-get.md): Lists SAML identity providers. Caller requires the IDENTITYPROVIDERS:VIEW permission.
- [List smart credential definitions](/api/openapi/admin-api/list-sc-defns-using-get.md): List all the smart credential definition. Caller requires the SCDEFNS:VIEW permission.
- [List roles](/api/openapi/admin-api/list-site-roles-using-get.md): List all roles. Caller requires the ROLES:VIEW permission.
- [List user attributes](/api/openapi/admin-api/list-user-attributes-using-get.md): List all user attributes defined for the account. Caller requires the USERATTRIBUTES:VIEW permission.
- [List expected locations for a user](/api/openapi/admin-api/list-user-expected-locations-using-get.md): Lists the expected locations for the specified user. Caller requires the USERRBASETTINGS:VIEW permission.
- [Get user location history](/api/openapi/admin-api/list-user-locations-using-get.md): Get the location history of the specified user. Caller requires the USERRBASETTINGS:VIEW permission.
- [Lock a tenant](/api/openapi/admin-api/lock-tenant-using-put.md): Lock the specified tenant for a service provider. Caller requires the TENANTS:EDIT permission from a service provider role.
- [Machine Auth](/api/openapi/admin-api/machine-auth.md): Machine Auth
- [Magic Link](/api/openapi/admin-api/magic-link.md): Magic Link
- [Modify an assigned token](/api/openapi/admin-api/modify-assigned-token-using-put.md): Modify an assigned token. Caller requires the TOKENS:EDIT permission.
- [Modify a token](/api/openapi/admin-api/modify-token-using-put.md): Modify the specified token. Caller requires the TOKENS:EDIT permission.
- [Modify unassigned grid](/api/openapi/admin-api/modify-unassigned-grid-using-put.md): Modify the specified unassigned grid. Caller requires the GRIDS:EDIT permission.
- [Modify user organization membership](/api/openapi/admin-api/modify-user-a-organization-associations-using-put.md): Modify the list of organizations assigned to a specified user. Caller requires the USERS:EDIT permission.
- [Modify a user attribute](/api/openapi/admin-api/modify-user-attribute-using-put.md): Modify the specified user attribute. Caller requires the USERATTRIBUTES:EDIT permission.
- [Modify user group membership](/api/openapi/admin-api/modify-user-authorization-group-associations-using-put.md): Modify the list of groups assigned to a specified user. Caller requires the USERS:EDIT permission.
- [Modify user oauth role membership](/api/openapi/admin-api/modify-user-o-auth-role-associations-using-put.md): Modify the list of oauth roles assigned to a specified user. Caller requires the USERS:EDIT permission.
- [Set user role](/api/openapi/admin-api/modify-user-site-role-association-using-put.md): Set the role of the given user to the given role. Caller requires the USERSITEROLES:EDIT permission.
- [OAuth Roles](/api/openapi/admin-api/o-auth-roles.md): OAuth Roles
- [List a page of organizations](/api/openapi/admin-api/organizations-paged-using-post.md): Returns organizations for the provided search parameters. Caller requires the ORGANIZATIONS:VIEW permission. The following searchByAttributes are supported: <ul><li>displayName: a string value that indicates the display name of the organizations. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>name: a string value that indicates the name of the organizations. Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: displayName, name.<br /><br />
- [Organizations](/api/openapi/admin-api/organizations.md): Organizations
- [OTPs](/api/openapi/admin-api/ot-ps.md): OTPs
- [Passwords](/api/openapi/admin-api/passwords.md): Passwords
- [Get a webhook by id](/api/openapi/admin-api/read-webhook-using-get.md): Get the specified webhook. Caller is required to have WEBHOOKS:VIEW permission.
- [Delete an acr](/api/openapi/admin-api/remove-acr-using-delete.md): Delete the specified acr. Caller requires the CONTEXTRULES:REMOVE permission.
- [Remove Admin API application](/api/openapi/admin-api/remove-admin-api-application-using-delete.md): Remove an Admin API application. Caller requires the APPLICATIONS:REMOVE permission.
- [Remove Auth API application](/api/openapi/admin-api/remove-auth-api-application-using-delete.md): Remove the specified auth API application. Caller requires the APPLICATIONS:REMOVE permission.
- [Delete an authentication flow](/api/openapi/admin-api/remove-authentication-flow-using-delete.md): Delete the specified authentication flow. Caller requires the CONTEXTRULES:REMOVE permission.
- [Delete an organization](/api/openapi/admin-api/remove-organization-using-delete.md): Delete the specified organization. Caller requires the ORGANIZATIONS:REMOVE permission.
- [Delete a resource rule](/api/openapi/admin-api/remove-resource-rule-using-delete.md): Delete the specified resource rule. Caller requires the CONTEXTRULES:REMOVE permission.
- [Delete a tenant](/api/openapi/admin-api/remove-tenant-using-delete.md): Delete the specified tenant for a service provider. Caller requires the TENANTS:REMOVE permission from a service provider role.
- [Reports](/api/openapi/admin-api/reports.md): Reports
- [Reset a token](/api/openapi/admin-api/reset-token-using-put.md): Reset a token. Caller requires the TOKENS:EDIT permission.
- [Resource Rules](/api/openapi/admin-api/resource-rules.md): Resource Rules
- [Revoke a certificate from a smart credential](/api/openapi/admin-api/revoke-certificate-using-put.md): Revoke the specified certificate. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Roles](/api/openapi/admin-api/roles.md): Roles
- [Send an activation email for the Face Biometric](/api/openapi/admin-api/send-face-activation-email-using-put.md): Send an activation email for the Face Biometric authenticator by the specified UUID. Requires the FACE:ADD permission.
- [Update and send a password expiry notification](/api/openapi/admin-api/send-password-expiry-notification-using-put.md): Updates and sends a password expiry notification to the specified user. Caller requires the USERPASSWORDS:EDIT permission.
- [Update and send a password expiry notification using password ID](/api/openapi/admin-api/send-user-named-password-expiry-notification-using-put.md): Updates and sends a password expiry notification to the specified user. Caller requires the USERPASSWORDS:EDIT permission.
- [Update Onfido account settings used by the Face Biometric authenticator](/api/openapi/admin-api/set-face-account-settings-using-put.md): Update the Onfido account settings used by the Face Biometric authenticator. Requires the SETTINGS:EDIT permission.
- [Set Tenant Identity Provider and Service Provider OIDC Application for Tenant Management](/api/openapi/admin-api/set-sp-identity-provider-using-put.md): Set Tenant Identity Provider and Service Provider OIDC Application for Tenant Management. Caller requires the SPIDENTITYPROVIDERS:EDIT permission.
- [Set an entitlement](/api/openapi/admin-api/set-tenant-entitlement-using-put.md): Set the entitlement for the specified tenant. Caller requires the SPENTITLEMENTS:EDIT permission from a service provider role.
- [Set expected locations for a user](/api/openapi/admin-api/set-user-expected-locations-using-put.md): Sets the list of expected locations for the specified user. Caller requires the USERRBASETTINGS:EDIT permission.
- [Set a user password](/api/openapi/admin-api/set-user-password-using-put.md): Set a user password for the specified user. Caller requires the USERPASSWORDS:EDIT permission.
- [Settings](/api/openapi/admin-api/settings.md): Settings
- [Lists a page of audit events (SIEM)](/api/openapi/admin-api/siem-audit-event-page-using-post.md): Returns audit events for the provided search parameters in ascending order always. Caller requires the REPORTS:VIEW permission.The following searchByAttributes are supported: <ul><li>startTime: a <b>mandatory</b> String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are: GREATER_THAN_OR_EQUAL. </li><li>endTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-31T18:15:30). Allowed operators are: LESS_THAN_OR_EQUAL. </li><li>outcome: SUCCESS or FAIL. Allowed operator: EQUALS. </li><li>category: AUTHENTICATION or MANAGEMENT. Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute is not used even if provided. Results are returned in ascending order always (oldest to newest event)
- [Smart Credentials](/api/openapi/admin-api/smart-credentials.md): Smart Credentials
- [Start token activation](/api/openapi/admin-api/start-activate-token-using-post.md): Start activation of the given token. Caller requires the TOKENS:ADD permission.
- [Start FIDO token registration](/api/openapi/admin-api/start-create-fido-token-using-get.md): Start FIDO token registration for the specified user. Caller requires the FIDOTOKENS:ADD permission.
- [Smart credential start signature](/api/openapi/admin-api/start-sign-smart-credential-using-put.md): Smart credential start sign. Caller requires the SMARTCREDENTIALSSIGNATURE:ADD permission.
- [Synchronize a new user or an existing user](/api/openapi/admin-api/sync-user-using-post.md): Synchronize a user. Caller requires the USERS:EDIT permission. An Identity as a Service directory must be configured and associated with an Identity as a Service Gateway 5.0 or later. If you unsynchronize a user using the unsync API, the user becomes locally managed. In order to set the user back to an AD Sync user, the user should be synchronized again using this API. Using an AD Sync crawl will only re-synchronize the user if the user is updated in AD (i.e., the user's last update time in AD is updated) or a new custom user attribute mapping is added for the directory (this resets The last update time for all users such that all AD users will be re-synchronlized).<br/><br/>The following response status attribute values are possible: <ul><li>CONVERTED:  the locally managed Identity as a Service user was converted into an AD Sync user.</li><li>CREATED: a new user was created as an AD Sync user.</li><li>DELETED: the user was not found in AD and has been deleted in Identity as a Service.</li><li>LOCALIZED_ENABLED: the user was not found in AD and has been set as locally managed and enabled in Identity as a Service.</li><li>LOCALIZED_DISABLED: the user was not found in AD and has been set as locally managed and disabled in Identity as a Service.</li><li>UPDATED: the user was synchronized.</li></ul>
- [Temp Access Codes](/api/openapi/admin-api/temp-access-codes.md): Temp Access Codes
- [Tenants](/api/openapi/admin-api/tenants.md): Tenants
- [Test a webhook](/api/openapi/admin-api/test-webhook-using-post.md): Sends a dummy payload to the registered webhook callback URL. Use this to ensure your API is ready to start accepting webhook notifications. Caller is required to have WEBHOOKS:EDIT permission.
- [Tokens](/api/openapi/admin-api/tokens.md): Tokens
- [Unassign a grid](/api/openapi/admin-api/unassign-grid-using-put.md): Unassigned the specified grid. Caller requires the GRIDS:EDIT permission.
- [Unassign a smart credential](/api/openapi/admin-api/unassign-smart-credential-using-put.md): Unassign the specified smart credential. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Unassign a token](/api/openapi/admin-api/unassign-token-using-put.md): Unassign a token from a user. Caller requires the TOKENS:EDIT permission.
- [Get the result of an asynchronous list unassigned grids operation](/api/openapi/admin-api/unassigned-grids-page-async-result-using-get.md): Get the result of an asynchronous list unassigned grids operation. Caller requires the GRIDS:VIEW permission.
- [Get the status of an asynchronous list unassigned grids operation](/api/openapi/admin-api/unassigned-grids-page-async-status-using-get.md): Get the status of an asynchronous list unassigned grids operation. Caller requires the GRIDS:VIEW permission.
- [Lists a page of unassigned grids asynchronously](/api/openapi/admin-api/unassigned-grids-page-async-using-post.md): Returns unassigned grids for the provided search parameters. Caller requires the GRIDS:VIEW permission. The following searchByAttributes are supported: <ul><li>serialNumber: a numeric value. Allowed operators are: EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>createDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: serialNumber, createDate.
- [Lists a page of unassigned grids](/api/openapi/admin-api/unassigned-grids-page-using-post.md): Returns unassigned grids for the provided search parameters. Caller requires the GRIDS:VIEW permission. The following searchByAttributes are supported: <ul><li>serialNumber: a numeric value. Allowed operators are: EQUALS, GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>createDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: serialNumber, createDate.
- [Get the result of an asynchronous list unassigned tokens operation](/api/openapi/admin-api/unassigned-token-page-async-result-using-get.md): Get the result of an asynchronous list unassigned tokens operation. Caller requires the TOKENS:VIEW permission.
- [Get the status of an asynchronous list unassigned tokens operation](/api/openapi/admin-api/unassigned-token-page-async-status-using-get.md): Get the status of an asynchronous list unassigned tokens operation. Caller requires the TOKENS:VIEW permission.
- [Lists a page of unassigned hardware tokens asynchronously](/api/openapi/admin-api/unassigned-token-page-async-using-post.md): Returns unassigned hardware tokens for the provided search parameters. Caller requires the TOKENS:VIEW permission.The following searchByAttributes are supported: <ul><li>serialNumber: a String up to 100 characters. Allowed operators are: EQUALS, CONTAINS, STARTS_WITH.</li><li>type: OATH_PHYSICAL_TOKEN or ENTRUST_LEGACY_TOKEN. Allowed operator: EQUALS.</li><li>loadDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li></ul>The orderByAttribute supports these attribute names: serialNumber.
- [Lists a page of unassigned hardware tokens](/api/openapi/admin-api/unassigned-token-page-using-post.md): Returns unassigned hardware tokens for the provided search parameters. Caller requires the TOKENS:VIEW permission.The following searchByAttributes are supported: <ul><li>serialNumber: a String up to 100 characters. Allowed operators are: EQUALS, CONTAINS, STARTS_WITH.</li><li>type: OATH_PHYSICAL_TOKEN or ENTRUST_LEGACY_TOKEN. Allowed operator: EQUALS.</li><li>loadDate: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL.</li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li></ul>The orderByAttribute supports these attribute names: serialNumber.
- [Unblock a smart credential](/api/openapi/admin-api/unblock-smart-credential-using-put.md): Unblock the specified smart credential. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Unhold a certificate from a smart credential](/api/openapi/admin-api/unhold-certificate-using-put.md): Unhold the specified certificate. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Unlock a tenant](/api/openapi/admin-api/unlock-tenant-using-put.md): Unlock the specified tenant for a service provider. Caller requires the TENANTS:EDIT permission from a service provider role.
- [Unlock a token](/api/openapi/admin-api/unlock-token-using-put.md): Unlock a token. Caller requires the TOKENS:EDIT permission.
- [Unlock user](/api/openapi/admin-api/unlock-user-using-put.md): Unlock the specified user. Caller requires the USERS:EDIT permission.
- [Unsynchronize an existing user](/api/openapi/admin-api/unsync-user-using-post.md): Unsynchronize a user. Caller requires the USERS:EDIT permission. An Identity as a Service directory must be configured and associated with an Identity as a Service Gateway 5.0 or later. If you unsynchronize a user using this API, the user becomes locally managed. In order to set the user back to an AD Sync user, the user should be synchronized again using the sync API. Using an AD Sync crawl will only re-synchronize the user if the user is updated in AD (i.e., the user's last update time in AD is updated) or a new custom user attribute mapping is added for the directory (this resets the last update time for all users such that all AD users will be re-synchronlized).
- [Update account info](/api/openapi/admin-api/update-account-info-using-put.md): Update account information. Caller requires the SUBSCRIBERS:EDIT permission.
- [Update Admin API application](/api/openapi/admin-api/update-admin-api-application-using-put.md): Update an Admin API application. Caller requires the APPLICATIONS:EDIT permission.
- [Regenerate Admin API application shared secret](/api/openapi/admin-api/update-admin-api-shared-secret-using-put.md): Regenerate the shared secret for an Admin API application. Caller requires the APPLICATIONS:EDIT permission.
- [Update Auth API application](/api/openapi/admin-api/update-auth-api-application-using-put.md): Update the specified auth API application. Caller requires the APPLICATIONS:EDIT permission.
- [Update an authentication flow](/api/openapi/admin-api/update-authentication-flow-using-put.md): Update the specified authentication flow. Caller requires the CONTEXTRULES:EDIT permission.
- [Update Entrust ST Authenticator settings](/api/openapi/admin-api/update-entrust-st-authenticator-settings-using-put.md): Update Entrust ST Authenticator settings. Caller requires the SETTINGS:EDIT permission.
- [Update the Face Biometric for a given user](/api/openapi/admin-api/update-face-using-put.md): Update the Face Biometric authenticator for the specified user UUID. Requires the FACE:EDIT permission.
- [Update FIDO settings](/api/openapi/admin-api/update-fido-settings-using-put.md): Update the FIDO settings. Caller requires the SETTINGS:EDIT permission.
- [Update a FIDO token](/api/openapi/admin-api/update-fido-token-using-put.md): Update the specified FIDO token. Caller requires the FIDOTOKENS:EDIT permission.
- [Update general settings](/api/openapi/admin-api/update-general-settings-using-put.md): Update general settings. Caller requires the SETTINGS:EDIT permission.
- [Update Google Authenticator settings](/api/openapi/admin-api/update-google-authenticator-settings-using-put.md): Update Google Authenticator settings. Caller requires the SETTINGS:EDIT permission.
- [Update a group](/api/openapi/admin-api/update-group-using-put.md): Update the specified group. Caller requires the GROUPS:EDIT permission.
- [Modify a knowledge-based authenticator](/api/openapi/admin-api/update-knowledge-based-authenticator-using-put.md): Modify a knowledge-based authenticator for the specified user. Caller requires the USERQUESTIONANSWERS:EDIT permission.
- [Update an OIDC identity provider](/api/openapi/admin-api/update-oidc-identity-provider-using-put.md): Update an OIDC identity provider. Caller requires the IDENTITYPROVIDERS:EDIT permission.
- [Update an organization](/api/openapi/admin-api/update-organization-using-put.md): Update the specified organization. Caller requires the ORGANIZATIONS:EDIT permission.
- [Update OTP authenticator settings](/api/openapi/admin-api/update-otp-authenticator-settings-using-put.md): Update OTP authenticator settings. Caller requires the SETTINGS:EDIT permission.
- [Update Password Reset settings](/api/openapi/admin-api/update-password-reset-settings-using-put.md): Update the password reset settings. Caller requires the SETTINGS:EDIT permission.
- [Update a resource rule](/api/openapi/admin-api/update-resource-rule-using-put.md): Update the specified resource rule. Caller requires the CONTEXTRULES:EDIT permission.
- [Update a SAML identity provider](/api/openapi/admin-api/update-saml-identity-provider-using-put.md): Update a SAML identity provider. Caller requires the IDENTITYPROVIDERS:EDIT permission.
- [Update a smart credential](/api/openapi/admin-api/update-smart-credential-using-put.md): Update the specified smart credential. Caller requires the SMARTCREDENTIALS:EDIT permission.
- [Update user risk-based authentication settings](/api/openapi/admin-api/update-user-rba-settings-using-put.md): Update the user risk-based authentication settings for the specified user. Caller requires the USERRBASETTINGS:EDIT permission.
- [Update user state](/api/openapi/admin-api/update-user-state-using-put.md): Update the state of the specified user. Caller requires the USERS:EDIT permission.
- [Update a user](/api/openapi/admin-api/update-user-using-put.md): Update the specified user. Caller requires the USERS:EDIT permission.
- [Update multiple users](/api/openapi/admin-api/update-users-using-put.md): Update multiple users. Caller requires the USERS:EDIT permission.
- [Update a webhook](/api/openapi/admin-api/update-webhook-using-put.md): Update a webhook with callback URL, webhook events etc. Caller is required to have WEBHOOKS:EDIT permission.
- [User Attributes](/api/openapi/admin-api/user-attributes.md): User Attributes
- [Get a user by externalId](/api/openapi/admin-api/user-by-external-id-using-post.md): Get the user with the specified externalId.
- [Get a user by userid or user alias](/api/openapi/admin-api/user-by-userid-using-post.md): Get the specified user by userid or user alias.
- [User RBA Settings](/api/openapi/admin-api/user-rba-settings.md): User RBA Settings
- [Get a user by UUID](/api/openapi/admin-api/user-using-get.md): Get the specified user by UUID.
- [Get the result of an asynchronous list users operation](/api/openapi/admin-api/users-paged-async-result-using-get.md): Get the result of an asynchronous list users operation. Caller requires the USERS:VIEW permission.
- [Get the status of an asynchronous list users operation](/api/openapi/admin-api/users-paged-async-status-using-get.md): Get the status of an asynchronous list users operation. Caller requires the USERS:VIEW permission.
- [Lists a page of users asynchronously](/api/openapi/admin-api/users-paged-async-using-post.md): Returns users for the provided search parameters. Caller requires the USERS:VIEW permission. The following searchByAttributes are supported: <ul><li>userId: a String value (it matches both the User ID or any alias). Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li><li>roleId: a String value should be a UUID of an existing role. Allowed operator: EQUALS. </li><li>authenticator: a String with value ENTRUST_SOFT_TOKEN or FIDO or GOOGLE_AUTHENTICATOR or GRID or HARDWARE_TOKEN or KBA or OTP or PASSWORD or SMARTCREDENTIALPUSH or TEMP_ACCESS_CODE or FACE or MAGICLINK. Allowed operator: EQUALS, NOT_EQUALS. </li><li>state: ACTIVE or INACTIVE. Allowed operator: EQUALS. </li><li>locked: 'true' is the only value allowed. Allowed operator: EQUALS. </li><li>userType: a String with value LOCAL or SYNC or EXTERNAL. Allowed operator: EQUALS. </li><li>registrationRequired: true or false. Allowed operator: EQUALS. </li><li>verificationRequired: true or false. Allowed operator: EQUALS. </li><li>lastAuthTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL, EXISTS, NOT_EXISTS.</li><li>passwordExpirationTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL, EXISTS, NOT_EXISTS.</li><li>organizationId: a String value should be a UUID of an existing organization. Allowed operator: EQUALS. </li><li>passwordCompromised: true or false. Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: userId, state, lastAuthTime.<br /><br />The following attributes can be optionally included in the returned User object: grids, tokens, smartCredentials, tempAccessCode, fidoTokens, userAttributeValues, userAliases, groups, oauthRoles, authenticatorLockoutStatus, organizations
- [Lists a page of users](/api/openapi/admin-api/users-paged-using-post.md): Returns users for the provided search parameters. Caller requires the USERS:VIEW permission. The following searchByAttributes are supported: <ul><li>userId: a String value (it matches both the User ID or any alias). Allowed operators are: EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS, STARTS_WITH, ENDS_WITH. </li><li>groupId: a String value should be a UUID of an existing group. Allowed operator: EQUALS. </li><li>roleId: a String value should be a UUID of an existing role. Allowed operator: EQUALS. </li><li>authenticator: a String with value ENTRUST_SOFT_TOKEN or FIDO or GOOGLE_AUTHENTICATOR or GRID or HARDWARE_TOKEN or KBA or OTP or PASSWORD or SMARTCREDENTIALPUSH or TEMP_ACCESS_CODE or FACE or MAGICLINK. Allowed operator: EQUALS, NOT_EQUALS. </li><li>state: ACTIVE or INACTIVE. Allowed operator: EQUALS. </li><li>locked: 'true' is the only value allowed. Allowed operator: EQUALS. </li><li>userType: a String with value LOCAL or SYNC or EXTERNAL. Allowed operator: EQUALS. </li><li>registrationRequired: true or false. Allowed operator: EQUALS. </li><li>verificationRequired: true or false. Allowed operator: EQUALS. </li><li>lastAuthTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL, EXISTS, NOT_EXISTS.</li><li>passwordExpirationTime: a String value representing an ISO-8601 date in UTC time (e.g., 2018-08-04T18:15:30). Allowed operators are:  GREATER_THAN, GREATER_THAN_OR_EQUAL, LESS_THAN, LESS_THAN_OR_EQUAL, EXISTS, NOT_EXISTS.</li><li>organizationId: a String value should be a UUID of an existing organization. Allowed operator: EQUALS. </li><li>passwordCompromised: true or false. Allowed operator: EQUALS. </li></ul>If you provide more than one search attribute, they are joined with an AND condition.<br /><br />The orderByAttribute supports these attribute names: userId, state, lastAuthTime.<br /><br />The following attributes can be optionally included in the returned User object: grids, tokens, smartCredentials, tempAccessCode, fidoTokens, userAttributeValues, userAliases, groups, oauthRoles, authenticatorLockoutStatus, organizations
- [Users](/api/openapi/admin-api/users.md): Users
- [Validate user password](/api/openapi/admin-api/validate-user-password-using-post.md): Validate user password. Caller requires the USERPASSWORDS:EDIT permission.
- [Webhooks](/api/openapi/admin-api/webhooks.md): Webhooks
- [Authentication Self Admin](/api/openapi/auth-api/authentication-self-admin.md): Authentication Self Admin
- [Authentication](/api/openapi/auth-api/authentication.md): Authentication
- [Complete FIDO token registration for the current user.](/api/openapi/auth-api/complete-fido-register-using-post.md): Complete FIDO token registration for the current user.
- [Delete a FIDO token from the current user.](/api/openapi/auth-api/delete-self-fido-token-using-delete.md): Delete a FIDO token from the current user.
- [Get Offline Token Responses](/api/openapi/auth-api/get-offline-token-responses-using-post.md): Get Offline Token Responses
- [Get a FIDO token for the current user.](/api/openapi/auth-api/get-self-fido-token-using-get.md): Get a FIDO token for the current user.
- [Remove User Session](/api/openapi/auth-api/logout-using-post.md): Remove User Session
- [Update to delete User Values](/api/openapi/auth-api/self-delete-user-values-using-put.md): Update to delete User Values
- [Get User Values](/api/openapi/auth-api/self-get-user-values-using-get.md): Get User Values
- [Set or update User Values](/api/openapi/auth-api/self-set-user-values-using-post.md): Set or update User Values
- [Start FIDO token registration for the current user.](/api/openapi/auth-api/start-fido-register-using-get.md): Start FIDO token registration for the current user.
- [Update a FIDO token from the current user.](/api/openapi/auth-api/update-self-fido-token-using-put.md): Update a FIDO token from the current user.
- [Authenticate User Challenge](/api/openapi/auth-api/user-authenticate-using-post.md): Authenticate User Challenge
- [Query User Authenticators](/api/openapi/auth-api/user-authenticator-query-using-post.md): Query User Authenticators
- [Request User Challenge](/api/openapi/auth-api/user-challenge-using-post.md): Request User Challenge

## Release Notes

- [Blog](/blog.md): Blog
- [Release 1.1](/blog/2016/1.1.md): User interface display customization (AAAS-1003)(AAAS-1391)(AAAS-1390)(AAAS-1461)(AAAS-1117)(AAAS-1118)
- [Release 2.0](/blog/2017/2.0.md): ACS password authentication (AAAS-2756) (AAAS-2758) (AAAS-2680) (AAAS-2679)
- [Release 2.1](/blog/2017/2.1.md): New bulk operation actions available (AAAS-3671)
- [Release 3.0](/blog/2017/3.0.md): Service Provider portal (AAAS-2692) (AAAS-4633)
- [Release 3.1](/blog/2017/3.1.md): Users can choose between SMS and email OTP delivery during authentication (AAAS-7568)
- [Release 3.2](/blog/2017/3.2.md): Maximum authenticator setting for resource rules (AAAS-8576)
- [Release 3.3](/blog/2017/3.3.md): CA-signed certificates now supported for gateway instances (AAAS-7811)
- [Release 3.4](/blog/2018/3.4.md): Support for Active Directory Lightweight Directory Services (AAAS-9082) (AAAS-9311)
- [Release 3.5](/blog/2018/3.5.md): Single Logout (SLO) for Salesforce and Office 365 applications (AAAS-345)
- [Release 3.6](/blog/2018/3.6.md): Web proxy support added to Enterprise Service Gateway (AAAS-8783)
- [Release 3.7](/blog/2018/3.7.md): Migrate user authenticators from Entrust IdentityGuard to IntelliTrust (AAAS-8847)
- [Release 3.8](/blog/2018/3.8.md): New Authenticator: Grid Cards (AAAS-9804)
- [Release 3.9](/blog/2018/3.9.md): Grid Card enhancements (AAAS-9804)
- [Release 4.0](/blog/2018/4.0.md): Reset Active Directory password during authentication (AAAS-10960)
- [Release 4.1](/blog/2018/4.1.md): Azure AD Conditional Access Controls (AAAS-11032)
- [Release 4.2](/blog/2018/4.2.md): Back end pagination end points (AAAS-12871)
- [Release 4.3](/blog/2018/4.3.md): Support for user aliases (AAAS-13023)
- [Release 4.4](/blog/2018/4.4.md): IntelliTrust Developer documentation (AAAS-10987)
- [Release 4.5](/blog/2019/4.5.md): Optional system user attributes (AAAS-14202)
- [Release 4.6](/blog/2019/4.6.md): Password blacklist (AAAS-14876)
- [Release 4.7](/blog/2019/4.7.md): TLSv1.0 and TLSv1.1 no longer supported
- [Release 4.8](/blog/2019/4.8.md): Support for sending push notifications to custom mobile applications (AAAS-15065)
- [Release 4.9](/blog/2019/4.9.md): Improved online help navigation (AAAS-17183)
- [Release 5.0](/blog/2019/5.0.md): Manage SAML certificates (AAAS-16382)
- [Release 5.1](/blog/2019/5.1.md): ActiveSync Access for mobile (AAAS-16379)
- [Release 5.2](/blog/2019/5.2.md): IntelliTrust ISAPI Filter integration (AAAS-17586)
- [Release 5.3](/blog/2019/5.3.md): Directory Server failover (AAAS-15941)
- [Release 5.4](/blog/2019/5.4.md): IntelliTrust Desktop for Windows integration and offline token support (AAAS-8656)
- [Release 5.10](/blog/2020/5.10.md): SAML Attribute Editor
- [Release 5.11](/blog/2020/5.11.md): IntelliTrust Rename
- [Release 5.12](/blog/2020/5.12.md): New SAML Integrations
- [Release 5.13](/blog/2020/5.13.md): CORS Policy
- [Release 5.5](/blog/2020/5.5.md): Enterprise Service Gateway Memory Increase
- [Release 5.6](/blog/2020/5.6.md): Smart Credential Provisioning Improvements
- [Release 5.7.1](/blog/2020/5.7.1.md): Grid Card Enhancements
- [Release 5.7.2](/blog/2020/5.7.2.md): Smart Credential Revocation
- [Release 5.7](/blog/2020/5.7.md): Smart Login
- [Release 5.8](/blog/2020/5.8.md): SAML Relay State Support
- [Release 5.9](/blog/2020/5.9.md): SAML Metadata Import
- [Release 5.14](/blog/2021/5.14.md): New SAML integrations
- [Release 5.15](/blog/2021/5.15.md): New SAML Integrations
- [Release 5.16](/blog/2021/5.16.md): Support PKI as a Service (PKIaaS)
- [Release 5.17](/blog/2021/5.17.md): Feature Bundles
- [Release 5.18](/blog/2021/5.18.md): ActiveSync now supported for Microsoft Office 365 with OAuth 2 device code authentication
- [Release 5.19](/blog/2021/5.19.md): New in this release
- [Release 5.20](/blog/2021/5.20.md): New in this release
- [Release 5.21](/blog/2021/5.21.md): New in this release
- [Release 5.22](/blog/2021/5.22.md): New in this release
- [Release 5.23](/blog/2022/5.23.md): New in this release
- [Release 5.24](/blog/2022/5.24.md): New in this release
- [Release 5.25](/blog/2022/5.25.md): New in this release
- [Release 5.26](/blog/2022/5.26.md): New in this release
- [Release 5.27](/blog/2022/5.27.md): New in this release
- [Release 5.28](/blog/2023/5.28.md): New in this release
- [Release 5.29](/blog/2023/5.29.md): New in this release
- [Release 5.30](/blog/2023/5.30.md): New in this release
- [Release 5.31](/blog/2023/5.31.md): New in this release
- [Release 5.32](/blog/2023/5.32.md): New in this release
- [Release 5.33](/blog/2024/5.33.md): New in this release
- [Release 5.34](/blog/2024/5.34.md): New in this release
- [Release 5.35](/blog/2024/5.35.md): New in this release
- [Release 5.36](/blog/2024/5.36.md): New in this release
- [Release 5.37](/blog/2024/5.37.md): New in this release
- [Release 5.38](/blog/2025/5.38.md): New in this release
- [Release 5.39](/blog/2025/5.39.md): New in this release
- [Release 5.40](/blog/2025/5.40.md): New in this release
- [Release 5.41](/blog/2025/5.41.md): New in this release
- [Release 5.42](/blog/2025/5.42.md): New in this release
- [Release 5.43](/blog/2025/5.43.md): Release notes for Entrust Identity as a Service release 5.43
- [Release 5.44.1](/blog/2025/5.44.1.md): Release notes for Entrust Identity as a Service 5.44.1 Patch
- [Release 5.44](/blog/2025/5.44.md): Release notes for Entrust Identity as a Service release 5.44
- [Release 5.45](/blog/2026/idaas-5.45.md): Release notes for Entrust Identity as a Service release 5.45
- [Release 5.46](/blog/2026/idaas-5.46.md): Release notes for Entrust Identity as a Service release 5.46