This Admin Console Guide helps you learn about and understand the Stormpath IAM Admin Console. If you haven't already, please take a quick look at our Key Concepts and Definitions page so that you can get the most out of this guide.
Managing Directories
In Stormpath IAM, a directory is a collection of groups and user accounts that is accessible to an application. We support two types of directories: Cloud Directories and LDAP/AD Directories (coming soon). In our system you can create and manage an unlimited number of directories and an unlimited number of directory-to-application mappings.
To start, let's discuss how you create a directory.
Add a new Directory
To add a directory you first need to navigate to the Directory browser by clicking on the "Directories" link in the top navigation menu.
That link will bring up the directory browser (more on that in a sec). From here, click on the "Create Directory" button.
Ok, now you're on the Create Cloud Directory screen. Here you will enter information specific to the directory you are about to create.
Name - This field is the name of the directory that will show up in all parts of the Stormpath IAM system. It should be something fairly descriptive so that people you collaborate with will understand what the directory is and what types of user accounts are in it.
Description - This field is an area for you to provide any additional information about the directory that you feel will be helpful for you and your team to know as you work with it in our system.
Status - Here you get two options, enabled and disabled. By default, the directory is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that no one can authenticate against it until you're ready. (More on enabling and disabling directories)
Account Password Strength Policy - If you're setting up a directory that user accounts can authenticate against, then you'll need to manage their passwords. With Stormpath this is easy, and we offer you tools to control the security level of the passwords you accept. Those settings are part of this set of fields.
Min Characters - The minimum number of characters an account can have in its password. The smallest number we support is 1, but we strongly urge you to keep this number at 8 or longer. Shorter passwords are too easily broken.
Max Characters - The maximum number of characters an account can have in its password. The maximum we currently support is 999 characters in a password.
Mandatory Characters - This is where the magic happens. You can set up the types of characters that are required in a password, including lowercase letters, uppercase letters, numbers, symbols, and special characters. You select the mandatory characters by clicking on them. The ones in blue are activated, the ones in white are not. We strongly urge you to at a minimum include lowercase, uppercase, and numbers.
Once you've populated all the appropriate fields, hit create and you're done! You'll be routed to the new directory's detail page and a small notification that the creation was complete will show in the upper right hand corner of the screen.
Now that we've created a directory, let's go back and find our new directory.
Find a Directory
Finding a directory in Stormpath's console is very easy. First click on the "Directories" link in the primary navigation bar. This will bring up a list of all the existing directories you have access to.
If you would like to refine the list, click on the search bar and enter your search criteria. Our search tool will search across directory name and description.
Once you find the directory you're looking for, you can click on the directory's name and you'll go to that directory's detail page, where you can edit the directory, manage its group list, and manage its user accounts.
Edit a Directory
To edit a directory you'll first need to get to its detail page by clicking on the directory from any directory list in the application. Typically, you'll get to it through the directory browser by clicking on the "Directory" link on the primary nav bar. From the Directory browser you can click on the directory's name or on the "Edit" button in the "Actions" area on the right side of the entry.
Within the directory's detail page you can edit all the data you originally entered during directory creation.
Name - This field is the name of the directory that will show up in all parts of the Stormpath IAM system. It should be something fairly descriptive so that people you collaborate with will understand what the directory is and what types of user accounts are in it.
Description - This field is an area for you to provide any additional information about the directory that you feel will be helpful for you and your team to know as you work with it in our system.
Status - Here you get two options, enabled and disabled. By default, the directory is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that no one can authenticate against it until you're ready. (More on enabling and disabling directories)
Account Password Strength Policy - If you're setting up a directory that user accounts can authenticate against, then you'll need to manage their passwords. With Stormpath this is easy, and we offer you tools to control the security level of the passwords you accept. Those settings are part of this set of fields.
Min Characters - The minimum number of characters an account can have in its password. The smallest number we support is 1, but we strongly urge you to keep this number at 8 or longer. Shorter passwords are too easily broken.
Max Characters - The maximum number of characters an account can have in its password. The maximum we currently support is 999 characters in a password.
Mandatory Characters - This is where the magic happens. You can set up the types of characters that are required in a password, including lowercase letters, uppercase letters, numbers, symbols, and special characters. You select the mandatory characters by clicking on them. The ones in blue are activated, the ones in white are not. We strongly urge you to at a minimum include lowercase, uppercase, and numbers.
Click the "Update" button when you're done editing to commit the changes to Stormpath.
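The Account Password Strength Policy fields described in the create and edit screens above, modeled as an added Python example (not Stormpath code). The class and function names are hypothetical, and treating the character classes as ASCII sets, with "symbols" as ASCII punctuation, is an assumption the guide does not confirm.

```python
import string
from dataclasses import dataclass

# Character classes a policy can require. ASCII-only sets are an assumption;
# the guide does not define exactly which characters each class contains.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}
RECOMMENDED_MIN = 8  # "keep this number at 8 or longer"
RECOMMENDED_CLASSES = ("lowercase", "uppercase", "numbers")


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical model of one directory's password strength policy."""
    min_chars: int = RECOMMENDED_MIN
    max_chars: int = 999
    mandatory: frozenset = frozenset(RECOMMENDED_CLASSES)

    def __post_init__(self):
        # Limits stated in the guide: smallest minimum is 1, largest maximum is 999.
        if not 1 <= self.min_chars <= self.max_chars <= 999:
            raise ValueError("need 1 <= min_chars <= max_chars <= 999")
        unknown = set(self.mandatory) - set(CLASSES)
        if unknown:
            raise ValueError(f"unknown character classes: {sorted(unknown)}")

    def violations(self, password: str) -> list:
        """Return every reason the password is rejected (empty list = accepted)."""
        problems = []
        if len(password) < self.min_chars:
            problems.append(f"shorter than {self.min_chars} characters")
        if len(password) > self.max_chars:
            problems.append(f"longer than {self.max_chars} characters")
        present = set(password)
        for name in sorted(self.mandatory):
            if not CLASSES[name] & present:
                problems.append(f"missing {name}")
        return problems

    def audit(self) -> list:
        """Flag settings weaker than the guide's recommendations."""
        findings = []
        if self.min_chars < RECOMMENDED_MIN:
            findings.append(f"min_chars below recommended {RECOMMENDED_MIN}")
        for name in RECOMMENDED_CLASSES:
            if name not in self.mandatory:
                findings.append(f"{name} not mandatory")
        # Edge case: each mandatory class needs at least one character, so a
        # very small maximum can make the policy impossible to satisfy.
        if len(self.mandatory) > self.max_chars:
            findings.append("unsatisfiable: more mandatory classes than max_chars")
        return findings


if __name__ == "__main__":
    weak = PasswordPolicy(min_chars=1, mandatory=frozenset())
    recommended = PasswordPolicy()
    print("weak policy findings:", weak.audit())
    # Constructed sample passwords, for illustration only.
    for candidate in ("a", "password", "Tr1cky-Pass"):
        print(repr(candidate), "->", recommended.violations(candidate) or "accepted")
```
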
Next up, enabling and disabling a directory.
Enable/Disable a Directory
There may come a time when you just need to turn off a directory. Maybe you're testing or debugging something. In these situations you can quickly and easily disable a directory. By disabling a directory you turn off the ability for any user accounts in that directory to authenticate into any mapped applications. Put another way, by disabling a directory you are disabling ALL of its groups and accounts.
To disable a directory you'll first need to find the target directory in the directory browser. Once you've found it, move your mouse over the "Actions" area on the right of the entry. There you'll see an option to "Disable". Alternatively, you can click on the text in the status column to toggle between enable and disable. When you attempt to disable a directory, you will receive a prompt asking you to confirm your action.
Enabling a directory that is already disabled is just as straightforward. Just go back to that directory in the directory browser and either click on the "enable" icon or click on the "disable" status to toggle it back to "enabled".
Sometimes, disabling a directory isn't enough. So we also offer you the ability to delete a directory.
Delete a Directory
The Stormpath Console allows you to delete a directory from the system. Deletion removes all of a directory's information, including its groups, accounts, and application mappings. Once a directory is deleted, the operation cannot be undone.
To delete a directory go back to the Directory browser and find the directory you want. Under the "Action" column, click on remove. To ensure safe operation, you'll receive a confirmation prompt. Once you confirm, the directory will be permanently deleted.
What is the Stormpath Administrator Directory?
The Stormpath Administrator Directory is a special directory that holds the list of user accounts that can access your Stormpath IAM tenant. As a result, it is the first directory available to you when you first create your Stormpath tenant. Additionally, it is considered special and certain operations cannot be performed on it. Specifically, you cannot delete or disable the Stormpath Administrator Directory. In addition, this directory cannot be unassigned from the Stormpath application.
Other than that, you can use the Stormpath Administrator Directory just like any other Directory. You can add and manage groups and accounts as well as map it to any number of applications in the system.
Because of the Stormpath Administrator Directory's special nature, we highly recommend you create your own directory for your needs.
For more information on the Stormpath Administrator Directory, please see Managing Users in your Stormpath Tenant.
Managing Applications
An application in Stormpath IAM represents a real world application that can communicate with your Stormpath tenant and your account directories. From within the Stormpath console you can register new applications, edit their details, remove them from the system, and manage which directories, groups, and accounts have the right to authenticate against that application.
Let's start our exploration of applications by registering a new application.
Add a new application
To add an application you first need to navigate to the Application browser by clicking on the "Application" link in the primary navigation menu.
That link will bring up the application browser. And from here you'll click on the "Register Application" button.

Ok, now you're on the Register Application screen. Registering an application has 4 steps: defining its details, selecting its login directories, narrowing those directories to specific groups (optional), and then confirming all your work before the application is created.
Step 1 – Application Details
The first step is defining the application's details.
Name - This field is the name of the application that will show up in all parts of the Stormpath IAM system. It should be something fairly descriptive so that people you collaborate with will understand what the application represents.
Description - This field is an area for you to provide any additional information about the application that you feel will be helpful for you and your team to know as you work with it in our system.
Status - Here you get two options, enabled and disabled. By default, the application is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that no one can log into this application until you're ready. (More on enabling and disabling applications)

When the form on the Details screen is complete, click "Next" to move on.
Step 2 – Login Directories
As noted in "Key Concepts", a login source is a directory or a group that a user must be in to be able to authenticate into the application. For example, if you have a directory named "Employees" and you set it as a Login Source, then only users in the Employees directory will be able to log in to your application. If you further refine the login source to the "Administrator" group in the Employees directory, then only accounts in that group within that directory can log in to your application.
So in this second step of the registration process, we will set up the application's login sources, specifically the login directories. On the screen for this registration step you'll see a list of all the directories available to you and your application. Select the directory or directories you would like your application to authenticate accounts against by checking the checkbox next to each. If you do not see the directory you want to use, you can click on "Create new directory." Doing so will cancel the current application registration process.
You must select at least one directory before you can move on to the next step.

Once you've selected your directories, move on to the next step by clicking "Next."
Step 3 – Login Groups
You can set your login sources to be either directories or, more narrowly, groups within certain directories. If you would like to narrow your login sources to specific groups you will do it in this screen or you can do it later on the Edit Application screen.
You will first see a list of the directories you selected in the last screen, "Login Directories." Each directory is by default set to allow all users to log in. You can change this for each directory by clicking on the drop down menu and selecting "Only specific groups".
You'll immediately see another drop down with the list of groups available to you in this directory. Select each group you want and click "Add Group."
You can add as many groups as you like. Each group you add will be listed below the drop down menu. To remove a group from the list, just click on "Remove" next to that group's name.

For more on Login Sources please see [Managing Login Sources].
When you're done selecting login groups, click "Next" to move on to the confirmation step.
Step 4 – Confirm
The final step in the application registration process is to confirm the information you have entered throughout the workflow. So please review that everything looks right. If it does, click "Finish." If it doesn't, click on "Prev" to step back through the workflow and change your inputs.

When you're done and you've clicked "Finish," you'll be sent to the new application's detail page and a small notification that the creation was complete will show in the upper right hand corner of the screen.
Now that we've created an application, let's go back and find our new application.
Find an application
To find an application in the Stormpath IAM console, first click on the "Applications" link in the primary navigation bar. This will bring up a list of all the existing applications that you have access to.
If you would like to refine the list, click on the search bar and enter your search criteria. Our search tool will search across application name and description.
Once you find the application you're looking for, you can click on the application's name and you'll go to its detail page, where you can edit the application, manage its login sources, see which accounts have access, and test login.
Edit an application
To edit an application you'll first need to get to its detail page by clicking on the application from any application list in the Console. Typically, you'll get to it through the application browser by clicking on the "Application" link on the primary navigation menu. From the Application browser you can click on the Application's name or on the "Edit" button in the "Actions" area on the right side of the entry.
Within the application detail page you can edit all the data you originally entered during application registration.
Name - This field is the name of the application that will show up in all parts of the Stormpath IAM system. It should be something fairly descriptive so that people you collaborate with will understand what the application represents.
Description - This field is an area for you to provide any additional information about the application that you feel will be helpful for you and your team to know as you work with it in our system.
Status - Here you get two options, enabled and disabled. By default, the application is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that no one can log into this application until you're ready. (More on enabling and disabling applications)
Enable/Disable an application
In the event that you need to turn off an application you just need to disable it in the Stormpath IAM Console. By disabling an application you turn off the ability for any user accounts to authenticate into it.
To disable an application you'll first need to find the target application in the application browser. Once you've found it, move your mouse over the "Actions" area on the right of the entry. There you'll see an option to "Disable". Alternatively, you can click on the text in the status column to toggle between enable and disable. When you attempt to disable an application, you will receive a prompt asking you to confirm your action.
Enabling an application that is already disabled is just as straightforward. Just go back to that application in the application browser and either click on the "enable" icon or click on the "disable" status to toggle it back to "enabled".
Sometimes, disabling an application isn't enough. So we also offer you the ability to delete an application.
Delete an application
The Stormpath Console allows you to delete an application from your tenant. Deletion removes all the application's information including its login sources and directory mappings. Once an application is deleted, the operation cannot be undone.
To delete an application go to the application browser and find the application you want. Under the "Action" column, click on "remove". To ensure safe operation, you'll receive a confirmation prompt. Once you confirm, the application will be permanently deleted.
What is the Stormpath IAM application listed in my Application Browser?
If you are an administrator for your Stormpath IAM tenant you will always see the Stormpath IAM application listed in your Application Browser. It means you have the ability to manage users and groups assigned to your tenant in Stormpath IAM. Managing your Stormpath tenant is the same as managing any other application you have registered, with a few exceptions. First, you cannot disable or delete the Stormpath IAM application. Second, you must always have at least one Login Source assigned to the Stormpath IAM application.
Managing Accounts
An Account is a unique user identity within a Directory. From within the Stormpath console you can create and manage an unlimited number of user accounts.
Add a New Account
To add an account you first need to navigate to the Directory browser by clicking on the "Directory" link in the primary navigation menu. Once in the Directory browser, select the Directory where you would like to create the account and click on its name or the "Edit" button under actions.
Within the Directory's screen, click the Accounts tab and then click on "Create Account."
Now you should be in the Account Create screen.
On this screen you will define the account's detail.
Username - a human readable unique identifier for an account
First name - The first name/given name for the user represented by the account you are creating.
Middle name - The middle name for the user represented by the account you are creating.
Last Name - The last name/surname for the user represented by the account you are creating.
Email - The email address for the user represented by the account you are creating. This needs to be an active email address so that the account can receive important notifications regarding their accounts.
Status - Here you get two options, enabled and disabled. By default, the account is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that this account cannot log into any applications until you're ready. (More on enabling and disabling accounts)
Password - A secret set of characters that an account must use to authenticate its identity. The password used must adhere to its parent directory's password policies.
Confirm Password - Retype the password used to ensure that they match.
When you're done just click "Create account" and you should be done.
Find an Account
To find an account in Stormpath IAM console, first click on the "Directory" link in the primary navigation bar. This will bring up a list of all your existing directories that you have access to. Click on the directory where you want to search for an account and then click on the "Accounts" tab on the Directory Screen.
Now you should be seeing a list of all the accounts in your directory. If you would like to refine the list, click on the search bar and enter your search criteria. Our search tool will search across accounts' full name (first, middle, last), username, and email address.
Once you find the account you're looking for, you can click on the account's name and you'll go to its detail page, where you can edit its details.
Edit an Account
To edit an account you'll first need to get to its detail page by clicking on the account from any accounts list in the Console. Typically, you'll get to your accounts by opening up a Directory and clicking on its "Accounts" tab and then clicking on the account you want to edit.
Within the account detail page you can edit all the data you originally entered during account creation.
Username - a human readable unique identifier for an account
First name - The first name/given name for the user represented by the account you are creating.
Middle name - The middle name for the user represented by the account you are creating.
Last Name - The last name/surname for the user represented by the account you are creating.
Email - The email address for the user represented by the account you are creating. This needs to be an active email address so that the account can receive important notifications regarding their accounts.
Status - Here you get two options, enabled and disabled. By default, the account is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that this account cannot log into any applications until you're ready. (More on enabling and disabling accounts)
Password - A secret set of characters that an account must use to authenticate its identity. The password used must adhere to its parent directory's password policies. You should only put a value in this field if you are trying to change an account's password.
Confirm Password - If you entered a new password in, then you'll need to retype the password used to ensure that they match.
When you're done just click "Update" and you're done.
Enable/Disable an Account
In the event that you need to turn off an account you just need to disable it in the Stormpath IAM Console. By disabling an account you turn off its ability to authenticate into any of your applications even if it has explicit access to it.
To disable an account you'll first need to find the target account in a Directory. Once you've found it, move your mouse over the "Actions" area on the right of the entry. There you'll see an option to "Disable". Alternatively, you can click on the text in the status column to toggle between enable and disable. When you attempt to disable an account, you will receive a prompt asking you to confirm your action.
Enabling an account that is already disabled is just as straightforward. Just go back to that account and either click on the "enable" icon or click on the "disable" status to toggle it back to "enabled". By enabling an account, you give it the ability to log into any applications that it has access to.
Sometimes, disabling an account isn't enough. So we also offer you the ability to delete an account.
Delete an Account
The Stormpath Console allows you to delete an account from a directory. Deletion completely removes an account and it means that the user cannot log into any of your applications.
To delete an account go to the account list within its parent Directory. Under the "Action" column, click on "delete". To ensure safe operation, you'll receive a confirmation prompt. Once you confirm, the account will be permanently deleted.
Managing Groups
A Group is a named collection of accounts within a Directory. From within the Stormpath console you can create and manage an unlimited number of user accounts.
Add a New Group
To add a group you first need to navigate to the Directory browser by clicking on the "Directory" link in the primary navigation menu. Once in the Directory browser, select the Directory where you would like to create the group and click on its name or the "Edit" button under actions.
Within the Directory's screen, click the Groups tab and then click on "Create Group."
Now you should be in the Group Creation screen.
On this screen you will define the group's detail.
Name - This field is the name of the group that will show up in all parts of the Stormpath IAM system. It should be something fairly descriptive so that people you collaborate with will understand what the group is and what types of user accounts are in it.
Description - This field is an area for you to provide any additional information about the group that you feel will be helpful for you and your team to know as you work with it in our system.
Status - Here you get two options, enabled and disabled. By default, the group is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that no one can authenticate against it until you're ready. (More on enabling and disabling groups)
When you're done just click "Create Group" and you should be done.
Find a Group
To find a group in Stormpath IAM console, first click on the "Directory" link in the primary navigation bar. This will bring up a list of all your existing directories that you have access to. Click on the directory where you want to search for a group and then click on the "Groups" tab on the Directory Screen.
Now you should be seeing a list of all the groups in your directory. If you would like to refine the list, click on the search bar and enter in your search criteria. Our search tool will search across groups' name and description.
Once you find the group you're looking for, you can click on the group's name and you'll go to its detail page, where you can edit its details.
Edit a Group
To edit a group you'll first need to get to its detail page by clicking on the group from any groups list in the Console. Typically, you'll get to your groups by opening up a Directory and clicking on its "Groups" tab and then clicking on the group you want to edit.
Within the group detail page you can edit all the data you originally entered during group creation.
Name - This field is the name of the group that will show up in all parts of the Stormpath IAM system. It should be something fairly descriptive so that people you collaborate with will understand what the group is and what types of user accounts are in it.
Description - This field is an area for you to provide any additional information about the group that you feel will be helpful for you and your team to know as you work with it in our system.
Status - Here you get two options, enabled and disabled. By default, the group is set to enabled because we assume you want to start using it right away. Alternatively, you can set it to disabled so that no one can authenticate against it until you're ready. (More on enabling and disabling groups)
When you're done just click "Update" and you're done.
Enable/Disable a Group
In the event that you need to turn off a group you just need to disable it in the Stormpath IAM Console. By disabling a group you turn off the ability for any user accounts in that group to authenticate into any mapped applications unless they are in another enabled group that also has access to those same applications.
To disable a group you'll first need to find the target group in a Directory. Once you've found it, move your mouse over the "Actions" area on the right of the entry. There you'll see an option to "Disable". Alternatively, you can click on the text in the status column to toggle between enable and disable. When you attempt to disable a group, you will receive a prompt asking you to confirm your action.
Enabling a group that is already disabled is just as straightforward. Just go back to that group and either click on the "enable" icon or click on the "disable" status to toggle it back to "enabled". By enabling a group, you give its accounts the ability to log into any applications that they have access to.
Sometimes, disabling a group isn't enough. So we also offer you the ability to delete a group.
Delete a Group
The Stormpath Console allows you to delete a group from a directory. Deletion completely removes a group and it means that the user cannot log into any of your applications.
To delete a group, go to the group list within its parent Directory. Under the "Action" column, click on "delete". To ensure safe operation, you'll receive a confirmation prompt. Once you confirm, the group will be permanently deleted.
Add an Account to a Group
To assign an account to a group in the Stormpath Console you will need to open up the group. You can do this by going to the Group Browser in the parent Directory and clicking on the target group. Within the Group's screen click on the "Accounts" tab.
Here you will see a list of all the accounts already in the group. To add a new account, click on the "Assign Account" button.
You will get an "Assign Account" screen. On this screen, select the user account you want to add and then click the "Assign Account" button.
Managing Login Sources
In Stormpath IAM, a Login Source represents a collection of accounts that may log in to an application. The account collection source can be an entire directory or an individual group within a directory. One or more Login Sources may be associated with an application.
Add a Login Source
To add a login source to a registered application, you'll first need to open up that application's details screen. You can get there by clicking on the right application in the Application browser. (See Find an Application for more details.) Once you're on the application's detail screen, click on the "Login Sources" tab.
Next click on the "Add Login Source" button. This should step you into the Add Login Source workflow.
The first step is to select the directory you want to use as your login source.
Second, you'll want to decide whether all groups in that directory should have access to your application or only specific groups.
If you select specific groups then you'll move onto the next step of picking the right groups by checking the checkbox next to their name. When you're done click "Add Login Source."
Prioritize Login Sources
The order in which you list your login sources is important. It tells Stormpath the order in which it should try to authenticate an account at runtime. When an account tries to authenticate we will try the login source with Rank 1 first and then work our way down until the user correctly authenticates or we reach the end of your list.
Important note - Stormpath IAM only counts an authentication attempt as invalid if it fails against all of the defined login sources.
To change the login priority, drag your login sources into the order you would like them and then click "Save Priority."
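The login source rules described in this guide (rank order, directory or group sources, and enabled/disabled status at each level), modeled as an added Python example; this is not Stormpath code. All class and function names, the PBKDF2 password storage, and the sample accounts are hypothetical or constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so this toy store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    enabled: bool = True

    @classmethod
    def create(cls, password: str, enabled: bool = True) -> "Account":
        salt = os.urandom(16)
        return cls(salt, hash_password(password, salt), enabled)

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, hash_password(password, self.salt))


@dataclass
class Group:
    members: set
    enabled: bool = True


@dataclass
class Directory:
    name: str
    accounts: dict                              # username -> Account
    groups: dict = field(default_factory=dict)  # group name -> Group
    enabled: bool = True


@dataclass
class LoginSource:
    directory: Directory
    group: Optional[str] = None                 # None = the whole directory

    def label(self) -> str:
        return self.directory.name + (f"/{self.group}" if self.group else "")

    def try_login(self, username: str, password: str) -> bool:
        d = self.directory
        account = d.accounts.get(username)
        # A disabled directory or a disabled account can never authenticate.
        if not d.enabled or account is None or not account.enabled:
            return False
        if self.group is not None:
            g = d.groups.get(self.group)
            # A disabled group grants nothing; another enabled source still may.
            if g is None or not g.enabled or username not in g.members:
                return False
        return account.check(password)


@dataclass
class Application:
    login_sources: list                         # index 0 is Rank 1
    enabled: bool = True

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the label of the first login source that accepts the
        credentials, or None when every source rejects them."""
        if not self.enabled:
            return None
        for source in self.login_sources:       # tried in rank order
            if source.try_login(username, password):
                return source.label()
        return None


def build_demo():
    """Constructed sample data reusing the guide's "Employees" directory
    and "Administrator" group names."""
    employees = Directory(
        "Employees",
        accounts={"alice": Account.create("A1ice-pass"),
                  "bob": Account.create("B0b-pass")},
        groups={"Administrator": Group({"alice"})},
    )
    partners = Directory("Partners", accounts={"alice": Account.create("Partner-pw1")})
    app = Application([LoginSource(employees, "Administrator"), LoginSource(partners)])
    return app, employees, partners


if __name__ == "__main__":
    app, employees, partners = build_demo()
    print(app.authenticate("alice", "A1ice-pass"))   # accepted at Rank 1
    print(app.authenticate("alice", "Partner-pw1"))  # falls through to Rank 2
    print(app.authenticate("bob", "B0b-pass"))       # not in the Administrator group
```
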
Remove a Login Source
Removing a Login Source removes the ability for its accounts to authenticate into your application unless those accounts are also members of another Login Source listed for your application. To remove a Login Source, go to the "Action" column for that Login Source and click the "Remove" button.