
HelloID

Access Management administration

This topic outlines the tasks that are part of the role of an administrator responsible for the HelloID Access Management.

Monitoring
  • Monitor HelloID using the built-in mechanisms; see HelloID administration.

  • Resolve Incidents:

  • Monitor the use of licenses via the License widget on the Admin dashboard.

  • Monitor all systems and applications connected to the Access Management module.

  • Review and update certificates.

    Tip

    Ensure procedures are in place to replace certificates before they expire, to prevent downtime in the Single Sign-On (SSO) connections.

  • Monitor the organization for changes that may affect the configuration of HelloID Access Management.

    The Access Management configuration helps you discover and regularly check the relevant details of your HelloID Access Management configuration.

Troubleshooting

For user management tasks and issues, see HelloID tenant and user administration.

1. An application is inaccessible.

| Suggested action | On the Admin dashboard, go to | See |
| --- | --- | --- |
| Check the application access rules | Security > Policies > Application Access Rules | Application access rules |
| Check which groups have access to the application | Applications > Applications > Edit application > Groups | Grant a group access to an application |
| In case of a SAML, OpenID Connect or WS-Federation application: check whether the certificate is valid | Settings > Certificates > Show certificate usage in applications | View all active certificates |
| If an infinite loop occurs, add an application shortcut | Applications > Applications > Open Application Catalog > click Add for Generic Shortcut | Application shortcuts |

2. A certificate is about to expire.

| Suggested action | On the Admin dashboard, go to | See |
| --- | --- | --- |
| Update the certificate | Applications > Applications > Edit application > Configuration | Update an expired app certificate; App setup guides |

Important

Replace the certificate before it expires.

SAML and WS-Federation-based Single Sign-On (SSO) applications may continue to function with an expired certificate, although this is not recommended. OpenID Connect, however, requires a valid (i.e., unexpired) certificate.

Depending on the supplier, the certificate might need to be added manually, or it may update automatically using metadata (a "well-known configuration" document), which is refreshed every few minutes or hours. If you only update the certificate in HelloID and not on the supplier's side, it may cause downtime for the SSO connection.
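
The expiry guidance above can be turned into a routine check. The following is an added example, not HelloID code: it triages a hand-maintained certificate inventory by protocol and by how the supplier picks up a new certificate. The SsoApp fields, the sample entries and the 30-day warning window are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class SsoApp:  # hypothetical record; HelloID does not export this format
    name: str
    protocol: str          # "SAML", "WS-Federation" or "OpenID Connect"
    cert_not_after: date   # expiry date of the certificate the app uses
    supplier_update: str   # "metadata" (refreshed automatically) or "manual"

def triage(apps, today, warn_days=30):
    """Return (severity, app name, advice) tuples, most urgent first."""
    findings = []
    for app in apps:
        days_left = (app.cert_not_after - today).days
        if days_left < 0 and app.protocol == "OpenID Connect":
            # OpenID Connect requires an unexpired certificate.
            sev, advice = 0, "expired: a valid certificate is required, replace now"
        elif days_left < 0:
            # SAML / WS-Federation may keep working, which hides the problem.
            sev, advice = 1, "expired: may still function, replace now"
        elif days_left <= warn_days:
            sev, advice = 2, f"expires in {days_left} days: schedule replacement"
        else:
            continue
        if app.supplier_update == "manual":
            # Updating only the HelloID side can break the SSO connection.
            advice += "; coordinate the change with the supplier"
        findings.append((sev, app.name, advice))
    return sorted(findings)

# Constructed sample inventory and reference date (illustrative values only).
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_APPS = [
    SsoApp("wiki", "SAML", date(2026, 1, 1), "metadata"),
    SsoApp("helpdesk", "WS-Federation", date(2025, 6, 15), "manual"),
    SsoApp("hr-portal", "SAML", date(2025, 5, 25), "manual"),
    SsoApp("intranet", "OpenID Connect", date(2025, 5, 20), "metadata"),
]

if __name__ == "__main__":
    for sev, name, advice in triage(SAMPLE_APPS, SAMPLE_TODAY):
        print(f"[{sev}] {name}: {advice}")
```

Severity 1 is the case to watch: an expired SAML or WS-Federation certificate produces no visible failure, so it surfaces only through a check like this one.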

3. The use of licenses is exceptionally high.

Note: By default, new applications are added to the Users group. This means the application can be assigned to all synced users, even if they do not use HelloID Access Management. This may lead to extra license costs, because each user uses a license as soon as the application is assigned.

| Suggested action | On the Admin dashboard, go to | See |
| --- | --- | --- |
| Verify that no application is accessible to all users | Applications > Applications > Edit application > Groups | Grant a group access to an application |

Helpdesk tasks/maintenance

1. An application must be temporarily disabled or hidden.

| Suggested action | On the Admin dashboard, go to | See |
| --- | --- | --- |
| Hide or disable the application via its settings in HelloID. Note: When disabling SAML, OpenID Connect or WS-Federation applications, the metadata/well-known configuration endpoints are also disabled. | Applications > Applications > Edit application | Edit an application; Application settings reference |

2. An application must be added, edited, or removed.

Add, edit, or remove an application.

3. SSO claims need to be adjusted for an application. For example, instead of an email address, the employee ID must be sent to the application.

| Suggested action | On the Admin dashboard, go to | See |
| --- | --- | --- |
| Add or customize an application mapping set | Directory > Mapping Sets | Application mapping sets |