IGA Guide: Setting Up and Using Tide IGA

This guide walks you through setting up and using Tide's Identity Governance & Administration (IGA) system. Focus areas include protecting JWT signing keys, managing user roles, and controlling client settings through a multi-admin approval workflow.

Prerequisites

Before you begin, ensure you have:

  • An admin account in your IGA-enabled realm.
  • A Tide IDP-backed realm with an activated license.
  • Familiarity with access tokens, roles, and client scopes.
  • Access to the Tide admin console.
  • The latest TideCloak version installed.

Process Overview

[Figure: TideCloak IGA Setup Overview]

1. Enable IGA

  1. Go to Realm Settings → Identity Governance and Administration.
  2. Toggle Enable IGA on.

2. Create the First IGA Admin

2.1 Add a User

  1. In the left menu, select Users → Add user.
  2. Fill in the username (e.g. iga_admin_1) and click Save.

2.2 Link Tide Account

  1. Click the new user → Credentials tab → Credential Reset.
  2. Under Reset action, choose Link Tide Account.
  3. Click Copy Link and open it in your browser.
  4. Sign in or sign up for your Tide account.

2.3 Assign Realm Admin Role

  1. Select the user → Role Mapping tab → Assign role.
  2. Add the tide-admin-role.

2.4 Approve Role Assignment

  1. Go to Change Request in the left menu.
  2. Under Grant Role to User, click Review Draft.
  3. Check the confirmation box, then click Commit Draft.

3. Add Additional Admins

Repeat steps 2.1-2.4 for each new admin.

  • After 2 admins, any change requires 2 of 2 approvals.
  • Adding a 3rd admin raises the threshold to 2 of 3 (70% of total admins).

Example threshold formula:

```
RequiredAdmins = ceil(TotalAdmins × 0.7)
```


4. Accessing Change Requests

  1. Log in to the TideCloak Admin Console (https://<your-domain>/admin/<realm>/console/).
  2. From the left menu, select Change Request.

4.1 Tabs Overview

  • Users: Role assignment/removal requests.
  • Roles: Role creation/modification requests.
  • Clients: Client scope and setting requests.

5. Managing Change Requests

5.1 Approving Drafts

  1. Under Change Request, select the Draft entry.
  2. Click Approve Draft, then Commit Draft.

5.2 User Role Changes

  • Assign or remove roles via Users → Role Mapping → Assign/Unassign.
  • A draft appears in Change Request → Users.
  • Approve and commit to finalize.

5.3 Role Management

  • Manage roles under Clients → Roles tab.
  • Create or modify roles; user-impacting changes generate drafts.
  • Approve via Change Request → Roles.

5.4 Client Scope Changes

  • Modify scopes under Clients → Client Scopes.
  • Changes affecting permissions generate drafts in Change Request → Clients.
  • Approve and commit to apply.

6. Default Roles Management

Parent roles (e.g., default-roles-myrealm) group child roles and auto-assign them to new users.

  1. Go to Realm Roles → default-roles-myrealm.
  2. Add or remove child roles.
  3. Changes require the same IGA approval process.

7. Action Types in Change Requests

| Action | Type | Trigger |
|---|---|---|
| Granting Role to User | User | Assign role in Role Mapping |
| Unassigning Role from User | User | Remove role in Role Mapping |
| Granting Role to Composite Role | Role | Add child role under Roles |
| Enabling Full Scope | Client | Toggle Client Scopes → Full Scope |

Congrats! You've set up Tide IGA and learned how to manage governance over users, roles, and clients with multi-admin approval.