Proxy Application
  • 19 Oct 2023
  • 3 Minutes to read
  • Contributors
  • Dark
  • PDF

Proxy Application

  • Dark
  • PDF

Article Summary

What is a proxy application?

Sometimes you may need to connect to an application that does not have an API that Clarity can connect to. Common examples are in-house developed applications or applications that rely on Active Directory to provision their users' access.

If the application supports provisioning through a 3rd party app, like Active Directory or Okta, you are in luck! This is where Proxy Applications come in. By creating a proxy application, you can still keep track of your users' access by tracking the entitlements in the 3rd party application.

Let's say that we have a custom-built application called "TuneTracker" which we use to catalog rights management for songs, performers, and songwriters. TuneTracker handles user management through direct integration with Active Directory. In Active Directory, you have three groups set up for TuneTracker to use: Admins, Managers, and Users. To give someone access to TuneTracker, they must exist in Active Directory and be a member of one or more of these groups. We can set up a proxy application for TuneTracker within Clarity that will track the Active Directory groups, and allow you to provision into those groups as if you were provisioning into TuneTracker directly.

App Setup

First, we want to start by selecting "Proxy Application" from the Application Marketplace.

On the application onboarding screen, pick a unique name and identifier. For our example, we'll use "TuneTracker" and "tunetracker" respectively. You can leave appIcon blank to use Clarity's default, or you can input a url to the app icon of your choice. You would see something like this:


Once you hit the "validate" button, on the next page,select "Manual" for the sync option, select the appropriate application owner from your organization, and then for trust relationship and trust permissions, select "Recipient only" and "Read + Provision/DeProvision". You do not need to select a default entitlement at this time.


On the last page of the application configuration select your desired preference for "Allow automatic account creation". The rest of the values should be left as "No".

Proxy Service - Configure App Step 3

Once you are done, click Save.

Configuring your proxy entitlements

Now that the application configuration is done, we can start to set up our proxy entitlements. When you view any proxy application, you'll notice a button in the header marked "Create Entitlement".


Clicking this button will take you to the workflow for create an entitlement/entitlement group. In our example, we'll want to create one entitlement for every entitlement in TuneTracker that we want to provision using our corresponding Active Directory groups.

First off, we need to give our proxy entitlement a name; in this case "Users". I'll then select "TuneTracker" under "Application to add entitlement/group to". Then using the table below, I can filter the list of entitlements to find the specific entitlement in Active Directory that I want to provision into. We'll select that entitlement by clicking the checkbox next to it, then "review entitlements" to finalize our selection.


Once you are satisfied, click "Create Entitlement/Group". We'll repeat this process for our other two entitlement for Admins and Managers.

So what?

Now that we've gone through all that effort, what can we do? Well, we can now treat the proxy application as if it were any other application within Clarity. We can see all of its users, we can provision the entitlements, remove entitlements, and run reports. The only difference is that when we provision or deprovision entitlements, we aren't actually touching TuneTracker directly, we're really touching the Active Directory groups.

But why don't we just provision the Active Directory groups directly instead? Well, that is certainly an option, but Proxy Apps allow you to create easy-to-use, easy-to-remember placeholders for your Active Directory entitlements. For instance, instead of "TuneTracker_Admin" it could have been called "TnTkADM" which only an internal user familiar with the product would be familiar with. By creating Proxy Applications and Proxy Entitlements, you can have the best of both worlds. The functionality as well as ease of use for access management and certification.

Need help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.