---
title: Cloud Broker
description: Cloud Broker is an OpenLM Platform service that connects to SaaS platforms to monitor and manage their licensing data.
product: OpenLM Platform
---

Cloud Broker is an OpenLM Platform service that connects to SaaS platforms to monitor and manage their licensing data. It establishes secure API communication with cloud applications, and retrieves information such as usage, provisioning, and user activity.

You can access Cloud Broker directly from the OpenLM Platform.

## Configuration steps

Follow these steps to configure Cloud Broker:

1. From the Navigation panel, select Cloud Broker.
2. Select the SaaS service you want to configure.
3. Edit the configuration parameters as needed.
4. Select Save.

For platform‑specific configuration guides, see the [SaaS platform docs](https://openlm.com/documentation/cloud/data-collection/connect-license-managers/saas-platforms/intro).

## Identity discovery

Use the Identity Discovery service to track login activity from your identity providers (IdPs). Identity Discovery collects user login events and brings them into OpenLM so you can see who logged in, when they logged in, and what service they used. IUDS supports multiple identity accounts, including several accounts of the same type.

:::note
Identity Discovery collects only login metadata. It does not collect passwords or authentication secrets.
:::

### Workstation Agent requirement

Deploy the Workstation Agent on all end-user workstations. Identity Discovery relies on it to collect and map login activity to users.

### What identity discovery does

Identity Discovery connects to your IdPs using the credentials you provide. The service checks for new login activity every ten minutes and sends the events to OpenLM.

It collects the following information:

- Username  
- Login source (Okta, Auth0, Azure AD, or Ping Identity)  
- Application or page title, when available  
- Timestamp  
- Workstation or IP address, if provided by the IdP  
- Accessed URL, for Okta only

### How often data is collected

Identity Discovery runs every ten minutes.  
It imports only events that occurred after the last successful update.

:::tip
If you update IdP credentials (API keys or secrets), save the changes immediately to avoid gaps in event collection.
:::

### Supported identity providers

Identity Discovery works with the following IdPs:

- Okta  
- Auth0  
- Azure Active Directory  
- Ping Identity

You can add multiple instances of the same provider.

### Configure identity discovery

Configure Identity Discovery in the Cloud Broker UI.

**Location:**  
Cloud Broker → **Identity Discovery services**

From this page, you can:

- Add identity accounts  
- Edit account settings  
- Deactivate or delete accounts  

There is no limit to how many identity accounts you can create.

:::warning
Deleting an identity account stops data collection immediately.  
This may affect your usage and audit reports.
:::

### Required settings

Each provider requires specific settings. Retrieve these values from your IdP's admin console.

### Okta

| Setting | Description |
|--------|-------------|
| Domain | Your Okta domain (example: `dev-12345.okta.com`) |
| API key | API token with log-reading permissions |

### Auth0

| Setting | Description |
|--------|-------------|
| Domain | Your Auth0 tenant domain |
| Client ID | Application Client ID |
| Client secret | Application Client Secret |

### Azure Active Directory

| Setting | Description |
|--------|-------------|
| Tenant ID | Directory (tenant) ID |
| Client ID | App registration Client ID |
| Client secret | App registration Client Secret |

### Ping Identity

| Setting | Description |
|--------|-------------|
| Domain | PingOne domain (example: `pingone.eu`) |
| Environment ID | PingOne environment identifier |
| Client ID | OAuth Client ID |
| Client secret | OAuth Client Secret |

### How data appears in OpenLM

After configuration:

1. Identity Discovery collects login events from your IdP.  
2. OpenLM matches each event to a known user.  
3. Events appear in usage analytics, touch-point reports, and user activity views.

:::note
If an identity event does not match any existing user, the user may appear as "unresolved."  
Check your user directory sync settings if you see this.
:::
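
The following added example is a simplified model, not OpenLM code. It illustrates the behavior described in "How often data is collected" and "How data appears in OpenLM": each cycle imports only events newer than the last successful update, and events with no matching user are flagged as unresolved. The `IdentityAccount` class, the key names, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timezone


def at(hour, minute):
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample data standing in for an IdP's login log and OpenLM's user list.
IDP_LOG = [
    (at(9, 2), "alice@example.com", "Okta"),
    (at(9, 14), "bob@example.com", "Okta"),
    (at(9, 27), "carol@example.net", "Okta"),
]
KNOWN_USERS = {"alice@example.com", "bob@example.com"}


class IdentityAccount:
    """Hypothetical model of one identity account; not an OpenLM class."""

    def __init__(self, accepted_key, last_success):
        self.accepted_key = accepted_key  # key the IdP currently accepts
        self.last_success = last_success  # time of the last successful update

    def poll(self, saved_key, now):
        """Run one collection cycle; return imported events or None on failure."""
        if saved_key != self.accepted_key:
            return None  # credential rejected: nothing imported, marker unchanged
        fresh = [e for e in IDP_LOG if self.last_success < e[0] <= now]
        self.last_success = now  # advance only after a successful fetch
        return [resolve(e) for e in fresh]


def resolve(event):
    """Map an event to a known user, or flag it as unresolved."""
    when, username, source = event
    status = "matched" if username in KNOWN_USERS else "unresolved"
    return {"time": when, "user": username, "source": source, "status": status}


def run_cycles():
    """Key rotated at the IdP at 09:05; the new key is saved in Cloud Broker at 09:25."""
    account = IdentityAccount(accepted_key="new-key", last_success=at(9, 0))
    schedule = [(at(9, 10), "old-key"), (at(9, 20), "old-key"), (at(9, 30), "new-key")]
    return [account.poll(key, now) for now, key in schedule]


if __name__ == "__main__":
    for cycle in run_cycles():
        print(cycle)
```

In this model, the two cycles that run with the stale key import nothing, so reports show no login activity for that window until the first cycle after the new key is saved.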

### Licensing

OpenLM counts users whose login activity is collected and mapped to user records.  
These users appear in usage reports according to your licensing model.

:::warning
If you activate Identity Discovery for many IdP tenants, the number of tracked users may increase.  
Review your license limits if you monitor large identity estates.
:::
