Application Types

Summary: Developers need to be aware of the types of applications that can meet their need for integration with ADP.

By understanding the ADP Marketplace application types, developers can make an informed decision about which application type to use for their integration need. Developers may use both types together to address a broader integration need.

  Data Connector End User Application

Purpose / Use

  1. Application connects and consumes data without end-user involvement in the flow
  2. End-user identity is not needed to provide the service
  3. Data exchange between an external system and ADP can occur without the context of end-user authorizations and while end-user is not in session with ADP
  1. Application connects and consumes data with end-user involvement in the flow
  2. End-user identity is needed to provide the service
  3. Data exchange between an external system and ADP occurs in the context of end-user authorizations and while end-user is in session with ADP
Use Cases
  1. Data synchronization at an organization level between internal systems and ADP system of record
  2. Send organization-level data to ADP systems on a periodic basis via a scheduler
  1. Retrieve or post data to ADP on behalf of end-user
  2. Gain access to ADP systems at runtime with consent of end-user
Application Registration Required
Application Scope Established during application registration and approved by ADP; may not change while the application is active
Application Distribution Application can be distributed using ADP Marketplace
Application Subscription An ADP client (subscribing organization) may purchase and subscribe to the application.  Client may cancel subscription at any time. ADP may suspend subscription at any time.  Subscription must be active for consumer application to retrieve/post data from/to ADP.
Application Authentication ADP issues a unique set of credentials (client_id and client_secret) for each subscribing organization ADP issues one set of credentials (client_id and client_secret) for application
API Actor API actor is the client agent, a pre-assigned system (non-human) user API actor is the end-user
API Actor Authentication Client agent is not authenticated; ADP sets the user context (client agent) once application authenticates successfully ADP authenticates end-user and sets the user context (end-user) once application authenticates successfully
API Actor Role API actor is set to practitioner role Application may choose to provide end-user role during interaction; this role may further restrict end-user authorizations
User Assignment Usually not assigned to other users in the organization. Visible only to the purchaser under My Apps. Purchaser may asign to other users in the organization. Once assigned, it appears under My Apps for assigned users. User assignment is done via Assign Apps feature.
Consent Collection Consent is collected from the purchaser (one per organization) of the application after the purchase.  Consent does not expire but the purchaser can revoke consent at any time. Consent is collected from end-user at runtime once authentication is successful and re-collected every 90 days. End-user may revoke consent at any time.
API Authorization Client agent authorizations drive functional authorizations and data entitlements End-user authorizations drive functional authorizations and data entitlements
OAuth2 Grant Type client_credentials authorization_code
Access Token Access token is issued once application authenticates successfully at the token endpoint Application must first send-user to ADP for authorization.  ADP issues authorization code once end-user is successfully identified.  Application then retrieves access token from ADP by authenticating itself and presenting the access token.
Access Token Expiration 60 minutes from the issuance time
Refresh Token Not supported
Transport Security Transport-level security (HTTPS) is required at all endpoints (authorization, token and API). Strong authentication with client certificate is required at token endpoint.