Chat now with support
Chat with Support

Password Manager 5.13.2 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring access to the Administration Site Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Extensibility features

Extensibility features allow you to customize and extend the Password Manager functionality. The features include the following:

  • Custom activities

  • Built-in web service

  • Custom web services

  • Importing and exporting activities and workflows

  • Troubleshooting mode

All these features are available only after you turn the extensibility on.

To turn extensibility features on

  1. Open the Administration Site and click the General Settings tab.

  2. On the General Settings page, select the Extensibility tab.

  3. On the Extensibility settings page, click the upper Turn on button.

After you turn the extensibility features on, you can also turn on the troubleshooting mode. When the troubleshooting mode is on, the following additional information is displayed:

  • Identifiers of activities and workflows (on the Administration Site)

  • PowerShell output (on the Self-Service Site)

To turn the troubleshooting mode on

  1. Open the Administration Site and click the General Settings tab.

  2. On the General Settings page, select the Extensibility tab.

  3. On the Extensibility settings page, click the upper Turn on button.

  4. Click the Turn on button under the troubleshooting mode.

Extensibility features overview

Custom activities are activities whose behavior is defined by a PowerShell script. You can create a custom activity from scratch or convert a built-in activity to a custom one. For more information, see Custom activities and the Password Manager SDK.

The built-in web service allows a third-party system to access a whole workflow or a specific activity using HTTP and data exchange in XML and JSON formats. You can use the built-in web service to run a workflow and to interfere in a workflow running process. For more information, see the Password Manager SDK. For experimenting with the built-in web service, a Swagger UI is provided. For more information on how to use Swagger UI, see https://swagger.io/tools/swagger-ui/.

NOTE: The extensibility features are only supported by One Identity Professional Services, and are not covered by One Identity Technical Support.

Custom web services allow you to further extend the Password Manager functionality and enable scenarios that cannot be implemented with custom activities and the built-in web service. For example, you can create a custom web service that assigns passcodes to users employing the assign passcode functionality in Password Manager. For more information, see the Password Manager SDK.

Import/export of activities and workflows allows you to copy and share custom activities and workflows. For more information, see Importing and exporting workflows and Importing and exporting custom activities.

The troubleshooting mode provides you additional information about workflows and activities and their execution. When this mode is enabled, on the Administration Site you can view identifiers of workflow and activities; you can use these identifiers in PowerShell scripts. On the Self-Service Site, you can view the PowerShell output that allows you to troubleshoot the scripts.

RADIUS Two-Factor Authentication

RADIUS Two-Factor Authentication enables two-factor authentication on Password Manager. RADIUS Two-Factor Authentication uses one-time passwords to authenticate users on the Self-Service Site and Helpdesk Site.

To configure RADIUS Two-Factor Authentication in Password Manager, you have to configure the RADIUS server details in Password Manager.

To configure RADIUS Two-Factor Authentication

  1. On the home page of the Administration Site, click General Settings > RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed.

  2. Click Add RADIUS server to add a new RADIUS server for authentication.

    RADIUS Two-Factor Authentication page is displayed.

    NOTE: You can add only two servers, one is used as a primary server and the other as a secondary server. The server that is created first is considered as the primary server and used for RADIUS authentication.

  3. In the RADIUS Server (IP address or hostname) field, enter the RADIUS server IP address.

  4. In the Port number field, enter the port number assigned during configuration of RADIUS.

  5. In the RADIUS Shared Secret field, enter the password set during RADIUS configuration.

  6. Specify the Active Directory attribute to authenticate the user from the drop-down menu.

  7. From the Additional RADIUS Attribute section, select the required RADIUS attribute from the drop-down menu. Specify the value for the selected attribute and click +.

    The RADIUS attributes and the corresponding values that you add is displayed.

    NOTE: The RADIUS attributes supported are NAS-IP-Address, NAS-Port, NAS-Port-Type, and NAS-Identifier.

  8. Click Save.

For more information, see Authenticate with RADIUS Two-Factor Authentication.

Working with RADIUS servers

You can create two RADIUS servers to authenticate users on the Self-Service Site and Helpdesk Site through RADIUS Two-Factor authentication.

To configure RADIUS Two-Factor Authentication in Password Manager, you have to configure the RADIUS server details in Password Manager. For more information on creating and configuring a RADIUS server, see RADIUS Two-Factor Authentication.

To swap RADIUS servers

  1. On the home page of the Administration Site, click General Settings > RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Interchange RADIUS servers to swap the priority of the RADIUS servers between primary and secondary priority.

To modify RADIUS servers

  1. On the home page of the Administration Site, click General Settings > RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click the modify icon to modify the properties and attributes of RADIUS servers.

    NOTE: The status of the RADIUS server is periodically scanned every 5 minutes.

To disable RADIUS servers

  1. On the home page of the Administration Site, click General Settings > RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Disable to disable a RADIUS server.

  3. A message is displayed to confirm, click Disable.

    The server is disabled.

    NOTE:

    • On disabling a RADIUS server, the other RADIUS server by default becomes the primary server.

    • You can enable a server that was disabled earlier.

To delete RADIUS servers

  1. On the home page of the Administration Site, click General Settings > RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Delete permanently delete the RADIUS server.

  3. A message is displayed to confirm, click Delete.

    The server is Deleted.

During a workflow execution, the ping to the RADUIS server to check the status of the RADIUS server is temporarily interrupted. The status check continues after the authentication process in the workflow is completed successfully.

For more information, see Authenticate with RADIUS Two-Factor Authentication.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating