Identity Manager 8.1.5 - Web Application Configuration Guide

Displaying user-specific processes in the Web Portal Configuring self-registration of new users Configuring the four eyes principle for issuing a passcode. Configuring password questions

WebAuthn security keys

WebAuthn configuration

Step 1: Configuring an OAuth certificate Step 2: Configuring the RSTS Step 3: Configuring the application server Step 4: Configuring the web application

Starling Two-Factor Authentication

Setting up Starling Two-Factor Authentication Starling Two-Factor Authentication for specific people Logging in without Starling 2FA tokens Activating Starling Two-Factor Authentication for the Operations Support Web Portal

Password Reset Portal

Setting up a Password Reset Portal

Installing the Password Reset Portal Authentication Settable passwords Excluding passwords from being reset

Central password

Defining password dependencies Setting a central password Configuring checks for all passwords

Setting up a new application token Configuring Password Reset Portal login using target system user accounts

Recommendations for secure operation of web applications

Using HTTPS Disable automatic password storage Disabling the HTTP request method TRACE Using HTTP Strict Transport Security (HSTS) Disabling insecure encryption mechanisms Setting the "HttpOnly" attribute for ASP.NET session cookies Setting the "same-site" attribute for ASP.NET session cookies Setting the "secure" attribute for ASP.NET session cookies Disabling Windows IIS 8.3 short names Removing the HTTP response header in Windows IIS Creating X-Frame-Options HTTP response header Running web applications in release mode

Settable passwords

Users can set the following default passwords.

Table 15: Password overview
User	Password	Table / Column
Everyone	Own password	Person.DialogUserPassword
Everyone	User account password, which is Directly assigned to the current employee. - OR - Assigned to the current employee's sub identity. - OR - Assigned to the current employee's sponsored identity, service identity or group identity. - OR - Assigned to one of the current user's shared user accounts.	AADUser.Password ADSAccount.UserPassword CSMUser.Password EBSUser.Password GAPUser.Password LDAPAccount.UserPassword NDOUser.Password SAPUser.Password UNSAccountB.Password UNXAccount.UserPassword
Members of the application role Base roles \| Administrators	Password for individual system users	DialogUser.Password

NOTE: The system user is not suggested for resetting the password in the following cases:

If external password management is enabled for the system user.
If the system user is enabled as service account.

If the system user is used for automatic software updating of One Identity Manager web applications.

These cases are implemented in the QER_PasswordWeb_IsAllowSet script, which can be overwritten.

If the system user is used for role-based login.

In this case, the system user is not accepted by the Password Reset Portal.

Excluding passwords from being reset

Table 16: Script for resetting passwords
Script	Description
QER_PasswordReset_IsAllowSet	Specifies whether resetting a password in the Password Reset Portal is allowed.

To prevent users from setting passwords by mistake, you can exclude certain password from being reset.

User cases for this may be passwords that are calculated from other values or passwords for target systems that are only connected as read-only.

NOTE: In "QER_PasswordWeb_IsAllowSet", the system user is prevented, by default, from resetting the password in the following cases.

If external password management is enabled.
If the system user is enabled as service account.
If the system user is used for automatic software updating of One Identity Manager web applications.

To exclude passwords from being reset

Open the Designer.
Find "QER_PasswordReset_IsAllowSet".
Use "QER_PasswordReset_IsAllowSet" as the basis for an overrideable script with the following parameters.
1. Current user's UID_Person.
2. Object's key (ObjectKey) offered for password reset.
3. Password column name.
Save the setting in the Designer.
Compile the Password Reset Portal.

Central password

Apart from setting individual passwords in the Password Reset Portal, you can also set the central password. Each user has a central password, with which other passwords can be managed depending on the configuration of the target system.

Defining password dependencies

By defining password dependencies, you specify which passwords are managed through the central password.

Table 17: Script for declaring passwords
Script	Description
QER_PasswordWeb_IsByCentralPwd	By default, the script checks whether "QER \| Person \| UseCentralPassword" is set. If the configuration parameter is set, the employee's central password is mapped to the password column of the employee's user account. A user account must be linked to the current user, it cannot be a privileged account. The script can be overwritten.

To define password dependencies

Open the Designer.
Search QER_PasswordWeb_IsByCentralPwd.
Use "QER_PasswordWeb_IsByCentralPwd" as the basis for an overrideable script with the following parameters.
1. Current user's UID_Person.
2. Object's key (ObjectKey) offered for password reset.
3. Password's column name.
Using this input parameter, the script must return the information regarding whether or not a password is managed by the central password.
Save the setting in the Designer.
Compile the Password Reset Portal.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

Bitte w&auml;hlen Sie Ihr Produkt aus:

Damit wir Ihnen besser helfen können, geben Sie den Grund Ihres Chats an:

Empfohlene Lösungen für Ihr Problem

Identity Manager 8.1.5 - Web Application Configuration Guide

Settable passwords

Excluding passwords from being reset

Central password

Defining password dependencies

Bitte wählen Sie Ihr Produkt aus: