Configuring each application
Configuring step-up authentication for an application is a two stage procedure. The:
- Front-end authenticator must be configured to support two factor authentication
- Application must be configured for step-up authentication.
|
|
NOTE: If multiple front-end authenticators are configured, step-up authentication is only available for users who authenticate with front-end authenticators that have two-factor authentication configured. |
To configure the front-end authenticator for step-up authentication
- Navigate to the Front-end Authentication page and click the name of the authenticator that you want to configure.
- Click the Two Factor Authentication tab.
- Select Use two factor authentication for specific applications.
- Configure the RADIUS connection settings if not already configured, please refer to Configuring a front-end authentication method for further information.
To configure the application for step-up authentication
- Navigate to the Applications page and click the name of the application that you want to configure.
- Click the Two Factor Authentication tab.
-
From the list, select the users who will require two factor authentication to access the application. This will be either:
- All users of this application require two factor authentication, or
- Roles determine which users require two factor authentication.
-
If you are configuring role based access, select the required roles from the Standard authentication roles list and click Add Role to add the role to the list of Two factor authentication roles.
Configuring for external users
Two factor authentication may also be applied only for external users. In this context, external users are defined as users whose IP addresses do not fall in the following ranges:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
Two factor authentication for external users may be configured either to apply to all applications, or it can be configured on a per application basis.
To configure two factor authentication for external users for all applications
- Navigate to the Front-end Authentication page and click on the name of the authenticator that you want to configure.
- Click the Two Factor Authentication tab.
- Select Use two factor authentication for all applications for external users only.
- Configure the RADIUS Connection Settings if not already configured, please refer to Configuring a front-end authentication method for further information.
To configure two factor authentication for external users for specific applications
- To configure the front-end authenticator follow the steps in To configure the front-end authenticator for step-up authentication.
- To configure the application follow the steps in To configure the application for step-up authentication.
- Select the Only use two factor authentication for external users check box on the application's Two Factor Authentication tab.
Joining Cloud Access Manager to One Identity Starling
Integrating Cloud Access Manager with One Identity Starling allows you to take advantage of companion features from Starling services, such as Starling Two-Factor Authentication and Starling Identity Analytics & Risk Intelligence.
In order to use Starling 2FA with Cloud Access Manager, you first need to join Cloud Access Manager to Starling. This is done using the One Identity Starling section of the Features page. This section also includes the following links, which provide assistance with Starling:
- Visit us online to learn more displays the Starling login page where you can create a new Starling account.
- Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
Prerequisites
In order to join Cloud Access Manager with Starling, first configure the following:
- A valid license for Cloud Access Manager with One Identity Hybrid included.
- A Starling Organization Admin account or a Collaborator account associated with the One Identity Hybrid subscription. For more information on Starling, see the One Identity Starling User Guide.
To join Cloud Access Manager to One Identity Starling
- Navigate to the Settings section in the Cloud Access Manager Administration Console.
- Click Turn Features On/Off to open the Features page.
-
In the One Identity Starling section, click Join to Starling.
NOTE: The following additional information may be required:
- If you do not have an existing session with Starling you will be prompted to authenticate.
- If your Starling account belongs to multiple organizations you will be prompted to select which organization Cloud Access Manager will be joined with.
- Copy the Credential String and Token Endpoint values from the Starling Join dialog.
- Enter these values in the fields provided in Cloud Access Manager.
-
Click Save.
To unjoin Cloud Access Manager from Starling 2FA
- Navigate to the Settings section in the Cloud Access Manager Administration Console.
- Click Turn Features On/Off to open the Features page.
-
In the One Identity Starling section, click Unjoin Starling.
Cloud Access Manager will no longer be joined to Starling. A Starling Organization Admin account or Collaborator account associated with the One Identity Hybrid subscription can rejoin Cloud Access Manager to Starling at any time.
Managing your SSL certificate
Topics:
Obtaining a signed certificate
Replacing an expiring certificate
Installing a fully signed certificate from a certificate archive file
When you install Cloud Access Manager, a temporary self-signed certificate is created for the proxy and stored in the database. This section describes how to replace the temporary certificate with a fully signed, trusted certificate.