Configuring primary authentication with single sign-on
You can configure single sign-on authentication for API projects with the Administration Portal. In this case, a separate request to the imx/login method is not required.
Required configuration key:
TO configure primary authentication with single sign-on
-
Log in to the Administration Portal (see Logging in to the Administration Portal).
-
In the navigation, click Configuration.
-
On the Configuration page, in the Show configuration for the following API project menu, select the API project that you want configure with single sign-on authentication.
-
Expand the Single sign-on authentication modules configuration key.
-
Click New.
-
In the menu, select the authentication module you want to use.
TIP: You can specify additional authentication modules. To do this, click New.
-
Click Apply.
-
Perform one of the following actions:
-
If you want to apply the changes locally only, click Apply locally.
-
If you want to apply the changes globally, click Apply globally.
-
Click Apply.
Configuring multi-factor authentication
You can specify if and how users must authenticate themselves when accepting terms of use, or certifying and approving requests.
For more information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide. For more information about setting up initial synchronization with a OneLogin domain, see the One Identity Manager Administration Guide for Integration with OneLogin Cloud Directory.
TIP: If you want to use multi-factor authentication with OneLogin, the OneLogin Module must be available and synchronization must be set up.
Required configuration keys:
To configure multi-factor authentication
-
Log in to the Administration Portal (see Logging in to the Administration Portal).
-
In the navigation, click Configuration.
-
On the Configuration page, in the Show configuration for the following API project menu, select the Web Portal API project.
-
Expand the Step-up authentication provider for terms of use agreement and workflow approval configuration key.
-
In the Value menu, select the authentication provider you want to use.
TIP: If you do not want to use authentication, select No step-up authentication.
-
(Optional) If you use multifactor authentication with OneLogin (value OneLoginMFA), make sure that the authentication data for logging in to the OneLogin domain is available. You can set up the authentication data when the API Server is installed using with the Web Installer or adjust it later. For more information, see the One Identity Manager Installation Guide.
-
Click Apply.
-
Perform one of the following actions:
-
If you want to apply the changes locally only, click Apply locally.
-
If you want to apply the changes globally, click Apply globally.
-
Click Apply.
Configuring authentication tokens
Users receive an authentication token after they have been successfully authenticated on a web application. User do not have to repeat the authentication as long as this token is valid.
Required configuration key:
-
Persistent authentication tokens (AuthTokensEnabled): Specifies whether to use persistent authentication tokens that are stored between sessions.
-
Persistent authentication token lifetime (in minutes) (AuthTokensLifetimeMinutes): Specifies how long persistent authentication tokens are valid.
To configure the use of authentication tokens.
-
Log in to the Administration Portal (see Logging in to the Administration Portal).
-
In the navigation, click Configuration.
-
On the Configuration page, in the Show configuration for the following API project menu, select the API Server API project.
-
Configure the following configuration keys:
-
Persistent authentication tokens: Specify whether to use persistent authentication tokens. To do this, activate or deactivate the corresponding check box.
-
Persistent authentication token lifetime (in minutes): Specify how long persistent authentication tokens are valid. Once the token lifetime has expired, the user must authenticate again.
-
Click Apply.
-
Perform one of the following actions:
-
If you want to apply the changes locally only, click Apply locally.
-
If you want to apply the changes globally, click Apply globally.
-
Click Apply.
Excluding authentication modules
You can exclude certain authentication modules so that users cannot select them for authentication.
Required configuration keys:
To exclude an authentication module
-
Log in to the Administration Portal (see Logging in to the Administration Portal).
-
In the navigation, click Configuration.
-
On the Configuration page, in the Show configuration for the following API project menu, select the Web Portal API project.
-
Expand the Excluded authentication modules configuration key.
-
You can perform the following actions:
-
To exclude an authentication module, click Add new and select the relevant authentication module from the selection list.
-
To include an authentication module again, click (delete) next to the corresponding authentication module.
-
Click Apply.
-
Perform one of the following actions:
-
If you want to apply the changes locally only, click Apply locally.
-
If you want to apply the changes globally, click Apply globally.
-
Click Apply.