Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications
To display the configuration of an identity provider
- In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.
- In the List Editor, select the identity provider. The configuration data is displayed on the following tabs in the edit view.
  - General: Displays the general configuration data of the identity provider.
  - Certificate: Displays information about the identity provider certificate.
  - Applications: Displays the configuration of the OAuth 2.0/OpenID Connect applications.
  - Columns for enabling: Displays the table and the columns that identify a user account as enabled.
  - Columns for disabling: Displays the table and the columns that identify a user account as disabled.
To display the configuration of an OAuth 2.0/OpenID Connect application
- In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.
- In the List Editor, select the identity provider.
- In the edit view, select the Applications tab.
- In the Application view, select the OAuth 2.0/OpenID Connect application whose configuration you want to display.
NOTE: Click Add to add a new OAuth 2.0/OpenID Connect application to the configuration of the identity provider. Click Remove to remove an OAuth 2.0/OpenID Connect application that is no longer required from the configuration of the identity provider.
Specifying enabled and disabled columns for logging in
When determining the user account for OAuth 2.0/OpenID Connect authentication, the system checks whether the user account is enabled or disabled. You define which columns mark a user account as enabled or disabled.
Note:
- Only columns of the table that you selected under Column to search in the OAuth 2.0/OpenID Connect configuration of the identity provider are displayed.
- A column can be used either as an enabled column or as a disabled column, not both.
- You can specify only enabled columns, only disabled columns, or a combination of enabled and disabled columns.
Example:
The search column references the ADSAccount table.
Case a) Only enabled Active Directory user accounts are allowed to log in.
- Select ADSAccount.AccountDisabled as the disabled column.
  If the ADSAccount.AccountDisabled column of the user account is set, login is not permitted.
Case b) Only privileged Active Directory user accounts are allowed to log in.
- Select ADSAccount.IsPrivilegedAccount as the enabled column.
  If the ADSAccount.IsPrivilegedAccount column of the user account is set, login is permitted.
Case c) Only enabled, privileged Active Directory user accounts are allowed to log in.
- Select ADSAccount.IsPrivilegedAccount as the enabled column and ADSAccount.AccountDisabled as the disabled column.
  If the ADSAccount.IsPrivilegedAccount column of the user account is set and the ADSAccount.AccountDisabled column of the user account is not set, login is permitted.
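The following added example (not code from the One Identity Manager documentation) models the enabled/disabled column check for the three cases above, including the note's constraints that a column cannot be both an enabled and a disabled column and must belong to the search column's table. Account values and the rule for combining several columns are assumptions, as labelled in the comments; it also shows why case b) alone still admits a disabled privileged account.

```python
# Added example, not part of the One Identity Manager documentation: models the
# enabled/disabled column check for OAuth 2.0/OpenID Connect login described above.
# Column names follow the ADSAccount example; account values are constructed.
from dataclasses import dataclass

SEARCH_TABLE = "ADSAccount"  # table referenced by the configured search column


@dataclass
class LoginColumnConfig:
    enabled_columns: list   # columns whose set value permits login
    disabled_columns: list  # columns whose set value blocks login

    def validate(self) -> None:
        # A column may be an enabled column or a disabled column, never both.
        both = set(self.enabled_columns) & set(self.disabled_columns)
        if both:
            raise ValueError(f"column used as enabled and disabled: {sorted(both)}")
        # Only columns of the search column's table can be selected.
        for col in self.enabled_columns + self.disabled_columns:
            if col.partition(".")[0] != SEARCH_TABLE:
                raise ValueError(f"{col} is not a column of {SEARCH_TABLE}")


def login_permitted(account: dict, cfg: LoginColumnConfig) -> bool:
    """account maps 'Table.Column' to True (set) or False (not set).

    Assumption (the page shows one column of each kind): with several columns,
    any set disabled column blocks login and every enabled column must be set.
    With no columns configured, nothing here restricts login.
    """
    cfg.validate()
    if any(account.get(col, False) for col in cfg.disabled_columns):
        return False
    return all(account.get(col, False) for col in cfg.enabled_columns)


# The three cases from the documentation.
CASE_A = LoginColumnConfig([], ["ADSAccount.AccountDisabled"])
CASE_B = LoginColumnConfig(["ADSAccount.IsPrivilegedAccount"], [])
CASE_C = LoginColumnConfig(["ADSAccount.IsPrivilegedAccount"],
                           ["ADSAccount.AccountDisabled"])

# Constructed sample user accounts.
ACTIVE_PRIV = {"ADSAccount.AccountDisabled": False, "ADSAccount.IsPrivilegedAccount": True}
DISABLED_PRIV = {"ADSAccount.AccountDisabled": True, "ADSAccount.IsPrivilegedAccount": True}
ACTIVE_STANDARD = {"ADSAccount.AccountDisabled": False, "ADSAccount.IsPrivilegedAccount": False}
```

Under case b) a disabled but privileged account is still permitted to log in, which is what case c) closes by adding the disabled column.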
To define which columns can enable a user account for login
- In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.
- In the List Editor, select the configuration.
- In the edit view, select the Columns for enabling tab.
- In the Add assignment view, assign the columns that enable the user account for login.
- Select Database > Save to database and click Save.
To define which columns can disable a user account for login
- In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.
- In the List Editor, select the configuration.
- In the edit view, select the Columns for disabling tab.
- In the Add assignment view, assign the columns that disable the user account for login.
- Select Database > Save to database and click Save.
Logging information about OAuth 2.0/OpenID Connect authentication
To support troubleshooting of OAuth 2.0/OpenID Connect authentication, you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component.
To log authentication data
Multi-factor authentication in One Identity Manager
Table 40: Multi-factor authentication configuration parameters

QER | Person | Defender
    Specifies whether classic Starling Two-Factor Authentication integration is supported.
QER | Person | Defender | ApiEndpoint
    URL of the Starling 2FA API endpoint used to register new users.
QER | Person | Defender | ApiKey
    Your company's subscription key for accessing the Starling Two-Factor Authentication interface.
QER | Person | Starling
    Specifies whether One Identity Starling Cloud is supported.
    Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to the One Identity Starling Cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices, which expand the capabilities of your One Identity on-prem solutions. New products and features are continuously made available on the Starling Cloud platform. For a free trial of the One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.
QER | Person | Starling | ApiEndpoint
    Token endpoint for logging in on the One Identity Starling platform. The value is determined by the Starling configuration wizard.
QER | Person | Starling | ApiKey
    Credential string for logging in on the One Identity Starling platform. The value is determined by the Starling configuration wizard.
You can set up multi-factor authentication for specific security-critical actions in One Identity Manager, for example for attestation or when approving requests in the Web Portal.
One Identity Manager uses One Identity Starling Two-Factor Authentication for multi-factor authentication. This service is normally provided through the One Identity Starling Cloud platform. If your company does not use Starling Cloud, select the classic Starling Two-Factor Authentication integration instead. Use the configuration parameters in Table 40 to specify which of the two solutions is applied in your company.
To be able to use multi-factor authentication
- Register your company in Starling Two-Factor Authentication. For more information, see the Starling Two-Factor Authentication documentation.
- Specify which authentication solution is used.
- Enable assigning by event for the PersonHasQERResource table. For more information, see Editing table properties.
- (Optional) Specify whether the security code must be requested from the Starling 2FA app. For more information, see Requesting a security code.
- In the Manager, enable the New Starling 2FA token service item. For more information, see Preparing the Starling 2FA token request.
If the user's telephone number has changed, cancel the current Starling 2FA token and request a new one. If the Starling 2FA token is no longer required, cancel it.
For detailed information, see the following guides:

Preparing the IT Shop for multi-factor authentication
    One Identity Manager IT Shop Administration Guide
Setting up multi-factor authentication for attestation
    One Identity Manager Attestation Administration Guide
Setting up Starling Two-Factor Authentication in the web project
    One Identity Manager Web Application Configuration Guide
Requesting the Starling 2FA token; requesting products requiring multi-factor authentication; approving requests with multi-factor authentication; attestation with multi-factor authentication
    One Identity Manager Web Designer Web Portal User Guide