Identity Manager 8.2 - Authorization and Authentication Guide

Configuring RSTS for multi-factor authentication

To configure multi-factor authentication using a RADIUS server on the RSTS

  1. Start a web browser and open the URL of the RSTS administration interface.

    https://<webapplication>/RSTS/admin

    Use the configuration password assigned during installation to log in.

  2. On the home page, click Authentication providers.

  3. On the Authentication Providers page, select the Default Active Directory default provider and click Edit.

  4. On the Edit page, select the Authentication provider tab and edit the following settings.

    • Directory Type > Active Directory: enabled

    • Connection Information > Use Current Domain: enabled

  5. Select the Two Factor Authentication tab and edit the settings for your Defender Security Server.

    • Two Factor Authentication Settings > RADIUS: enabled

    • Server, Port, Shared Secret and Username Attributes: Connection data for the RADIUS server.

    • (Optional) Connection Information > Pre-authenticate For ChallengeResponse: Uses the response text of Defender instead of the default RADIUS response text.

  6. Switch to the home page and select Applications.

  7. On the Applications page, click Add Application.

  8. On the Edit page, select the General Settings tab and edit the following settings.

    • Application Name, Authentication Provider, Realm/Client_ID/Issuer, Redirect Url

    The redirect URL for the Web Portal (Redirect Url) is formed as follows: https://<Server>/<Application Name>/

  9. Select the Certificates tab and under Signing Certificate (Required) activate the signing certificate that you specified when installing the RSTS.

    For more information, see Multi-factor authentication with One Identity Defender.

  10. Click Finish.

Configuring authentication with OAuth 2.0/OpenID Connect in the Web Portal

To configure authentication with OAuth 2.0/OpenID Connect

  1. Start the Web Designer.

  2. Click the View > Home page menu item.

  3. On the home page, click Select web application and select the web application.

  4. Click Edit web application settings.

  5. In the Edit web application settings dialog, edit the web application settings.

    • Authentication module: Select OAuth 2.0/OpenID Connect (role-based).

    • OAuth 2.0/OpenID Connect configuration: Select the newly created identity provider.

    • Client ID for OAuth 2.0 authentication: Select the client ID that you specified when you configured RSTS.

    • Fingerprint of the OAuth 2.0 certificate: Specify the fingerprint of the signing certificate you selected when configuring the RSTS.

  6. Save the changes.

Configuring authentication with OAuth 2.0/OpenID Connect

To configure authentication with OAuth 2.0/OpenID Connect

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In the list editor, select the newly created identity provider.

  3. Select the General tab and check the general configuration data of the identity provider.

    • Column to search: Select ADSAccount - ObjectGUID.

  4. Select the Applications tab and check the configuration of the OAuth 2.0/OpenID Connect application.

    • Default: enabled

    • Redirect URI: If you want to use multi-factor authentication with the One Identity Manager administration tools, enter urn:InstalledApplication.

  5. Select Database > Save to database and click Save.

Authenticating other applications using OAuth 2.0/OpenID Connect

For more information about the REST API, see the One Identity Manager REST API Reference Guide.

To access the REST API in the application server, authentication is supported by the OAuth 2.0/OpenID Connect and OAuth 2.0/OpenID Connect (role-based) authentication modules.

Authentication is done using the access token provided. The first time a request is made with a new access token, a session is established with that token and the authentication module. Further accesses with the same token use the same session. The validity period of the token is checked in the process.

To set up external application authentication using OAuth 2.0/OpenID Connect in One Identity Manager

  • In the Designer, set the QBM | AppServer | AccessTokenAuth configuration parameter.

  • In the Designer, set the respective authentication module either OAuth 2.0/OpenID Connect or OAuth 2.0/OpenID Connect (role-based).

  • In the Designer, set up the OAuth 2.0/OpenID Connect configuration.

  • If the OAuth 2.0/OpenID Connect (role-based) authentication module is used, set the QBM | AppServer | AccessTokenAuth | RoleBased configuration parameter as well.

  • The URL for the application server must be declared.

    When the application server is installed, an entry for the web application is created with the URL in the QBMWebApplication table. Check whether the URL (BaseURL column) is entered.

To authenticate an external application using OAuth 2.0/OpenID Connect in One Identity Manager

  1. Log in to the external identity provider, for example with Redistributable STS (RSTS), and get the access token.

  2. Ensure that the token is passed as a bearer token in the HTTP Authorization header of every request.

NOTE: When you log in with a bearer token, the session that is established is tracked by a session cookie. Clients accessing the REST API with the bearer token must therefore keep the cookie assigned during the first access and send it with all subsequent accesses. Otherwise, a new session is established on every access, which consumes a lot of resources.
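The session behaviour described above, as an added example that is not part of this guide or of the product: a constructed stand-in for the identity provider issues HS256 tokens with an exp claim, a stub models the application server's per-request token check and session handling, and a client presents the bearer token and retains the cookie from the first access. The secret, token layout and cookie name are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed IdP stand-in (RSTS in the guide); HS256 secret, token layout and cookie name are assumptions.
IDP_SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(subject: str, lifetime_s: int) -> str:
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps({"sub": subject, "exp": int(time.time()) + lifetime_s}).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def token_valid(token: str) -> bool:
    """Signature and validity-period check, performed on every request."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = hmac.new(IDP_SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), parts[2].encode()):
        return False
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    return claims.get("exp", 0) > time.time()
class AppServerStub:
    """First request with a token establishes a session and sets a cookie; token + cookie reuses it."""
    def __init__(self):
        self.sessions = {}  # cookie -> access token
    def handle(self, headers: dict) -> tuple:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or not token_valid(auth[7:]):
            return 401, {}
        token, cookie = auth[7:], headers.get("Cookie")
        if cookie and self.sessions.get(cookie) == token:
            return 200, {}  # existing session reused, no new Set-Cookie
        cookie = "session=" + secrets.token_hex(16)  # no (or stale) cookie: new session
        self.sessions[cookie] = token
        return 200, {"Set-Cookie": cookie + "; Path=/; HttpOnly; Secure"}
class RestClient:
    """Sends the bearer token on every request and keeps the cookie assigned on first access."""
    def __init__(self, server: AppServerStub, token: str):
        self.server, self.token, self.cookie = server, token, None
    def get(self) -> int:
        headers = {"Authorization": f"Bearer {self.token}"}
        if self.cookie:
            headers["Cookie"] = self.cookie
        status, resp = self.server.handle(headers)
        if "Set-Cookie" in resp:
            self.cookie = resp["Set-Cookie"].split(";")[0]
        return status
```

Calling the server stub directly without the cookie shows the wasteful case from the note: each access creates another session.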
