Identity Manager 9.3 - Web Application Configuration Guide

Configuring the four eyes principle for issuing a passcode

You can control whether passcodes generated by the help desk are divided into two parts. One half of the passcode is issued to the help desk staff and the other half is sent to the identity's manager. The identity must ask the manager for the second half of the passcode. Because neither the help desk nor the manager alone knows the complete passcode, this procedure increases the security of issuing passcodes.

To configure the four eyes principle for issuing passcodes

  1. Start the Designer program.

  2. Connect to the relevant database.

  3. Set the QER | Person | PasswordResetAuthenticator | PasscodeSplit configuration parameter.

    TIP: To find out how to edit configuration parameters in Designer, see the One Identity Manager Configuration Guide.

  4. Set the QER | WebPortal | MailTemplateIdents | InformManagerAboutSecondHalfOfPasscode configuration parameter.

    By default, the second half of the passcode is sent with the Identity - part of passcode for password reset (manager) mail template.

    To use another template for this notification, change the value in the configuration parameter.

    TIP: In the Designer, you can configure the current mail template in the Mail templates > Person category. For more information about mail templates, see the One Identity Manager Operational Guide.

Configuring WebAuthn security keys

One Identity offers users the option to log in, simply and securely, to One Identity Manager web applications with the help of (physical) security keys. These security keys support the W3C WebAuthn standard.

Logging in with a security key adds a strong, phishing-resistant second factor, because the credential is bound to the relying party's origin and cannot be replayed against another site.

Advice
  • In the Manager, identity administrators have the option to view all of an identity's security keys and to delete them. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  • The WebAuthn standard is NOT supported in Internet Explorer. Users must use another browser.

To configure WebAuthn for a web application, carry out these four steps:

  1. Configure the OAuth certificate to enable secure communication between RSTS and One Identity Manager.

  2. Configure the RSTS.

  3. Configure the application server.

  4. Configure the web application.


Step 1: Configuring an OAuth certificate

Communication between the RSTS (redistributable security token service) and One Identity Manager uses tokens that are signed with the private key of a certificate. This certificate must be valid and trusted, because the RSTS also uses it as a client certificate when registering with the application server. One Identity recommends that you either use an existing public key infrastructure (PKI) or create a new certificate chain consisting of a root certificate and the OAuth signing certificate issued by it.

To configure the OAuth signing certificate

  1. Create a new, valid, and trusted, OAuth signing certificate.

  2. Ensure the following:

    • The RSTS must have access to the OAuth signing certificate with a private key.

    • The application server from which the RSTS requests the WebAuthn security keys must trust the certificate chain of the OAuth signing certificate.

    • The web application that allows login via the RSTS must have access to the OAuth signing certificate, including its private key.

    • The web application used to manage the WebAuthn security keys must have access to the OAuth signing certificate, including its private key.
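The following PowerShell script is an added example and not One Identity code. It builds the two-level chain described above (a root certificate plus an OAuth signing certificate issued by it) in the local machine store, publishes the root to the Trusted Root store as the application server needs it, exports the signing certificate with its private key for the RSTS and web application hosts, and then verifies the chain and a signature round trip the way the application server and the RSTS would. Subject names, file paths, lifetimes and the sample token payload are assumptions; run it in an elevated Windows PowerShell session on the machine where you want the keys generated.

```powershell
# Added example (not One Identity code): create and verify an OAuth signing
# certificate chain for RSTS <-> One Identity Manager communication.
# Subject names, paths and lifetimes are assumptions; align them with your PKI policy.

$rootSubject    = "CN=Example OIM Root CA"
$signingSubject = "CN=Example OIM OAuth Signing"
$rootCerPath    = "C:\Temp\oim-root.cer"
$pfxPath        = "C:\Temp\oauth-signing.pfx"

# 1. Root certificate: self-signed, allowed to sign other certificates.
$root = New-SelfSignedCertificate -Type Custom -Subject $rootSubject `
    -KeySpec Signature -KeyUsageProperty Sign -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable -HashAlgorithm SHA256 -KeyLength 4096 `
    -NotAfter (Get-Date).AddYears(10) -CertStoreLocation "Cert:\LocalMachine\My"

# 2. OAuth signing certificate issued by the root. The client-authentication EKU
#    (1.3.6.1.5.5.7.3.2) is included because the RSTS also presents this
#    certificate as a client certificate to the application server.
$signing = New-SelfSignedCertificate -Type Custom -Subject $signingSubject `
    -KeySpec Signature -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 -KeyLength 2048 -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\LocalMachine\My" -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Publish the root (public part only) so this machine, and later the
#    application server, trusts the chain. Copy the .cer to the application server.
Export-Certificate -Cert $root -FilePath $rootCerPath | Out-Null
Import-Certificate -FilePath $rootCerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 4. Export the signing certificate WITH private key for the RSTS host and the
#    web application hosts (they need it; the application server does not).
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $signing -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 5. Verify the chain as the application server will. Revocation checking is
#    disabled here only because this lab root publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($signing)) {
    throw "Chain does not verify: $(($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; ')"
}
"Chain OK: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join " -> ")

# 6. Confirm the private key is usable for signing, as the RSTS will use it for
#    tokens: sign a constructed sample payload and verify with the public key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($signing)
if (-not $rsa) { throw "No usable private key; the RSTS could not sign tokens with this certificate." }
$payload   = [Text.Encoding]::UTF8.GetBytes('{"sub":"jdoe","aud":"OneIdentityManager"}')  # constructed sample
$signature = $rsa.SignData($payload, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                           [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($signing)
$pub.VerifyData($payload, $signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
```

On the RSTS host and on each web application host, import the PFX into the local machine personal store (`Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My`) and grant the service account that runs the RSTS or the web application read access to the private key (Certificates MMC, Manage Private Keys). The application server only needs the root `.cer` in its Trusted Root Certification Authorities store; it does not need the private key. Rerun step 5 on each host to confirm the chain resolves there too.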


Step 2: Configuring the RSTS

NOTE: Before you can configure the RSTS, you must configure the OAuth signing certificate. For more information, see Step 1: Configuring an OAuth certificate.

To configure WebAuthn on the RSTS

  1. Perform one of the following tasks:

    • If you are installing the RSTS: When you install the RSTS, select the previously created OAuth signing certificate so that the corresponding entry in the identity provider in One Identity Manager is set.

    • If the RSTS is already installed: Stop the relevant service, uninstall it, and install the new version.

  2. In your web browser, call the URL of the RSTS administration interface: https://<web application>/RSTS/admin.

  3. On the start page, click Applications.

  4. On the Applications page, click Add Application.

  5. On the Edit page, complete the data on the various tabs.

    NOTE: The forwarding URLs (Redirect Url) on the General tab use the following formats:

    • For the API Server:

      https://<server name>/<application server path>/html/<web application>/?Module=OAuthRoleBased

    • For the Web Portal:

      https://<server name>/<web application>/

  6. Switch to the Two Factor Authentication tab.

  7. On the Two Factor Authentication tab, in the list in Required by pane, click:

    • All Users: All users must log in with two-factor authentication.

    • Specific Users/Groups: Specific users must log in using two-factor authentication. You can add these by clicking Add.

    • Not Required: The application server decides which users must log in using two-factor authentication.

  8. In the navigation, click Home.

  9. On the home page, click Authentication providers.

  10. On the Authentication Providers page, edit the entry in the list.

  11. On the Edit page, switch to the Two Factor Authentication tab.

  12. In the Two Factor Authentication Settings pane, click FIDO2/WebAuthn.

  13. Edit the following input fields:

    • Relying Party Name: Enter any name.

    • Domain Suffix: Enter the suffix of your Active Directory domain that hosts the RSTS.

    • API URL Format: Enter the application server's URL. The given URL must contain a placeholder in the format {0}, which the RSTS replaces with a unique identifier for the user.

      The API URL Format is used by RSTS to call the list of WebAuthn security keys of a specified user. Enter the URL in the following format:

      https://<server name>/<application server path>/appServer/WebAuthn/<identity provider>/Users/{0}

      • <Server name> – fully qualified host name of the web server hosting the application server

      • <Application server path> – path to the web application of the application server (default: AppServer)

      • <Identity provider> – name of the identity provider

        TIP: You can find the name of the identity provider in the Designer:

        Basic data > Security settings > OAuth 2.0/OpenId Connect configuration


      Example:
      https://www.example.com/AppServer/appServer/webauthn/OneIdentity/Users/{0}

  14. Click Finish.
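The following PowerShell function is an added example, not part of the RSTS or One Identity Manager, that sanity-checks the values from steps 5 and 13 before you click Finish: the redirect URL formats, the API URL Format (https, exactly one {0} placeholder, the expected /appServer/WebAuthn/<identity provider>/Users/{0} tail) and the Domain Suffix. The Domain Suffix check assumes the RSTS uses that value as the WebAuthn relying party ID; WebAuthn requires the RP ID to be the RSTS host itself or a registrable suffix of it, otherwise browsers reject the credential. The host names, web application names, identity provider name and user ID are constructed sample values.

```powershell
# Added example (not One Identity code): validate RSTS WebAuthn settings offline.
# Sample host names, application names and user id are constructed.

function Test-RstsWebAuthnSettings {
    param(
        [Parameter(Mandatory)] [string]   $RstsUrl,          # where the RSTS is hosted
        [Parameter(Mandatory)] [string]   $DomainSuffix,     # "Domain Suffix" field
        [Parameter(Mandatory)] [string]   $ApiUrlFormat,     # "API URL Format" field
        [Parameter(Mandatory)] [string]   $IdentityProvider, # name from Designer OAuth 2.0/OpenId Connect configuration
        [string[]] $RedirectUrls = @()                       # "Redirect Url" entries on the General tab
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Assumption: the Domain Suffix acts as the WebAuthn RP ID. It must equal the
    # RSTS host or be a registrable suffix of it, or the browser refuses the key.
    $rstsHost = ([uri]$RstsUrl).Host.ToLowerInvariant()
    $suffix   = $DomainSuffix.TrimStart('.').ToLowerInvariant()
    if ($suffix -notmatch '\.') {
        $problems.Add("Domain Suffix '$DomainSuffix' has no dot; a bare label is not a valid RP ID")
    }
    if ($rstsHost -ne $suffix -and -not $rstsHost.EndsWith(".$suffix")) {
        $problems.Add("Domain Suffix '$DomainSuffix' is not a suffix of the RSTS host '$rstsHost'")
    }

    # API URL Format: https, exactly one {0}, and the documented tail.
    if ($ApiUrlFormat -notmatch '^https://') {
        $problems.Add("API URL Format must use https")
    }
    if (([regex]::Matches($ApiUrlFormat, '\{0\}')).Count -ne 1) {
        $problems.Add("API URL Format must contain the {0} user placeholder exactly once")
    }
    $expectedTail = "/appServer/WebAuthn/$IdentityProvider/Users/{0}"
    if (-not $ApiUrlFormat.EndsWith($expectedTail, [StringComparison]::OrdinalIgnoreCase)) {
        $problems.Add("API URL Format should end with '$expectedTail'")
    }

    # Redirect URLs: API Server entries carry ?Module=OAuthRoleBased under /html/,
    # Web Portal entries end with '/'. The '/html/' test is a heuristic for telling them apart.
    foreach ($r in $RedirectUrls) {
        if ($r -notmatch '^https://') {
            $problems.Add("Redirect URL '$r' must use https")
        }
        if ($r -match '/html/') {
            if ($r -notmatch 'Module=OAuthRoleBased') {
                $problems.Add("API Server redirect '$r' is missing ?Module=OAuthRoleBased")
            }
        } elseif (-not $r.EndsWith('/')) {
            $problems.Add("Web Portal redirect '$r' must end with '/'")
        }
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Expand the format for one user, as the RSTS does when it fetches that user's key list.
function Get-WebAuthnKeyListUrl {
    param([string] $ApiUrlFormat, [string] $UserId)
    $ApiUrlFormat -f [uri]::EscapeDataString($UserId)
}

# Constructed sample values
$settings = @{
    RstsUrl          = 'https://rsts.corp.example.com/RSTS'
    DomainSuffix     = 'corp.example.com'
    ApiUrlFormat     = 'https://www.example.com/AppServer/appServer/WebAuthn/OneIdentity/Users/{0}'
    IdentityProvider = 'OneIdentity'
    RedirectUrls     = @(
        'https://www.example.com/AppServer/html/ApiServer/?Module=OAuthRoleBased',
        'https://www.example.com/IdentityManager/'
    )
}
$result = Test-RstsWebAuthnSettings @settings
"Valid: $($result.Valid)"
$result.Problems
Get-WebAuthnKeyListUrl -ApiUrlFormat $settings.ApiUrlFormat -UserId 'jdoe@corp.example.com'
```

With the sample values the function reports no problems; change the Domain Suffix to `example.org` or drop the `{0}` from the API URL Format to see the corresponding message. The user ID is percent-encoded before it is substituted so that characters such as `@` or `/` in the identifier cannot alter the path the RSTS calls.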
