Identity Manager 9.2.1 - Authorization and Authentication Guide

NOTE: This authentication module is available if the Active Directory Module is installed.

Credentials	Login name and password for registering with Active Directory. You do not have to enter the domain.
Prerequisites	The identity exists in the One Identity Manager database. The identity is assigned at least one application role. The Active Directory user account exists in the One Identity Manager database and the identity is entered in the user account's main data. Domains permitted for login are entered in the TargetSystem \| ADS \| AuthenticationDomains configuration parameter.
Set as default	Yes
Single sign-on	No
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	The user‘s identity is determined from a predefined list of permitted Active Directory domains. The corresponding user account and identity are determined in the One Identity Manager database, which the user account is assigned to. If an identity has a main identity or several subidentities, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which identity is used for authentication. If this configuration parameter is set, the identity’s main identity is used for authentication. If this configuration parameter is not set, the identity’s subidentity is used for authentication. NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER \| Person \| AllowLoginWithSecurityIncident configuration parameter. A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user. Data modifications are attributed to the current user account.

Active Directory user account (dynamic)

NOTE: This authentication module is available if the Active Directory Module is installed.

Credentials	The authentication module uses the Active Directory login data of the user currently logged in on the workstation.
Prerequisites	The identity exists in the One Identity Manager database. The Active Directory user account exists in the One Identity Manager database and the identity is entered in the user account's main data. The configuration data for dynamically determining the system user is defined in the application. Thus, an identity can, for example, be assigned a system user dynamically depending on their department membership.
Set as default	No
Single sign-on	Yes
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager finds the identity assigned to the user account. If an identity has a main identity or several subidentities, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which identity is used for authentication. If this configuration parameter is set, the identity’s main identity is used for authentication. If this configuration parameter is not set, the identity’s subidentity is used for authentication. NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER \| Person \| AllowLoginWithSecurityIncident configuration parameter. The application configuration data is used to find a system user, which is automatically assigned to the identity. The user interface and permissions are loaded through the system user that is dynamically assigned to the logged in identity. Data modifications are attributed to the current user account.

NOTE: If the Connect automatically option is set, authentication is no longer necessary for subsequent logins.

Related topics

Configuration data for system user dynamic authentication

LDAP user account (role-based)

NOTE: This authentication module is available if the LDAP Module is installed.

Credentials	Login name, identifier, distinguished name or user ID of an LDAP user account. LDAP user account's password.
Prerequisites	The identity exists in the One Identity Manager database. The identity is assigned at least one application role. The LDAP user account exists in the One Identity Manager database and the identity is entered in the user account's main data. The configuration data for dynamically determining the system user is defined in the application. Thus, an identity can, for example, be assigned a system user dynamically depending on their department membership.
Set as default	No
Single sign-on	No
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	If you log in using a login name, identifier, or user ID, the corresponding user account is determined in the One Identity Manager database through the domain. The domains permitted for logging in are entered in the TargetSystem \| LDAP \| Authentication \| RootDN configuration parameter and the TargetSystem \| LDAP \| AuthenticationV2 \| RootDN configuration parameter. If log in uses a distinguished name, the LDAP user account is determined that uses this distinguished name. One Identity Manager finds the identity assigned to the LDAP user account. If an identity has a main identity or several subidentities, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which identity is used for authentication. If this configuration parameter is set, the identity’s main identity is used for authentication. If this configuration parameter is not set, the identity’s subidentity is used for authentication. NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER \| Person \| AllowLoginWithSecurityIncident configuration parameter. A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user. Data modifications are attributed to the current user account.

In the Designer, modify the following configuration parameters to implement the authentication module.

Table 29: Configuration parameters for the authentication module
Configuration parameter	Meaning
TargetSystem \| LDAP \| Authentication	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| Authentication \| Authentication	Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library. Default: ServerBind
TargetSystem \| LDAP \| Authentication \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| Authentication \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| Authentication \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| AuthenticationV2 \| AcceptSelfSigned	Specifies whether self-signed certificates are accepted.
TargetSystem \| LDAP \| AuthenticationV2 \| Authentication	Authentication method for logging in to LDAP. The following are permitted: Basic: Uses default authentication. Negotiate: Uses Negotiate authentication from Microsoft. Kerberos: Uses Kerberos authentication. NTLM: Uses Windows NT Challenge/Response (NTLM) authentication. Default: Basic For more information about authentication types, see the MSDN Library.
TargetSystem \| LDAP \| AuthenticationV2 \| ClientTimeout	Client timeout in seconds.
TargetSystem \| LDAP \| AuthenticationV2 \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| AuthenticationV2 \| ProtocolVersion	Version of the LDAP protocol. The values 2 and 3 are permitted. Default: 3
TargetSystem \| LDAP \| AuthenticationV2 \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| AuthenticationV2 \| Security	Connection security. Permitted values are None, SSL and STARTTLS.
TargetSystem \| LDAP \| AuthenticationV2 \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSealing	Specifies whether sealing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSigning	Specifies whether signing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| VerifyServerCertificate	Specifies whether to check the server certificate when encrypting with SSL.

LDAP user account (dynamic)

NOTE: This authentication module is available if the LDAP Module is installed.

Credentials	Login name, identifier, distinguished name or user ID of an LDAP user account. LDAP user account's password.
Prerequisites	The identity exists in the One Identity Manager database. The LDAP user account exists in the One Identity Manager database and the identity is entered in the user account's main data. The configuration data for dynamically determining the system user is defined in the application. Thus, an identity can, for example, be assigned a system user dynamically depending on their department membership.
Set as default	No
Single sign-on	No
Front-end login allowed	Yes
Web Portal login allowed	Yes
Remarks	If you log in using a login name, identifier, or user ID, the corresponding user account is determined in the One Identity Manager database through the domain. The domains permitted for logging in are entered in the TargetSystem \| LDAP \| Authentication \| RootDN configuration parameter and the TargetSystem \| LDAP \| AuthenticationV2 \| RootDN configuration parameter. If log in uses a distinguished name, the LDAP user account is determined that uses this distinguished name. One Identity Manager finds the identity assigned to the LDAP user account. If an identity has a main identity or several subidentities, the QER \| Person \| MasterIdentity \| UseMasterForAuthentication configuration parameter controls which identity is used for authentication. If this configuration parameter is set, the identity’s main identity is used for authentication. If this configuration parameter is not set, the identity’s subidentity is used for authentication. NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER \| Person \| AllowLoginWithSecurityIncident configuration parameter. The application configuration data is used to find a system user, which is automatically assigned to the identity. The user interface and permissions are loaded through the system user that is dynamically assigned to the logged in identity. Data modifications are attributed to the current user account.

In the Designer, modify the following configuration parameters to implement the authentication module.

Table 30: Configuration parameters for the authentication module
Configuration parameter	Meaning
TargetSystem \| LDAP \| Authentication	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| Authentication \| Authentication	Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library. Default: ServerBind
TargetSystem \| LDAP \| Authentication \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| Authentication \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| Authentication \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| AuthenticationV2 \| AcceptSelfSigned	Specifies whether self-signed certificates are accepted.
TargetSystem \| LDAP \| AuthenticationV2 \| Authentication	Authentication method for logging in to LDAP. The following are permitted: Basic: Uses default authentication. Negotiate: Uses Negotiate authentication from Microsoft. Kerberos: Uses Kerberos authentication. NTLM: Uses Windows NT Challenge/Response (NTLM) authentication. Default: Basic For more information about authentication types, see the MSDN Library.
TargetSystem \| LDAP \| AuthenticationV2 \| ClientTimeout	Client timeout in seconds.
TargetSystem \| LDAP \| AuthenticationV2 \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| AuthenticationV2 \| ProtocolVersion	Version of the LDAP protocol. The values 2 and 3 are permitted. Default: 3
TargetSystem \| LDAP \| AuthenticationV2 \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| AuthenticationV2 \| Security	Connection security. Permitted values are None, SSL and STARTTLS.
TargetSystem \| LDAP \| AuthenticationV2 \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSealing	Specifies whether sealing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSigning	Specifies whether signing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| VerifyServerCertificate	Specifies whether to check the server certificate when encrypting with SSL.

Configuration parameter	Meaning
TargetSystem \| LDAP \| Authentication	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| Authentication \| Authentication	Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library. Default: ServerBind
TargetSystem \| LDAP \| Authentication \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| Authentication \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| Authentication \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| AuthenticationV2 \| AcceptSelfSigned	Specifies whether self-signed certificates are accepted.
TargetSystem \| LDAP \| AuthenticationV2 \| Authentication	Authentication method for logging in to LDAP. The following are permitted: Basic: Uses default authentication. Negotiate: Uses Negotiate authentication from Microsoft. Kerberos: Uses Kerberos authentication. NTLM: Uses Windows NT Challenge/Response (NTLM) authentication. Default: Basic For more information about authentication types, see the MSDN Library.
TargetSystem \| LDAP \| AuthenticationV2 \| ClientTimeout	Client timeout in seconds.
TargetSystem \| LDAP \| AuthenticationV2 \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| AuthenticationV2 \| ProtocolVersion	Version of the LDAP protocol. The values 2 and 3 are permitted. Default: 3
TargetSystem \| LDAP \| AuthenticationV2 \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| AuthenticationV2 \| Security	Connection security. Permitted values are None, SSL and STARTTLS.
TargetSystem \| LDAP \| AuthenticationV2 \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSealing	Specifies whether sealing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSigning	Specifies whether signing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| VerifyServerCertificate	Specifies whether to check the server certificate when encrypting with SSL.

Configuration parameter	Meaning
TargetSystem \| LDAP \| Authentication	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| Authentication \| Authentication	Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library. Default: ServerBind
TargetSystem \| LDAP \| Authentication \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| Authentication \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| Authentication \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2	Allows configuration of the LDAP authentication module.
TargetSystem \| LDAP \| AuthenticationV2 \| AcceptSelfSigned	Specifies whether self-signed certificates are accepted.
TargetSystem \| LDAP \| AuthenticationV2 \| Authentication	Authentication method for logging in to LDAP. The following are permitted: Basic: Uses default authentication. Negotiate: Uses Negotiate authentication from Microsoft. Kerberos: Uses Kerberos authentication. NTLM: Uses Windows NT Challenge/Response (NTLM) authentication. Default: Basic For more information about authentication types, see the MSDN Library.
TargetSystem \| LDAP \| AuthenticationV2 \| ClientTimeout	Client timeout in seconds.
TargetSystem \| LDAP \| AuthenticationV2 \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| AuthenticationV2 \| ProtocolVersion	Version of the LDAP protocol. The values 2 and 3 are permitted. Default: 3
TargetSystem \| LDAP \| AuthenticationV2 \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| AuthenticationV2 \| Security	Connection security. Permitted values are None, SSL and STARTTLS.
TargetSystem \| LDAP \| AuthenticationV2 \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSealing	Specifies whether sealing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSigning	Specifies whether signing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| VerifyServerCertificate	Specifies whether to check the server certificate when encrypting with SSL.

製品を選択してください:

サービス向上のために、「Purpose of your Chat（チャットの目的）」を記入してください。

お客様の不具合に推奨されるソリューション

Identity Manager 9.2.1 - Authorization and Authentication Guide

Active Directory user account (manual input/role-based)

Active Directory user account (dynamic)

Related topics

LDAP user account (role-based)

LDAP user account (dynamic)

Related topics