
Identity Manager 8.2 - Authorization and Authentication Guide


Editing table properties

NOTE: If the Assign by event option is enabled, the HandleObjectComponent process is placed in the job queue as soon as a resource assignment is added to or removed from an employee.

To enable assigning by event for a table

  1. In the Designer, select One Identity Manager Schema.

  2. Select the PersonHasQERResource table and start Schema Editor using the Show table definition task.

  3. In the Table properties view, select the Table tab and enable the Assign by event option.

  4. Select Database > Save to database and click Save.

For more information about editing table definitions, see the One Identity Manager Configuration Guide.

Preparing the Starling 2FA token request

One Identity Manager users must be registered with Starling Two-Factor Authentication in order to use multi-factor authentication. To register, a user must request the Starling 2FA token in the Web Portal. Once the request has been approved, the user receives a link to the Starling Two-Factor Authentication app and a Starling 2FA user ID. The app generates one-time passwords, which are required for authentication. The Starling 2FA user ID is saved in the user's employee main data.

NOTE: The user's default email address, mobile phone number, and country must be stored in their main data. This data is required for registration.

To facilitate requesting a Starling 2FA token

  1. In the Manager, select the IT Shop > Service catalog > Predefined category.

  2. Select New Starling 2FA token in the results list.

  3. Select the Change main data task.

  4. Disable Not available.

  5. Save the changes.

The Starling 2FA token request must be granted approval by the request recipient's manager.

Requesting a security code

Table 41: Configuration parameters for requesting Starling 2FA security codes

  Configuration parameter:
    QER | Person | Defender | DisableForceParameter
    QER | Person | Starling | DisableForceParameter

  Meaning:
    The configuration parameters specify whether Starling 2FA is forced to send the security code by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameters are enabled, Starling 2FA can refuse this request; the user must then request the security code using the Starling 2FA app.

If the security code is requested for an attestation, request, or request approval, the user decides how the security code is sent. The following options are available:

  • By Starling 2FA app

  • By SMS

  • By phone call

By default, Starling 2FA is forced to send the security code by SMS or by phone call if the user has selected one of these options. However, for security reasons, the user should use the Starling 2FA app to generate the security code. If the app is installed on the user's mobile phone, Starling 2FA can refuse the SMS or phone call request, and the user must then generate the security code using the app.

To use this method

  • If you use Starling Cloud, in the Designer, set the QER | Person | Starling | DisableForceParameter configuration parameter.

    - OR -

  • If you use classic Starling Two-Factor Authentication integration, in the Designer, set the QER | Person | Defender | DisableForceParameter configuration parameter.

    Starling 2FA can refuse to transmit the security code by SMS or phone call if the Starling 2FA app is installed on the phone. Then the security code must be generated by the app.

If the configuration parameter is not set (default), Starling 2FA is forced to send the security code by SMS or phone call.
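The delivery rule above depends on three things: which Starling integration is in use (which decides which of the two configuration parameters is authoritative), whether that parameter is set, and whether the app is installed on the user's phone. The following Python model is an added illustration, not One Identity Manager code: the two parameter names are taken from this guide, while the function names, the `Config` class, the `app_installed` flag and the assumption that Starling 2FA refuses SMS/phone delivery whenever the app is installed are assumptions made to state the rule explicitly.

```python
"""Model of how DisableForceParameter affects Starling 2FA security-code delivery.

Added example; not One Identity Manager code. Parameter names are from the
guide; Config, resolve_delivery and app_installed are assumptions.
"""
from dataclasses import dataclass, field

DELIVERY_OPTIONS = ("app", "sms", "call")

# Configuration parameter names exactly as shown in the Designer (from the guide).
STARLING_CLOUD_PARAM = "QER | Person | Starling | DisableForceParameter"
CLASSIC_DEFENDER_PARAM = "QER | Person | Defender | DisableForceParameter"


@dataclass
class Config:
    """Subset of Designer configuration relevant to security-code delivery."""
    integration: str                       # "cloud" (Starling Cloud) or "classic"
    enabled_parameters: set = field(default_factory=set)

    def authoritative_parameter(self) -> str:
        # Starling Cloud reads the Starling parameter; the classic integration
        # reads the Defender parameter. Setting the other one has no effect.
        if self.integration == "cloud":
            return STARLING_CLOUD_PARAM
        if self.integration == "classic":
            return CLASSIC_DEFENDER_PARAM
        raise ValueError(f"unknown integration: {self.integration!r}")

    def force_disabled(self) -> bool:
        """True when Starling 2FA is allowed to refuse SMS/phone delivery."""
        return self.authoritative_parameter() in self.enabled_parameters


def resolve_delivery(requested: str, config: Config, app_installed: bool) -> str:
    """Return the channel the security code actually arrives on.

    requested: the option the user picked ("app", "sms" or "call").
    """
    if requested not in DELIVERY_OPTIONS:
        raise ValueError(f"unknown delivery option: {requested!r}")
    if requested == "app":
        return "app"
    # Default (parameter not set): Starling 2FA is forced to honour SMS/call.
    if not config.force_disabled():
        return requested
    # Parameter set: refusal is modelled as happening whenever the app is
    # installed (the guide says Starling 2FA "can refuse" in that case).
    if app_installed:
        return "app"
    return requested


def audit(config: Config) -> list:
    """Return findings a reviewer would raise about the delivery policy."""
    findings = []
    if not config.force_disabled():
        findings.append("SMS/phone delivery is forced even when the app is installed")
    wrong = {STARLING_CLOUD_PARAM, CLASSIC_DEFENDER_PARAM} - {config.authoritative_parameter()}
    if wrong & config.enabled_parameters:
        findings.append("a DisableForceParameter for the other integration is set and has no effect")
    return findings


if __name__ == "__main__":
    # Constructed sample: Starling Cloud with the correct parameter set.
    cfg = Config("cloud", {STARLING_CLOUD_PARAM})
    print(resolve_delivery("sms", cfg, app_installed=True))   # app
    print(resolve_delivery("sms", cfg, app_installed=False))  # sms
    print(audit(Config("classic", {STARLING_CLOUD_PARAM})))
```

The `audit` helper captures the two mistakes worth checking after configuration: leaving the default in place (SMS or phone call is always honoured), and setting the parameter that belongs to the other integration, which looks correct in the Designer but changes nothing.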

Multi-factor authentication with One Identity Defender

One Identity Defender can be used for multi-factor authentication on One Identity Manager tools and the Web Portal. A Redistributable STS (RSTS) is set up to provide Active Directory authentication over a RADIUS server.

Prerequisite
  • One Identity Defender is installed and set up.

To set up multi-factor authentication using Defender

  1. Install the RSTS.

    In the Installation Wizard on the Installation Settings page, enter the signing certificate, URL, and configuration password for the RSTS administration interface. For test or demonstration environments, you can use the Redistributable STS Demo signing certificate.

  2. Configure the RSTS.

  3. Set up the OAuth 2.0/OpenID Connect configuration.

    In doing so, you create a new identity provider. You will need this identity provider for configuring authentication with OAuth 2.0/OpenID Connect.

  4. Configure authentication with OAuth 2.0/OpenID Connect for the Web Portal.

  5. Configure authentication with OAuth 2.0/OpenID Connect for the One Identity Manager administration tools.

  6. Test the access to the Web Portal.

    • After entering the URL of the Web Portal in your web browser, you should be redirected to the RSTS login page.

    • After logging in with user name and password, you are prompted to enter your Defender Token.

    If both authentications were successful, you can work with the Web Portal.

  7. Test access to the One Identity Manager administration tools.

    • Start an administration tool, for example, the Launchpad, and select the OAuth 2.0/OpenID Connect authentication method.

    • After logging in with user name and password, you are prompted to enter your Defender Token.

    If both authentications were successful, you can work with the administration tool.
