Step 3: Configuring the application server
The RSTS retrieves the WebAuthn security keys of Active Directory users over an interface on the application server. This information is sensitive and must not be retrievable by unauthorized persons; therefore, access must be secured by client certificate login.
In order for this to work, certificates must be valid and client certificate login on IIS must be enabled.
The application server checks the thumbprint of the certificate the client used to log in. The information is returned only if this thumbprint matches the stored thumbprint.
If the application server is also used as the backend for web applications, grant access rights to the application pool users for the OAuth signing certificate's private key.
To enable client certificate login on IIS
- Start the Internet Information Services Manager.
- Open the SSL Settings menu for the relevant application server.
- In the Client certificates option, change the value to Accept.
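The following PowerShell script is an added example and not part of the One Identity Manager product or this guide. It shows the same three points in script form: enabling client certificate negotiation for the IIS application (the equivalent of the SSL Settings change above), validating a presented client certificate against a stored thumbprint the way the application server does (valid chain plus thumbprint match), and granting an application pool identity read access to a signing certificate's private key. The site path, pool name and thumbprints are placeholders; the private key helper assumes a legacy CAPI (RSA) key stored under MachineKeys.

```powershell
# Added example, not One Identity's own code. Placeholders: $appPath, pool name, thumbprints.
Import-Module WebAdministration

# 1. Enable client certificates for the application (IIS Manager > SSL Settings > Client certificates = Accept).
#    'SslNegotiateCert' corresponds to Accept; 'Ssl,SslNegotiateCert,SslRequireCert' would be Require.
$appPath = 'Default Web Site/AppServer'   # placeholder: your application server path
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert'

# 2. Validate a client certificate: the chain must be valid AND the thumbprint must match the stored value.
function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Normalise the stored value: a thumbprint copied from the certificate MMC often contains
    # spaces or colons and lower-case hex; the X509Certificate2.Thumbprint property is upper-case hex.
    $expected  = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    $presented = $Certificate.Thumbprint.ToUpperInvariant()
    if ($expected.Length -ne 40) { throw 'Stored thumbprint is not a 40-character SHA-1 hex string.' }

    # Reject certificates that are expired, revoked or do not chain to a trusted root,
    # before looking at the thumbprint at all (the guide requires the certificate to be valid).
    if (-not $Certificate.Verify()) { return $false }

    # Constant-time comparison so the check does not leak how many leading characters matched.
    $diff = $expected.Length -bxor $presented.Length
    $len  = [Math]::Min($expected.Length, $presented.Length)
    for ($i = 0; $i -lt $len; $i++) {
        $diff = $diff -bor ([int][char]$expected[$i] -bxor [int][char]$presented[$i])
    }
    return ($diff -eq 0)
}

# 3. Grant the application pool identity read access to a certificate's private key
#    (needed for the OAuth signing certificate when the server also hosts web applications).
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$AppPoolName
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # Assumption: legacy CAPI key; its container file lives under MachineKeys.
    # CNG keys are stored under $env:ProgramData\Microsoft\Crypto\Keys and need the same ACL on that file.
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
    & icacls $keyPath /grant "IIS AppPool\${AppPoolName}:(R)"
}

# Example usage with constructed placeholder values:
# $client = Get-Item 'Cert:\LocalMachine\My\REPLACE_WITH_CLIENT_CERT_THUMBPRINT'
# Test-ClientCertificate -Certificate $client -ExpectedThumbprint 'ab cd ef ...'   # $true only on chain + thumbprint match
# Grant-PrivateKeyRead -Thumbprint 'REPLACE_WITH_SIGNING_CERT_THUMBPRINT' -AppPoolName 'AppServerPool'
```

Note that `Verify()` uses the machine's trust store and revocation settings, so a certificate issued by an unknown CA fails even when its thumbprint is on the allow list; checking the thumbprint alone would let an expired or revoked certificate through.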
Step 4: Configuring the web application
NOTE: The web application to be used with WebAuthn must use the HTTPS secure communications protocol (see Using HTTPS).
To configure WebAuthn in web applications
- Start the Web Designer program.
- Connect to the relevant database.
- In the menu bar, click View > Start page.
- In the toolbar, click Select web application and select the web application you want to use.
- Click Edit web application settings.
  - In the Edit web application settings dialog, in the Authentication module menu, click OAuth 2.0/OpenID Connect.
  - In the OAuth pane, in the OAuth 2.0/OpenID Connect configuration menu, click the appropriate identity provider.
  - Click OK.
- In the menu bar, click Edit > Configure project > Web project.
- In the Configure project view, configure the following configuration keys:
  - VI_Common_RequiresAccessControl: Set this parameter to enable two-factor authentication.
  - VI_Common_AccessControl_WebAuthn_2FA: Specify whether you want to enable WebAuthn two-factor authentication for the web application.
    You can configure WebAuthn two-factor authentication and security key management separately. If, for example, you want to enable only the management of security keys but not two-factor authentication with security keys in the web application, do not set this configuration key; set only the VI_Common_AccessControl_WebAuthn_2FA_VisibleControls configuration key described below.
  - VI_Common_AccessControl_WebAuthn_2FA_VisibleControls: Specify whether users can manage security keys in the web application.
  - VI_Employee_QERWebAuthnKey_Filter: Specify which identities can manage security keys in the web application. If you do not enter anything here, all web application users can manage security keys (assuming the VI_Common_AccessControl_WebAuthn_2FA_VisibleControls configuration key is set).
  - VI_Common_AccessControl_WebAuthn_2FAID: Enter the unique identifier of the secondary authentication provider for WebAuthn two-factor authentication. You will find this identifier in your RSTS configuration:
    - In your Internet browser, call the URL of the RSTS administration interface: https://<Webanwendung>/RSTS/admin.
    - On the main page, click Authentication Providers.
    - On the Authentication Providers page, click the appropriate entry.
    - On the Edit page, switch to the Two Factor Authentication tab.
    - Take the ID from the Provider ID field.
Configuring the Application Governance Module
The Application Governance Module allows you to quickly and simply run the onboarding process for new applications from one place using one tool. An application created with the Application Governance Module combines all the permissions application users require for their regular work. You can assign entitlements and roles to your application and plan when they become available as service items (for example, in the Web Portal).
Configuring entitlements
To enable identities to view, create, and manage applications in the Web Portal, and also to approve requests for application products, assign the following application roles to the appropriate identities:
- Application Governance | Administrators
- Application Governance | Owners
- Application Governance | Approvers
For more information about application roles and how to assign identities to them, see the One Identity Manager Authorization and Authentication Guide.
NOTE: Managing an application involves the following:
- Editing the application's main data and the assigned entitlements and roles
- Assigning entitlements and roles to the application
- Unassigning entitlements and roles from the application
- Deploying the application and its associated entitlements and roles
- Undeploying the application and its associated entitlements and roles