
Identity Manager 8.2 - Authorization and Authentication Guide


Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications

To display the configuration of an identity provider

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In List Editor, select the identity provider. The configuration data is displayed on the following tabs in the edit view.

    • General: Displays the general configuration data of the identity provider.

    • Certificate: Shows the information about the identity provider certificate.

    • Applications: Displays the configuration of the OAuth 2.0/OpenID Connect applications.

    • Columns for enabling: Displays the table and the columns that identify a user account as activated.

    • Columns for disabling: Displays the table and the columns that identify a user account as deactivated.

To display the configuration of an OAuth 2.0/OpenID Connect application

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In List Editor, select the identity provider.

  3. In the edit view, select the Applications tab.

  4. To display the configuration of an application, select the OAuth 2.0/OpenID Connect application in the Application view.

NOTE:

Click on Add to add a new OAuth 2.0/OpenID Connect application to the configuration of the identity provider.

Click on Remove to remove an OAuth 2.0/OpenID Connect application that is no longer required from the configuration of the identity provider.

Specifying enabled and disabled columns for logging in

When the user account for an OAuth 2.0/OpenID Connect login is determined, the system also checks whether that user account is enabled or disabled. You define which columns mark a user account as enabled and which mark it as disabled.

Note:

  • Only the columns of the table that you selected as the Column to search in the OAuth 2.0/OpenID Connect configuration of the identity provider are displayed.

  • A column can either be used as an enabled or a disabled column.

  • You can specify just enabled columns or just disabled columns, or a combination of enabled and disabled columns.

Example:

A search column references the ADSAccount table.

Case a) Only enabled Active Directory user accounts are allowed to login.

  • Select ADSAccount.AccountDisabled as the disabled column.

    If the ADSAccount.AccountDisabled column of the user account is set, login is not permitted.

Case b) Only privileged Active Directory user accounts are allowed to login.

  • Select ADSAccount.IsPrivilegedAccount as the enabled column.

    If the ADSAccount.IsPrivilegedAccount column of the user account is set, login is permitted.

Case c) Only enabled, privileged Active Directory user accounts are allowed to login.

  • Select ADSAccount.IsPrivilegedAccount as the enabled column and ADSAccount.AccountDisabled as the disabled column.

    If the ADSAccount.IsPrivilegedAccount column of the user account is set and the ADSAccount.AccountDisabled column of the user account is not set, login is permitted.
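The three cases above can be checked against sample rows before the configuration is saved. The following is an added example, not code from One Identity Manager, and it assumes the rule generalizes as follows: login is permitted only if every enabled column is set and no disabled column is set, and a NULL bit value counts as "not set". It also enforces the note that a column cannot be both an enabled and a disabled column, and it builds the equivalent T-SQL predicate so the effect of a configuration can be inspected directly against the search table (the product's own lookup is not exposed; the predicate is an illustration). The account rows are constructed for the example.

```python
"""Added example (not One Identity code): evaluates the 'Columns for enabling' /
'Columns for disabling' rule against a user-account row and builds the
equivalent T-SQL predicate.

Assumption (generalizing cases a-c above, which each use at most one column of
each kind): login is permitted only if EVERY enabled column is set AND NO
disabled column is set. A NULL (None) bit value counts as 'not set'.
"""
import re

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _is_set(value):
    """A bit column is 'set' when it holds a true value; NULL is not set."""
    return value is not None and bool(value)


def validate_columns(enabled_cols, disabled_cols):
    """Enforce the Designer's constraints: plain column names, and no column
    used as both an enabled and a disabled column."""
    for col in list(enabled_cols) + list(disabled_cols):
        if not _IDENT.match(col):
            raise ValueError(f"invalid column name: {col!r}")
    both = set(enabled_cols) & set(disabled_cols)
    if both:
        raise ValueError(f"column(s) used as both enabled and disabled: {sorted(both)}")


def login_permitted(account, enabled_cols=(), disabled_cols=()):
    """Return True if the account row passes the enabled/disabled column check.

    account: dict of column name -> value for one row of the search table
             (e.g. ADSAccount). Missing columns are treated as NULL.
    """
    validate_columns(enabled_cols, disabled_cols)
    if not all(_is_set(account.get(c)) for c in enabled_cols):
        return False
    if any(_is_set(account.get(c)) for c in disabled_cols):
        return False
    return True


def sql_predicate(table, enabled_cols=(), disabled_cols=()):
    """Build a WHERE clause expressing the same rule in T-SQL (illustration only).
    Names come from configuration, not user input, but are still validated."""
    validate_columns(enabled_cols, disabled_cols)
    if not _IDENT.match(table):
        raise ValueError(f"invalid table name: {table!r}")
    terms = [f"ISNULL([{table}].[{c}], 0) = 1" for c in enabled_cols]
    terms += [f"ISNULL([{table}].[{c}], 0) = 0" for c in disabled_cols]
    return " AND ".join(terms) if terms else "1 = 1"


# Constructed sample rows (not real data), one per interesting combination.
ACCOUNTS = {
    "alice": {"AccountDisabled": False, "IsPrivilegedAccount": True},
    "bob":   {"AccountDisabled": True,  "IsPrivilegedAccount": True},
    "carol": {"AccountDisabled": False, "IsPrivilegedAccount": False},
    "dave":  {"AccountDisabled": None,  "IsPrivilegedAccount": None},  # NULLs
}


def evaluate_cases():
    """Apply cases a, b and c from the guide to every constructed account."""
    cases = {
        "a": dict(disabled_cols=("AccountDisabled",)),
        "b": dict(enabled_cols=("IsPrivilegedAccount",)),
        "c": dict(enabled_cols=("IsPrivilegedAccount",),
                  disabled_cols=("AccountDisabled",)),
    }
    return {case: {name: login_permitted(row, **cfg) for name, row in ACCOUNTS.items()}
            for case, cfg in cases.items()}


if __name__ == "__main__":
    for case, results in evaluate_cases().items():
        print(f"case {case}: {results}")
    print(sql_predicate("ADSAccount", ("IsPrivilegedAccount",), ("AccountDisabled",)))
```

Note the row "dave", whose bit columns are NULL: under case a it is permitted (nothing marks it disabled), under cases b and c it is rejected (the enabled column is not set). Confirm on your own schema how NULL values are stored in the columns you assign, since that decides which of these two outcomes applies to incompletely synchronized accounts.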

To define which columns can enable a user account for login

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In the List Editor, select the configuration.

  3. In the edit view, select the Columns for enabling tab.

  4. In the Add assignment view, assign the columns that enable the user account for logon.

  5. Select the Database > Save to database and click Save.

To define which columns can disable a user account for login

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In the List Editor, select the configuration.

  3. Select the Columns for disabling tab in the edit view.

  4. In the Add assignment view, assign the columns that disable the user account for logon.

  5. Select the Database > Save to database and click Save.

Logging information about OAuth 2.0/OpenID Connect authentication

To support troubleshooting of OAuth 2.0/OpenID Connect authentication, you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component. Because this data includes tokens and other personal information, enable the parameter only for the duration of the troubleshooting, restrict access to the log file, and disable the parameter again afterwards.

To log authentication data

  • In the Designer, set the QBM | DebugMode | OAuth2 | LogPersonalInfoOnException configuration parameter.

Multi-factor authentication in One Identity Manager

Table 40: Multi-factor authentication configuration parameters

  QER | Person | Defender
    Specifies whether the classic Starling Two-Factor Authentication integration is supported.

  QER | Person | Defender | ApiEndpoint
    URL of the Starling 2FA API endpoint used to register new users.

  QER | Person | Defender | ApiKey
    Your company's subscription key for accessing the Starling Two-Factor Authentication interface.

  QER | Person | Starling
    Specifies whether One Identity Starling Cloud is supported.

    Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to the One Identity Starling Cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices that expand the capabilities of your One Identity on-prem solutions. New products and features are made available to the Starling Cloud platform continuously. For a free trial of the One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.

  QER | Person | Starling | ApiEndpoint
    Token endpoint for logging in on the One Identity Starling platform. The value is determined by the Starling configuration wizard.

  QER | Person | Starling | ApiKey
    Credential string for logging in on the One Identity Starling platform. The value is determined by the Starling configuration wizard.

You can set up multi-factor authentication for specific security-critical actions in One Identity Manager, for example for attestation or for approving requests in the Web Portal.

One Identity Manager uses One Identity Starling Two-Factor Authentication for multi-factor authentication. This service is normally provided over the One Identity Starling Cloud platform. If your company does not use Starling Cloud, select the conventional Starling Two-Factor Authentication integration instead. Use the configuration parameters to specify which of the two solutions is applied in your company.

To be able to use multi-factor authentication

  1. Register your company in Starling Two-Factor Authentication.

    For more information, see the Starling Two-Factor Authentication documentation.

  2. Specify which authentication solution is used.

    • To use Starling Cloud

      1. Start the Launchpad.

      2. Select Connection to Starling Cloud and click Run.

        This starts the Starling Cloud configuration wizard.

      3. Follow the Starling Cloud configuration wizard's instructions.

      The configuration parameters under QER | Person | Starling are enabled and the authentication information is entered.

    • To use conventional Starling Two-Factor Authentication integration

      1. In the Designer, enable the QER | Person | Defender configuration parameter.

      2. Enable the QER | Person | Defender | ApiKey configuration parameter and enter your company's subscription key for accessing the Starling Two-Factor Authentication interface as its value.

        The default URL of the Starling 2FA API endpoint is already entered in the QER | Person | Defender | ApiEndpoint configuration parameter.

  3. Enable assigning by event for the PersonHasQERResource table. For more information, see Editing table properties.

  4. (Optional) Specify whether the security code must be requested from the Starling 2FA app. For more information, see Requesting a security code.

  5. In the Manager, enable the New Starling 2FA token service item. For more information, see Preparing the Starling 2FA token request.

If the user's telephone number has changed, cancel the current Starling 2FA token and request a new one. If the Starling 2FA token is no longer required, cancel it as well.

For detailed information, see the following guides:

  Theme: Preparing the IT Shop for multi-factor authentication
  Guide: One Identity Manager IT Shop Administration Guide

  Theme: Setting up multi-factor authentication for attestation
  Guide: One Identity Manager Attestation Administration Guide

  Theme: Setting up Starling Two-Factor Authentication in the web project
  Guide: One Identity Manager Web Application Configuration Guide

  Themes: Requesting the Starling 2FA Token; Requesting products requiring multi-factor authentication; Approving requests with multi-factor authentication; Attestation with multi-factor authentication
  Guide: One Identity Manager Web Designer Web Portal User Guide
