지금 지원 담당자와 채팅

라이브 도움말 보기
등록 완료

로그인

가격 산정 요청

영업 담당자에게 문의

Identity Manager 9.2 - Authorization and Authentication Guide

콘텐츠 탐색

About this guide One Identity Manager application roles

Application roles overview

Application roles for basic functions Application role for the Operations Support Web Portal Application role for Compliance & Security Officers Application role for auditors Application roles for identity audit Application roles for company policies Application roles for attestation Application roles for subscribable reports Application roles for management levels Application roles for business roles Application roles for organizations Application role for application roles Application roles for identity administrators Application roles for the IT Shop Application roles for target systems Application roles for Universal Cloud Interface Application role for Privileged Account Governance Application roles for Application Governance Application roles for custom tasks

Implementing the application roles Creating and editing application roles

Main data of application roles Assigning identities to application roles Custom extension of application role permissions Creating and editing dynamic roles for application roles Specifying mutually exclusive application roles Assigning subscribable reports to application roles Assigning extended properties to application roles Generating assignment resources for application roles Certification of applications roles Reports about application roles

Granting One Identity Manager schema permissions through permissions groups

Predefined permissions groups and system users Rules for determining the valid permissions for tables and columns Editing permissions groups

Dependencies between permissions groups Permissions group dependencies Copying permissions groups Creating permissions groups Permissions group properties

Editing system users

Creating system users System users’ passwords System user properties Adding system users to permission groups Which identities use the system user? Dynamic system user

Permissions for tables and columns

Displaying permissions of a permissions group Displaying permissions for tables Editing table permissions Editing column permissions Copying table permissions and column permissions Simulating permissions for system users

Displaying permissions for objects Displaying permissions for the current user Assigning role-based permissions groups to an applications

Managing permissions to program functions

Displaying the current user's program functions Assigning program functions to permissions groups Permissions for running scripts Permissions for running methods Permissions for triggering processes Modifying permissions for running actions in the Launchpad

One Identity Manager authentication modules

System users Generic single sign-on (role-based) Identity Identity (role-based) Identity (dynamic) User account User account (role-based) User account (manual input/role-based) Account based system user Active Directory user account Active Directory user account (role-based) Active Directory user account (manual input) Active Directory user account (manual input/role-based) Active Directory user account (dynamic) LDAP user account (role-based) LDAP user account (dynamic) HTTP header HTTP header (role-based) OAuth 2.0/OpenID Connect OAuth 2.0/OpenID Connect (role-based) Synchronization authentication module Web agent authentication module Component authentication module Crawler Password reset Password reset (role-based) Decentralized identity Decentralized Identity (role-based) Editing authentication modules

Enabling authentication modules Assigning authentication modules to applications Disabling or enabling authentication modules for applications Authentication module properties Initial data for authentication modules Configuration data for system user dynamic authentication

Example of a simple system user assignment Example of a system user assignment using a selection criterion Example of a function group assignment

Checking authentication

OAuth 2.0/OpenID Connect authentication

Expiry of the OAuth 2.0/OpenID Connect authentication Creating the OAuth 2.0/OpenID Connect configuration Assigning OAuth 2.0/OpenID Connect configuration to web applications Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications Specifying enabled and disabled columns for logging in Logging information about OAuth 2.0/OpenID Connect authentication Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API

Setting up OAuth 2.0/OpenID Connect authentication the on application server Authentication module for using OAuth 2.0/OpenID Connect for authentication access to the REST API Authenticating external applications on the application server using OAuth 2.0/OpenID Connect

OAuth 2.0/OpenID Connect authentication on the API Server

Setting up OAuth 2.0/OpenID Connect authentication on the API Server Authenticating external applications on the API Server using OAuth 2.0/OpenID Connect

Multi-factor authentication in One Identity Manager

Multi-factor authentication with OneLogin Multi-factor authentication with One Identity Defender

Configuring RSTS for multi-factor authentication Configuring authentication with OAuth 2.0/OpenID Connect in the Web Portal Configuring authentication with OAuth 2.0/OpenID Connect

Granular permissions for the SQL Server and database

Displaying database users Displaying users' access levels Displaying database role and server role permissions

Installing One Identity Redistributable Secure Token Server

Installing One Identity Redistributable Secure Token Server Installing and uninstalling the One Identity Redistributable Secure Token Server

Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Authentication module for using OAuth 2.0/OpenID Connect for authentication access to the REST API

An authentication module is provided within the application server to authenticate using access tokens. The application server client uses the information from the authentication module to determine the access token for logging in on the server side.

For example, the authentication module can be used for Job servers that do not have a direct connection to the database but work against an application server.

To use the authentication module, ensure that authentication for accessing the REST API is set up using OAuth 2.0/OpenID Connect.

NOTE: If authentication is by access token, other authentication modules are excluded from use and the application server returns an error.

Authentication data for establishing a connection through the application server's REST API.

Module=Token;Url=<URL of the application server>;ClientId=<client-ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>.

With the following parameters:

URL: URL of the application server
ClientId: Client ID for authentication at the token endpoint.
ClientSecret: Secret value for authentication at the token endpoint.
TokenEndpoint: URL of the token endpoint.

For more information about providing connection and authentication data to the application server for Job servers, see the One Identity Manager Configuration Guide.

Related topics

Setting up OAuth 2.0/OpenID Connect authentication the on application server

Authenticating external applications on the application server using OAuth 2.0/OpenID Connect

To access the REST API in the application server through external applications, authentication is supported by the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules. Ensure that authentication for the REST API is set up through OAuth 2.0/OpenID Connect.

To authenticate an external application using Oauth 2.0/Openid Connect in One Identity Manager

Log in to the external identity provider, for example with Redistributable STS (RSTS), and get the access token.
Ensure that the token is passed as the bearer token in the authentication header of all queries.

NOTE: The session must be handled by a bearer token when logging in using a session cookie. Clients accessing the REST API using the bearer token must therefore keep the cookie assigned during the first access and send it with subsequent accesses. Otherwise, a new session is established for each access, which costs a lot of resources.

Related topics

OAuth 2.0/OpenID Connect authentication on the API Server

To use OAuth 2.0/OpenID Connect authentication for accessing the API Server's REST API, there is support for the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules.

Authentication is done using the access token provided. The first time a request is made with a new access token, a session is established with that token and the authentication module. Further accesses with the same token use the same session. The validity period of the token is checked in the process.

Related topics

Setting up OAuth 2.0/OpenID Connect authentication on the API Server

To set up authentication using OAuth 2.0/OpenID Connect

In the Designer, set the QBM | AppServer | AccessTokenAuth configuration parameter.
In the Designer, set the respective authentication module either OAuth 2.0/OpenID Connect or OAuth 2.0/OpenID Connect (role-based).
If the OAuth 2.0/OpenID Connect (role-based) authentication module is used, set the QBM | AppServer | AccessTokenAuth | RoleBased confguration parameter as well.
In the Designer, create the OAuth 2.0/OpenID Connect configuration and assign the configuration to the web application for the API Server.
The URL for the API Server must be declared.

When the API Server is installed, an entry for the web application is created with the URL in the QBMWebApplication table. Check whether the URL (BaseURL column) is entered.

Closed

Display settings for web applications

Related topics

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택

© ALL RIGHTS RESERVED. Feedback 이용 약관 개인정보 보호정책 Cookie Preference Center