Configuring primary authentication with single sign-on
You can configure single sign-on authentication for API projects with the Administration Portal. In this case, a separate request to the imx/login method is not required.
Required configuration key:
TO configure primary authentication with single sign-on
-
Log in to the Administration Portal (see Logging in to the Administration Portal).
-
In the navigation, click Configuration.
-
On the Configuration page, in the Show configuration for the following API project menu, select the API project that you want configure with single sign-on authentication.
-
Expand the Single sign-on authentication modules configuration key.
-
Click New.
-
In the menu, select the authentication module you want to use.
TIP: You can specify additional authentication modules. To do this, click New.
-
Click Apply.
-
Perform one of the following actions:
-
If you want to apply the changes locally only, click Apply locally.
-
If you want to apply the changes globally, click Apply globally.
-
Click Apply.
Configuring multi-factor authentication
You can set up multi-factor authentication with OneLogin for attestations and request approvals.
Prerequisite
For more information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide. For more information about setting up initial synchronization with a OneLogin domain, see the One Identity Manager Administration Guide for Integration with OneLogin Cloud Directory.
To configure multi-factor authentication with OneLogin
-
In the administration portal, set the ServerConfig/ITShopConfig/StepUpAuthenticationProvider configuration key to OneLogin MFA.
-
Log in to the Administration Portal (see Logging in to the Administration Portal).
-
In the navigation, click Configuration.
-
On the Configuration page, in the Show configuration for the following API project menu, select the API project for which you want to configure multi-factor authentication.
-
Expand the Request configuration / Step-up authentication provider for terms of use agreement and workflow approval configuration key.
-
In the menu, select OneLogin MFA.
-
Click Apply.
-
Perform one of the following actions:
-
If you want to apply the changes locally only, click Apply locally.
-
If you want to apply the changes globally, click Apply globally.
-
Click Apply.
-
Ensure that the authentication data for logging in to the OneLogin domain is available. You can set up the authentication data when the API Server is installed using with the Web Installer or adjust it later. For more information, see the One Identity Manager Installation Guide.
Configuring authentication tokens
Users receive an authentication token after they have been successfully authenticated on a web application. User do not have to repeat the authentication as long as this token is valid.
Required configuration key:
-
Persistent authentication tokens (AuthTokensEnabled): Specifies whether to use persistent authentication tokens that are stored between sessions.
-
Persistent authentication token lifetime (in minutes) (AuthTokensLifetimeMinutes): Specifies how long persistent authentication tokens are valid.
To configure the use of authentication tokens.
-
Log in to the Administration Portal (see Logging in to the Administration Portal).
-
In the navigation, click Configuration.
-
On the Configuration page, in the Show configuration for the following API project menu, select the API Server API project.
-
Configure the following configuration keys:
-
Persistent authentication tokens: Specify whether to use persistent authentication tokens. To do this, activate or deactivate the corresponding check box.
-
Persistent authentication token lifetime (in minutes): Specify how long persistent authentication tokens are valid. Once the token lifetime has expired, the user must authenticate again.
-
Click Apply.
-
Perform one of the following actions:
-
If you want to apply the changes locally only, click Apply locally.
-
If you want to apply the changes globally, click Apply globally.
-
Click Apply.
Configuring self-registration of new users
In the Password Reset Portal, users who are not yet registered have the option to register themselves and create new user accounts. Users who self-register, receive a verification email with a link to a verification page. On this page, users can complete registration themselves and then set their initial login password.
NOTE: To use this functionality, new users must supply an email address, otherwise the verification email cannot be sent.
NOTE: For more information about self-registration of new users and associated attestation process, see the One Identity Manager Attestation Administration Guide.
NOTE: For more information about how users register themselves or create a new user account, see the One Identity Manager Web Portal User Guide.
To configure self-registration
-
Start the Designer program.
-
Connect to the relevant database.
-
Configure the following configuration parameters:
TIP: To find out how to edit configuration parameters in Designer, see the One Identity Manager Configuration Guide.
-
QER | WebPortal | PasswordResetURL: Specify the Password Reset Portal's web address. This URL is used, for example, in the email notification to new users.
-
QER | Attestation | MailTemplateIdents | NewExternalUserVerification:
By default, the verification message and link is sent with the Attestation - new external user verification link mail template.
To use another template for this notification, change the value in the configuration parameter.
TIP: In the Designer, you can configure the current mail template in the Mail templates > Person category. For more information about mail templates, see the One Identity Manager Operational Guide.
-
QER | Attestation | ApproveNewExternalUsers: Specify whether self-registered users must be attested before they are activated. A manager then decides whether to approve the new user's registration.
-
QER | Attestation | NewExternalUserTimeoutInHours: For new self-registered users, specify the duration of the verification link in hours.
-
QER | Attestation | NewExternalUserFinalTimeoutInHours: Specify the duration in hours, within which self-registration must be successfully completed.
-
Assign at least one identity to the Identity & Access Governance | Attestation | Attestor for external users application role.
-
Ensure that an application token exists. You set the application token when installing the API server with the Web Installer. For more information, see the One Identity Manager Installation Guide.
The application token is saved as a hash value in the database in the QER | Person | PasswordResetAuthenticator | ApplicationToken configuration parameter and stored encrypted in the web.config file of the API Server.
-
Ensure that a user is configured with which the new user accounts can be created. You can set up the user and authentication data when the API Server is installed using with the Web Installer or adjust them later. For more information, see the One Identity Manager Installation Guide.
NOTE: It is recommended to use the IdentityRegistration system user. The IdentityRegistration system user has the specified permissions required for self-registration of new users in the Password Reset Portal. If you require a custom system user, ensure that it has the necessary permissions. For more information about system users and permissions, see the One Identity Manager Authorization and Authentication Guide.
