| Property | Meaning |
|---|---|
|
Enabled |
Specifies whether the authentication module can be used. |
|
Display name |
Display name for displaying the authentication module in the connection dialog of the administration tools. |
|
Authentication module |
Internal name of the authentication module. |
|
Authentication type |
Authentication module type. You can choose from Dynamic and Role based. |
|
Processing status |
The processing status is used for creating custom configuration packages. |
|
Initial data |
Initial data for logging in with this authentication module. Syntax: property1=value1;property2=value2 Example: User=<user name>;Password=<password> |
|
Class |
Authentication module class. |
|
Assembly name |
Name of the assembly file. |
|
Sort order |
Specify the order in which the modules are displayed in the login window. |
|
Single sign-on |
Specifies whether the authentication module may be authenticated without a password. |
|
Select in front-end |
Specifies whether the authentication module can be selected in the login window. |
About this guide
One Identity Manager application roles
Application roles overview
Granting One Identity Manager schema permissions through permissions groups
Application roles for basic functions
Application role for the Operations Support Web Portal
Application role for Compliance & Security Officers
Application role for auditors
Application roles for identity audit
Application roles for company policies
Application roles for attestation
Application roles for subscribable reports
Application roles for management levels
Application roles for business roles
Application roles for organizations
Application role for application roles
Application for employee administrators
Application roles for the IT Shop
Application roles for target systems
Application roles for Universal Cloud Interface
Application role for Privileged Account Governance
Application roles for Application Governance
Application roles for custom tasks
Implementing the application roles
Creating and editing application roles
Main data of application roles
Assigning employees to application roles
Custom extension of application role permissions
Creating and editing dynamic roles for application roles
Specifying mutually exclusive application roles
Assigning subscribable reports to application roles
Assigning extended properties to application roles
Generating assignment resources for application roles
Certification of applications roles
Reports about application roles
Predefined permissions groups and system users
Rules for determining the valid permissions for tables and columns
Editing permissions groups
Managing permissions to program functions
Dependencies between permissions groups
Permissions group dependencies
Copying permissions groups
Creating permissions groups
Permissions group properties
Editing system users
Creating system users
System users’ passwords
System user properties
Adding system users to permission groups
Which employees use the system user?
Dynamic system user
Permissions for tables and columns
Displaying permissions of a permissions group
Displaying permissions for tables
Editing table permissions
Editing column permissions
Copying table permissions and column permissions
Simulating permissions for system users
Displaying permissions for objects
Displaying permissions for the current user
Assigning role-based permissions groups to an applications
Displaying the current user's program functions
Assigning program functions to permissions groups
Permissions for running scripts
Permissions for running methods
Permissions for triggering processes
Modifying permissions for running actions in the Launchpad
One Identity Manager authentication modules
System users
Generic single sign-on (role-based)
Employee
Employee (role-based)
Employee (dynamic)
User account
User account (role-based)
User account (manual input/role-based)
Account based system user
Active Directory user account
Active Directory user account (role-based)
Active Directory user account (manual input)
Active Directory user account (manual input/role-based)
Active Directory user account (dynamic)
LDAP user account (role-based)
LDAP user account (dynamic)
HTTP header
HTTP header (role-based)
OAuth 2.0/OpenID Connect
OAuth 2.0/OpenID Connect (role-based)
Synchronization authentication module
Web agent authentication module
Component authentication module
Crawler
Password reset
Password reset (role-based)
Decentralized identity
Decentralized Identity (role-based)
Editing authentication modules
OAuth 2.0/OpenID Connect authentication
Enabling authentication modules
Assigning authentication modules to applications
Disabling or enabling authentication modules for applications
Authentication module properties
Initial data for authentication modules
Configuration data for system user dynamic authentication
Checking authentication
Expiry of the OAuth 2.0/OpenID Connect authentication
Creating the OAuth 2.0/OpenID Connect configuration
Assigning OAuth 2.0/OpenID Connect configuration to web applications
Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications
Specifying enabled and disabled columns for logging in
Logging information about OAuth 2.0/OpenID Connect authentication
Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API
Multi-factor authentication in One Identity Manager
Granular permissions for the SQL Server and database
Displaying database server logins
Displaying users' access levels
Displaying server roles and database roles permissions
Installing One Identity Redistributable STS
Preventing blind SQL injection
Program functions for starting the One Identity Manager tools
Minimum access levels of One Identity Manager tools
Authentication module properties
Initial data for authentication modules
Authentication data is formatted from the authentication module and its parameters and values. You can specify initial data for the parameters and their values. By default, the initial data is preset for each authentication process.
Syntax for authentication data:
Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…
Example:
Module=DialogUser;User=<user name>;Password=<password>
Setting initial data for authentication modulesTo set initial data for authentication modules
-
In the Designer, select the Base data > Security settings > Authentication modules category.
-
Select the authentication module and enter the data in Initial data.
Syntax:
property1=value1;property2=value2
Example:
User=<user name>;Password=<password>
| Authentication module | Display name | Parameters and meaning |
|---|---|---|
|
DialogUser |
System users |
User: User name Password: The user's password |
|
ADSAccount |
Active Directory user account |
No parameters required |
|
DynamicADSAccount |
Active Directory user account (dynamic) |
Product: Usage. The system user is determined through the use case configuration data. |
|
DynamicManualADS |
Active Directory user account (manual input) |
Product: Usage. The system user is determined through the use case configuration data. User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains. Password: The user's password. |
|
RoleBasedADSAccount |
Active Directory user account (role-based) |
No parameters required |
|
RoleBasedManualADS |
Active Directory user account (manual input/role-based) |
User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains. Password: The user's password |
|
Employee |
Employee |
User: Employee's central user account. Password: The user's password |
|
DynamicPerson |
Employee (dynamic) |
Product: Usage. The system user is determined through the use case configuration data. User: User name. Password: The user's password |
|
RoleBasedPerson |
Employee (role-based) |
User: User name. Password: The user's password. |
|
HTTPHeader |
HTTP header |
Header: The HTTP header to use. KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber |
|
RoleBasedHTTPHeader |
HTTP header (role-based) |
Header: The HTTP header to use. KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber |
|
DynamicLdap |
LDAP user account (dynamic) |
User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP Password: The user's password |
|
RoleBasedLdap
|
LDAP user account (role-based)
|
User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP Password: The user's password |
|
RoleBasedGeneric |
Generic single sign-on (role-based) |
SearchTable: Table in which to search for the user name of the logged in user. This table must contain a FK named UID_Person that points to the Person table. SearchColumn: Column from the SearchTable in which to search for the user name of the logged-in user. DisabledBy: Pipe (|) delimited list of Boolean columns which block a user account from logging in. EnabledBy: Pipe (|) delimited list of Boolean columns which release a user account for logging in. |
|
OAuth |
OAuth 2.0/OpenID Connect |
Dependent on the authentication method of the secure token service. |
|
OAuthRoleBased |
OAuth 2.0/OpenID Connect (role-based) |
Dependent on the authentication method of the secure token service. |
|
DialogUserAccountBased |
Account based system user |
No parameters required |
|
QERAccount |
User account |
No parameters required |
|
RoleBasedQERAccount |
User account (role-based) |
No parameters required |
|
RoleBasedManualQERAccount |
User account (manual input/role-based) |
User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains. Password: The user's password |
|
PasswordReset |
Password reset |
No parameters required |
|
RoleBasedPasswordReset |
Password reset (role-based) |
No parameters required |
|
DecentralizedId
|
Decentralized identity
|
Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail) Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier). |
|
RoleBasedDecentralizedId
|
Decentralized Identity (role-based)
|
Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail) Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier). |
|
Token
|
|
Internal authentication module in the application server for authentication using OAuth 2.0/OpenID Connect access tokens. For more information, see Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API. URL: URL of the application server. ClientId: ID of the application on the identity provider. ClientSecret: Secret value for authentication at the token endpoint. TokenEndpoint: Uniform Resource Identifier (URL) of the token endpoint of the authorization server for returning the access token to the client for logging in. |
Related topics
Configuration data for system user dynamic authentication
In the case of dynamic authentication modules, the system user assigned to the employee is not used for the log in. The system user which is configured using the user interface special configuration data is taken instead.
TIP: For system users used for dynamic authentication modules, enable the Disabled for direct login option. This prevents direct login to One Identity Manager tools with these system users.
To specify configuration data
-
In the Designer, select the Base data > Security settings > Programs category.
-
Select the application and adjust the Configuration data.
Use XML syntax for entering the configuration data:
<DialogUserDetect>
<Usermappings>
<Usermapping
DialogUser = "System user name"
Selection = "Selection criterion"
/>
<Usermapping
DialogUser = "System user name"
/>
...
</Usermappings>
</DialogUserDetect>
Enter the system user (DialogUser) in the Usermappings section. Specify which employee the given system user should use with the selection criterion (Selection). You are not obliged to enter a selection criterion for the assignment. The first system user that has the required assignment is used for the log in.
You can assign function groups to permissions groups on order to deal with complex permissions and user interface structures. The function groups allow you to map the functions an employee has in the company, for example, IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups and several function groups can refer to one permissions group.
If the FunctionGroupMapping section is in the configuration data, this is evaluated first and the system user that is found is used. The authentication module uses the system user that is the exact member of the permissions group found for the login. If none is found, the Usermapping section is evaluated.
<DialogUserDetect>
<FunctionGroupMapping
PersonToFunction = "View mapping employee to function group"
FunctionToGroup = "View mapping function group to permissions group"
/>
<Usermappings>
<Usermapping
DialogUser = "System user name"
Selection = "Selection criterion"
/>
...
</Usermappings>
</DialogUserDetect>
Related topics
Example of a simple system user assignment
All employees should be able to see the user interface for an IT Shop in a web front-end, without taking table and column permissions into account.
To do this, set up a new application, for example WebShop_Customer_Prd, and adapt the configuration data as follows:
<DialogUserDetect>
<Usermappings>
<Usermapping
DialogUser = "dlg_all"
/>
</Usermappings>
</DialogUserDetect>
Create a new WebShop_Customer_Grp permissions group, which receives the user interface for the application comprising the menu items, interface forms and task definitions. The user interface could consist of the following menu items:
-
Employee contact data
-
Requesting a product
-
Unsubscribing a product
Define a new dlg_all system user and include it in the vi_DE-CentralPwd, the vi_DE-ITShopOrder, and the WebShop_Customer_Grp permissions groups.