When a user logs in, a validity check is run. Use the settings to configure additional options.

- The system runs additional validity checks to prevent users from working with established connections if they were deactivated after they logged in. The check takes place with the next permissions-based action on the connection, at a fixed interval of 20 minutes.
  You can adjust the interval in the Common | Authentication | CheckInterval configuration parameter. In the Designer, edit the configuration parameter.
- The number of sessions that a user can open within a short time is limited to 10 sessions a minute. If this number is exceeded, the user is sent an error message:
  You have logged in too often in the last minute. Please wait a moment before you log in again.
  This check is done for each front-end if the login is local. If the login is on the application server, it is checked for each application server.
  You can modify the number of sessions in the Common | Authentication | SessionsPerUserAndMinute configuration parameter. In the Designer, edit the configuration parameter.
- Use the QBM | AppServer | SessionTimeout configuration parameter to specify the timeout in hours after which inactive application server sessions are closed. The default value is 24 hours. In the Designer, edit the configuration parameter.
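The sessions-per-minute check above is a per-user sliding-window limit that is counted separately for each front-end (local login) or application server. The following added example is not One Identity Manager code; it models that check so the behaviour at the boundary can be seen. The default of 10 and the error message come from the page; the scope key, the injectable timestamp and the in-memory store are assumptions made so the example runs offline.

```python
"""Per-user login limiter modelled on the SessionsPerUserAndMinute check.

Added example, not product code. The limit (10 per minute) and the error text
are from the documentation; the (scope, user) key, the `now` parameter and the
in-memory deque store are constructed so the example runs offline.
"""
from collections import defaultdict, deque
import time

SESSIONS_PER_USER_AND_MINUTE = 10   # documented default
WINDOW_SECONDS = 60
TOO_OFTEN = ("You have logged in too often in the last minute. "
             "Please wait a moment before you log in again.")


class SessionLimiter:
    def __init__(self, limit=SESSIONS_PER_USER_AND_MINUTE, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        # (scope, user) -> timestamps of sessions opened inside the window.
        # `scope` is the front-end for local logins or the application server
        # otherwise, so the counters stay independent, as the page describes.
        self._opened = defaultdict(deque)

    def _prune(self, key, now):
        """Drop timestamps that have left the sliding window."""
        opened = self._opened[key]
        while opened and now - opened[0] >= self.window:
            opened.popleft()
        return opened

    def try_open(self, scope, user, now=None):
        """Return (allowed, message). An allowed session is counted immediately."""
        now = time.monotonic() if now is None else now
        opened = self._prune((scope, user), now)
        if len(opened) >= self.limit:
            return False, TOO_OFTEN
        opened.append(now)
        return True, ""


def demo():
    """Drive the limiter with injected timestamps so the outcome is deterministic."""
    limiter = SessionLimiter()
    first_ten = all(limiter.try_open("frontend-1", "alice", now=float(i))[0] for i in range(10))
    eleventh = limiter.try_open("frontend-1", "alice", now=10.0)       # over the limit
    other_frontend = limiter.try_open("frontend-2", "alice", now=10.0)  # separate counter
    after_window = limiter.try_open("frontend-1", "alice", now=60.0)    # oldest entry expired
    return {"first_ten_allowed": first_ten, "eleventh": eleventh,
            "other_frontend": other_frontend, "after_window": after_window}


if __name__ == "__main__":
    print(demo())
```

Because the window slides rather than resetting on the minute, a user who hits the limit gets a session back as soon as the oldest of the ten counted logins is a full minute old, which matches the wording of the error message.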
The OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules support the authorization code flow for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.
To use the OAuth2.0/OpenID Connect authentication:

- In the Designer, create the identity provider and the OAuth2.0/OpenID Connect applications for the identity provider. A wizard is available in the Designer to assist in this process.
- Assign the OAuth2.0/OpenID Connect application to the web applications.
At the authorization endpoint, the web application (or native application) requests the authorization code. The login endpoint is used to call an advanced login window, which serves to determine the authorization code. The authentication module then requests an access token from the token endpoint; the certificate is required to verify the security token.
In the process, an attempt is first made to find the certificate in the web application configuration. If this is not possible, the settings of the identity provider are used. To find the certificate for verifying the token, the certificate stores are queried in the following order:
- Configuration of the OAuth 2.0/OpenID Connect application (QBMIdentityClient table)
  - Certificate text (QBMIdentityClient.CertificateText).
  - Subject or thumbprint from the local certificate store (QBMIdentityClient.CertificateSubject and QBMIdentityClient.CertificateThumbPrint).
  - Certificate endpoint (QBMIdentityClient.CertificateEndpoint).
    In addition, the subject or thumbprint, if specified, is used to check a certificate obtained from the server when the certificate does not exist locally on the server.
- Configuration of the identity provider (QBMIdentityProvider table)
  - Certificate text (QBMIdentityProvider.CertificateText).
  - Subject or thumbprint from the local certificate store (QBMIdentityProvider.CertificateSubject and QBMIdentityProvider.CertificateThumbPrint).
  - Certificate endpoint (QBMIdentityProvider.CertificateEndpoint).
    In addition, the subject or thumbprint, if specified, is used to check a certificate obtained from the server when the certificate does not exist locally on the server.
  - JSON Web Key endpoint (QBMIdentityProvider.JsonWebKeyEndpoint).
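The lookup order above matters for security because the first source that yields a certificate decides which key the security token is verified against. The following added example, which is not One Identity Manager code, walks the two records in the documented order and applies the thumbprint check to a certificate downloaded from the certificate endpoint. The column names are from the page; the dict-shaped records, the local store, the offline fetch callback, the JWKS URL and the certificate bytes are constructed assumptions (opaque byte strings stand in for DER-encoded certificates, so no X.509 parsing is done and only the thumbprint, not the subject, is checked for a downloaded certificate).

```python
"""Signing-certificate lookup in the documented order for the QBMIdentityClient
and QBMIdentityProvider records.

Added example, not product code. Column names are from the documentation; the
records, store, fetch callback and certificate bytes are constructed.
"""
import hashlib
import re


def normalize_thumbprint(value):
    """Thumbprints are compared case-insensitively, ignoring separators and the
    invisible characters that copy/paste from certificate dialogs tends to add."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def thumbprint(der_bytes):
    # An X.509 thumbprint is the SHA-1 over the DER encoding of the certificate.
    return hashlib.sha1(der_bytes).hexdigest()


def find_in_local_store(store, subject, thumb):
    """store: list of {'subject': str, 'der': bytes}. A configured thumbprint is
    authoritative; the subject is only used when no thumbprint is configured."""
    wanted = normalize_thumbprint(thumb) if thumb else None
    for cert in store:
        if wanted and thumbprint(cert["der"]) == wanted:
            return cert["der"]
        if subject and not wanted and cert["subject"] == subject:
            return cert["der"]
    return None


def resolve_from_record(record, store, fetch):
    """One record in the documented order: CertificateText, then subject or
    thumbprint in the local store, then CertificateEndpoint.
    Returns (source, material) or None."""
    if record.get("CertificateText"):
        return "CertificateText", record["CertificateText"].encode()
    subject, thumb = record.get("CertificateSubject"), record.get("CertificateThumbPrint")
    der = find_in_local_store(store, subject, thumb)
    if der is not None:
        return "LocalStore", der
    endpoint = record.get("CertificateEndpoint")
    if endpoint:
        der = fetch(endpoint)
        # A certificate obtained from the server is checked against the configured
        # thumbprint; a subject check would require parsing the certificate.
        if der is not None and thumb and thumbprint(der) != normalize_thumbprint(thumb):
            raise ValueError("certificate from %s does not match the configured thumbprint" % endpoint)
        if der is not None:
            return "CertificateEndpoint", der
    return None


def resolve_signing_material(client, provider, store, fetch):
    """Client record first, then the identity provider record, and last the
    provider's JSON Web Key endpoint."""
    hit = resolve_from_record(client, store, fetch) or resolve_from_record(provider, store, fetch)
    if hit is None and provider.get("JsonWebKeyEndpoint"):
        jwks = fetch(provider["JsonWebKeyEndpoint"])
        if jwks is not None:
            hit = "JsonWebKeyEndpoint", jwks
    return hit


# Constructed sample data; no real certificates are involved.
IDP_CERT = b"constructed stand-in for the DER bytes of the IdP signing certificate"
ROGUE_CERT = b"constructed stand-in for some other certificate"
LOCAL_STORE = [{"subject": "CN=rsts-signing", "der": IDP_CERT}]
CERT_URL = "https://localhost/RSTS/SigningCertificate"   # example URL from the page
JWKS_URL = "https://localhost/rsts/jwks"                  # constructed
REMOTE = {CERT_URL: IDP_CERT, JWKS_URL: b'{"keys": []}'}


def offline_fetch(url, remote=REMOTE):
    """Stands in for the HTTP download; returns None for unknown URLs."""
    return remote.get(url)


def demo():
    # Thumbprint as a user might paste it: upper-case, space-separated pairs.
    spaced = " ".join(thumbprint(IDP_CERT)[i:i + 2] for i in range(0, 40, 2)).upper()
    provider = {"CertificateEndpoint": CERT_URL, "CertificateThumbPrint": spaced,
                "JsonWebKeyEndpoint": JWKS_URL}
    results = {
        "client_store": resolve_signing_material({"CertificateThumbPrint": spaced}, provider, LOCAL_STORE, offline_fetch)[0],
        "provider_endpoint": resolve_signing_material({}, provider, [], offline_fetch)[0],
        "jwks_fallback": resolve_signing_material({}, {"JsonWebKeyEndpoint": JWKS_URL}, [], offline_fetch)[0],
    }
    try:
        resolve_signing_material({}, provider, [], lambda url: {CERT_URL: ROGUE_CERT}.get(url))
        results["mismatch_rejected"] = False
    except ValueError:
        results["mismatch_rejected"] = True
    return results
```

The `mismatch_rejected` case is the one worth keeping in mind operationally: when a thumbprint is configured alongside the certificate endpoint, a certificate served by the endpoint that does not match is refused rather than silently trusted, so a rotated signing certificate must be accompanied by an updated thumbprint in the configuration.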
To identify the user account, the system determines which claim type is used to find the user information and which information from the One Identity Manager schema is used to find the user account.
Authentication through OpenID is built on OAuth 2.0. The OpenID Connect authentication uses the same mechanisms, but makes the claims available either in an ID token or with a UserInfo endpoint. Other configuration settings are required for using OpenID Connect. If the Scope contains the openid value, the authentication module uses OpenID Connect for authentication.
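Once the token has been verified, the user account is identified by the search rule described above: a configured claim type names the login information, and a configured table column in the One Identity Manager schema is searched for that value. The following added example is not One Identity Manager code; it applies that rule to the claims of an ID token. The claim type URIs, the ADSAccount.ObjectGUID column, the UID_Person foreign key and the XUserInserted/XUserUpdated columns are taken from the wizard documentation further down; the in-memory tables, the constructed ID token and the lookup function are assumptions made so the example runs offline. Signature verification is assumed to have already happened with the signing certificate.

```python
"""Search rule for user information: claim type -> Table.Column -> UID_Person.

Added example, not product code. Claim type URIs and the ADSAccount.ObjectGUID
example are from the documentation; tables and token content are constructed.
"""
import base64
import json

SEARCH_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
USERNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
SEARCH_COLUMN = "ADSAccount.ObjectGUID"   # "Table.Column" as on the page

# Constructed stand-in for the database table; ADSAccount carries the
# UID_Person foreign key to Person that the search rule requires.
TABLES = {
    "ADSAccount": [
        {"ObjectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "UID_Person": "PERSON-0001"},
        {"ObjectGUID": "6ba7b810-9dad-11d1-80b4-00c04fd430c8", "UID_Person": "PERSON-0002"},
    ],
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_constructed_id_token(claims):
    """Compact JWS shape with a placeholder signature segment; offline use only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def id_token_claims(id_token):
    """Payload claims of the ID token. The signature is assumed to have been
    verified against the signing certificate before the claims are trusted."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_user(claims, search_claim=SEARCH_CLAIM, search_column=SEARCH_COLUMN,
                 username_claim=USERNAME_CLAIM, tables=TABLES):
    """Apply the search rule and fail closed on a missing claim or a
    non-unique match instead of guessing an account."""
    value = claims.get(search_claim)
    if not value:
        raise PermissionError(f"token carries no {search_claim} claim")
    table_name, column = search_column.split(".", 1)
    rows = tables[table_name]
    if rows and "UID_Person" not in rows[0]:
        raise ValueError(f"{table_name} has no UID_Person foreign key")
    matches = [row for row in rows if row.get(column) == value]
    if len(matches) != 1:
        raise PermissionError(f"{len(matches)} accounts match {search_column}={value!r}")
    return {
        "UID_Person": matches[0]["UID_Person"],
        # Recorded in XUserInserted / XUserUpdated for changes made in this session.
        "XUser": claims.get(username_claim, ""),
    }


def demo():
    token = build_constructed_id_token({
        "iss": "urn:STS/identity",   # example issuer from the page
        SEARCH_CLAIM: "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
        USERNAME_CLAIM: "alice@example.com",
    })
    result = resolve_user(id_token_claims(token))
    try:
        resolve_user({SEARCH_CLAIM: "00000000-0000-0000-0000-000000000000"})
        unknown_rejected = False
    except PermissionError:
        unknown_rejected = True
    return result, unknown_rejected
```

Requiring exactly one match is the important design choice: a search column that is not unique (or a claim the identity provider lets users influence) would otherwise let one token resolve to a different person's account, which is why the documentation ties the column to a table with a UID_Person foreign key.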
To create an OAuth 2.0/OpenID Connect configuration

- In the Designer, select the Base data | Security settings | OAuth 2.0/OpenID Connect configuration category.
- Select the Create a new identity provider task.
- On the start page of the wizard, click Next.
- On the New identity provider page, enter the display name for the configuration and a description.
- Click Next.
- On the Automatic configuration discovery page, you define how you want to enter the information about the identity provider.
  - If the configuration data can be determined automatically by OpenID Connect Discovery:
    - Select Automatic configuration data discovery.
    - Enter the address (URL) for automatic determination of the configuration data in the input field, or select an example address through the selection menu.
    - Click Run.
      The configuration data is determined and a dialog window is displayed. To accept the configuration data, click OK.
  - If you do not want to determine the configuration data automatically, select Manual data input. Enter the configuration data on the next page of the wizard.
- Click Next.
- On the Configuration data page, enter the general information for the database user.
  NOTE: If you selected automatic determination of configuration data, some of the information is already completed.
Table 36: General configuration data for the identity provider

| Property | Description |
| --- | --- |
| Login endpoint | Uniform Resource Locator (URL) of the Secure Token Service login page. Example: http://localhost/rsts/login |
| Logout endpoint | URL of the log-out endpoint. Example: http://localhost/rsts/login?wa=wsignout1.0 |
| Token endpoint | Uniform Resource Locator (URL) of the token endpoint of the authorization server, which returns the access token to the client for logging in. Example: https://localhost/rsts/oauth2/token |
| UserInfo endpoint | URL of the OpenID Connect UserInfo endpoint. |
| Self-signed certificates allowed | Specifies whether self-signed certificates are allowed for connecting to the token endpoint and UserInfo endpoint. |
| Issuer | Uniform Resource Identifier (URI) of the certificate issuer for verifying the security token. Example: urn:STS/identity |
| Scope | Protocol for authentication. If the value is openid, OpenID Connect is used for authentication, otherwise OAuth 2.0 is used. |
| Shared Secret | Shared Secret value used for authentication at the token endpoint. If all applications of the identity provider use the same Shared Secret, enter the value here. If the applications use different Shared Secrets, enter the Shared Secret values when creating the applications. |
- Click Next.
- On the Configure certificates page, enter the information for the identity provider's certificate. If all applications use the same certificate, enter the information here. If the applications use different certificate settings, enter the information when creating the application.
  NOTE: If you selected automatic determination of configuration data, some of the information is already completed.
Table 37: Information about the identity provider certificate

| Property | Description |
| --- | --- |
| Certificate endpoint | Uniform Resource Locator (URL) of the certificate endpoint on the authorization server. Example: https://localhost/RSTS/SigningCertificate |
| Subject of the certificate | Subject of the certificate used for verification. The subject or thumbprint must be set. |
| Thumbprint | Thumbprint of the certificate used to verify the security token. |
| JSON Web Key endpoint | URL of the JSON Web Key endpoint providing the token signing keys. |
| Certificate | Character string of the certificate content. It is used if no certificate is configured. |
- Click Next.
- On the Search rule for user information page, you define how the login information is determined between the identity provider and the One Identity Manager database.
Table 38: Determining the login information

| Property | Description |
| --- | --- |
| Value for the search | Full name of the claim type from which the login information is determined on the identity provider. If you have determined the configuration data automatically, select a value from the list. Example (name of an entity): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
| Column to search | Table and column in the One Identity Manager database in which the user information is stored. The table must contain a foreign key with the name UID_Person, which points to the Person table. Example: ADSAccount.ObjectGUID |
| User name value | Full name of the claim type from which the user name is determined on the identity provider. The user name is used, for example, to identify data changes in One Identity Manager (XUserInserted and XUserUpdated columns). If you have determined the configuration data automatically, select a value from the list. Example (User Principal Name, UPN): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
- Click Next.
- On the Create OAuth 2.0/OpenID Connect applications page, enter the application information for the identity provider.
  - Click next to the Applications input field.
  - On the General tab, enter the general information for the application.
Table 39: General information about the application

| Property | Description |
| --- | --- |
| Display name | Display name of the application. |
| Description | Text field for additional explanation. |
| Client ID | ID of the application on the identity provider. For native applications, enable the Default option. Example: urn:OneIdentityManager/Web |
| Shared Secret | Application-specific Shared Secret value used for authentication at the token endpoint. |
| Resource to request | URN of the resource to be requested, for example for ADFS. Only required if the identity provider requires this value. |
| Redirect URL | Forwarding address for redirection of applications. Example: urn:InstalledApplication |
| Default | Specifies whether this is the standard application for native applications. |
  - On the Certificate tab, enter the information for the application certificate.
Table 40: Information about the application certificate

| Property | Description |
| --- | --- |
| Certificate endpoint | Uniform Resource Locator (URL) of the certificate endpoint on the authorization server. Example: https://localhost/RSTS/SigningCertificate |
| Thumbprint | Thumbprint of the certificate used to verify the security token. |
| Subject of the certificate | Subject of the certificate used for verification. The subject or thumbprint must be set. |
| Certificate | Content of the certificate. It is used if no certificate is configured. |
  - On the Authentication tab, enter the following information.

Table 41: Information about the application certificate

| Property | Description |
| --- | --- |
| Authentication method | Authentication method at the token endpoint. Permitted values are: client_secret_basic (default value): HTTP basic authentication method, the Shared Secret is transferred in the HTTP header; client_secret_post: the Shared Secret is transferred in the client_secret value of the POST body; none: no authentication at the token endpoint; client_secret_jwt: the Shared Secret is transferred as a JSON web token (JWT); private_key_jwt: the Shared Secret is transferred as JWT, and in addition encryption is carried out with the private key. |
| Token endpoint certificate | Hexadecimal thumbprint of the certificate for validating the token. |
- To create the identity provider and the application in the One Identity Manager database, click Next.
- Click Finish to complete the wizard.
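The authentication method chosen on the Authentication tab decides where the Shared Secret travels in the request the authentication module sends to the token endpoint. The following added example, which is not One Identity Manager code, builds the authorization-code exchange for each of the documented methods so the difference is visible and shows the server-side check for a client_secret_jwt assertion. The token endpoint and Client ID are the example values from the tables above; the Shared Secret, the authorization code and the dict shape of the request are constructed. private_key_jwt uses the same assertion format but is signed with the client's private key (an asymmetric algorithm), which needs a JWS library, so it is not built here.

```python
"""Token-endpoint request for each documented client authentication method.

Added example, not product code. Endpoint and Client ID are the page's example
values; the Shared Secret and authorization code are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import parse_qs, quote, urlencode

TOKEN_ENDPOINT = "https://localhost/rsts/oauth2/token"   # page example
CLIENT_ID = "urn:OneIdentityManager/Web"                  # page example
CLIENT_SECRET = "constructed-shared-secret-not-real"      # constructed
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def client_secret_jwt(client_id, secret, audience, now=None, ttl=60):
    """HS256 assertion keyed with the Shared Secret: iss = sub = client_id,
    aud = token endpoint, short lifetime, unique jti."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    signing_input = header + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_secret_jwt(token, secret, audience, now=None):
    """Server-side check: constant-time HMAC comparison, then exp and aud."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False
    claims = json.loads(_b64url_decode(signing_input.split(".")[1]))
    now = int(time.time()) if now is None else now
    return claims.get("exp", 0) > now and claims.get("aud") == audience


def token_request(method, code, redirect_uri, client_id=CLIENT_ID,
                  secret=CLIENT_SECRET, endpoint=TOKEN_ENDPOINT):
    """Return {url, headers, body} for the authorization-code exchange."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-encode id and secret before base64, send in the header.
        cred = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = secret      # secret travels in the POST body
    elif method == "none":
        form["client_id"] = client_id       # public client: identified, not authenticated
    elif method == "client_secret_jwt":
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = client_secret_jwt(client_id, secret, endpoint)
    elif method == "private_key_jwt":
        raise NotImplementedError("same assertion shape, signed with the client's private key")
    else:
        raise ValueError(f"unknown authentication method {method!r}")
    return {"url": endpoint, "headers": headers, "body": urlencode(form)}


def decode_basic(header_value):
    """Inverse of the Basic header construction, for inspection."""
    scheme, _, cred = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(cred).decode()


def assertion_from_body(body):
    return parse_qs(body)["client_assertion"][0]
```

The practical difference between the first two methods is only where the secret sits: in the header (client_secret_basic) or in the form body (client_secret_post), so both rely on TLS to the token endpoint. The JWT methods never send the secret itself, only a short-lived signed assertion bound to the token endpoint by its aud claim, which is why the verifier above checks aud and exp and not just the signature.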