Configuring the four eyes principle for issuing a passcode
You can control whether passcodes generated by the help desk are divided into two parts. One half of the passcode is issued to the help desk staff and the other half is sent to the employee's manager. The employee must ask the manager for the second half of the passcode. Because neither the help desk nor the manager holds the complete passcode on their own, this procedure increases the security of issuing passcodes.
To configure the four eyes principle for issuing passcodes
-
Start the Designer program.
-
Connect to the relevant database.
-
Set the QER | Person | PasswordResetAuthenticator | PasscodeSplit configuration parameter.
NOTE: For more information about editing configuration parameters in the Designer, see the One Identity Manager Configuration Guide.
-
Set the QER | WebPortal | MailTemplateIdents | InformManagerAboutSecondHalfOfPasscode configuration parameter.
By default, the second half of the passcode is sent with the Employee - manager half of passcode for password reset mail template.
To use another template for this notification, change the value in the configuration parameter.
TIP: In the Designer, you can configure the current mail template in the Mail templates > Person category. For more information about mail templates, see the One Identity Manager Operational Guide.
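The following is an added illustration of what the PasscodeSplit setting changes, written for this page; it is not One Identity Manager code. The passcode length, the alphabet and the function names are assumptions of this example. It shows that with the split enabled the help desk agent only ever sees the first half, the manager only the second, and that only the recombined code verifies against the stored hash.

```python
import hashlib
import hmac
import secrets
import string

# Constructed example: the alphabet, length and function names are assumptions
# of this illustration, not settings or APIs of One Identity Manager.
PASSCODE_ALPHABET = string.ascii_uppercase + string.digits


def generate_passcode(length: int = 12) -> str:
    """Draw the passcode from a CSPRNG; never from random.random()."""
    return "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(length))


def store_passcode(passcode: str) -> bytes:
    """Keep only a hash server-side, as for any other one-time secret."""
    return hashlib.sha256(passcode.encode()).digest()


def issue_passcode(passcode_split: bool, length: int = 12) -> dict:
    """Model of the help desk action.

    With the split enabled, the agent receives only the first half and the
    second half is what the manager notification carries; with it disabled
    the agent receives the whole code and nothing goes to the manager.
    """
    passcode = generate_passcode(length)
    half = length // 2
    if passcode_split:
        to_help_desk, to_manager = passcode[:half], passcode[half:]
    else:
        to_help_desk, to_manager = passcode, None
    return {
        "stored_hash": store_passcode(passcode),
        "to_help_desk": to_help_desk,
        "to_manager": to_manager,
    }


def verify_passcode(stored_hash: bytes, presented: str) -> bool:
    """Constant-time comparison of the hash of what the employee enters."""
    return hmac.compare_digest(stored_hash, store_passcode(presented))


if __name__ == "__main__":
    record = issue_passcode(passcode_split=True)
    assembled = record["to_help_desk"] + record["to_manager"]
    print("help desk half only verifies:", verify_passcode(record["stored_hash"], record["to_help_desk"]))
    print("both halves verify:", verify_passcode(record["stored_hash"], assembled))
```

The employee has to put the two halves together in the order they were issued; a half on its own never verifies, which is the property the four eyes setting buys.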
Configuring password questions
If Web Portal users forget their password, they can set a new one with the help of the password questions.
To configure the use of password questions
-
Start the Designer program.
-
Connect to the relevant database.
-
Configure the following configuration parameters:
NOTE: For more information about editing configuration parameters in the Designer, see the One Identity Manager Configuration Guide.
-
QER | Person | PasswordResetAuthenticator | QueryAnswerDefinitions: Specify how many password questions and answers users must enter. Users who have not entered enough questions and answers, or none at all, cannot reset their password.
NOTE: The value must not be less than the value in the QueryAnswerRequests configuration parameter.
-
QER | Person | PasswordResetAuthenticator | QueryAnswerRequests: Specify how many password questions users have to answer before they can reset their password.
NOTE: The value must not be higher than the value in the QueryAnswerDefinitions configuration parameter.
-
QER | Person | PasswordResetAuthenticator | InvalidateUsedQuery: Specify whether users must enter new password questions and answers after successfully resetting their password. In this case, correctly answered questions are deleted.
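The following added example models how the three parameters interact; it is this page's own illustration, not One Identity Manager's implementation, and the class and function names are assumptions. It enforces the relation between QueryAnswerDefinitions and QueryAnswerRequests at construction time, refuses a reset for users with too few questions defined, asks a random subset, compares salted answer hashes in constant time, and, when InvalidateUsedQuery is set, deletes the correctly answered questions so the user must define new ones.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field

# Constructed model of the PasswordResetAuthenticator parameters. Names and
# the hashing scheme are assumptions of this example, not product code.


@dataclass(frozen=True)
class QuestionPolicy:
    query_answer_definitions: int  # questions a user must have defined
    query_answer_requests: int     # questions asked during one reset
    invalidate_used_query: bool    # drop correctly answered questions afterwards

    def __post_init__(self):
        # Mirrors the NOTEs: requests must not exceed definitions.
        if self.query_answer_requests > self.query_answer_definitions:
            raise ValueError("QueryAnswerRequests must not exceed QueryAnswerDefinitions")
        if self.query_answer_requests < 1:
            raise ValueError("at least one question must be asked")


def _normalize(answer: str) -> str:
    # Tolerate case and whitespace differences, but nothing else.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 50_000)


@dataclass
class UserQuestions:
    entries: dict = field(default_factory=dict)  # question -> (salt, hash)

    def define(self, question: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries[question] = (salt, _hash_answer(answer, salt))

    def check(self, question: str, answer: str) -> bool:
        if question not in self.entries:
            return False
        salt, stored = self.entries[question]
        return hmac.compare_digest(stored, _hash_answer(answer, salt))


def can_start_reset(policy: QuestionPolicy, user: UserQuestions) -> bool:
    """QueryAnswerDefinitions: too few (or no) questions means no self-service reset."""
    return len(user.entries) >= policy.query_answer_definitions


def build_challenge(policy: QuestionPolicy, user: UserQuestions) -> list:
    """QueryAnswerRequests: pick that many of the user's questions at random."""
    if not can_start_reset(policy, user):
        raise PermissionError("not enough password questions defined")
    return secrets.SystemRandom().sample(sorted(user.entries), policy.query_answer_requests)


def answer_challenge(policy: QuestionPolicy, user: UserQuestions, asked: list, answers: dict) -> bool:
    """All asked questions must be answered correctly; evaluate every one so a
    wrong first answer does not short-circuit and leak timing information."""
    if len(asked) != policy.query_answer_requests:
        raise ValueError("challenge size does not match policy")
    results = [user.check(q, answers.get(q, "")) for q in asked]
    ok = all(results)
    if ok and policy.invalidate_used_query:
        # InvalidateUsedQuery: the user must enter new questions after a reset.
        for q in asked:
            del user.entries[q]
    return ok
```

A user who has just reset with InvalidateUsedQuery set may drop below QueryAnswerDefinitions and is then blocked from another self-service reset until they define new questions, which is the intended effect of that parameter.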
Configuring the search
Many of the Web Portal's pages provide a search option for objects in context of the page.
To configure the search
-
Start the Web Designer program.
-
Connect to the relevant database.
-
Configure the VI_Common_SqlSearch_PrefixLike configuration key: To show the user matching search results as fast as possible, search suggestions are already shown while the word is being entered. If you set this key, the last word of the input, which may still be incomplete, is also matched as a prefix.
-
Start the Designer program.
-
Configure the following configuration parameters:
Common | Indexing | IndexNonTokenChars: Specify which delimiters can be used in the search.
Common | Indexing | IndexUseLegacyAnalyzer: Specify whether an alternative tokenizing is also performed. The alternative method of tokenizing is preferable for long tokens. For example, if the string Department_01 is a token, the partial string Department is not considered to be a token.
The following token types are recognized:
Table 9: Tokens for alternative tokenizing
Token | Description
Words | Sequence of letters and/or numbers.
Enumeration | Words linked by punctuation marks (_-/.,) of which at least every second one contains a number. An example is Department_01. Decimal numbers and IP addresses are also sequences of this kind.
Email addresses | An email address is often made up of first name, last name, company name and generic top-level domain (for example .com). The order or spelling of the first and last names may vary (for example, use of initials). The special character @ and the punctuation mark (.) not only separate each part of the email address but also link them so that
Examples of email addresses are Ben.King@example.com and C.Harris@example.com.
Host names | For example website.example.com.
Acronym | For example U. S. A.
Apostrophe | For example O'Reilly.
@, & surrounded by letters | For example Me&you.
Umlauts such as ä, ö, ü | For example Max Müller.
NOTE: If you change these configuration parameters, the search indexes will be rebuilt, which may take some time.
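The following added example is a small tokenizer that applies the token types in Table 9 to sample text; it is this page's own approximation of the alternative tokenizing, not the One Identity Manager indexer, and the regular expressions, class names and separator set are assumptions. It shows the point made above: Department_01 comes out as one enumeration token and Department on its own is not produced, while a hyphenated pair with no digits falls apart into plain words.

```python
import re

# Constructed approximation of the alternative (legacy) analyzer's token classes.
# Patterns, class names and the separator set are assumptions of this example.

PART = r"[^\W_]+"       # run of letters and/or digits; underscore is a separator
SEPS = r"[_\-/.,]"      # the punctuation listed for enumerations on this page

TOKEN_RE = re.compile(
    rf"(?P<email>{PART}(?:[.+\-]{PART})*@{PART}(?:[.\-]{PART})+)"
    rf"|(?P<acronym>(?:[^\W\d_]\. ?){{2,}})"          # U. S. A.
    rf"|(?P<compound>{PART}(?:{SEPS}{PART})+)"       # host, IP, number, Department_01
    rf"|(?P<apostrophe>{PART}'{PART})"               # O'Reilly
    rf"|(?P<symbol>{PART}[@&]{PART})"                # Me&you
    rf"|(?P<word>{PART})"                            # letters and/or digits
)


def _has_digit(part: str) -> bool:
    return any(c.isdigit() for c in part)


def _classify_compound(text: str) -> list:
    """Decide whether a punctuation-linked run is a host name, an enumeration,
    or just separate words that happened to be joined by punctuation."""
    parts = re.split(SEPS, text)
    separators = set(re.findall(SEPS, text))
    if separators == {"."} and any(re.search(r"[^\W\d_]", p) for p in parts):
        return [("host", text)]            # website.example.com
    # Enumeration rule from Table 9: at least every second part contains a number.
    if all(_has_digit(a) or _has_digit(b) for a, b in zip(parts, parts[1:])):
        return [("enumeration", text)]     # Department_01, 192.168.0.1, 3.14
    return [("word", p) for p in parts]    # foo-bar is not a token of its own


def tokenize_legacy(text: str) -> list:
    """Return (token_type, token) pairs for the text, longest class first."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind = m.lastgroup
        value = m.group(kind)
        if kind == "acronym":
            tokens.append(("acronym", value.replace(" ", "")))
        elif kind == "compound":
            tokens.extend(_classify_compound(value))
        else:
            tokens.append((kind, value))
    return tokens


if __name__ == "__main__":
    # Constructed sample text covering every row of Table 9.
    sample = ("Department_01: mail Ben.King@example.com, visit website.example.com "
              "at 192.168.0.1, U. S. A., O'Reilly, Me&you, Max Müller, foo-bar")
    for kind, token in tokenize_legacy(sample):
        print(f"{kind:11} {token}")
```

Because `\w` is Unicode-aware in Python 3, Müller is one word token without any special casing, which is what the umlaut row of the table asks for.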
WebAuthn security keys
One Identity offers users the option to log in, simply and securely, to One Identity Manager web applications with the help of (physical) security keys. These security keys support the W3C standard WebAuthn.
Using security keys makes logging in more secure.
Advice
-
You can run Starling Two-Factor Authentication and WebAuthn in parallel for a web application. Users that have at least one valid security key, do not have to go through the Starling 2FA process as well. Users that do not have a security key must still use Starling 2FA.
-
In the Manager, employee administrators have the option to view all of an employee's security keys and to delete them. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.
-
The WebAuthn standard is NOT supported in Internet Explorer. Users must use another browser.