Chat now with support
Chat with Support

Identity Manager 9.1.3 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Expiry of the OAuth 2.0/OpenID Connect authentication

The web application (or client application) requests the authorization code at the authorization endpoint. The login endpoint is used to call an advanced login window, which serves to determine the authorization code. The authentication module requires an access token from the token endpoint and the certificate is required to check the security token.

In the process, an attempt is made to find the certificate from the web application configuration. If this is not possible, the settings of the identity provider are used. To find the certificate for testing the token, the certificate stores are queries in the following order:

  1. Configuration of the OAuth 2.0/OpenID Connect application (QBMIdentityClient table)

    1. Certificate text (QBMIdentityClient.CertificateText).

    2. Subject or thumbprint from the local memory (QBMIdentityClient.CertificateSubject and QBMIdentityClient.CertificateThumbPrint).

    3. Certificate endpoint (QBMIdentityClient.CertificateEndpoint).

      In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.

  2. Configuration of the identity provider (QBMIdentityProvider table)

    1. Certificate text ((QBMIdentityProvider.CertificateText).

    2. Subject or thumbprint from the local memory (QBMIdentityProvider.CertificateSubject and QBMIdentityProvider.CertificateThumbPrint).

    3. Certificate endpoint (QBMIdentityProvider.CertificateEndpoint)).

      In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.

    4. JSON-Web-Key endpoint (QBMIdentityProvider.JsonWebKeyEndpoint).

To identify the user account, the system determines which claim type is used to find the user information and which information from the One Identity Manager schema is used to find the user account.

Authentication through OpenID is built on OAuth 2.0. The OpenID Connect authentication uses the same mechanisms, but makes the claims available either in an ID token or with a UserInfo endpoint. Other configuration settings are required for using OpenID Connect. If the Scope contains the openid value, the authentication module uses OpenID Connect for authentication.

Related topics

Creating the OAuth 2.0/OpenID Connect configuration

To create an OAuth 2.0/OpenID Connect configuration

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. Select the Create a new identity provider task.

  3. On the start page of the wizard, click Next.

  4. On the New identity provider page, enter the display name for the configuration and a description.

  5. Click Next.

  6. On the Automatic configuration discovery page, you define how you want to enter the information about the identity provider.

    • If the configuration data can be determined automatically by OpenID Connect Discovery:

      1. Select Automatic configuration data discovery.

      2. Enter the address (URL) for automatic determination of the configuration data in the input field, or select an example address through the selection menu.

      3. Click Run.

      4. The configuration data is determined and a dialog window is displayed. To accept the configuration data, click OK.

    • If you want to create the configuration data from a template:

      1. Select Create from template file.

      2. Click Select and choose the XML file.

        For the One Identity Redistributable STS (RSTS), the file is pre-configured. You can find the RSTS_Template.xml in the One Identity Manager installation directory.

      3. Click Open.

    • If you do not want to determined the configuration data automatically, select Manual data input.

      Enter the configuration data on the next page of the wizard.

  7. Click Next.

  8. On the Configuration data page, enter the general information for the database user.

    NOTE: If you selected automatic determination of configuration data, some of the information is already completed.

    Table 35: General configuration data for the identity provider

    Property

    Description

    Login endpoint

    Uniform Resource Locator (URL) of the Secure Token Service login page.

    Example: http://localhost/rsts/login

    Logout endpoint

    URL of the log-out endpoint

    Example: http://localhost/rsts/login?wa=wsignout1.0

    Token endpoint

    Uniform Resource Identifier (URL) of the token endpoint of the authorization server for returning the access token to the client for logging in.

    Example: https://localhost/rsts/oauth2/token

    Issuer

    Uniform Resource Identifier (URI) of the certificate issuer for verifying the security token.

    Example: urn:STS/identity

    Scope

    Protocol for authentication. If the value is openid, OpenID Connect is used for authentication, otherwise OAuth 2.0 is used.

    UserInfo endpoint

    URL of the OpenID Connect UserInfo endpoint.

    No ID token check

    Specifies whether a check is made of the ID token. If the option is enabled, the ID token is not checked. The option can only be enabled for a scope containing the value openid and a populated UserInfo endpoint.

    Self-signed certificates allowed

    Specifies whether self-signed certificates are allowed for connecting to the token endpoint and UserInfo endpoint.

    Shared Secret

    Shared-Secret value used for authentication at the token endpoint. If all applications of the identity provider use the same Shared Secret, enter the value here. If the applications use different Shared Secrets, enter the Shared Secret values when creating the applications.

    Requested authentication context class reference values

    Space-delimited string specifying the acr values that the authorization server ought to use to process this authentication request, with the values appearing in order of preference.

  9. Click Next.

  10. On the Configure certificates page, enter the information for the identity provider's certificate. If all applications use the same certificate, enter the information here. If the applications use different certificate settings, enter the information when creating the application.

    NOTE: If you selected automatic determination of configuration data, some of the information is already completed.

    Table 36: Information about the identity provider certificate

    Property

    Description

    Certificate endpoint

    Uniform Resource Locator (URL) of the certificate end point on the authorization server.

    Example: https://localhost/RSTS/SigningCertificate

    Subject of the certificate

    Subject of the certificate used for verification. The subject or thumbprint must be set.

    Thumbprint

    Thumbprint of the certificate used to verify the security token.

    JSON-Web-Key endpoint

    URL of the JSON web key endpoint providing the token signing keys.

    Certificate

    Character string of the certificate content. It is used if no certificate is configured.

  11. Click Next.

  12. On the Search rule for user information page, you define how the login information is determined between the identity provider and the One Identity Manager database.

    Table 37: Determining the login information

    Property

    Description

    Value for the search

    Full name of the claim type from which the login information is determined on the identity provider.

    Example: name of an entity

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ nameidentifier

    If you have determined the configuration data automatically, select a value from the list.

    Column to search

    Table and column in the One Identity Manager database in which the user information is stored. The table must contain a foreign key with the name UID_Person, which points to the Person table.

    Example: ADSAccount.ObjectGUID

    User name value

    Full name of the claim type from which the user name is determined on the identity provider. The user name is used, for example, to identify data changes in One Identity Manager (XUserInserted and XUserUpdated columns).

    Example: User Principle Name (UPN)

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

    If you have determined the configuration data automatically, select a value from the list.

    Value to check

    Name of the claim type to be additionally checked. The claim type must appear under exactly this name in the token. The check ensures that only those people can log in whose token contains exactly the comparison value in the specified claim type.

    Comparison value

    Fixed value of the claim type specified under Value to check, against which is checked.

  13. Click Next.

  14. On the Create OAuth 2.0/OpenID Connect applications page, enter the application information for the identity provider.

    1. Click next to the Applications field.

      To connect using RSTS, select RSTS client. Some of the information about the RSTS client application is already predefined.

    2. On the General tab, enter the general information for the application.

      Table 38: General information about the application

      Property

      Description

      Display name

      Display name of the application.

      Description

      Text field for additional explanation.

      Client ID

      ID of the application on the identity provider. For client applications, enable the Default option.

      Example: urn:OneIdentityManager/Web

      Shared Secret

      Application-specific Shared Secret value used for authentication at the token endpoint.

      Resource to request

      URN of the resource to be requested, for example for ADFS. Only required if the identity provider requires this value.

      Redirect URL

      Forwarding address for redirection of applications.

      Example: urn:InstalledApplication

      Send post logout redirect URI

      Specifies the behavior of the client after logging off from the application. Permitted values are Send post logout redirect URI (default), Do not send a redirect URI, and Send a specific redirect URI.

      Post logout redirect URI

      URI sent after logging off from the application.

      Default

      Specifies whether this is a standard application for client applications.

    3. On the Certificate tab, enter the information for the application certificate.

      Table 39: Information about the application certificate

      Property

      Description

      Certificate endpoint

      Uniform Resource Locator (URL) of the certificate end point on the authorization server.

      Example: https://localhost/RSTS/SigningCertificate

      Thumbprint

      Thumbprint of the certificate used to verify the security token.

      Subject of the certificate

      Subject of the certificate used for verification. The subject or thumbprint must be set.

      Certificate

      Content of the certificate. It is used if no certificate is configured.

    4. On the Authentication tab, enter the following information

      Table 40: Information about the application certificate

      Property

      Description

      Authentication method

      Authentication method at the token endpoint.

      Permitted values are:

      • client_secret_basic (default value): HTTP basic authentication method. The Shared Secret is transferred in the HTTP header.

      • client_secret_post: The Shared Secret is transferred in the client_secret value of the POST-Body.

      • none: No authentication at the token endpoint.

      • client_secret_jwt: The Shared Secret is transferred as a JSON web token (JWT).

      • private_key_jwt: The Shared Secret is transferred as JWT. In addition, encryption is carried out with the private key.

      Token endpoint certificate

      Hexadecimal thumbprint of the certificate for validating the token.

      Requested authentication context class reference values

      Space-delimited string specifying the acr values that the authorization server ought to use to process this authentication request, with the values appearing in order of preference.

      If no reference values are defined here, the reference values of the identity provider are used.

  15. To create the identity provider and the application in the One Identity Manager database, click Next.

  16. Click Finish to complete the wizard.

Related topics

Assigning OAuth 2.0/OpenID Connect configuration to web applications

To use the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules in One Identity Manager web applications, assign the OAuth2.0/OpenID Connect application to the web application.

To assign an OAuth2.0/OpenID Connect application to a web application

  1. In the Designer, select the Base data > Security settings > Web server configurations category.

  2. In List Editor, select the web application.

  3. In the Properties edit view, assign the application in the OAuth2.0/OpenID Connect application selection list.

  4. Select the Database > Commit to database and click Save.

TIP: For some web applications, for example the Web Portal, you can customize the OAuth2.0/OpenID Connect configuration in the configuration file (web.config). For more information about configuring the Web Portal, see the One Identity Manager Installation Guide.

Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications

To display the configuration of an identity provider

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In List Editor, select the identity provider. The configuration data is displayed on the following tabs in the edit view.

    • General: Displays the general configuration data of the identity provider.

    • Certificate: Shows the information about the identity provider certificate.

    • Applications: Displays the configuration of the OAuth 2.0/OpenID Connect applications.

    • Columns for enabling: Displays the table and the columns that identify a user account as activated.

    • Columns for disabling: Displays the table and the columns that identify a user account as deactivated.

To display the configuration of an OAuth 2.0/OpenID Connect application

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In List Editor, select the identity provider.

  3. In the edit view, select the Applications tab.

  4. To display the configuration of an application, select the OAuth 2.0/OpenID Connect application in the Application view.

NOTE:

Click on Add to add a new OAuth 2.0/OpenID Connect application to the configuration of the identity provider.

Click on Remove to remove an OAuth 2.0/OpenID Connect application that is no longer required from the configuration of the identity provider.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating