Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory

Appendix: Authentication Modules for Logging into the One Identity Manager

The following authentication modules are available for logging into One Identity Manager once this module has been installed.

Active Directory user account (role based)

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default: Yes

Single Sign-On: Yes

Front-end login allowed: Yes

Web Portal login allowed: Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account.

NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins.

Active Directory user account (manual input/role based)

Login Data

Login name and password for registering with Active Directory. You do not have to enter the domain.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The domains for logging in are entered in the configuration parameter "TargetSystem\ADS\AuthenticationDomains".

Set as default: Yes

Single Sign-On: No

Front-end login allowed: Yes

Web Portal login allowed: Yes

Remarks

The user's identity is determined from a predefined list of permitted Active Directory domains. The corresponding user account, and the employee to which that user account is assigned, are then determined in the One Identity Manager database.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account.

Active Directory user account

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

The employee exists in the One Identity Manager database and the system user is entered in the employee's master data.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default: Yes

Single Sign-On: Yes

Front-end login allowed: Yes

Web Portal login allowed: Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and access permissions are loaded through the system user that is directly assigned to the employee found. If the employee is not assigned to a system user, the system user is taken from the configuration parameter "SysConfig\Logon\DefaultUser".

Data modifications are attributed to the current user account.

NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins.

Active Directory user account (manual input)

Login Data

Login name and password for registering with Active Directory. You do not have to enter the domain.

Prerequisites

The employee exists in the One Identity Manager database.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The domains for logging in are entered in the configuration parameter "TargetSystem\ADS\AuthenticationDomains".

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No

Single Sign-On: No

Front-end login allowed: Yes

Web Portal login allowed: Yes

Remarks

The user's identity is determined from a predefined list of permitted Active Directory domains. The corresponding user account, and the employee to which that user account is assigned, are then determined in the One Identity Manager database.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged-in employee.

Data modifications are attributed to the current user account.

Active Directory user account (dynamic)

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The employee exists in the One Identity Manager database.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No

Single Sign-On: Yes

Front-end login allowed: Yes

Web Portal login allowed: Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged-in employee.

Data modifications are attributed to the current user account.

NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins.
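The lookup chain that the remarks of all five modules describe (user account by SID and domain for the single sign-on modules, user account by login name across the permitted authentication domains for the manual-input modules, then employee, main identity and finally system user), as an added illustration with constructed sample data. This is not One Identity Manager's own code: the record fields, the case-insensitive domain comparison and all sample SIDs, names and system users are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

USE_MASTER = r"QER\Person\MasterIdentity\UseMasterForAuthentication"
AUTH_DOMAINS = r"TargetSystem\ADS\AuthenticationDomains"
DEFAULT_USER = r"SysConfig\Logon\DefaultUser"

@dataclass
class Account:            # Active Directory user account as stored in the OIM database
    sid: str
    domain: str
    login_name: str
    employee: str         # employee entered in the user account's master data

@dataclass
class Employee:
    uid: str
    main_identity: Optional[str] = None  # set on a subidentity only (assumed field)
    system_user: Optional[str] = None    # directly assigned system user, if any

# Constructed sample data; not taken from any real environment.
ACCOUNTS = [
    Account("S-1-5-21-1-2-3-1001", "CORP", "jdoe", "EMP-1"),
    Account("S-1-5-21-9-9-9-2002", "LAB", "admin_jdoe", "EMP-2"),
]
EMPLOYEES = {
    "EMP-1": Employee("EMP-1", system_user="viHelpdesk"),
    "EMP-2": Employee("EMP-2", main_identity="EMP-1"),  # subidentity of EMP-1
}
CONFIG = {USE_MASTER: True, AUTH_DOMAINS: ["CORP"], DEFAULT_USER: "viDefaultUser"}

def account_by_sid(sid: str, domain: str) -> Account:
    """Single sign-on modules: match on the user's SID and the domain given at login."""
    for a in ACCOUNTS:
        if a.sid == sid and a.domain.upper() == domain.upper():
            return a
    raise LookupError("no user account for this SID/domain")

def account_by_login(login_name: str, config: dict) -> Account:
    """Manual-input modules: no domain is typed in; only the permitted domains are tried."""
    for domain in config[AUTH_DOMAINS]:
        for a in ACCOUNTS:
            if a.login_name == login_name and a.domain.upper() == domain.upper():
                return a
    raise LookupError("login name not found in any permitted authentication domain")

def resolve(account: Account, config: dict) -> tuple:
    """Account -> employee (main identity if configured) -> (employee, system user)."""
    emp = EMPLOYEES[account.employee]
    if emp.main_identity and config[USE_MASTER]:
        emp = EMPLOYEES[emp.main_identity]          # authenticate as the main identity
    return emp.uid, emp.system_user or config[DEFAULT_USER]  # fall back to DefaultUser
```

Clearing UseMasterForAuthentication in the sample keeps the subidentity and, since it has no system user of its own, falls back to the DefaultUser; a login name that only exists in a domain missing from AuthenticationDomains is rejected before any employee lookup.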