Identity Manager 8.0.2 - Configuration Guide

Editing Authentication Modules

To enable other authentication modules

  1. Select the category Base Data | Security settings | Authentication modules in the Designer.
  2. Select the authentication module and set the option Enabled to "True".
  3. Save the changes to the database using Database | Commit to database....

  4. Click Save.

    This allows you to log in to the assigned application using this authentication module. Ensure that users found through the authentication module have the required permissions to use the program.

If you create custom authentication modules, assign them to the existing programs. Assignments of predefined authentication modules must not normally be changed.

To assign an authentication module to programs

  1. Select the category Base Data | Security settings | Authentication modules in the Designer.
  2. Select View | Select table relations... in the menu.
  3. Enable the table DialogProductHasAuthentifier.

    This shows the tab Programs.

  4. Select the authentication module and assign it to programs.

Authentication Module Properties

Table 45: Authentication Module Properties

  Property               Meaning
  Enabled                Specifies whether the authentication module can be used.
  Display name           Name used to identify the authentication module in the administration tool's login window.
  Authentication module  Internal name of the authentication module.
  Authentication type    Type of the authentication module. The options are "Dynamic" and "Role based".
  Processing status      The processing status is used for creating custom configuration packages.
  Initial data           Initial data for logging in with this authentication module.
  Class                  Authentication module class.
  Assembly name          Name of the assembly file.
  Sort order             Order in which the modules are displayed in the login window.
  Single sign-on         Specifies whether the authentication module can authenticate without a password.
  Select in front-end    Specifies whether the authentication module can be selected in the login window.

Initial Data for Authentication Modules

The authentication string is formatted as follows:

Module=<name>;<property1>=<value1>;<property2>=<value2>,…

Example:

Module=DialogUser;User=viadmin;Password=*****

The initial data is one part of the authentication string (parameter-value pair without module ID). Initial data from the authentication string is preallocated by default for each authentication instance.

To specify initial data

  1. Select the category Base Data | Security settings | Authentication modules in the Designer.
  2. Select the authentication module and enter the data in Initial data.

    Syntax:

    property1=value1;property2=value2

    Example:

    user=viadmin;password=*****

You can use different initial data depending on the authentication module.
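The authentication string and initial data described above, as an added example that is not One Identity Manager code: it parses "Module=<name>;<property>=<value>;...", pre-fills the properties from the module's initial data, and renders a log-safe copy with the password masked. It assumes pairs are separated by ";", keys are case-insensitive, and a value in the authentication string overrides the same key in the initial data.

```python
"""Added example, not One Identity Manager code: parse the authentication
string Module=<name>;<property>=<value>;..., pre-fill its properties from
the module's initial data, and produce a log-safe copy with secret values
masked. Assumptions: pairs are separated by ';', keys are case-insensitive,
and a value in the authentication string overrides the initial data."""

SECRET_KEYS = {"password"}  # assumption: values that must never reach a log


def parse_pairs(text: str) -> dict:
    """Split 'k1=v1;k2=v2' into a dict with lower-cased keys.
    Empty items are skipped; an item without '=' is rejected."""
    result = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed pair: {item!r}")
        key, _, value = item.partition("=")
        result[key.strip().lower()] = value.strip()
    return result


def parse_auth_string(auth: str, initial_data: str = "") -> tuple:
    """Return (module, properties): the module ID from the Module pair and
    the remaining pairs, preallocated from initial_data and then overridden
    by whatever the authentication string itself supplies."""
    pairs = parse_pairs(auth)
    module = pairs.pop("module", None)
    if not module:
        raise ValueError("authentication string has no Module=<name> part")
    props = parse_pairs(initial_data)  # defaults from the module's initial data
    props.update(pairs)                # explicit values win
    return module, props


def log_safe(module: str, props: dict) -> str:
    """Rebuild the string for diagnostics with secret values masked."""
    parts = [f"Module={module}"]
    for key, value in props.items():
        parts.append(f"{key}={'*****' if key in SECRET_KEYS else value}")
    return ";".join(parts)


if __name__ == "__main__":
    # Constructed sample: the page's example plus initial data for DialogUser.
    mod, props = parse_auth_string("Module=DialogUser;User=viadmin;Password=S3cret!",
                                   initial_data="user=viadmin;password=*****")
    print(mod, props["user"], log_safe(mod, props))
```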

Table 46: Initial Data for Authentication Modules

Each entry gives the module display name with the authentication module in brackets, followed by its parameters and their meaning.

System user [DialogUser]
    User        User name.
    Password    User password.

Active Directory user account [ADSAccount]
    (no parameters listed)

Active Directory user account (dynamic) [DynamicADSAccount]
    Product     Use case. The system user is determined through the use case configuration data.

Active Directory user account (manual input) [DynamicManualADS]
    Product     Use case. The system user is determined through the use case configuration data.
    User        User name. The user's identity is determined from a predefined list of permitted Active Directory domains. You specify permitted Active Directory domains in the configuration parameter "TargetSystem\ADS\AuthenticationDomains".
    Password    User password.

Active Directory user account (role based) [RoleBasedADSAccount]
    No parameters required.

Active Directory user account (manual input/role based) [RoleBasedManualADS]
    User        User name. The user's identity is determined from a predefined list of permitted Active Directory domains. You specify permitted Active Directory domains in the configuration parameter "TargetSystem\ADS\AuthenticationDomains".
    Password    User password.

Employee [Employee]
    User        Employee's central user account.
    Password    User password.

Employee (dynamic) [DynamicPerson]
    Product     Use case. The system user is determined through the use case configuration data.
    User        User name.
    Password    User password.

Employee (role based) [RoleBasedPerson]
    User        User name.
    Password    User password.

HTTP header [HTTPHeader]
    Header      HTTP header to use.
    KeyColumn   Comma delimited list of key columns in the table Person to be searched for user names. Default: CentralAccount, PersonnelNumber

HTTP header (role based) [RoleBasedHTTPHeader]
    Header      HTTP header to use.
    KeyColumn   Comma delimited list of key columns in the table Person to be searched for user names. Default: CentralAccount, PersonnelNumber

LDAP user account (dynamic) [DynamicLdap]
    User        User name. Default: CN, DistinguishedName, UserID, UIDLDAP
    Password    User password.

LDAP user account (role based) [RoleBasedLdap]
    User        User name. Default: CN, DistinguishedName, UserID, UIDLDAP
    Password    User password.

Generic single sign-on (role based) [RoleBasedGeneric]
    SearchTable   Table in which to search for the user name of the logged in user. This table must contain a foreign key named UID_Person which points to the table Person.
    SearchColumn  Column from <SearchTable> in which to search for the user name of the logged in user.
    DisabledBy    Pipe (|) delimited list of Boolean columns which block a user account from logging in.
    EnabledBy     Pipe (|) delimited list of Boolean columns which release a user account for logging in.

OAuth 2.0/OpenID Connect [OAuth]
    Dependent on the authentication method of the secure token service.

OAuth 2.0/OpenID Connect (role based) [OAuthRoleBased]
    Dependent on the authentication method of the secure token service.

Account based system user [DialogUserAccountBased]
    No parameters required.

User account [QERAccount]
    (no parameters listed)

User account (role based) [RoleBasedQERAccount]
    (no parameters listed)


Configuration Data for System User Dynamic Authentication

In the case of dynamic authentication modules, the system user assigned to the employee is not used for the login. Instead, the system user configured in the application's configuration data is used.

To specify configuration data

  1. Select the category Base Data | Security settings | Programs in the Designer.
  2. Select the application and adjust the Configuration data.

Use XML syntax for entering the configuration data:

    <DialogUserDetect>
      <Usermappings>
        <Usermapping
          DialogUser = "System user name"
          Selection = "Selection criterion"
        />
        <Usermapping
          DialogUser = "System user name"
        />
        ...
      </Usermappings>
    </DialogUserDetect>

Enter the system user (DialogUser) in the Usermappings section. Use the selection criterion (Selection) to specify which employees the given system user applies to. A selection criterion is optional. The first system user whose mapping matches is used for the login.

You can assign function groups to permissions groups in order to handle complex rights and user interface structures. Function groups map the functions an employee has in the company, for example IT controller or branch manager. Assign the function groups to the permissions groups: a function group can refer to several permissions groups, and several function groups can refer to one permissions group.

If the configuration data contains a FunctionGroupMapping section, it is evaluated first and the system user it finds is used: the authentication module logs in with the system user that is an exact member of the permissions group found. If no system user is found this way, the Usermappings section is evaluated.

    <DialogUserDetect>
      <FunctionGroupMapping
        PersonToFunction = "View mapping employee to function group"
        FunctionToGroup = "View mapping function group to permissions group"
      />
      <Usermappings>
        <Usermapping
          DialogUser = "System user name"
          Selection = "Selection criterion"
        />
        ...
      </Usermappings>
    </DialogUserDetect>
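The evaluation order described above, as an added example that is not One Identity Manager code: it reads DialogUserDetect configuration data, tries FunctionGroupMapping first, then walks the Usermappings in document order and returns the first match (a Usermapping without Selection matches every employee). It assumes the two views and the permissions-group membership are in-memory dicts built here, and that a Selection criterion has the simplified form Column='value' evaluated against the employee record.

```python
"""Added example, not One Identity Manager code: resolve the system user for
a dynamic login from DialogUserDetect configuration data. Assumptions: the
views named in FunctionGroupMapping and the permissions-group membership are
in-memory dicts constructed here, and a Selection criterion is limited to the
form Column='value' evaluated against the employee record."""
import xml.etree.ElementTree as ET

# Constructed sample data standing in for the database views and tables.
VIEWS = {
    "vw_PersonToFunction": {"hr01": "ITController"},      # employee -> function group
    "vw_FunctionToGroup": {"ITController": "QER_Audit"},  # function group -> permissions group
}
GROUP_MEMBERS = {"QER_Audit": "AuditViewer"}  # exact member system user per permissions group
EMPLOYEES = {"hr01": {"Department": "HR"}, "dev02": {"Department": "Dev"},
             "ext03": {"Department": "Sales"}}

CONFIG = """<DialogUserDetect>
  <FunctionGroupMapping PersonToFunction="vw_PersonToFunction"
                        FunctionToGroup="vw_FunctionToGroup" />
  <Usermappings>
    <Usermapping DialogUser="DevUser" Selection="Department='Dev'" />
    <Usermapping DialogUser="DefaultUser" />
  </Usermappings>
</DialogUserDetect>"""


def selection_matches(selection: str, person: dict) -> bool:
    """Evaluate the simplified criterion Column='value' (assumption)."""
    column, _, value = selection.partition("=")
    return person.get(column.strip()) == value.strip().strip("'")


def resolve_system_user(config_xml: str, person_id: str):
    """Return the system user to log in with, or None if nothing matches."""
    root = ET.fromstring(config_xml)
    person = EMPLOYEES.get(person_id, {})
    fgm = root.find("FunctionGroupMapping")
    if fgm is not None:  # evaluated first; its result wins when it finds a user
        function = VIEWS[fgm.get("PersonToFunction")].get(person_id)
        group = VIEWS[fgm.get("FunctionToGroup")].get(function)
        if group in GROUP_MEMBERS:
            return GROUP_MEMBERS[group]
    for mapping in root.iterfind("Usermappings/Usermapping"):  # document order
        selection = mapping.get("Selection")
        if selection is None or selection_matches(selection, person):
            return mapping.get("DialogUser")
    return None
```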
