Configuration Parameter | Meaning |
---|---|
QER\Person\Defender | This configuration parameter specifies whether Starling Two-Factor Authentication is supported. |
QER\Person\Defender\ApiEndpoint | This configuration parameter contains the URL of the Starling 2FA API endpoint used to register new users. |
QER\Person\Defender\ApiKey | This configuration parameter contains your company's subscription key for accessing the Starling Two-Factor Authentication interface. |
You can set up additional authentication for particularly security-critical attestations, which requires every attestor to enter a security code when attesting. Define in your attestation policies which of them require this authentication. In One Identity Manager, use One Identity Starling Two-Factor Authentication for multi-factor authentication.
To be able to use multi-factor authentication
For more detailed information, see the Starling Two-Factor Authentication documentation.
Multi-factor authentication cannot be used for default attestation policies.
If the user's telephone number has changed, cancel the current Starling 2FA token and request a new one. If the Starling 2FA token is no longer required, cancel it anyway.
Once the option "Approval by multi-factor authentication" is set on an attestation policy, a security code is requested in each approval step of the approval process. This means that every employee who is determined to be an attestor for this attestation policy must have a Starling 2FA token.
IMPORTANT: An
You can find detailed information about
in the One Identity Manager Web Portal User Guide.
NOTE: If the option "Assign by event" is set, the process "HandleObjectComponent" is queued in the Job queue immediately after a resource is added to or removed from an employee.
To enable assigning by event for a table
For more information about editing table definitions, see the One Identity Manager Configuration Guide.
One Identity Manager users must be registered with Starling Two-Factor Authentication in order to use multi-factor authentication. To register, a user must request the Starling 2FA Token in the Web Portal. Once the request has been granted approval, the user receives a link to the Starling Two-Factor Authentication app and a Starling 2FA user ID. The app generates one-time passwords, which are required for authentication. The Starling 2FA user ID is saved in the user's employee master data.
NOTE: The user's default email address, mobile phone and country must be stored in their master data. This data is required for registering.
To facilitate requesting a Starling 2FA token
The Starling 2FA token request must be granted approval by the request recipient's manager.
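A pre-rollout check for the requirements above, as an added example that is not part of the One Identity documentation: before "Approval by multi-factor authentication" is set on a policy, it lists attestors who still have no Starling 2FA user ID and those who cannot register because required master data is missing. The CSV export and its column names are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this
# example, not One Identity Manager schema names.
SAMPLE_EXPORT = """\
employee,is_attestor,starling_user_id,default_email,mobile_phone,country
a.jones,yes,STARLING-ID-PLACEHOLDER-1,a.jones@example.com,+1 555 0100,US
b.smith,yes,,b.smith@example.com,+1 555 0101,US
c.wu,yes,,c.wu@example.com,,US
d.khan,no,,,,
e.ortiz,yes,,,+34 600 000 000,
"""

# Master data the page lists as required for registering.
REQUIRED_FOR_REGISTRATION = ("default_email", "mobile_phone", "country")


def check_attestor_readiness(export_text):
    """Sort attestors into ready / must request a token / cannot register yet."""
    report = {"ready": [], "needs_token": [], "blocked": {}}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["is_attestor"].strip().lower() != "yes":
            continue  # only attestors of the policy need a token
        name = row["employee"].strip()
        if row["starling_user_id"].strip():
            report["ready"].append(name)
            continue
        missing = [f for f in REQUIRED_FOR_REGISTRATION if not row[f].strip()]
        if missing:
            report["blocked"][name] = missing  # fix master data first
        else:
            report["needs_token"].append(name)  # can request the token now
    return report


def safe_to_enable(report):
    """True only when every attestor already has a Starling 2FA user ID."""
    return not report["needs_token"] and not report["blocked"]


if __name__ == "__main__":
    result = check_attestor_readiness(SAMPLE_EXPORT)
    print("ready:", result["ready"])
    print("needs token request:", result["needs_token"])
    for who, fields in result["blocked"].items():
        print(f"blocked: {who} missing {', '.join(fields)}")
    print("safe to enable:", safe_to_enable(result))
```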
Configuration parameter | Meaning |
---|---|
QER\Person\Defender\DisableForceParameter | This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OTP through Starling 2FA. |
If the OTP is requested for a
By default, Starling 2FA is forced to send the OTP by SMS or by phone call if the user has selected one of these options. However, for security reasons, the user should use the Starling 2FA app to generate the OTP. If the app is installed on the user's mobile phone, Starling 2FA can refuse the SMS or phone demand and the user must generate the OTP using the app.
To use this method
Set the configuration parameter "QER\Person\Defender\DisableForceParameter" in the Designer.
Starling 2FA can refuse to transmit the OTP by SMS or phone call if the Starling 2FA app is installed on the phone. Then the OTP must be generated by the app.
If the configuration parameter is not set (default), Starling 2FA is forced to send the OTP by SMS or phone call.