
Identity Manager 8.0 - Attestation Administration Guide


Setting up Multi-Factor Authentication for Attestation

Table 34: Multi-factor Authentication Configuration Parameters
Configuration Parameter | Meaning
QER\Person\Defender | This configuration parameter specifies whether Starling Two-Factor Authentication is supported.
 | This configuration parameter contains the URL of the Starling 2FA API end point used to register new users.
QER\Person\Defender\ApiKey | This configuration parameter contains your company's subscription key for accessing the Starling Two-Factor Authentication interface.

You can set up additional authentication for particularly security-critical attestations, which requires every attestor to enter a security code in order to attest. Define in your attestation policies which of them require this authentication. Use One Identity Starling Two-Factor Authentication for multi-factor authentication in One Identity Manager.

To be able to use multi-factor authentication

  1. Register your company in Starling Two-Factor Authentication.

    For more detailed information, see the Starling Two-Factor Authentication documentation.

  2. Set the configuration parameter "QER\Person\Defender" in the Designer.
    • Set the configuration parameter "QER\Person\Defender\ApiKey" and enter your company's subscription key as the value for accessing the Starling Two-Factor Authentication interface.
  3. Enable assigning by event for the table PersonHasQERResource. For more information, see Editing Table Properties.
  4. Enable the service item "New Starling 2FA token" in the Manager. For more information, see Preparing Starling 2FA Token Requests.
  5. Enable the option Approval by multi-factor authentication in the Manager on the attestation policy to which you want to apply multi-factor authentication. For more information, see General Master Data for Attestation Policies.

    Multi-factor authentication cannot be used for default attestation policies.

If the user's telephone number has changed, cancel the current Starling 2FA token and request a new one. If the Starling 2FA token is no longer required, cancel it anyway.

Once the option "Approval by multi-factor authentication" is set on an attestation policy, a security code is requested in each approval step of the approval process. This means that every employee who is determined to be an attestor for this attestation policy must have a Starling 2FA token.

IMPORTANT: Attestation by email is not possible if multi-factor authentication is configured for the attestation policy. Attestation emails for such requests produce an error message.

Related Topics

You can find detailed information about

  • Requesting Starling 2FA tokens
  • Multi-factor authentication for attestation
  • Canceling products

in the One Identity Manager Web Portal User Guide.

Editing Table Properties

NOTE: If the option "Assign by event" is set, the process "HandleObjectComponent" is queued in the Job queue immediately after a resource is added to or removed from an employee.

To enable assigning by event for a table

  1. Select the category One Identity Manager Schema in the Designer.
  2. Select the table PersonHasQERResource and start the Schema Editor from the task Show table definition.
  3. Select the view Table properties | Table and set the option Assign by event.
  4. Save the changes.

For more information about editing table definitions, see the One Identity Manager Configuration Guide.

Preparing Starling 2FA Token Requests

One Identity Manager users must be registered with Starling Two-Factor Authentication in order to use multi-factor authentication. To register, a user must request the Starling 2FA Token in the Web Portal. Once the request has been granted approval, the user receives a link to the Starling Two-Factor Authentication app and a Starling 2FA user ID. The app generates one-time passwords, which are required for authentication. The Starling 2FA user ID is saved in the user's employee master data.

NOTE: The user's default email address, mobile phone and country must be stored in their master data. This data is required for registering.

To facilitate requesting a Starling 2FA token

  1. Select the category IT Shop | Service catalog | Predefined.
  2. Select New Starling 2FA token in the result list.
  3. Select Change master data in the task view.
  4. Disable Not available.
  5. Save the changes.

The Starling 2FA token request must be granted approval by the request recipient's manager.

Requesting a Security Code

Table 35: Configuration Parameter for Requesting Starling 2FA Security Codes
Configuration Parameter | Meaning
 | This configuration parameter specifies whether Starling 2FA is forced to send the OTP by SMS or phone call if one of these options is selected for multi-factor authentication. If the configuration parameter is set, Starling 2FA can disallow the request and the user must request the OTP through Starling 2FA.

If the OTP is requested for an attestation, the user decides how the OTP is sent. The following options are available:

  • By Starling 2FA app
  • By SMS
  • By phone call

By default, Starling 2FA is forced to send the OTP by SMS or by phone call if the user has selected one of these options. However, for security reasons, the user should use the Starling 2FA app to generate the OTP. If the app is installed on the user's mobile phone, Starling 2FA can refuse the SMS or phone call request and the user must generate the OTP using the app.

To use this method

  • Set the configuration parameter "QER\Person\Defender\DisableForceParameter" in the Designer.

    Starling 2FA can refuse to transmit the OTP by SMS or phone call if the Starling 2FA app is installed on the phone. Then the OTP must be generated by the app.

If the configuration parameter is not set (default), Starling 2FA is forced to send the OTP by SMS or phone call.
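
The prerequisites from "Setting up Multi-Factor Authentication for Attestation" and the OTP delivery default described above can be checked before the option is enabled on a policy. The following is an added example, not One Identity code: the snapshot dictionary, its keys and the sample names are assumptions made for illustration, and only the parameter, table and service item names come from this guide.

```python
# Added example. The snapshot layout is an assumption for illustration; it is
# not One Identity Manager's schema or an export format the product provides.
REQUIRED = (r"QER\Person\Defender", r"QER\Person\Defender\ApiKey")
FORCE = r"QER\Person\Defender\DisableForceParameter"

def check_mfa_readiness(snap):
    """Return (severity, check, subject) findings for the documented prerequisites."""
    out = []
    params = snap["config_params"]      # parameter path -> value, None if not set
    for path in REQUIRED:
        if not params.get(path):
            out.append(("error", "parameter-not-set", path))
    if not params.get(FORCE):
        # Default: SMS or phone call delivery is forced when the user selects it.
        out.append(("warn", "sms-or-call-forced", FORCE))
    if not snap["assign_by_event"].get("PersonHasQERResource"):
        out.append(("error", "assign-by-event-off", "PersonHasQERResource"))
    if not snap["token_service_item_enabled"]:
        out.append(("error", "service-item-disabled", "New Starling 2FA token"))
    for pol in snap["policies"]:
        if not pol["mfa"]:
            continue
        if pol["is_default"]:
            # The guide rules out multi-factor authentication on default policies.
            out.append(("error", "mfa-on-default-policy", pol["name"]))
        for person in pol["attestors"]:
            # Every attestor is asked for a security code in each approval step.
            if not snap["starling_user_ids"].get(person):
                out.append(("error", "attestor-without-token",
                            f"{pol['name']}: {person}"))
    return out

# Constructed sample data (hypothetical names and values).
SAMPLE = {
    "config_params": {REQUIRED[0]: "1", REQUIRED[1]: "constructed-key", FORCE: None},
    "assign_by_event": {"PersonHasQERResource": True},
    "token_service_item_enabled": True,
    "starling_user_ids": {"alice": "constructed-id-1", "bob": None},
    "policies": [
        {"name": "Privileged group memberships", "is_default": False,
         "mfa": True, "attestors": ["alice", "bob"]},
        {"name": "Department memberships", "is_default": False,
         "mfa": False, "attestors": ["carol"]},
    ],
}

if __name__ == "__main__":
    for finding in check_mfa_readiness(SAMPLE):
        print(*finding, sep="\t")
```

An "attestor-without-token" finding marks an employee who cannot complete an approval step on that policy, because approval by email is not available as a fallback.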
