Identity Manager 8.0 - Configuration Guide


Displaying Contents of a Change Label

To display the contents of a change label

  1. Select Database | Change management... from the menu in the Designer.
  2. In the dialog box "Edit change labels...", select the change label you want from the Change labels list.
    • Under "Assigned changes" you can see all the changes made to individual object settings as well as all snapshots of objects.
    • All references to objects are shown under "Assigned objects".

Booking Changes to a Change Label Retrospectively

You can select individual objects and their dependencies from any objects in the database and book them to a change label. You can book objects as snapshots or references depending on which One Identity Manager tool it applies to.

IMPORTANT: Object references cannot be grouped together with changes to single properties and snapshots of objects in the same change label. Book object references to their own change labels.

NOTE: It is not possible to add changes of single properties to the change label at a later date.

In certain cases, it is necessary to add the dependent objects to the change label as well. For example, if processes are being transported, the dependent process steps, process parameters and events should also be transported. This is also true for approval policies, approval workflows, approval steps and approval procedures.

To book objects to a change label retrospectively

  1. Select Database | Change management... from the menu in the Designer.
  2. In the dialog box "Edit change labels...", select the change label using the Change label list.
  3. Select the database table from the Table list from which you want to copy objects to the change label.
  4. To limit the number of objects found
    1. Click the button next to the Table menu.
    2. Enter a condition in the "Filter".

      Enter the condition as a WHERE clause for a database query. You can enter the database query directly as in SQL or use the wizard, which you open by clicking on the button next to the text box.

    3. Click Apply.
  5. To map dependent objects
    1. Click the button next to the Table menu.

      This opens a separate selection box that displays the ChildRelation (CR), ForeignKey (FK) and many-to-many relations for the selected database table.

    2. Under "Table relations" enable the desired table relations.

      When you select and assign an object, the objects linked by these table relationships are marked with the same change label.

  6. Select the desired objects in the "Objects list".
    • Click the button to add all the selected objects to the change label as a reference.
    • Click the button to add all the selected objects to the change label as a snapshot.

    TIP: Multi-select objects using SHIFT + CLICK or CTRL + CLICK.

To remove objects from a change label

  1. Select Database | Change management... from the menu.
  2. In the dialog box "Edit change labels...", select the change label using the Change label list.

    All objects assigned to this change label are displayed.

  3. Select the objects you want to remove from the change label in the "Assigned changes" or "Assigned objects" list.

    TIP: Multi-select objects using SHIFT + CLICK or CTRL + CLICK.

  4. Click the button to remove the objects from the change label.

Basic System Configuration Data

The base data includes the main settings for configuring One Identity Manager. They are usually checked and customized on a one-off basis before One Identity Manager goes into operation. The base data comprises the database connection data, the authentication modules in use, the languages used and the configuration parameter settings.

One Identity Manager Authentication Module

One Identity Manager uses different authentication modules for logging in to administration tools. Authentication modules identify the system users to be used and load the user interface and database resource editing permissions depending on their permission group memberships.

NOTE: After initial schema installation, only the authentication modules "System user" and "ComponentAuthenticator" and the role-based authentication modules are enabled in One Identity Manager.

NOTE: Authentication modules are defined in the One Identity Manager modules and are not available until the modules are installed.

The following authentication modules are available:

System user

Login Data

The system user's identifier and password.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

Set as default: Yes
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: No

Remarks

The user interface and the write permissions are loaded through the system user.

Data modifications are attributed to the system user.

IMPORTANT: The system user "viadmin" is supplied by default. The system user "viadmin" has a predefined user interface and has access rights to database resources. The interface and access rights for "viadmin" should not be used in production or be modified, because it is a template system user that is overwritten by each schema update.

TIP: Create your own system user with the appropriate permissions. This can be done on initial installation of the One Identity Manager database. This system user can compile an initial One Identity Manager database and can be used to log into the administration tools for the first time.

Employee

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

Login Data

Employee's central user account and password.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

The employee exists in the One Identity Manager database.

  • The central user account is entered in the employee's master data.
  • The system user is entered in the employee's master data.
  • The password is entered in the employee's master data.

Set as default: Yes
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and the write permissions are loaded through the system user that is directly assigned to the logged in employee.

Changes to the data are assigned to the logged in employee.

Generic single sign-on (role based)

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default: No
Single Sign-On: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

One Identity Manager searches for the user account according to the configuration and finds the employee assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Changes to the data are assigned to the logged in employee.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 38: Configuration Parameters for the Authentication Module

QER\Person\OAuthAuthenticator

This configuration parameter specifies whether authentication through single sign-on is supported.

QER\Person\GenericAuthenticator\SearchTable

This configuration parameter contains the table in the One Identity Manager schema in which user information is stored. The table must contain a foreign key with the name UID_Person, which points to the table Person.

Example: ADSAccount

QER\Person\GenericAuthenticator\SearchColumn

This configuration parameter contains the column of the One Identity Manager table (SearchTable) that is searched for the user name of the current user.

Example: CN

QER\Person\GenericAuthenticator\EnabledBy

This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable) that must be set for the user account to be enabled for login.

QER\Person\GenericAuthenticator\DisabledBy

This configuration parameter contains a pipe (|) delimited list of Boolean columns of the One Identity Manager table (SearchTable) that, when set, disable the user account for login.

Example: AccountDisabled
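The following is an added worked model of the lookup that Table 38 configures (workstation login name, SearchTable row, UID_Person, employee, then the UseMasterForAuthentication rule). It is illustration code written for this page, not One Identity Manager code: the in-memory tables, the reading of EnabledBy as "all listed columns must be set" and DisabledBy as "any listed column set blocks login", and the Person column names IsMasterIdentity and UID_PersonMasterIdentity (and the ADSAccount column AccountLocked) are assumptions. The role-based step that derives a dynamic system user from application roles is not modelled; the example stops at the employee.

```python
# Worked model of the "Generic single sign-on (role based)" lookup:
# workstation login name -> row in SearchTable -> UID_Person -> employee.
# Added illustration only; not One Identity Manager code. Column names other
# than UID_Person (IsMasterIdentity, UID_PersonMasterIdentity, AccountLocked)
# and the in-memory tables are constructed for this example.

SEARCH_TABLE = r"QER\Person\GenericAuthenticator\SearchTable"
SEARCH_COLUMN = r"QER\Person\GenericAuthenticator\SearchColumn"
ENABLED_BY = r"QER\Person\GenericAuthenticator\EnabledBy"
DISABLED_BY = r"QER\Person\GenericAuthenticator\DisabledBy"
USE_MASTER = r"QER\Person\MasterIdentity\UseMasterForAuthentication"

# Constructed configuration, using the example values from the table above.
CONFIG = {
    SEARCH_TABLE: "ADSAccount",
    SEARCH_COLUMN: "CN",
    ENABLED_BY: "",                                # no column has to be set
    DISABLED_BY: "AccountDisabled|AccountLocked",  # either one set blocks login
    USE_MASTER: True,
}

# Constructed rows. ADSAccount rows carry the UID_Person foreign key that the
# SearchTable must provide; Person rows model main identity vs. subidentity.
TABLES = {
    "ADSAccount": [
        {"CN": "jdoe",     "UID_Person": "P-1",     "AccountDisabled": False, "AccountLocked": False},
        {"CN": "asmith",   "UID_Person": "P-2",     "AccountDisabled": True,  "AccountLocked": False},
        {"CN": "jdoe-adm", "UID_Person": "P-3-SUB", "AccountDisabled": False, "AccountLocked": False},
        {"CN": "dup",      "UID_Person": "P-4",     "AccountDisabled": False, "AccountLocked": False},
        {"CN": "dup",      "UID_Person": "P-5",     "AccountDisabled": False, "AccountLocked": False},
    ],
    "Person": {
        "P-1":     {"IsMasterIdentity": True,  "UID_PersonMasterIdentity": None},
        "P-2":     {"IsMasterIdentity": True,  "UID_PersonMasterIdentity": None},
        "P-3":     {"IsMasterIdentity": True,  "UID_PersonMasterIdentity": None},
        "P-3-SUB": {"IsMasterIdentity": False, "UID_PersonMasterIdentity": "P-3"},
        "P-4":     {"IsMasterIdentity": True,  "UID_PersonMasterIdentity": None},
        "P-5":     {"IsMasterIdentity": True,  "UID_PersonMasterIdentity": None},
    },
}


def split_columns(value):
    """Parse a pipe (|) delimited column list; an empty value means no columns."""
    return [c.strip() for c in value.split("|") if c.strip()]


def find_account(login_name, config, tables):
    """Return the one SearchTable row whose SearchColumn equals login_name."""
    rows = tables[config[SEARCH_TABLE]]
    column = config[SEARCH_COLUMN]
    matches = [row for row in rows if row.get(column) == login_name]
    if not matches:
        raise LookupError("no account matches login")
    if len(matches) > 1:
        # Two accounts sharing a login name must not authenticate either owner.
        raise LookupError("login is ambiguous")
    return matches[0]


def account_allows_login(row, config):
    """Apply EnabledBy (all listed columns set) and DisabledBy (none set)."""
    if any(not row.get(c, False) for c in split_columns(config[ENABLED_BY])):
        return False
    if any(row.get(c, False) for c in split_columns(config[DISABLED_BY])):
        return False
    return True


def resolve_employee(uid_person, config, persons):
    """UseMasterForAuthentication set: use the main identity; otherwise the matched identity."""
    person = persons[uid_person]
    if config[USE_MASTER] and not person["IsMasterIdentity"] and person["UID_PersonMasterIdentity"]:
        return person["UID_PersonMasterIdentity"]
    return uid_person


def authenticate(login_name, config=CONFIG, tables=TABLES):
    """Return (True, UID_Person) on success or (False, reason) otherwise."""
    try:
        row = find_account(login_name, config, tables)
    except LookupError as err:
        return (False, str(err))
    if not account_allows_login(row, config):
        return (False, "account disabled for login")
    return (True, resolve_employee(row["UID_Person"], config, tables["Person"]))


if __name__ == "__main__":
    for name in ("jdoe", "asmith", "jdoe-adm", "dup", "nobody"):
        print(name, "->", authenticate(name))
```

Two of the constructed cases are the ones worth checking in a real deployment: a login name that matches more than one SearchTable row is refused rather than resolved to the first hit, and a subidentity's account resolves to its main identity only while QER\Person\MasterIdentity\UseMasterForAuthentication is set.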

Employee (role based)

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

Login Data

Employee's central user account and password.

Prerequisites

The employee exists in the One Identity Manager database.

  • The central user account is entered in the employee's master data.
  • The password is entered in the employee's master data.

The employee is assigned at least one application role.

Set as default: Yes
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Changes to the data are assigned to the logged in employee.

Employee (dynamic)

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

Login Data

Employee's central user account and password.

Prerequisites

The employee exists in the One Identity Manager database.

  • The central user account is entered in the employee's master data.
  • The password is entered in the employee's master data.

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: Yes
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee.

Changes to the data are assigned to the logged in employee.

User account

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

The employee exists in the One Identity Manager database.

  • Permitted logins are entered in the employee's master data. The logins are expected in the form: domain\user.
  • The system user is entered in the employee's master data.

Set as default: No
Single Sign-On: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

All employee logins saved in the One Identity Manager database are found. The employee whose login data matches that of the current user is used for logging in.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and access permissions are loaded through the system user that is directly assigned to the employee found.

Data modifications are attributed to the current user account.

User Account (role based)

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The employee exists in the One Identity Manager database.

  • Permitted logins are entered in the employee's master data. The logins are expected in the form: domain\user.

The employee is assigned at least one application role.

Set as default: No
Single Sign-On: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

All employee logins saved in the One Identity Manager database are found. The employee whose login data matches that of the current user is used for logging in.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account.

Account-based system user

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

  • Permitted logins are entered in the system user's master data. The logins are expected in the form: domain\user.

Set as default: No
Single Sign-On: Yes
Front-end login allowed: Yes
Web Portal login allowed: No

Remarks

All system user logins saved in the One Identity Manager database are found. The system user whose login data matches that of the current user is used for logging in.

The user interface and the write permissions are loaded through the system user.

Data modifications are attributed to the current user account.

Active Directory user account

NOTE: This authentication module is available if the module Active Directory Module is installed.

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

The employee exists in the One Identity Manager database and the system user is entered in the employee's master data.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default: Yes
Single Sign-On: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and access permissions are loaded through the system user that is directly assigned to the employee found. If the employee is not assigned to a system user, the system user is taken from the configuration parameter "SysConfig\Logon\DefaultUser".

Data modifications are attributed to the current user account.

NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins.

Active Directory user account (role based)

NOTE: This authentication module is available if the module Active Directory Module is installed.

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default: Yes
Single Sign-On: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account.

NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins.

Active Directory user account (manual input/role based)

NOTE: This authentication module is available if the module Active Directory Module is installed.

Login Data

Login name and password for registering with Active Directory. You do not have to enter the domain.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The domains permitted for logging in are entered in the configuration parameter "TargetSystem\ADS\AuthenticationDomains".

Set as default: Yes
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

The user's identity is determined from a predefined list of permitted Active Directory domains. The corresponding user account, and the employee to which that user account is assigned, are determined in the One Identity Manager database.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account.

Active Directory user account (manual input)

NOTE: This authentication module is available if the module Active Directory Module is installed.

Login Data

Login name and password for registering with Active Directory. You do not have to enter the domain.

Prerequisites

The employee exists in the One Identity Manager database.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The domains permitted for logging in are entered in the configuration parameter "TargetSystem\ADS\AuthenticationDomains".

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

The user's identity is determined from a predefined list of permitted Active Directory domains. The corresponding user account, and the employee to which that user account is assigned, are determined in the One Identity Manager database.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee.

Data modifications are attributed to the current user account.

Active Directory user account (dynamic)

NOTE: This authentication module is available if the module Active Directory Module is installed.

Login Data

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

The employee exists in the One Identity Manager database.

The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No
Single Sign-On: Yes
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee.

Data modifications are attributed to the current user account.

NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins.

LDAP user account (dynamic)

NOTE: This authentication module is available if the module LDAP Module is installed.

Login Data

Login name, identifier, distinguished name or user ID of an LDAP user account.

LDAP user account's password.

Prerequisites

The employee exists in the One Identity Manager database.

The LDAP user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

If you log in using a login name, identifier or user ID, the corresponding user account is determined in the One Identity Manager database through the container's domain. Logging in with a distinguished name is done directly. One Identity Manager determines which employee is assigned to the LDAP user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee.

Data modifications are attributed to the current user account.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 39: Configuration Parameters for the Authentication Module

TargetSystem\LDAP\Authentication

The configuration parameter allows configuration of the LDAP authentication module.

TargetSystem\LDAP\Authentication\Authentication

The configuration parameter specifies the authentication mechanism. Permitted values are "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing", "Delegation" and "ServerBind". Several values can be combined, separated by commas (,). For more information about authentication types, see the MSDN Library.

Default is ServerBind.

TargetSystem\LDAP\Authentication\Port

LDAP server's port. Default is port 389.

TargetSystem\LDAP\Authentication\RootDN

The configuration parameter contains the root domain's distinguished name.

Syntax:

dc=MyDomain

TargetSystem\LDAP\Authentication\Server

The configuration parameter contains the name of the LDAP server.
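The following is an added sanity check over the TargetSystem\LDAP\Authentication\* values in Table 39, written for this page rather than taken from One Identity Manager. The permitted flag names are the ones the table lists (they are the names of the .NET System.DirectoryServices.AuthenticationTypes enumeration that the MSDN reference describes); the rules that flag a setting as weak, and the use of port 636 as the conventional LDAP-over-TLS port, are this example's own assumptions. The point it makes is that the documented default, ServerBind alone on port 389, performs a simple bind, which sends the user's password to the LDAP server in clear text; adding Secure (Negotiate, that is Kerberos or NTLM) or SecureSocketsLayer/Encryption with the matching port is what protects the credential on the wire.

```python
# Sanity check for the TargetSystem\LDAP\Authentication\* parameters listed in
# Table 39. Added illustration only; not One Identity Manager code. The
# permitted flag names are those the table lists; the weak/strong rules and
# the 636 LDAPS port are this example's own assumptions.

PERMITTED_FLAGS = {
    "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous",
    "FastBind", "Signing", "Sealing", "Delegation", "ServerBind",
}
DEFAULT_AUTHENTICATION = "ServerBind"  # documented default
DEFAULT_PORT = 389                     # documented default (plain LDAP port)
LDAPS_PORT = 636                       # assumption: conventional LDAP-over-TLS port

P_AUTH = r"TargetSystem\LDAP\Authentication\Authentication"
P_PORT = r"TargetSystem\LDAP\Authentication\Port"
P_ROOT = r"TargetSystem\LDAP\Authentication\RootDN"
P_SERVER = r"TargetSystem\LDAP\Authentication\Server"


def parse_flags(value):
    """Split the comma (,) separated value into a set; an empty value means the default."""
    if value is None or not value.strip():
        return {DEFAULT_AUTHENTICATION}
    flags = {f.strip() for f in value.split(",") if f.strip()}
    unknown = flags - PERMITTED_FLAGS
    if unknown:
        raise ValueError("unknown authentication flag(s): %s" % sorted(unknown))
    return flags


def check_ldap_auth_config(params):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []
    flags = parse_flags(params.get(P_AUTH, ""))
    port = int(params.get(P_PORT, DEFAULT_PORT))
    root_dn = params.get(P_ROOT, "")
    server = params.get(P_SERVER, "")

    if not server.strip():
        findings.append("server-missing")
    if not root_dn.strip().lower().startswith("dc="):
        findings.append("rootdn-syntax")       # documented syntax: dc=MyDomain
    if not 1 <= port <= 65535:
        findings.append("port-range")
    if "Anonymous" in flags:
        findings.append("anonymous-bind")      # no credential is checked at all
    # Without Secure (Negotiate: Kerberos/NTLM) or an SSL/TLS flag, the bind is
    # a simple bind and carries the password in clear text over the network.
    if not flags & {"Secure", "SecureSocketsLayer", "Encryption"}:
        findings.append("cleartext-bind")
    if flags & {"SecureSocketsLayer", "Encryption"} and port == DEFAULT_PORT:
        findings.append("ssl-on-ldap-port")    # TLS is normally expected on 636
    return findings


if __name__ == "__main__":
    weak = {P_AUTH: "", P_PORT: "389", P_ROOT: "dc=example", P_SERVER: "ldap.example.test"}
    hardened = {P_AUTH: "Secure,Signing,Sealing,ServerBind", P_PORT: "389",
                P_ROOT: "dc=example", P_SERVER: "ldap.example.test"}
    print("documented default:", check_ldap_auth_config(weak))
    print("hardened:", check_ldap_auth_config(hardened))
```

The checker treats an unknown flag name as an error rather than a finding, because the table gives a closed list of permitted values and a misspelt flag would otherwise be silently ignored.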

LDAP user account (role based)

NOTE: This authentication module is available if the module LDAP Module is installed.

Login Data

Login name, identifier, distinguished name or user ID of an LDAP user account.

LDAP user account's password.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The LDAP user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No
Single Sign-On: No
Front-end login allowed: Yes
Web Portal login allowed: Yes

Remarks

If you log in using a login name, identifier or user ID, the corresponding user account is determined in the One Identity Manager database through the container's domain. Logging in with a distinguished name is done directly. One Identity Manager determines which employee is assigned to the LDAP user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 40: Configuration Parameters for the Authentication Module

TargetSystem\LDAP\Authentication

The configuration parameter allows configuration of the LDAP authentication module.

TargetSystem\LDAP\Authentication\Authentication

The configuration parameter specifies the authentication mechanism. Permitted values are "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing", "Delegation" and "ServerBind". Several values can be combined, separated by commas (,). For more information about authentication types, see the MSDN Library.

Default is ServerBind.

TargetSystem\LDAP\Authentication\Port

LDAP server's port. Default is port 389.

TargetSystem\LDAP\Authentication\RootDN

The configuration parameter contains the root domain's distinguished name.

Syntax:

dc=MyDomain

TargetSystem\LDAP\Authentication\Server

The configuration parameter contains the name of the LDAP server.

HTTP header (role based)

The authentication module supports authentication through Web Single Sign-On solutions that work with a proxy-based architecture.

Login Data

Employee's central user account or personnel number.

Prerequisites

The employee exists in the One Identity Manager database.

  • The central user account or personnel number is entered in the employee's master data.

The employee is assigned at least one application role.

Set as default

Yes

Single Sign-On

Yes

Front-end login allowed

No

Web Portal login allowed

Yes

Remarks

You must pass the user name in the HTTP header (in the form: UserName =<user name of the authenticated user>). The employee whose central user account or personnel number matches the passed user name is found in the One Identity Manager database.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Changes to the data are assigned to the logged in employee.

HTTP header

The authentication module supports authentication through Web Single Sign-On solutions that work with a proxy-based architecture.

Login Data

Employee's central user account or personnel number.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

The employee exists in the One Identity Manager database.

  • The central user account or personnel number is entered in the employee's master data.
  • The system user is entered in the employee's master data.

Set as default

No

Single Sign-On

Yes

Front-end login allowed

No

Web Portal login allowed

Yes

Remarks

You must pass the user name in the HTTP header (in the form: UserName =<user name of the authenticated user>). The employee whose central user account or personnel number matches the passed user name is found in the One Identity Manager database.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and the write permissions are loaded through the system user that is directly assigned to the logged in employee. If the employee is not assigned to a system user, the system user is taken from the configuration parameter "SysConfig\Logon\DefaultUser".

Changes to the data are assigned to the logged in employee.
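The header-to-employee mapping described in the remarks above, as an added example that is not part of the One Identity Manager documentation or product code. It works over constructed in-memory records: the Person field names, the way a subidentity links to its main identity, and the sample names are assumptions. The example treats the UserName header as trustworthy only because, in a proxy-based Web Single Sign-On architecture, the proxy sets it; a missing or empty header is rejected rather than mapped to a default employee, and a missing system user is only bridged by "SysConfig\Logon\DefaultUser" as the documentation states.

```python
"""Resolve a One Identity Manager login from the UserName header of an SSO proxy.

Added example, not One Identity Manager's own code. It re-implements, over
constructed in-memory data, the lookup rules the documentation gives for the
"HTTP header" module: match on central user account or personnel number,
choose main identity or subidentity by
QER\\Person\\MasterIdentity\\UseMasterForAuthentication, and take the system
user from the employee or from SysConfig\\Logon\\DefaultUser. The Person
fields below are assumptions, not the product schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

USE_MASTER = "QER\\Person\\MasterIdentity\\UseMasterForAuthentication"
DEFAULT_USER = "SysConfig\\Logon\\DefaultUser"


@dataclass(frozen=True)
class Person:
    uid: str
    central_account: str
    personnel_number: str
    is_master_identity: bool
    uid_master_identity: Optional[str] = None   # set on subidentities only (assumption)
    uid_system_user: Optional[str] = None       # directly assigned system user


@dataclass(frozen=True)
class Login:
    uid_person: str    # employee that data changes are attributed to
    system_user: str   # system user that supplies the UI and permissions


def parse_user_name_header(headers: Dict[str, str]) -> str:
    """Read the 'UserName' header the SSO proxy sets for the authenticated user.

    A missing or empty header is rejected; nothing falls back to a default account.
    """
    value = (headers.get("UserName") or "").strip()
    if not value:
        raise PermissionError("UserName header missing or empty")
    return value


def find_employee(user_name: str, persons: Iterable[Person],
                  use_master_for_authentication: bool) -> Person:
    """Find the employee whose central account or personnel number matches."""
    persons = list(persons)
    matches = [p for p in persons
               if user_name in (p.central_account, p.personnel_number)]
    if not matches:
        raise PermissionError(f"no employee matches {user_name!r}")
    by_uid = {p.uid: p for p in persons}
    if use_master_for_authentication:
        # Parameter set: the main identity is used, even if a subidentity matched.
        for p in matches:
            if p.is_master_identity:
                return p
        master = by_uid.get(matches[0].uid_master_identity or "")
        return master if master is not None else matches[0]
    # Parameter not set: the subidentity is used when one matched.
    for p in matches:
        if not p.is_master_identity:
            return p
    return matches[0]


def resolve_login(headers: Dict[str, str], persons: Iterable[Person],
                  config: Dict[str, object]) -> Login:
    """Full resolution: header -> employee -> system user."""
    persons = list(persons)
    person = find_employee(parse_user_name_header(headers), persons,
                           bool(config.get(USE_MASTER, False)))
    # System user directly assigned to the employee, else SysConfig\Logon\DefaultUser.
    system_user = person.uid_system_user or config.get(DEFAULT_USER)
    if not system_user:
        raise PermissionError(
            "employee has no system user and SysConfig\\Logon\\DefaultUser is empty")
    return Login(uid_person=person.uid, system_user=str(system_user))


# Constructed sample data: one employee with a main identity and a
# subidentity sharing the central account, plus a second employee.
SAMPLE_PERSONS: List[Person] = [
    Person("P1", "ALICE", "1001", True, None, "SysUserAlice"),
    Person("P2", "ALICE", "1001-S", False, "P1", None),
    Person("P3", "BOB", "2002", True, None, None),
]
SAMPLE_CONFIG = {USE_MASTER: False, DEFAULT_USER: "DefaultSysUser"}

if __name__ == "__main__":
    print(resolve_login({"UserName": " ALICE"}, SAMPLE_PERSONS, SAMPLE_CONFIG))
    print(resolve_login({"UserName": "2002"}, SAMPLE_PERSONS,
                        {**SAMPLE_CONFIG, USE_MASTER: True}))
```

With the parameter unset the shared central account "ALICE" resolves to the subidentity P2, which has no system user of its own, so the login runs under the default system user; with the parameter set, the main identity P1 and its directly assigned system user are used.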

OAuth 2.0/OpenID Connect

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

The authentication module supports the authorization code flow for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

This authentication module uses a Secure Token Service for logging in. The login procedure can be used with any Secure Token Service that can return an OAuth 2.0 token.

Login Data

Dependent on the authentication method of the secure token service.

Prerequisites

The system user with permissions exists in the One Identity Manager database.

The employee exists in the One Identity Manager database.

  • The system user is entered in the employee's master data.

The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default

No

Single Sign-On

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and access permissions are loaded through the system user that is directly assigned to the employee found.

Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.

The respective user interface prompts for the authorization code. The configuration parameter "QER\Person\OAuthAuthenticator\LoginEndpoint" is used to open a separate login dialog box in which the authorization code is determined. The authentication module then requests an access token from the token endpoint, and a certificate is required to verify the security token. The module first attempts to find the certificate in the web application configuration; if that is not possible, the configuration parameters are used. To find the certificate for verifying the token, the certificate sources are queried in the following order:

  1. Web application configuration (table QBMWebApplication)
    1. Certificate text (QBMWebApplication.CertificateText).
    2. Subject or fingerprint from the local certificate store (QBMWebApplication.OAuthCertificateSubject and QBMWebApplication.OAuthCertificateThumbPrint).
    3. Certificate endpoint (QBMWebApplication.CertificateEndpoint).

      In addition, if a subject or fingerprint is given and the certificate does not exist locally on the server, the subject or fingerprint is used to check the certificate retrieved from the server.

  2. Configuration parameters
    1. Certificate text (configuration parameter "QER\Person\OAuthAuthenticator\CertificateText").
    2. Subject or fingerprint from the local certificate store (configuration parameters "QER\Person\OAuthAuthenticator\CertificateSubject" and "QER\Person\OAuthAuthenticator\CertificateThumbPrint").
    3. Certificate endpoint (configuration parameter "QER\Person\OAuthAuthenticator\CertificateEndpoint").

      In addition, if a subject or fingerprint is given and the certificate does not exist locally on the server, the subject or fingerprint is used to check the certificate retrieved from the server.

    4. JSON Web Key endpoint (configuration parameter "QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint").
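The certificate lookup order above, as an added example that is not part of the One Identity Manager documentation or product code. It walks both stages in the documented order over constructed inputs and returns which source supplied the certificate, so an administrator can see which setting actually wins when several are filled in. The fetch callback, the local-store layout, the use of a SHA-1 thumbprint for checking a server-supplied certificate against the configured fingerprint, the placeholder certificate bytes and the sample endpoint URLs are assumptions.

```python
"""Locate the certificate used to verify the OAuth 2.0 security token.

Added example, not One Identity Manager's own code. It walks the lookup
order the documentation lists (QBMWebApplication columns first, then the
QER\\Person\\OAuthAuthenticator\\* parameters) over constructed inputs. The
dictionary keys mirror the documented column and parameter names; the fetch
callback, the local-store layout and the SHA-1 thumbprint check applied to
certificates retrieved from the server are assumptions.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str], bytes]              # hypothetical HTTP GET, injected for testing
LocalStore = List[Tuple[str, str, bytes]]   # (subject, thumbprint, DER bytes)
PARAM = "QER\\Person\\OAuthAuthenticator\\"


def sha1_thumbprint(der: bytes) -> str:
    """Certificate thumbprint as the Windows store shows it: SHA-1 over DER, hex."""
    return hashlib.sha1(der).hexdigest().upper()


def _from_local_store(store: LocalStore, subject: Optional[str],
                      thumbprint: Optional[str]) -> Optional[bytes]:
    """Prefer the thumbprint (unique) over the subject (may be reused)."""
    for subj, thumb, der in store:
        if thumbprint:
            if thumb.upper() == thumbprint.upper():
                return der
        elif subject and subj == subject:
            return der
    return None


def _check_server_certificate(der: bytes, thumbprint: Optional[str]) -> bytes:
    """A certificate downloaded from the server is checked against the configured
    thumbprint when one is given (a subject check would need an X.509 parser)."""
    if thumbprint and sha1_thumbprint(der) != thumbprint.upper():
        raise ValueError("server certificate does not match configured thumbprint")
    return der


def _from_jwks(document: bytes) -> bytes:
    """Only JWK sets whose key carries the certificate chain in x5c are usable."""
    for key in json.loads(document).get("keys", []):
        chain = key.get("x5c")
        if chain:
            return base64.b64decode(chain[0])   # x5c[0] is the signing certificate
    raise ValueError("JWK set contains no x5c entry")


def resolve_token_certificate(web_app: Dict[str, str], config: Dict[str, str],
                              local_store: LocalStore, fetch: Fetch) -> Tuple[str, bytes]:
    """Return (source, DER bytes) from the first source that yields a certificate."""
    stages = [
        ("QBMWebApplication",
         web_app.get("CertificateText"), web_app.get("OAuthCertificateSubject"),
         web_app.get("OAuthCertificateThumbPrint"), web_app.get("CertificateEndpoint"),
         None),  # the web application configuration has no JWK column
        ("ConfigParameter",
         config.get(PARAM + "CertificateText"), config.get(PARAM + "CertificateSubject"),
         config.get(PARAM + "CertificateThumbPrint"), config.get(PARAM + "CertificateEndpoint"),
         config.get(PARAM + "JsonWebKeyEndpoint")),
    ]
    for name, text, subject, thumb, endpoint, jwk_endpoint in stages:
        if text:
            return name + ".CertificateText", base64.b64decode(text)
        local = _from_local_store(local_store, subject, thumb)
        if local is not None:
            return name + ".LocalStore", local
        if endpoint:
            return name + ".CertificateEndpoint", _check_server_certificate(fetch(endpoint), thumb)
        if jwk_endpoint:
            return name + ".JsonWebKeyEndpoint", _check_server_certificate(
                _from_jwks(fetch(jwk_endpoint)), thumb)
    raise LookupError("no certificate source is configured")


# Constructed sample: these bytes stand in for a DER-encoded certificate.
SAMPLE_CERT = b"constructed-der-certificate-bytes"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT).decode()
SAMPLE_JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "x5c": [SAMPLE_CERT_B64]}]}).encode()


def sample_fetch(url: str) -> bytes:
    """Offline stand-in for HTTP GET against two constructed endpoints."""
    if url.endswith("/SigningCertificate"):
        return SAMPLE_CERT
    if url.endswith("/jwks"):
        return SAMPLE_JWKS
    raise ConnectionError(url)


if __name__ == "__main__":
    cfg = {PARAM + "CertificateEndpoint": "https://sts.example/SigningCertificate",
           PARAM + "CertificateThumbPrint": sha1_thumbprint(SAMPLE_CERT)}
    print(resolve_token_certificate({}, cfg, [], sample_fetch))
```

A certificate that only comes from an endpoint is the weakest of the sources, because whoever controls that URL controls what the token is checked against; that is why the documented subject or fingerprint check for server-supplied certificates is worth configuring, and the example rejects an endpoint result whose thumbprint differs from the configured one.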

A claim type is required to find the user account from the user information. In addition, you specify which One Identity Manager schema information (table and column) is used to search for the user account.

Authentication through OpenID Connect is built on OAuth. OpenID Connect authentication uses the same mechanisms but makes the user claims available either in an ID token or through a UserInfo endpoint. Additional configuration settings are required for using OpenID Connect. If the configuration parameter "QER\Person\OAuthAuthenticator\Scope" contains the value "openid", the authentication module uses OpenID Connect.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 41: Configuration Parameters for the Authentication Module

Configuration Parameter

Meaning

QER\Person\OAuthAuthenticator

This configuration parameter specifies whether authentication is supported through security tokens.

QER\Person\OAuthAuthenticator\CertificateEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the certificate endpoint on the authorization server.

Example: https://localhost/RSTS/SigningCertificate

QER\Person\OAuthAuthenticator\CertificateSubject

This configuration parameter contains the subject of the certificate used to verify the security token. Either the subject or the fingerprint must be set.

QER\Person\OAuthAuthenticator\CertificateThumbPrint

This configuration parameter contains the fingerprint of the certificate used to verify the security token.

QER\Person\OAuthAuthenticator\ClientID

This configuration parameter specifies whether the client application supports this authentication.

QER\Person\OAuthAuthenticator\ClientID\Web

This configuration parameter contains the Uniform Resource Name (URN) of the web application that supports this authentication.

Example: urn:OneIdentityManager/Web

QER\Person\OAuthAuthenticator\ClientID\Windows

This configuration parameter contains the Uniform Resource Name (URN) of the native application that supports this authentication.

Example: urn:OneIdentityManager/WinClient

QER\Person\OAuthAuthenticator\DisabledByColumns

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) that mark the user account as disabled for login.

Example: AccountDisabled

QER\Person\OAuthAuthenticator\EnabledByColumns

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) that mark the user account as enabled for login.

QER\Person\OAuthAuthenticator\IssuerName

This configuration parameter contains the Uniform Resource Name (URN) of the certificate issuer, used for verifying the security token.

Example: urn:STS/identity

QER\Person\OAuthAuthenticator\LoginEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the Secure Token Service login page.

Example: http://localhost/rsts/login

QER\Person\OAuthAuthenticator\Resource

This configuration parameter contains the Uniform Resource Name (URN) of the resource to be queried, for example ADFS.

QER\Person\OAuthAuthenticator\SearchClaim

This configuration parameter contains the Uniform Resource Identifier (URI) of the claim type whose value is taken from the login data to find the user account.

Example: name identifier of an entity

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

QER\Person\OAuthAuthenticator\SearchColumn

This configuration parameter contains the column of the One Identity Manager table (SearchTable) that is used to search for the user data. It is the equivalent of the claim type (SearchClaim) in the One Identity Manager schema.

Example: ObjectGUID

QER\Person\OAuthAuthenticator\SearchTable

This configuration parameter contains the table in the One Identity Manager schema in which the user information is stored. The table must contain a foreign key named UID_Person that points to the table Person.

Example: ADSAccount

QER\Person\OAuthAuthenticator\TokenEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the token endpoint on the authorization server, which returns the access token to the client for logging in.

Example: https://localhost/rsts/oauth2/token

QER\Person\OAuthAuthenticator\UserNameClaim

This configuration parameter contains the Uniform Resource Identifier (URI) of the claim type whose value is used to label data changes (XUserInserted, XUserUpdated).

Example: User Principal Name (UPN)

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

QER\Person\OAuthAuthenticator\InstalledRedirectUri

This configuration parameter contains the Uniform Resource Identifier (URI) used for redirecting to installed applications.

Example: urn:InstalledApplication

QER\Person\OAuthAuthenticator\AllowSelfSignedCertsForTLS

This configuration parameter specifies whether self-signed certificates are accepted for the TLS connection to the token and UserInfo endpoints.

QER\Person\OAuthAuthenticator\CertificateText

This configuration parameter contains the contents of the certificate as a Base64-encoded string. It is used if no certificate is configured.

QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the JSON Web Key endpoint that supplies the signature key. Currently, only JWK sets that contain the certificate in the x5c field are supported.

QER\Person\OAuthAuthenticator\LogoutEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the logout endpoint.

Example: http://localhost/rsts/login?wa=wsignout1.0

QER\Person\OAuthAuthenticator\SharedSecret

This configuration parameter contains the shared secret used for authenticating at the token endpoint.

Table 42: Additional Configuration Parameters for OpenID Connect

Configuration Parameter

Meaning

QER\Person\OAuthAuthenticator\Scope

This configuration parameter specifies the authentication protocol. If the configuration parameter has the value "openid", OpenID Connect is used; otherwise OAuth 2.0 is used.

QER\Person\OAuthAuthenticator\UserInfoEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the OpenID Connect UserInfo endpoint.
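How the SearchClaim, SearchTable, SearchColumn, DisabledByColumns, EnabledByColumns, IssuerName and UserNameClaim parameters of the two tables above act together once a token has been accepted, as an added example that is not part of the One Identity Manager documentation or product code. The token signature is assumed to have been verified already with the certificate found by the lookup order in the remarks; reading the issuer from an "iss" claim, requiring every column listed in EnabledByColumns to be true, and the constructed ADSAccount rows and column IsEnabled are assumptions.

```python
"""Map the claims of a verified OAuth 2.0 / OpenID Connect token to an employee.

Added example, not One Identity Manager's own code. It applies the
SearchClaim, SearchTable, SearchColumn, DisabledByColumns, EnabledByColumns,
IssuerName and UserNameClaim parameters as the documentation describes them,
over a constructed in-memory table. Reading the issuer from an 'iss' claim,
treating EnabledByColumns as "every listed column must be true", and the row
layout are assumptions; the token signature is taken to be verified already.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PARAM = "QER\\Person\\OAuthAuthenticator\\"
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed configuration using the documented parameter names and examples.
SAMPLE_CONFIG: Dict[str, str] = {
    PARAM + "IssuerName": "urn:STS/identity",
    PARAM + "Scope": "openid",
    PARAM + "SearchTable": "ADSAccount",
    PARAM + "SearchColumn": "ObjectGUID",
    PARAM + "SearchClaim": NAMEID,
    PARAM + "UserNameClaim": UPN,
    PARAM + "DisabledByColumns": "AccountDisabled",
    PARAM + "EnabledByColumns": "",
}

# Constructed rows of the search table; each row carries the UID_Person
# foreign key to Person that the documentation requires. IsEnabled is a
# made-up column used to exercise EnabledByColumns.
SAMPLE_TABLES: Dict[str, List[dict]] = {
    "ADSAccount": [
        {"ObjectGUID": "guid-alice", "UID_Person": "P-ALICE", "AccountDisabled": False, "IsEnabled": True},
        {"ObjectGUID": "guid-bob", "UID_Person": "P-BOB", "AccountDisabled": True, "IsEnabled": True},
        {"ObjectGUID": "guid-carol", "UID_Person": "", "AccountDisabled": False, "IsEnabled": False},
    ]
}


@dataclass(frozen=True)
class ResolvedLogin:
    uid_person: str
    change_label: str   # value written to XUserInserted / XUserUpdated


def split_columns(value: Optional[str]) -> List[str]:
    """Parse a pipe (|) delimited column list, ignoring blanks."""
    return [c.strip() for c in (value or "").split("|") if c.strip()]


def uses_openid_connect(config: Dict[str, str]) -> bool:
    """OpenID Connect is selected when the Scope parameter contains 'openid'."""
    return "openid" in config.get(PARAM + "Scope", "").split()


def resolve_login(claims: Dict[str, str], config: Dict[str, str],
                  tables: Dict[str, List[dict]]) -> ResolvedLogin:
    """Claims -> user account row -> employee, with enable/disable checks."""
    if claims.get("iss") != config.get(PARAM + "IssuerName"):
        raise PermissionError("token issuer does not match IssuerName")
    search_value = claims.get(config[PARAM + "SearchClaim"])
    if not search_value:
        raise PermissionError("token does not carry the configured SearchClaim")
    column = config[PARAM + "SearchColumn"]
    matches = [r for r in tables.get(config[PARAM + "SearchTable"], [])
               if r.get(column) == search_value]
    if len(matches) != 1:   # an ambiguous match is as bad as no match
        raise PermissionError(f"expected exactly one user account, found {len(matches)}")
    row = matches[0]
    if any(row.get(c) for c in split_columns(config.get(PARAM + "DisabledByColumns"))):
        raise PermissionError("user account is disabled for login")
    if not all(row.get(c) for c in split_columns(config.get(PARAM + "EnabledByColumns"))):
        raise PermissionError("user account is not enabled for login")
    uid_person = row.get("UID_Person")
    if not uid_person:
        raise PermissionError("no employee is assigned to the user account")
    label = claims.get(config[PARAM + "UserNameClaim"])
    if not label:
        raise PermissionError("token does not carry the configured UserNameClaim")
    return ResolvedLogin(uid_person=uid_person, change_label=label)


if __name__ == "__main__":
    token = {"iss": "urn:STS/identity", NAMEID: "guid-alice", UPN: "alice@example.com"}
    print(uses_openid_connect(SAMPLE_CONFIG), resolve_login(token, SAMPLE_CONFIG, SAMPLE_TABLES))
```

Which employee is finally used when that employee has several identities, and which system user supplies the permissions, follows the same "QER\Person\MasterIdentity\UseMasterForAuthentication" rule as the other modules and is not repeated here.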

OAuth 2.0/OpenID Connect (role-based)

NOTE: This authentication module is available if the module Identity Management Base Module is installed.

The authentication module supports the authorization code flow for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

This authentication module uses a Secure Token Service for logging in. The login procedure can be used with any Secure Token Service that can return an OAuth 2.0 token.

Login Data

Dependent on the authentication method of the secure token service.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default

No

Single Sign-On

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

One Identity Manager determines which employee is assigned to the user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.

The respective user interface prompts for the authorization code. The configuration parameter "QER\Person\OAuthAuthenticator\LoginEndpoint" is used to open a separate login dialog box in which the authorization code is determined. The authentication module then requests an access token from the token endpoint, and a certificate is required to verify the security token. The module first attempts to find the certificate in the web application configuration; if that is not possible, the configuration parameters are used. To find the certificate for verifying the token, the certificate sources are queried in the following order:

  1. Web application configuration (table QBMWebApplication)
    1. Certificate text (QBMWebApplication.CertificateText).
    2. Subject or fingerprint from the local certificate store (QBMWebApplication.OAuthCertificateSubject and QBMWebApplication.OAuthCertificateThumbPrint).
    3. Certificate endpoint (QBMWebApplication.CertificateEndpoint).

      In addition, if a subject or fingerprint is given and the certificate does not exist locally on the server, the subject or fingerprint is used to check the certificate retrieved from the server.

  2. Configuration parameters
    1. Certificate text (configuration parameter "QER\Person\OAuthAuthenticator\CertificateText").
    2. Subject or fingerprint from the local certificate store (configuration parameters "QER\Person\OAuthAuthenticator\CertificateSubject" and "QER\Person\OAuthAuthenticator\CertificateThumbPrint").
    3. Certificate endpoint (configuration parameter "QER\Person\OAuthAuthenticator\CertificateEndpoint").

      In addition, if a subject or fingerprint is given and the certificate does not exist locally on the server, the subject or fingerprint is used to check the certificate retrieved from the server.

    4. JSON Web Key endpoint (configuration parameter "QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint").

A claim type is required to find the user account from the user information. In addition, you specify which One Identity Manager schema information (table and column) is used to search for the user account.

Authentication through OpenID Connect is built on OAuth. OpenID Connect authentication uses the same mechanisms but makes the user claims available either in an ID token or through a UserInfo endpoint. Additional configuration settings are required for using OpenID Connect. If the configuration parameter "QER\Person\OAuthAuthenticator\Scope" contains the value "openid", the authentication module uses OpenID Connect.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 43: Configuration Parameters for the Authentication Module

Configuration Parameter

Meaning

QER\Person\OAuthAuthenticator

This configuration parameter specifies whether authentication is supported through security tokens.

QER\Person\OAuthAuthenticator\CertificateEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the certificate endpoint on the authorization server.

Example: https://localhost/RSTS/SigningCertificate

QER\Person\OAuthAuthenticator\CertificateSubject

This configuration parameter contains the subject of the certificate used to verify the security token. Either the subject or the fingerprint must be set.

QER\Person\OAuthAuthenticator\CertificateThumbPrint

This configuration parameter contains the fingerprint of the certificate used to verify the security token.

QER\Person\OAuthAuthenticator\ClientID

This configuration parameter specifies whether the client application supports this authentication.

QER\Person\OAuthAuthenticator\ClientID\Web

This configuration parameter contains the Uniform Resource Name (URN) of the web application that supports this authentication.

Example: urn:OneIdentityManager/Web

QER\Person\OAuthAuthenticator\ClientID\Windows

This configuration parameter contains the Uniform Resource Name (URN) of the native application that supports this authentication.

Example: urn:OneIdentityManager/WinClient

QER\Person\OAuthAuthenticator\DisabledByColumns

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) that mark the user account as disabled for login.

Example: AccountDisabled

QER\Person\OAuthAuthenticator\EnabledByColumns

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) that mark the user account as enabled for login.

QER\Person\OAuthAuthenticator\IssuerName

This configuration parameter contains the Uniform Resource Name (URN) of the certificate issuer, used for verifying the security token.

Example: urn:STS/identity

QER\Person\OAuthAuthenticator\LoginEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the Secure Token Service login page.

Example: http://localhost/rsts/login

QER\Person\OAuthAuthenticator\Resource

This configuration parameter contains the Uniform Resource Name (URN) of the resource to be queried, for example ADFS.

QER\Person\OAuthAuthenticator\SearchClaim

This configuration parameter contains the Uniform Resource Identifier (URI) of the claim type whose value is taken from the login data to find the user account.

Example: name identifier of an entity

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

QER\Person\OAuthAuthenticator\SearchColumn

This configuration parameter contains the column of the One Identity Manager table (SearchTable) that is used to search for the user data. It is the equivalent of the claim type (SearchClaim) in the One Identity Manager schema.

Example: ObjectGUID

QER\Person\OAuthAuthenticator\SearchTable

This configuration parameter contains the table in the One Identity Manager schema in which the user information is stored. The table must contain a foreign key named UID_Person that points to the table Person.

Example: ADSAccount

QER\Person\OAuthAuthenticator\TokenEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the token endpoint on the authorization server, which returns the access token to the client for logging in.

Example: https://localhost/rsts/oauth2/token

QER\Person\OAuthAuthenticator\UserNameClaim

This configuration parameter contains the Uniform Resource Identifier (URI) of the claim type whose value is used to label data changes (XUserInserted, XUserUpdated).

Example: User Principal Name (UPN)

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

QER\Person\OAuthAuthenticator\InstalledRedirectUri

This configuration parameter contains the Uniform Resource Identifier (URI) used for redirecting to installed applications.

Example: urn:InstalledApplication

QER\Person\OAuthAuthenticator\AllowSelfSignedCertsForTLS

This configuration parameter specifies whether self-signed certificates are accepted for the TLS connection to the token and UserInfo endpoints.

QER\Person\OAuthAuthenticator\CertificateText

This configuration parameter contains the contents of the certificate as a Base64-encoded string. It is used if no certificate is configured.

QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the JSON Web Key endpoint that supplies the signature key. Currently, only JWK sets that contain the certificate in the x5c field are supported.

QER\Person\OAuthAuthenticator\LogoutEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the logout endpoint.

Example: http://localhost/rsts/login?wa=wsignout1.0

QER\Person\OAuthAuthenticator\SharedSecret

This configuration parameter contains the shared secret used for authenticating at the token endpoint.

Table 44: Additional Configuration Parameters for OpenID Connect

Configuration Parameter

Meaning

QER\Person\OAuthAuthenticator\Scope

This configuration parameter specifies the authentication protocol. If the configuration parameter has the value "openid", OpenID Connect is used; otherwise OAuth 2.0 is used.

QER\Person\OAuthAuthenticator\UserInfoEndpoint

This configuration parameter contains the Uniform Resource Locator (URL) of the OpenID Connect UserInfo endpoint.

Synchronization authenticator

NOTE: This authentication module is available if the module Target System Synchronization Module is installed.

This authentication module integrates the default method for Synchronization Editor login.

Login Data

Use the system user "sa" to log in.

Prerequisites

 

Set as default

Yes

Single Sign-On

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The system user "sa" should not be changed, as it is overwritten each time the schema is installed.

Web Agent authenticator

The authentication module integrates the default method for Web Designer login, which is used to access the database before the first user logs in.

Login Data

Use the system user "sa" to log in.

Prerequisites

 

Set as default

Yes

Single Sign-On

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The system user "sa" should not be changed, as it is overwritten each time the schema is installed.

Component authenticator

This authentication module integrates the default method for registering process components.

Login Data

Use the system user "sa" to log in.

Prerequisites

 

Set as default

Yes

Single Sign-On

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The system user "sa" should not be changed, as it is overwritten each time the schema is updated.

Crawler

The authentication module is used by the application server to compile search indexes for full text search over the database.

Login Data

Use the system user "sa" to log in.

Prerequisites

 

Set as default

Yes

Single Sign-On

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The system user "sa" should not be changed, as it is overwritten each time the schema is installed.
