To enable other authentication modules
Save the changes to the database using Database | Commit to database....
This allows you to log in to the assigned application using this authentication module. Ensure that users found through the authentication module have the required permissions to use the program.
If you create custom authentication modules, assign them to the existing programs. Assignments to predefined authentication modules should not normally be changed.
To assign an authentication module to programs
The Programs tab is displayed.
Property | Meaning |
---|---|
Enabled | Specifies whether the authentication module can be used. |
Display name | This name is used to identify the authentication module in the administration tool's login window. |
Authentication Module | Internal name of the authentication module. |
Authentication type | Specifies the type of authentication module. The options are "Dynamic" or "Role based". |
Processing status | The processing status is used for creating custom configuration packages. |
Initial data | Initial data for logging in with this authentication module. |
Class | Authentication module class. |
Assembly name | Name of the assembly file. |
Sort order | Specifies the order in which the modules are displayed in the login window. |
Single sign-on | Specifies whether the authentication module may authenticate without a password. |
Select in front-end | Specifies whether the authentication module can be selected in the login window. |
The authentication string is formatted as follows:

```text
Module=<name>;<property1>=<value1>;<property2>=<value2>,…
```

Example:

```text
Module=DialogUser;User=viadmin;Password=*****
```
The initial data is one part of the authentication string (parameter-value pair without module ID). Initial data from the authentication string is preallocated by default for each authentication instance.
To specify initial data
Syntax:

```text
property1=value1;property2=value2
```

Example:

```text
user=viadmin;password=*****
```
You can use different initial data depending on the authentication module.
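The authentication string format and the initial-data preallocation described above, as an added example (not code from the product): it splits a string into module name and properties, overlays login-time values on the module's initial data, and masks the password before the string is logged. Case-insensitive property matching, the absence of `;` inside values, and Password being the only secret property are assumptions.

```python
"""Parse and build authentication strings of the form Module=<name>;<p>=<v>;..."""
from typing import Dict, Tuple

SECRET_KEYS = {"password"}  # properties that must never reach logs (assumption)


def _parse_pairs(text: str) -> Dict[str, str]:
    """Parse 'k1=v1;k2=v2' into an ordered dict. Assumes values contain no ';'."""
    pairs: Dict[str, str] = {}
    for part in text.split(";"):
        if not part.strip():
            continue  # tolerate an empty or trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed pair: {part!r}")
        key, value = part.split("=", 1)
        pairs[key.strip()] = value
    return pairs


def parse_auth_string(auth: str) -> Tuple[str, Dict[str, str]]:
    """Return (module name, properties); the string must start with Module=<name>."""
    pairs = _parse_pairs(auth)
    first = next(iter(pairs), None)
    if first is None or first.lower() != "module" or not pairs[first]:
        raise ValueError("authentication string must start with Module=<name>")
    return pairs.pop(first), pairs


def apply_initial_data(initial_data: str, supplied: Dict[str, str]) -> Dict[str, str]:
    """Initial data is preallocated for the instance; values supplied at login
    override it. Property names are matched case-insensitively (assumption)."""
    merged = _parse_pairs(initial_data)
    lower_to_key = {k.lower(): k for k in merged}
    for key, value in supplied.items():
        merged[lower_to_key.get(key.lower(), key)] = value
    return merged


def build_auth_string(module: str, props: Dict[str, str]) -> str:
    """Serialise module name and properties back into an authentication string."""
    return ";".join([f"Module={module}"] + [f"{k}={v}" for k, v in props.items()])


def redact(auth: str) -> str:
    """Mask secret properties before the string is logged or displayed."""
    module, props = parse_auth_string(auth)
    masked = {k: ("*****" if k.lower() in SECRET_KEYS else v) for k, v in props.items()}
    return build_auth_string(module, masked)
```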
Module Display Name | Authentication Module | Parameter | Meaning/Comment |
---|---|---|---|
System user | DialogUser | User | User name. |
 | | Password | User password. |
Active Directory user account | ADSAccount | | |
Active Directory user account (dynamic) | DynamicADSAccount | Product | Use case. The system user is determined through the use case configuration data. |
Active Directory user account (manual input) | DynamicManualADS | Product | Use case. The system user is determined through the use case configuration data. |
 | | User | User name. The user's identity is determined from a predefined list of permitted Active Directory domains. You specify permitted Active Directory domains in the configuration parameter "TargetSystem\ADS\AuthenticationDomains". |
 | | Password | User password. |
Active Directory user account (role based) | RoleBasedADSAccount | No parameters required | |
Active Directory user account (manual input/role based) | RoleBasedManualADS | User | User name. The user's identity is determined from a predefined list of permitted Active Directory domains. You specify permitted Active Directory domains in the configuration parameter "TargetSystem\ADS\AuthenticationDomains". |
 | | Password | User password. |
Employee | Employee | User | Employee's central user account. |
 | | Password | User password. |
Employee (dynamic) | DynamicPerson | Product | Use case. The system user is determined through the use case configuration data. |
 | | User | User name. |
 | | Password | User password. |
Employee (role based) | RoleBasedPerson | User | User name. |
 | | Password | User password. |
HTTP header | HTTPHeader | Header | HTTP header to use. |
 | | KeyColumn | Comma delimited list of key columns in the table Person to be searched for user names. Default: CentralAccount, PersonnelNumber |
HTTP header (role based) | RoleBasedHTTPHeader | Header | HTTP header to use. |
 | | KeyColumn | Comma delimited list of key columns in the table Person to be searched for user names. Default: CentralAccount, PersonnelNumber |
LDAP user account (dynamic) | DynamicLdap | User | User name. Default: CN, DistinguishedName, UserID, UIDLDAP |
 | | Password | User password. |
LDAP user account (role based) | RoleBasedLdap | User | User name. Default: CN, DistinguishedName, UserID, UIDLDAP |
 | | Password | User password. |
Generic single sign-on (role based) | RoleBasedGeneric | SearchTable | Table in which to search for the user name of the logged in user. This table must contain a FK named UID_Person which points to the table Person. |
 | | SearchColumn | Column from <SearchTable> in which to search for the user name of the logged in user. |
 | | DisabledBy | Pipe (\|) delimited list of Boolean columns which block a user account from logging in. |
 | | EnabledBy | Pipe (\|) delimited list of Boolean columns which release a user account for logging in. |
OAuth 2.0/OpenID Connect | OAuth | Dependent on the authentication method of the secure token service. | |
OAuth 2.0/OpenID Connect (role based) | OAuthRoleBased | Dependent on the authentication method of the secure token service. | |
Account based system user | DialogUserAccountBased | No parameters required | |
User account | QERAccount | | |
User account (role based) | RoleBasedQERAccount | | |
In the case of dynamic authentication modules, the system user assigned to the employee is not used for the login. Instead, the system user specified in the authentication module's configuration data is used.
To specify configuration data
Use XML syntax for entering the configuration data:
```xml
<DialogUserDetect>
  <Usermappings>
    <Usermapping
      DialogUser="System user name"
      Selection="Selection criterion"
    />
    <Usermapping
      DialogUser="System user name"
    />
    ...
  </Usermappings>
</DialogUserDetect>
```
Enter the system user (DialogUser) in the Usermappings section. Use the selection criterion (Selection) to specify which employees the given system user applies to. A selection criterion is not required for an assignment. The first system user whose assignment matches is used for the login.
You can assign function groups to permissions groups in order to deal with complex rights and user interface structures. The function groups allow you to map the functions an employee has in the company, for example, IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups, and several function groups can refer to one permissions group.
If the section FunctionGroupMapping is present in the configuration data, it is evaluated first and the system user that is found is used. The authentication module uses for the login the system user that is the exact member of the permissions group found. If none is found, the section Usermappings is evaluated.
```xml
<DialogUserDetect>
  <FunctionGroupMapping
    PersonToFunction="View mapping employee to function group"
    FunctionToGroup="View mapping function group to permissions group"
  />
  <Usermappings>
    <Usermapping
      DialogUser="System user name"
      Selection="Selection criterion"
    />
    ...
  </Usermappings>
</DialogUserDetect>
```
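The evaluation order described above (FunctionGroupMapping first, then the Usermappings in order, with an optional Selection), as an added example that is not product code. The view names, employee records, system users and group memberships are constructed; that a selection criterion has the form `Column = 'value'` and that "exact member" means the system user's permissions groups equal exactly the groups found are assumptions.

```python
"""Resolve the system user for a dynamic authentication module from DialogUserDetect XML."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

# Constructed sample configuration in the page's DialogUserDetect syntax.
CONFIG = """<DialogUserDetect>
  <FunctionGroupMapping PersonToFunction="vi_PersonToFunction"
                        FunctionToGroup="vi_FunctionToGroup" />
  <Usermappings>
    <Usermapping DialogUser="viHelpdesk" Selection="Department = 'Helpdesk'" />
    <Usermapping DialogUser="viUser" />
  </Usermappings>
</DialogUserDetect>"""

# Constructed stand-ins for the two mapping views (employee -> function groups,
# function group -> permissions groups) and for system users' group memberships.
VIEWS: Dict[str, Dict[str, Set[str]]] = {
    "vi_PersonToFunction": {"p1": {"IT controller"}},
    "vi_FunctionToGroup": {"IT controller": {"vi_ITControl", "vi_Audit"}},
}
SYSTEM_USERS: Dict[str, Set[str]] = {"viControl": {"vi_ITControl", "vi_Audit"},
                                     "viHelpdesk": {"vi_Helpdesk"}, "viUser": set()}
_SEL = re.compile(r"^\s*(\w+)\s*=\s*'([^']*)'\s*$")


def selection_matches(selection: Optional[str], employee: Dict[str, str]) -> bool:
    """No Selection matches every employee. Assumption: criteria look like Column = 'value'."""
    if selection is None:
        return True
    m = _SEL.match(selection)
    if not m:
        raise ValueError(f"unsupported selection criterion: {selection!r}")
    return employee.get(m.group(1)) == m.group(2)


def resolve_system_user(config_xml: str, employee: Dict[str, str], views, system_users) -> Optional[str]:
    """FunctionGroupMapping is evaluated first; only if it yields nothing are the Usermappings tried in order."""
    root = ET.fromstring(config_xml)
    fgm = root.find("FunctionGroupMapping")
    if fgm is not None:
        functions = views[fgm.get("PersonToFunction")].get(employee["UID_Person"], set())
        groups = set().union(*(views[fgm.get("FunctionToGroup")].get(f, set()) for f in functions))
        for name, memberships in system_users.items():
            if groups and memberships == groups:  # exact member: same groups, no more (assumption)
                return name
    for mapping in root.iter("Usermapping"):  # document order: first match wins
        if selection_matches(mapping.get("Selection"), employee):
            return mapping.get("DialogUser")
    return None
```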