Error: Enter email address in configuration parameter
The parameter SenderAddress or Address contains the value <Enter email address in configuration parameter "..."> in a process for sending emails. Check process parameters in Job Queue Info.
The message is also sent to the One Identity Manager Service log file if extended error reporting in debug mode is configured for the One Identity Manager Service.
Probable Issue
The One Identity Manager sends email notifications about various actions taken within the system. The One Identity Manager email notification system is not completely configured.
Solution
- Check the configuration parameter for the e-mail notification system in the category Base data | General | Configuration parameters in the Designer and customize the values.
NOTE: In addition to the configuration parameters listed in the following, other configuration parameters may be necessary for different notification processes. Some configuration parameters are only available when the module is installed.
|
Configuration Parameter |
Meaning | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Common\InternationalEMail |
This parameter specifies whether international domain names and unicode characters are supported in email addresses.
| ||||||||||||
|
Common\MailNotification |
Notification data. | ||||||||||||
|
Common\MailNotification\DefaultAddress |
Default email address (recipient) for sending notifications. | ||||||||||||
|
Common\MailNotification\DefaultCulture |
Default language that emails are sent in if no language can be determined for a recipient. | ||||||||||||
|
Common\MailNotification\DefaultLanguage |
Default language for sending messages. | ||||||||||||
|
Common\MailNotification\DefaultSender |
Default email address (sender) for sending notifications. | ||||||||||||
|
Common\MailNotification\Encrypt |
Specifies whether emails are encrypted. | ||||||||||||
|
Common\MailNotification\Encrypt\ConnectDC |
Domain controller to use. | ||||||||||||
|
Common\MailNotification\Encrypt\ConnectPassword |
User password. This is optional. | ||||||||||||
|
Common\MailNotification\Encrypt\ConnectUser |
User account for querying Active Directory. This is optional. | ||||||||||||
|
Common\MailNotification\Encrypt\DomainDN |
Distinguished name of the domain to search through. | ||||||||||||
|
Common\MailNotification\Encrypt\EncryptionCertificateScript |
Script, which supplies a list of encrypted certificates (default: QBM_GetCertificates). | ||||||||||||
|
Common\MailNotification\NotifyAboutWaitingJobs |
Specifies whether a message should be sent if the process steps have a particular execution state in the job queue. | ||||||||||||
|
Common\MailNotification\SignCertificateThumbprint |
SHA1 thumbprint of the certificate to use for the signature. This can be in the computer's or the user's My Store. | ||||||||||||
|
Common\MailNotification\SMTPAccount |
User account name for authentication on an SMTP server. | ||||||||||||
|
Common\MailNotification\SMTPDomain |
User account domain for authentication on the SMTP server. | ||||||||||||
|
Common\MailNotification\SMTPPassword |
User account password for authentication on the SMTP server. | ||||||||||||
|
Common\MailNotification\SMTPPort |
Port for SMTP services on the SMTP server (default: 25). | ||||||||||||
|
Common\MailNotification\SMTPRelay |
SMTP server for sending notifications. | ||||||||||||
|
Common\MailNotification\SMTPUseDefaultCredentials |
If this parameter is set, the One Identity Manager Service login credentials are used for authentication on the SMTP server. If the configuration parameter is not set, the login data stored in the parameters "Common\MailNotification\SMTPDomain", "Common\MailNotification\SMTPAccount" and "Common\MailNotification\SMTPPassword" is used. | ||||||||||||
|
Common\MailNotification\TransportSecurity |
This configuration parameter defined the encryption method for sending notification by email. If none of the following options are given, the port is used to define the behavior (port: 25 = no encryption, port: 465 = with SSL/TLS encryption).
| ||||||||||||
|
Common\MailNotification\VendorNotification |
Enables the email address of your company's contact person. The email address is used as the return address for notifying vendors. If the configuration parameter is set, One Identity Manager generates a list of system settings once a month and sends the list to One Identity. This list does not contain any personal data. You may review the most recent list at any time from in the Help | Info... menu. The list will be reviewed by our customer support team who will look for material changes in a proactive effort to identify potential issues before they materialize on your system. The lists may be used by our R&D staff for analysis, diagnosis, and replication for testing purposes. We will keep and refer to this information for as long as your company remains on support for this product. |
| Configuration parameter | Description |
|---|---|
|
QER\Attestation\DefaultSenderAddress |
This configuration parameter contains the sender email address for messages automatically generated for attestation. |
|
QER\ComplianceCheck\EmailNotification\DefaultSenderAddress |
This configuration parameter contains the sender email address for automatically generated messages during rule checking. |
|
QER\ITShop\DefaultSenderAddress |
This configuration parameter contains the sender email address for automatically generated messages within the IT Shop. |
|
QER\Policy\EmailNotification\DefaultSenderAddress |
This configuration parameter contains the sender email address for automatically generated messages within company policy checking. |
|
QER\RPS\DefaultSenderAddress |
This configuration parameter contains the sender email address for automatically generated notifications. |
|
TargetSystem\ADS\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system Active Directory. |
|
TargetSystem\ADS\Exchange2000\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system Microsoft Exchange. |
|
TargetSystem\ADS\MemberShipRestriction\MailNotification |
This configuration parameter contain the default email address for sending warnings by email. |
|
TargetSystem\AzureAD\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system Azure Active Directory. |
|
TargetSystem\AzureAD\ExchangeOnline\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system Exchange Online. |
|
TargetSystem\CSM\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the cloud target system. |
|
TargetSystem\LDAP\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system LDAP. |
|
TargetSystem\NDO\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system IBM Notes. |
|
TargetSystem\SAPR3\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system SAP R/3. |
|
TargetSystem\SharePoint\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system SharePoint. |
|
TargetSystem\Unix\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the Unix target system. |
|
TargetSystem\UNS\DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the custom target system. |
Database error 50000: Job queue is not empty. This may cause in deadlocks while compiling database.
Problem
There are processes in the Job queue which must be finished before the database can be updated. The data does not start updating.
Solution
- Ensure that the Job queue processes and task in the DBQueue have been processed before starting the update. There should be no processes in the Jon queue or the DBQueue when the database update starts.
Error: Database error migrating a database in an SQL Server AlwaysOn availability group
Error: Database error migrating a database in an SQL Server AlwaysOn availability group
The following error occurs during a One Identity Manager schema update:
Database error 1468: The operation cannot be performed on database "<database name>" because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group. ALTER DATABASE statement failed.
Problem
The database is a component of an AlwaysOn availability group and the SQL Server Service Broker no longer exists. The One Identity Manager schema update tries to add the SQL Server Service Broker again.
Solution
-
Remove the database from the AlwaysOn availability group.
-
Update the One Identity Manager schema. This recreates the SQL Server Service Broker again.
- Add the database to the AlwaysOn availability group again.
Appendix: One Identity Manager Authentication Modules
Appendix: One Identity Manager Authentication Modules
|
|
Note: Authentication modules are defined in the One Identity Manager modules and are not available until the modules are installed. |
The following authentication modules are available:
System user
|
Login Data |
The system user's identifier and password. |
|
Prerequisites |
The system user with permissions exists in the database. |
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
No |
|
Remarks |
The user interface and the write permissions are loaded through the system user. Data modifications are attributed to the system user. |
|
|
IMPORTANT: The system user "viadmin" is supplied by default. The system user "viadmin" has a predefined user interface and has access rights to database resources. The interface and access rights for "viadmin" should not be used live or be modified, as it is a template system user and is overwritten by each schema update. |
|
|
TIP: Create your own system user with the appropriate permissions. This can be done on initial installation of the One Identity Manager database. This system user can compile an initial One Identity Manager database and can be used to log into the administration tools for the first time. |
Employee
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
|
Login Data |
Employee's central user account and password. |
|
Prerequisites |
The system user with permissions exists in the database. The employee exists in the database.
|
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The user interface and the write permissions are loaded through the system user that is directly assigned to the logged in employee. Changes to the data are assigned to the logged in employee. |
Generic single sign-on (role based)
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
|
Login Data |
The authentication module uses the Active Directory login data of user currently logged in on the workstation. |
|
Prerequisites |
The employee exists in the database. The employee is assigned at least one application role. The user account exists in the database and the employee is entered in the user account's master data. |
|
Set as default |
No |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
One Identity Manager searches for the user account according to the configuration and finds the employee assigned to the user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Changes to the data are assigned to the logged in employee. |
Modify the following configuration parameters in the Designer to implement the authentication module.
| Configuration parameter | Meaning |
|---|---|
| QER\Person\OAuthAuthenticator | This configuration parameter specifies whether authentication through single sign-on is supported. |
| QER\Person\GenericAuthenticator\ SearchTable |
This configuration parameter contains the table in the One Identity Manager schema in which user information is stored. The table must contain a foreign key with the name UID_Person, which points to the table Person. Example: ADSAccount |
| QER\Person\GenericAuthenticator\ SearchColumn |
This configuration parameter contains the column from the One Identity Manager table (SearchTable), which is used to search for the user name of the current user. Example: CN |
| QER\Person\GenericAuthenticator\ EnabledBy |
This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) enabled by the user account for the login. |
| QER\Person\GenericAuthenticator\ DisabledBy |
This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) disabled by the user account for the login. Example: AccountDisabled |
Employee (role based)
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
|
Login Data |
Employee's central user account and password. |
|
Prerequisites |
The employee exists in the database.
The employee is assigned at least one application role. |
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Changes to the data are assigned to the logged in employee. |
Employee (dynamic)
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
|
Login Data |
Employee's central user account and password. |
|
Prerequisites |
The employee exists in the database.
The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership. |
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee. Changes to the data are assigned to the logged in employee. |
User account
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
|
Login Data |
The authentication module uses the Active Directory login data of user currently logged in on the workstation. |
|
Prerequisites |
The system user with permissions exists in the database. The employee exists in the database.
|
|
Set as default |
No |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
All employee logins saved in the database are found. The employee whose login data matches that of the current user is used for logging in. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The user interface and access permissions are loaded through the system user that is directly assigned to the employee found. Data modifications are attributed to the current user account. |
User Account (role based)
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
|
Login Data |
The authentication module uses the Active Directory login data of user currently logged in on the workstation. |
|
Prerequisites |
The employee exists in the database.
The employee is assigned at least one application role. |
|
Set as default |
No |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
All employee logins saved in the database are found. The employee whose login data matches that of the current user is used for logging in. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Data modifications are attributed to the current user account. |
Account-based system user.
|
Login Data |
The authentication module uses the Active Directory login data of user currently logged in on the workstation. |
|
Prerequisites |
The system user with permissions exists in the database.
|
|
Set as default |
No |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
No |
|
Remarks |
All system user logins saved in the database are found. The system user whose login data matches that of the current user is used for logging in. The user interface and the write permissions are loaded through the system user. Data modifications are attributed to the current user account. |
Active Directory user account
|
|
NOTE: This authentication module is available if the module Active Directory Module is installed. |
|
Login Data |
The authentication module uses the Active Directory login data of user currently logged in on the workstation. |
|
Prerequisites |
The system user with permissions exists in the database. The employee exists in the database and the system user is entered in the employee's master data. The Active Directory user account exists in the database and the employee is entered in the user account's master data. |
|
Set as default |
Yes |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The user interface and access permissions are loaded through the system user that is directly assigned to the employee found. If the employee is not assigned to a system user, the system user is taken from the configuration parameter "SysConfig\Logon\DefaultUser". Data modifications are attributed to the current user account. |
|
|
NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins. |
Active Directory user account (role based)
|
|
NOTE: This authentication module is available if the module Active Directory Module is installed. |
|
Login Data |
The authentication module uses the Active Directory login data of user currently logged in on the workstation. |
|
Prerequisites |
The employee exists in the database. The employee is assigned at least one application role. The Active Directory user account exists in the database and the employee is entered in the user account's master data. |
|
Set as default |
Yes |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Data modifications are attributed to the current user account. |
|
|
NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins. |
Active Directory user account (manual input/role based)
|
|
NOTE: This authentication module is available if the module Active Directory Module is installed. |
|
Login Data |
Login name and password for registering with Active Directory. You do not have to enter the domain. |
|
Prerequisites |
The employee exists in the database. The employee is assigned at least one application role. The Active Directory user account exists in the database and the employee is entered in the user account's master data. The domain for logging in are entered in the configuration parameter "TargetSystem\ADS\AuthenticationDomains". |
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
The user‘s identity is determined from a predefined list of permitted Active Directory domains. The corresponding user account and employee are determined in the database, which the user account is assigned to. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Data modifications are attributed to the current user account. |
Active Directory user account (manual input)
|
|
NOTE: This authentication module is available if the module Active Directory Module is installed. |
|
Login Data |
Login name and password for registering with Active Directory. You do not have to enter the domain. |
|
Prerequisites |
The employee exists in the database. The Active Directory user account exists in the database and the employee is entered in the user account's master data. The domain for logging in are entered in the configuration parameter "TargetSystem\ADS\AuthenticationDomains". The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership. |
|
Set as default |
No |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
The user‘s identity is determined from a predefined list of permitted Active Directory domains. The corresponding user account and employee are determined in the database, which the user account is assigned to. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee. Data modifications are attributed to the current user account. |
Active Directory user account (dynamic)
|
|
NOTE: This authentication module is available if the module Active Directory Module is installed. |
|
Login Data |
The authentication module uses the Active Directory login data of user currently logged in on the workstation. |
|
Prerequisites |
The employee exists in the database. The Active Directory user account exists in the database and the employee is entered in the user account's master data. The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership. |
|
Set as default |
No |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee. Data modifications are attributed to the current user account. |
|
|
NOTE: If the option Connect automatically is set, authentication is no longer necessary for subsequent logins. |
LDAP user account (dynamic)
|
|
NOTE: This authentication module is available if the module LDAP Module is installed. |
|
Login Data |
Login name, identifier, distinguished name or user ID of an LDAP user account. LDAP user account's password. |
|
Prerequisites |
The employee exists in the database. The LDAP user account exists in the database and the employee is entered in the user account's master data. The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership. |
|
Set as default |
No |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
If you log in using a login name, identifier or user ID, the corresponding user account is determined in the One Identity Manager database through the container's domain. Logging in with a distinguished name is done directly. One Identity Manager determines which employee is assigned to the LDAP user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged in employee. Data modifications are attributed to the current user account. |
Modify the following configuration parameters in the Designer to implement the authentication module.
| Configuration parameter | Meaning |
|---|---|
|
TargetSystem\LDAP\Authentication |
The configuration parameter allows configuration of the LDAP authentication module. |
|
TargetSystem\LDAP\Authentication\Authentication |
The configuration parameter specified the authentication mechanism. Permitted values are "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing", "Delegation" and "ServerBind". The value can be combined with commas (,). Default is ServerBind. |
|
TargetSystem\LDAP\Authentication\Port |
LDAP server's port. Default is port 389. |
|
TargetSystem\LDAP\Authentication\RootDN |
The configuration parameter contains the root domain's distinguished name. Syntax: dc=MyDomain |
|
TargetSystem\LDAP\Authentication\Server |
The configuration parameter contains the name of the LDAP server. |
LDAP user account (role based)
|
|
NOTE: This authentication module is available if the module LDAP Module is installed. |
|
Login Data |
Login name, identifier, distinguished name or user ID of an LDAP user account. LDAP user account's password. |
|
Prerequisites |
The employee exists in the database. The employee is assigned at least one application role. The LDAP user account exists in the database and the employee is entered in the user account's master data. The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership. |
|
Set as default |
No |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
If you log in using a login name, identifier or user ID, the corresponding user account is determined in the One Identity Manager database through the container's domain. Logging in with a distinguished name is done directly. One Identity Manager determines which employee is assigned to the LDAP user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Data modifications are attributed to the current user account. |
Modify the following configuration parameters in the Designer to implement the authentication module.
| Configuration parameter | Meaning |
|---|---|
|
TargetSystem\LDAP\Authentication |
The configuration parameter allows configuration of the LDAP authentication module. |
|
TargetSystem\LDAP\Authentication\Authentication |
The configuration parameter specified the authentication mechanism. Permitted values are "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing", "Delegation" and "ServerBind". The value can be combined with commas (,). Default is ServerBind. |
|
TargetSystem\LDAP\Authentication\Port |
LDAP server's port. Default is port 389. |
|
TargetSystem\LDAP\Authentication\RootDN |
The configuration parameter contains the root domain's distinguished name. Syntax: dc=MyDomain |
|
TargetSystem\LDAP\Authentication\Server |
The configuration parameter contains the name of the LDAP server. |
HTTP header (role based)
The authentication module support authentication through Web Single Sign-On solutions that work with proxy-based architecture.
|
Login Data |
Employee's central user account or personnel number. |
|
Prerequisites |
The employee exists in the database.
The employee is assigned at least one application role. |
|
Set as default |
Yes |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
No |
|
Web Portal login allowed |
Yes |
|
Remarks |
You must pass the user (in the form: UserName =<user name of authenticated user>) in the HTTP header. The employee is found in the One Identity Manager database whose central user account or personnel number matches the user name passed down. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Changes to the data are assigned to the logged in employee. |
HTTP header
The authentication module support authentication through Web Single Sign-On solutions that work with proxy-based architecture.
|
Login Data |
Employee's central user account or personnel number. |
|
Prerequisites |
The system user with permissions exists in the database. The employee exists in the database.
|
|
Set as default |
No |
|
Single Sign-On |
Yes |
|
Front-end login allowed |
No |
|
Web Portal login allowed |
Yes |
|
Remarks |
You must pass the user (in the form: UserName =<user name of authenticated user>) in the HTTP header. The employee is found in the One Identity Manager database whose central user account or personnel number matches the user name passed down. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The user interface and the write permissions are loaded through the system user that is directly assigned to the logged in employee. If the employee is not assigned to a system user, the system user is taken from the configuration parameter "SysConfig\Logon\DefaultUser". Changes to the data are assigned to the logged in employee. |
OAuth 2.0/OpenID Connect
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
The authorization module supports the authorization code for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.
This authentication module uses a Secure Token Service for logging in. This login procedure can be used with every Secure Token Service which can return an OAuth 2.0 token.
|
Login Data |
Dependent on the authentication method of the secure token service. |
|
Prerequisites |
The system user with permissions exists in the database. The employee exists in the database.
The user account exists in the database and the employee is entered in the user account's master data. |
|
Set as default |
No |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
One Identity Manager determines which employee is assigned to the user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
The user interface and access permissions are loaded through the system user that is directly assigned to the employee found. Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared. |
The respective user interface prompts for the authorization code. The configuration parameter "QER\Person\OAuthAuthenticator\LoginEndpoint" is used to open an extra login dialog box for determining the authorization code. The authentication module requires an access token from the token endpoint and the certificate is required to check the security token. In the process, an attempt is made to find the certificate from the web application configuration. If this is not possible, configuration parameters are applied. To find the certificate for testing the token, the certificate stores are queries in the following order:
- Web application configuration (table QBMWebApplication)
- Certificate text (QBMWebApplication.CertificateText) .
- Subject or finger print from the local store (QBMWebApplication.OAuthCertificateSubject and QBMWebApplication.OAuthCertificateThumbPrint).
- Certificate endpoint (QBMWebApplication.CertificateEndpoint).
In addition, the subject or finger print is used to check certificates from the server if they are given and do not exist locally on the server.
- Configuration Parameter
- Certificate text (configuration parameter "QER\Person\OAuthAuthenticator\CertificateText").
- Subject or finger print from the local store (configuration parameter "QER\Person\OAuthAuthenticator\CertificateSubject" and "QER\Person\OAuthAuthenticator\CertificateThumbPrint").
- Certificate endpoint (configuration parameter "QER\Person\OAuthAuthenticator\CertificateEndpoint").
In addition, the subject or finger print is used to check certificates from the server if they are given and do not exist locally on the server.
- JSON Web Key endpoint (configuration parameter "QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint").
A claim type is required to find the user account from the user information. In addition, it is specified which One Identity Manager schema information should be used to search for the user account.
Authentication through OpenID is built on OAuth. OpenID Connection authentication uses the same mechanisms, but make user claims available either in an ID token or through a UserInfo endpoint. Other configuration settings are required for using OpenID Connect. If the configuration parameter "QER\Person\OAuthAuthenticator\Scope" contains the value "openid", the authentication module uses OpenID Connect.
Modify the following configuration parameters in the Designer to implement the authentication module.
|
Configuration Parameter |
Meaning |
|---|---|
|
QER\Person\OAuthAuthenticator |
This configuration parameter specifies whether authentication is supported through security tokens. |
|
QER\Person\OAuthAuthenticator\ |
The configuration parameter contain the certificate endpoint's Uniform Resource Locator (URL) on the authorization server. Example: https://localhost/RSTS/SigningCertificate |
|
QER\Person\OAuthAuthenticator\ |
The configuration parameter contain the subject of the certificate to use for testing. Either subject or finger print must be set. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the fingerprint of the certificate used to verify the security token. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter specifies whether the client application supports this authentication. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the web application's Uniform Resource Name URN, which supports this authentication. Example: urn:OneIdentityManager/Web |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the native application's Uniform Resource Name URN, which supports this authentication. Example: urn:OneIdentityManager/WinClient |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) disabled by the user account for the login. Example: AccountDisabled |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) enabled by the user account for the login. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the certificate issuer's Uniform Resource Name (URN) for verifying the security token. Example: urn:STS/identity |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Locator (URL) of the Secure Token Service login page. Example: http://localhost/rsts/login |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Name (URN) of the resourec to be queried, for example ADFS. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the claim type's Uniform Resource Identifier (URI) found from the login data. Example: name of an entity http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the column from the One Identity Manager table (SearchTable), which is used to search for user data. Equivalent to the claim type (SearchClaim) in the One Identity Manager schema. Example: ObjectGUID |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the table in the One Identity Manager schema in which user information is stored. The table must contain a foreign key with the name UID_Person, which points to the table Person. Example: ADSAccount |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the token endpoint's Uniform Resource Identifier (URL) of the authorization server for returning the access token to the client for logging in. Example: https://localhost/rsts/oauth2/token |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the claim type's Uniform Resource Identifier (URL) used to label change data (XUserInserted, XUserUpdated).. Example: User Principle Name (UPN) http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Identifier (URL) for forwarding to installed applications. Example: urn:InstalledApplication |
|
QER\Person\OAuthAuthenticator\ |
The configuration parameter specifies whether self-signed certificates are allowed for connecting to the token and UserInfo endpoint. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the contents of the certificate as a Base64 coded string. It is used if no certificate is configured. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Identifier (URL) of the JSON Web Key endpoint, which supplies the signature key. At the moment, only JWK files, which contain the certificate in the x5c field are supported. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Identifier (URL) of the log off end point. Example: http://localhost/rsts/login?wa=wsignout1.0 |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Share-Secret value used for authenticating at the token enpoint. |
|
Configuration Parameter |
Meaning |
|---|---|
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter specifies the authentication log. If the configuration parameter has the value "openid", OpenID Connect is used and otherwise OAuth2. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Locator (URL) of the OpenID Connection UserInfo endpoint. |
OAuth 2.0/OpenID Connect (role-based)
|
|
NOTE: This authentication module is available if the module Identity Management Base Module is installed. |
The authorization module supports the authorization code for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.
This authentication module uses a Secure Token Service for logging in. This login procedure can be used with every Secure Token Service which can return an OAuth 2.0 token.
|
Login Data |
Dependent on the authentication method of the secure token service. |
|
Prerequisites |
The employee exists in the database. The employee is assigned at least one application role. The user account exists in the database and the employee is entered in the user account's master data. |
|
Set as default |
No |
|
Single Sign-On |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
One Identity Manager determines which employee is assigned to the user account. If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.
A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user. Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared. |
The respective user interface prompts for the authorization code. The configuration parameter "QER\Person\OAuthAuthenticator\LoginEndpoint" is used to open an extra login dialog box for determining the authorization code. The authentication module requires an access token from the token endpoint and the certificate is required to check the security token. In the process, an attempt is made to find the certificate from the web application configuration. If this is not possible, configuration parameters are applied. To find the certificate for testing the token, the certificate stores are queries in the following order:
- Web application configuration (table QBMWebApplication)
- Certificate text (QBMWebApplication.CertificateText) .
- Subject or finger print from the local store (QBMWebApplication.OAuthCertificateSubject and QBMWebApplication.OAuthCertificateThumbPrint).
- Certificate endpoint (QBMWebApplication.CertificateEndpoint).
In addition, the subject or finger print is used to check certificates from the server if they are given and do not exist locally on the server.
- Configuration Parameter
- Certificate text (configuration parameter "QER\Person\OAuthAuthenticator\CertificateText").
- Subject or finger print from the local store (configuration parameter "QER\Person\OAuthAuthenticator\CertificateSubject" and "QER\Person\OAuthAuthenticator\CertificateThumbPrint").
- Certificate endpoint (configuration parameter "QER\Person\OAuthAuthenticator\CertificateEndpoint").
In addition, the subject or finger print is used to check certificates from the server if they are given and do not exist locally on the server.
- JSON Web Key endpoint (configuration parameter "QER\Person\OAuthAuthenticator\JsonWebKeyEndpoint").
A claim type is required to find the user account from the user information. In addition, it is specified which One Identity Manager schema information should be used to search for the user account.
Authentication through OpenID is built on OAuth. OpenID Connection authentication uses the same mechanisms, but make user claims available either in an ID token or through a UserInfo endpoint. Other configuration settings are required for using OpenID Connect. If the configuration parameter "QER\Person\OAuthAuthenticator\Scope" contains the value "openid", the authentication module uses OpenID Connect.
Modify the following configuration parameters in the Designer to implement the authentication module.
|
Configuration Parameter |
Meaning |
|---|---|
|
QER\Person\OAuthAuthenticator |
This configuration parameter specifies whether authentication is supported through security tokens. |
|
QER\Person\OAuthAuthenticator\ |
The configuration parameter contain the certificate endpoint's Uniform Resource Locator (URL) on the authorization server. Example: https://localhost/RSTS/SigningCertificate |
|
QER\Person\OAuthAuthenticator\ |
The configuration parameter contain the subject of the certificate to use for testing. Either subject or finger print must be set. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the fingerprint of the certificate used to verify the security token. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter specifies whether the client application supports this authentication. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the web application's Uniform Resource Name URN, which supports this authentication. Example: urn:OneIdentityManager/Web |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the native application's Uniform Resource Name URN, which supports this authentication. Example: urn:OneIdentityManager/WinClient |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) disabled by the user account for the login. Example: AccountDisabled |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) enabled by the user account for the login. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the certificate issuer's Uniform Resource Name (URN) for verifying the security token. Example: urn:STS/identity |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Locator (URL) of the Secure Token Service login page. Example: http://localhost/rsts/login |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Name (URN) of the resourec to be queried, for example ADFS. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the claim type's Uniform Resource Identifier (URI) found from the login data. Example: name of an entity http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the column from the One Identity Manager table (SearchTable), which is used to search for user data. Equivalent to the claim type (SearchClaim) in the One Identity Manager schema. Example: ObjectGUID |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the table in the One Identity Manager schema in which user information is stored. The table must contain a foreign key with the name UID_Person, which points to the table Person. Example: ADSAccount |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the token endpoint's Uniform Resource Identifier (URL) of the authorization server for returning the access token to the client for logging in. Example: https://localhost/rsts/oauth2/token |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the claim type's Uniform Resource Identifier (URL) used to label change data (XUserInserted, XUserUpdated).. Example: User Principle Name (UPN) http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Identifier (URL) for forwarding to installed applications. Example: urn:InstalledApplication |
|
QER\Person\OAuthAuthenticator\ |
The configuration parameter specifies whether self-signed certificates are allowed for connecting to the token and UserInfo endpoint. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the contents of the certificate as a Base64 coded string. It is used if no certificate is configured. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Identifier (URL) of the JSON Web Key endpoint, which supplies the signature key. At the moment, only JWK files, which contain the certificate in the x5c field are supported. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Identifier (URL) of the log off end point. Example: http://localhost/rsts/login?wa=wsignout1.0 |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Share-Secret value used for authenticating at the token enpoint. |
|
Configuration Parameter |
Meaning |
|---|---|
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter specifies the authentication log. If the configuration parameter has the value "openid", OpenID Connect is used and otherwise OAuth2. |
|
QER\Person\OAuthAuthenticator\ |
This configuration parameter contains the Uniform Resource Locator (URL) of the OpenID Connection UserInfo endpoint. |
Synchronization authenticator
|
|
NOTE: This authentication module is available if the module Target System Synchronization Module is installed. |
This authentication module integrates the default method for Synchronization Editor login.
|
Login Data |
Use the system user "sa" to log in. |
|
Prerequisites |
|
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
No |
|
Web Portal login allowed |
No |
|
Remarks |
The system user "sa" should not be changed, as it overwritten each time the schema is installed. |
Web Agent authenticator
The authentication module integrates the default method for Web Designer login, to access the database before the first user login.
|
Login Data |
Use the system user "sa" to log in. |
|
Prerequisites |
|
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
No |
|
Web Portal login allowed |
No |
|
Remarks |
The system user "sa" should not be changed, as it overwritten each time the schema is installed. |
Component authenticator
This authentication module integrates the default method for registering process components.
|
Login Data |
Use the system user "sa" to log in. |
|
Prerequisites |
|
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
No |
|
Web Portal login allowed |
No |
|
Remarks |
The system user "sa" should not be changed, as it overwritten each time the schema is updated. |
Crawler
The authentication module is used by the application server to compile search indexes for full text search over the database.
|
Login Data |
Use the system user "sa" to log in. |
|
Prerequisites |
|
|
Set as default |
Yes |
|
Single Sign-On |
No |
|
Front-end login allowed |
No |
|
Web Portal login allowed |
No |
|
Remarks |
The system user "sa" should not be changed, as it overwritten each time the schema is installed. |