Chat now with support
Chat with Support

Identity Manager 8.1.1 - Authorization and Authentication Guide

About this guide One Identity Manager Application roles Granting One Identity Manager schema permissions Managing permissions to program features One Identity Manager Authentication modules OAuth 2.0/OpenID Connect configuration Multi-factor authentication in One Identity Manager Granulated permissions for the SQL Server and database

HTTP Header

The authentication module supports authentication via web single sign-on solutions that work with a proxy--based architecture.

Credentials

Employee's central user account or personnel number.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.
  • The employee exists in the One Identity Manager database.
  • The central user account or personnel number is entered in the employee's master data.
  • The system user is entered in the employee's master data.

Set as default

No

Single sign-on

Yes

Front-end login allowed

No

Web Portal login allowed

Yes

Remarks

You must pass the user (in the form: UserName =<user name of authenticated user>) in the HTTP header. The employee is found in the One Identity Manager database whose central user account or personnel number matches the user name passed down.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and the write permissions are loaded through the system user that is directly assigned to the logged in employee. If a system user is not assigned to the employee, the system user from the SysConfig | Logon | DefaultUser configuration parameter is used.

Changes to the data are assigned to the logged in employee.

HTTP Header (role-based)

The authentication module supports authentication via web single sign-on solutions that work with a proxy-based architecture.

Credentials

Employee's central user account or personnel number.

Prerequisites

  • The employee exists in the One Identity Manager database.
  • The central user account or personnel number is entered in the employee's master data.
  • The employee is assigned at least one application role.

Set as default

Yes

Single sign-on

Yes

Front-end login allowed

No

Web Portal login allowed

Yes

Remarks

You must pass the user (in the form: UserName =<user name of authenticated user>) in the HTTP header. The employee is found in the One Identity Manager database whose central user account or personnel number matches the user name passed down.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Changes to the data are assigned to the logged in employee.

OAuth 2.0 / OpenID Connect

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authorization module supports the authorization code for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

This authentication module uses a Secure Token Service for logging in. This login procedure can be used with every Secure Token Service that can return an OAuth 2.0 token.

Credentials

Dependent on the authentication method of the secure token service.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.
  • The employee exists in the One Identity Manager database.
  • The system user is entered in the employee's master data.
  • The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

One Identity Manager determines which employee is assigned to the user account.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The user interface and access permissions are loaded through the system user that is directly assigned to the employee found.

Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.

Related topics

OAuth 2.0 / OpenID Connect (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authorization module supports the authorization code for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

This authentication module uses a Secure Token Service for logging in. This login procedure can be used with every Secure Token Service that can return an OAuth 2.0 token.

Credentials

Dependent on the authentication method of the secure token service.

Prerequisites

  • The employee exists in the One Identity Manager database.
  • The employee is assigned at least one application role.
  • The user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

One Identity Manager determines which employee is assigned to the user account.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.

Related topics
Related Documents