Chat now with support
Chat with Support

Identity Manager 8.1.4 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0 / OpenID Connect configuration Multi-factor authentication in One Identity Manager Granulated permissions for the SQL Server and database

Assigning authentication modules to applications

If create custom authentication modules, assign them to the existing programs. In general, you do not need to change assignments of predefined authentication modules.

NOTE: Use non role-based authentication modules to log in to the Designer. Role-based authentication modules for logging in to the Designer are not supported.

To assign an authentication module to applications

  1. In the Designer, select the Base data | Security settings | Authentication modules category.

  2. Select View | Select table relations and enable the DialogProductHasAuthentifier table.

  3. In List Editor, select the authentication module.

  4. Assign the application in the Applications edit view.

  5. Save the changes.

Related topics

Disabling or enabling authentication modules for applications

To disable an authentication module for an application

  1. In the Designer, select the Base data | Security settings | Programs category.

  2. In List Editor, select the application and click on Usage overview.

  3. In the Effective authenticators form element, select the authentication module.

  4. Use the Edit object task to start the Object Editor.

  5. In the Disabled property, set the value to True.

  6. Save the changes.

To enable an authentication module for an application

  1. In the Designer, select the Base data | Security settings | Programs category.

  2. In List Editor, select the application and click on Usage overview.

  3. In the Disabled authenticators form element, select the authentication module.

  4. Use the Edit object task to start the Object Editor.

  5. In the Disabled property, set the value to False.

  6. Save the changes.

Related topics

Authentication module properties

Table 34: Authentication module properties
Property Meaning
Enabled Specifies whether the authentication module can be used.
Display name This name is used to identify the authentication module in the administration tool’s login window.
Authentication module Internal name of the authentication module.
Authentication type Specifies the type of authentication module. You can choose from Dynamic and Role based.
Processing status The processing status is used for creating custom configuration packages.
Initial data

Initial data for logging in with this authentication module.

Class Authentication module class.
Assembly name Name of the assembly file.
Sort order Specify the order in which the modules are displayed in the login window.
Single sign-on Specifies whether the authentication module may be authenticated without a password.
Select in front-end Specifies whether the authentication module can be selected in the login window.

Initial data for authentication modules

The initial data is one part of the authentication string (parameter-value pair without module ID). Initial data from the authentication string is preallocated by default for each authentication instance.

The authentication string is formatted as follows:

Module=<name>;<property1>=<value1>;<property2>=<value2>,…

Example:

Module=DialogUser;User=<user name>;Password=<password>

To specify initial data

  1. In the Designer, select the Base data | Security settings | Authentication modules category.
  2. Select the authentication module and enter the data in Initial data.

    Syntax:

    property1=value1;property2=value2

    Example

    User=<user name>;Password=<password>

You can use different initial data depending on the authentication module.

Table 35: Initial data for authentication modules
Module Display Name Authentication module Parameters Meaning/Comment

System users

DialogUser

User

User name.

Password

User password.

Active Directory user account

ADSAccount

 

 

Active Directory user account (dynamic)

DynamicADSAccount

Product

Use case. The system user is determined through the use case configuration data.

Active Directory user account (manual input)

DynamicManualADS

Product

Use case. The system user is determined through the use case configuration data.

User

User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.

Password

User password.

Active Directory user account (role-based)

RoleBasedADSAccount

 

No parameters required

Active Directory user account (manual input/role-based)

RoleBasedManualADS

User

User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.

Password

User password.

Employee

 

Employee

 

User

Employee's central user account.

Password

User password.

Employee (dynamic)

DynamicPerson

Product

Use case. The system user is determined through the use case configuration data.

User

User name.

Password

User password.

Employee (role-based)

RoleBasedPerson

User

User name.

Password

User password.

HTTP header

HTTPHeader

Header

HTTP Header to use.

KeyColumn

Comma delimited list of key columns in the Person table to be searched for user names.

Default: CentralAccount, PersonnelNumber

HTTP header (role-based)

RoleBasedHTTPHeader

 

HTTP header to use.

KeyColumn

Comma delimited list of key columns in the Person table to be searched for user names.

Default: CentralAccount, PersonnelNumber

LDAP user account (dynamic)

DynamicLdap

User

User name.

Default: CN, DistinguishedName, UserID, UIDLDAP

Password

User password.

LDAP user account (role-based)

 

RoleBasedLdap

 

User

User name.

Default: CN, DistinguishedName, UserID, UIDLDAP

Password

User password.

Generic single sign-on (role-based)

RoleBasedGeneric

SearchTable

Table in which to search for the user name of the logged in user. This table must contain a FK named UID_Person that points to the Person table.

SearchColumn

Column from the SearchTable in which to search for the user name of the logged-in user.

DisabledBy

Pipe (|) delimited list of Boolean columns which block a user account from logging in.

EnabledBy

Pipe (|) delimited list of Boolean columns which release a user account for logging in.

OAuth 2.0/OpenID Connect

OAuth

 

Dependent on the authentication method of the secure token service.

OAuth 2.0/OpenID Connect (role-based)

 

OAuthRoleBased

 

 

Dependent on the authentication method of the secure token service.

Account based system user

DialogUserAccountBased

 

No parameters required

User account

QERAccount

 

No parameters required

User account (role-based)

RoleBasedQERAccount

 

No parameters required

Password reset

PasswordReset

 

No parameters required

Password reset (role-based)

RoleBasedPasswordReset

 

No parameters required

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating