Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Identity Manager 8.1.4 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0 / OpenID Connect configuration Multi-factor authentication in One Identity Manager Granulated permissions for the SQL Server and database

Checking authentication

When a user logs in, a validity check is run. Use the settings to configure additional options.

  • The system runs additional validity checks to prevent users from working with established connections, if they were deactivated after they logged in. The check takes place when the next permissions based action on the connection at a fixed interval of 20 minutes.

    You can adjust the interval in the Common | Authentication | CheckInterval configuration parameter. In the Designer, edit the configuration parameter.

  • The number of session that a user can open within a short time is limited to 10 session a minute.

    If this number is exceeded, the user is sent an error message.

    You have logged in too often in the last minute. Please wait a moment before you log in again.

    This check is done for each front-end if the login is local. If the login is on the application server, it is checked for each application server.

    You can modify the number of sessions in the Common | Authentication | SessionsPerUserAndMinute configuration parameter. In the Designer, edit the configuration parameter.

  • Use the QBM | AppServer | SessionTimeout configuration parameter to add the timeout in hours, after which inactive application server sessions are closed. The default value is 24 hours. In the Designer, edit the configuration parameter.

OAuth 2.0 / OpenID Connect configuration

The OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules support the authorization code flow for OAuth 2.0 and OpenID Connect. For more detailed information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

To use the OAuth2.0/OpenID Connect authentication:

  • In the Designer, create the identity provider and the OAuth2.0/OpenID Connect applications for the identity provider. A wizard is available in the Designer to assist in this process.

  • Assign the OAuth2.0/OpenID Connect application to the web applications.

Related topics

Expiry of the OAuth 2.0/OpenID Connect authentication

At the endpoint of the authorization, the web application (or native application) requests the authorization code. The login endpoint is used to call an advanced login window, which serves to determine the authorization code. The authentication module requires an access token from the token endpoint and the certificate is required to check the security token.

In the process, an attempt is made to find the certificate from the web application configuration. If this is not possible, the settings of the identity provider are used. To find the certificate for testing the token, the certificate stores are queries in the following order:

  1. Configuration of the OAuth 2.0/OpenID Connect application (QBMIdentityClient table)

    1. Certificate text (QBMIdentityClient.CertificateText).
    2. Subject or thumbprint from the local memory (QBMIdentityClient.CertificateSubject and QBMIdentityClient.CertificateThumbPrint).
    3. Certificate endpoint (QBMIdentityClient.CertificateEndpoint).

      In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.

  2. Configuration of the identity provider (QBMIdentityProvider table)

    1. Certificate text ((QBMIdentityProvider.CertificateText).
    2. Subject or thumbprint from the local memory (QBMIdentityProvider.CertificateSubject and QBMIdentityProvider.CertificateThumbPrint).
    3. Certificate endpoint (QBMIdentityProvider.CertificateEndpoint)).

      In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.

    4. JSON-Web-Key endpoint (QBMIdentityProvider.JsonWebKeyEndpoint).

To identify the user account, the system determines which claim type is used to find the user information and which information from the One Identity Manager schema is used to find the user account.

Authentication through OpenID is built on OAuth 2.0. The OpenID Connect authentication uses the same mechanisms, but makes the claims available either in an ID token or with a UserInfo endpoint. Other configuration settings are required for using OpenID Connect. If the Scope contains the openid value, the authentication module uses OpenID Connect for authentication.

Related topics

Creating the OAuth 2.0/OpenID Connect configuration

To create an OAuth 2.0/OpenID Connect configuration

  1. In the Designer, select the Base data | Security settings | OAuth 2.0/OpenID Connect configuration category.

  2. Select the Create a new identity provider task.

  3. On the start page of the wizard, click Next.

  4. On the New identity provider page, enter the display name for the configuration and a description.

  5. Click Next.

  6. On the Automatic configuration discovery page, you define how you want to enter the information about the identity provider.

    • If the configuration data can be determined automatically by OpenID Connect Discovery:

      1. Select Automatic configuration data discovery.

      2. Enter the address (URL) for automatic determination of the configuration data in the input field, or select an example address through the selection menu.

      3. Click Run.

      4. The configuration data is determined and a dialog window is displayed. To accept the configuration data, click OK.

    • If you do not want to determined the configuration data automatically, select Manual data input.

      Enter the configuration data on the next page of the wizard.

  7. Click Next.

  8. On the Configuration data page, enter the general information for the database user.

    NOTE: If you selected automatic determination of configuration data, some of the information is already completed.

    Table 36: General configuration data for the identity provider

    Property

    Description

    Login endpoint

    Uniform Resource Locator (URL) of the Secure Token Service login page.

    Example: http://localhost/rsts/login

    Logout endpoint

    URL of the log-out endpoint

    Example: http://localhost/rsts/login?wa=wsignout1.0

    Token endpoint

    Uniform Resource Identifier (URL) of the token endpoint of the authorization server for returning the access token to the client for logging in.

    Example: https://localhost/rsts/oauth2/token

    UserInfo endpoint

    URL of the OpenID Connect UserInfo endpoint.

    Self-signed certificates allowed

    Specifies whether self-signed certificates are allowed for connecting to the token endpoint and UserInfo endpoint.

    Issuer

    Uniform Resource Identifier (URI) of the certificate issuer for verifying the security token.

    Example: urn:STS/identity

    Scope

    Protocol for authentication. If the value is openid, OpenID Connect is used for authentication, otherwise OAuth 2.0 is used.

    Shared Secret

    Shared-Secret value used for authentication at the token endpoint. If all applications of the identity provider use the same Shared Secret, enter the value here. If the applications use different Shared Secrets, enter the Shared Secret values when creating the applications.

  9. Click Next.

  10. On the Configure certificates page, enter the information for the identity provider's certificate. If all applications use the same certificate, enter the information here. If the applications use different certificate settings, enter the information when creating the application.

    NOTE: If you selected automatic determination of configuration data, some of the information is already completed.

    Table 37: Information about the identity provider certificate

    Property

    Description

    Certificate endpoint

    Uniform Resource Locator (URL) of the certificate end point on the authorization server.

    Example: https://localhost/RSTS/SigningCertificate

    Subject of the certificate

    Subject of the certificate used for verification. The subject or thumbprint must be set.

    Thumbprint

    Thumbprint of the certificate used to verify the security token.

    JSON-Web-Key endpoint

    URL of the JSON web key endpoint providing the token signing keys.

    Certificate

    Character string of the certificate content. It is used if no certificate is configured.

  11. Click Next.

  12. On the Search rule for user information page, you define how the login information is determined between the identity provider and the One Identity Manager database.

    Table 38: Determining the login information

    Property

    Description

    Value for the search

    Full name of the claim type from which the login information is determined on the identity provider.

    Example: name of an entity

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ nameidentifier

    If you have determined the configuration data automatically, select a value from the list.

    Column to search

    Table and column in the One Identity Manager database in which the user information is stored. The table must contain a foreign key with the name UID_Person, which points to the Person table.

    Example: ADSAccount.ObjectGUID

    User name value

    Full name of the claim type from which the user name is determined on the identity provider. The user name is used, for example, to identify data changes in One Identity Manager (XUserInserted and XUserUpdated columns).

    Example: User Principle Name (UPN)

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

    If you have determined the configuration data automatically, select a value from the list.

  13. Click Next.

  14. On the Create OAuth 2.0/OpenID Connect applications page, enter the application information for the identity provider.

    1. Click next to the Applications input field.

    2. On the General tab, enter the general information for the application.

      Table 39: General information about the application

      Property

      Description

      Display name

      Display name of the application.

      Description

      Text field for additional explanation.

      Client ID

      ID of the application on the identity provider. For native applications, enable the Default option.

      Example: urn:OneIdentityManager/Web

      Shared Secret

      Application-specific Shared Secret value used for authentication at the token endpoint.

      Resource to request

      URN of the resource to be requested, for example for ADFS. Only required if the identity provider requires this value.

      Redirect URL

      Forwarding address for redirection of applications.

      Example: urn:InstalledApplication

      Default

      Specifies whether this is a standard application for native applications.

    3. On the Certificate tab, enter the information for the application certificate.

      Table 40: Information about the application certificate

      Property

      Description

      Certificate endpoint

      Uniform Resource Locator (URL) of the certificate end point on the authorization server.

      Example: https://localhost/RSTS/SigningCertificate

      Thumbprint

      Thumbprint of the certificate used to verify the security token.

      Subject of the certificate

      Subject of the certificate used for verification. The subject or thumbprint must be set.

      Certificate

      Content of the certificate. It is used if no certificate is configured.

    4. On the Authentication tab, enter the following information

      Table 41: Information about the application certificate

      Property

      Description

      Authentication method

      Authentication method at the token endpoint. Permitted values are:

      • client_secret_basic (default value): HTTP basic authentication method. The Shared Secret is transferred in the HTTP header.

      • client_secret_post: The Shared Secret is transferred in the client_secret value of the POST-Body.

      • none: No authentication at the token endpoint.
      • client_secret_jwt: The Shared Secret is transferred as a JSON web token (JWT).
      • private_key_jwt: The Shared Secret is transferred as JWT. In addition, encryption is carried out with the private key.

      Token endpoint certificate

      Hexadecimal thumbprint of the certificate for validating the token.

  15. To create the identity provider and the application in the One Identity Manager database, click Next.
  16. Click Finish to complete the wizard.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating