If a new user logs in to the Web Portal or new external employees need to be certified, they receive an email containing a link to the Password Reset Portal. Using the link, employees verify their contact email address, set a password and password questions.
To send notification with a verification link
-
In the Designer, set the QER | Attestation | MailTemplateIdents | NewExternalUserVerification configuration parameter.
By default, notification is sent using the Attestation - new external user verification link mail template.
TIP: To use something other than the default mail template for these notifications, change the value of the configuration parameter.
Detailed information about this topic
One Identity Manager supplies mail templates by default. These mail templates are available in English and German. If you require the mail body in other languages, you can add mail definitions for these languages to the default mail template.
To edit a default mail template
Related topics
To provide attestors who are temporarily unable to access One Identity Manager tools with the option of making attestation case decisions, you can set up attestation by email. In this process, attestors are notified by email when an attestation case is pending their approval. Approvers can use the links in the email to make approval decisions without having to connect to the Web Portal. This generates an email that contains the approval decision and in which attestors can state the reasons for their approval decision. This email is sent to a central mailbox. One Identity Manager checks this mailbox regularly, evaluates the incoming emails and updates the status of the attestation cases correspondingly.
IMPORTANT: An attestation cannot be sent by email if multi-factor authentication is configured for the attestation policy. Attestation mails for such attestations produce an error message.
Prerequisites
-
If you use a Microsoft Exchange mailbox, configure the Microsoft Exchange with:
-
Microsoft Exchange Client Access Server version 2007, Service Pack 1 or higher
-
Microsoft Exchange Web Service .NET API Version 1.2.1, 32-bit
-
If you use an Exchange Online mailbox, register an application in your Azure Active Directory tenant in the Microsoft Azure Management Portal. For example, One Identity Manager <Approval by mail>.
For detailed information about how to register an application, see https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application.
-
The One Identity Manager Service user account used to log into Microsoft Exchange or Exchange Online requires full access to the mailbox given in the QER | Attestation | MailApproval | Inbox configuration parameter.
-
The QER | Attestation | MailTemplateIdents | RequestApproverByCollection configuration parameter is not set.
To set up attestation by email
-
In the Designer, set the QER | Attestation | MailApproval | Inbox configuration parameter and enter the mailbox to which the approval mails are to be sent.
-
Set up mailbox access.
-
In the Designer, set the QER | Attestation | MailTemplateIdents | ITShopApproval configuration parameter.
The mail template used to create the attestation mail is stored with this configuration parameter. You can use the default mail template or add a custom mail template.
TIP: To use a company-specific mail template for attestation mails, change the value of the configuration parameter.To use a company-specific mail template for approval decision mails, change the value of the configuration parameter. In this case, also change the VI_MailApproval_ProcessMail script.
-
Assign the following mail templates to the approval steps.
Table 39: Mail templates for approval by mail
Mail template request |
Attestation - approval required (by mail) |
Mail template reminder |
Attestation - remind approver (by mail) |
Mail template delegation |
Attestation - delegated/additional approval (by mail) |
Mail template rejection |
Attestation - reject approval (by mail) |
-
In the Designer, configure and enable the Processes attestation mail approvals schedule.
Based on this schedule, One Identity Manager regularly checks the mailbox for new attestation mails. The mailbox is checked every 15 minutes. You can change how frequently it checks, by altering the interval in the schedule as required.
To clean up a mail box
Related topics
The Processes attestation mail approvals schedule starts the VI_Attestation_Process Approval Inbox process. This process runs the VI_MailApproval_ProcessInBox script, which searches the mailbox for new attestation mails and updates the attestation cases in the One Identity Manager database. The contents of the attestation mail are processed at the same time.
NOTE: The validity of the email certificate is checked with the VID_ValidateCertificate script. You can customize this script to suit your security requirements. Take into account that this script is also used for attestations by email.
If an self-signed root certification authority is used, the user account under which the One Identity Manager Service is running, must trust the root certificate.
TIP: The VI_MailApproval_ProcessInBox script finds the Exchange Web Service URL that uses AutoDiscover through the given mailbox as default. This assumes that the AutoDiscover service is running.
If this is not possible, enter the URL in the QER | Attestation | MailApproval | ExchangeURI configuration parameter.
Attestation mails are processed with the VI_MailApproval_ProcessMail script. The script finds the relevant approval decision, sets the Approved option if approval is granted, and stores the reason for the approval decision with the attestation cases. The attestor is found through the sender address. Then the attestation mail is removed from the mailbox depending on the selected cleanup method.
NOTE: If you use a custom mail template for the attestation mail, check the script and modify it as required. Take into account that this script is also used for approval decisions for IT Shop requests by email.