Identity Manager 8.1.5 - Authorization and Authentication Guide

Multi-factor authentication in One Identity Manager

Table 42: Multi-factor authentication configuration parameters

QER | Person | Defender
    Specifies whether classic Starling Two-Factor Authentication integration is supported.

QER | Person | Defender | ApiEndpoint
    Contains the URL of the Starling 2FA API endpoint used to register new users.

QER | Person | Defender | ApiKey
    Contains your company's subscription key for accessing the Starling Two-Factor Authentication interface.

QER | Person | Starling
    Specifies whether One Identity Starling Cloud is supported.

    Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling Cloud platform. This gives your organization immediate access to a number of cloud-delivered microservices that expand the capabilities of your One Identity on-prem solutions. We continuously make new products and features available on the Starling Cloud platform. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.

QER | Person | Starling | ApiEndpoint
    Contains the touch endpoint for login to the One Identity Starling software-as-a-service platform. The value is determined by the Starling configuration wizard.

QER | Person | Starling | ApiKey
    Contains the credential string for login to the One Identity Starling software-as-a-service platform. The value is determined by the Starling configuration wizard.

You can set up multi-factor authentication for specific security-critical actions in One Identity Manager. You can use these, for example, for attestation or when approving requests in the Web Portal.

Use One Identity Starling Two-Factor Authentication for multi-factor authentication in One Identity Manager. This service is normally provided over the One Identity Starling Cloud platform. If your company does not use Starling Cloud, select the conventional Starling Two-Factor Authentication integration. Use configuration parameters to specify which of the two solutions is applied in your company.

To be able to use multi-factor authentication

  1. Register your company in Starling Two-Factor Authentication.

    For more detailed information, see the Starling Two-Factor Authentication documentation.

  2. Specify which authentication solution is used.

    • To use Starling Cloud

      1. Start the Launchpad.

      2. Select Connection to Starling Cloud and click Run.

        This starts the Starling Cloud configuration wizard.

      3. Follow the Starling Cloud configuration wizard's instructions.

      The configuration parameters under QER | Person | Starling are enabled and the authentication information is entered.

    • To use conventional Starling Two-Factor Authentication integration

      1. In the Designer, enable the QER | Person | Defender configuration parameter.

        • Enable the QER | Person | Defender | ApiKey configuration parameter and enter your company’s subscription key as the value for accessing the Starling Two-Factor Authentication interface.

        The default URL of the Starling 2FA API endpoint is already entered in the QER | Person | Defender | ApiEndpoint configuration parameter.

  3. Enable assigning by event for the PersonHasQERResource table. For more information, see Editing table properties.

  4. (Optional) Specify whether the security code must be requested from the Starling 2FA app. For more information, see Requesting a security code.

  5. (Optional) Specify whether requests can be approved using the Starling 2FA app. For more information, see Allowing approval decisions using the Starling 2FA app.

  6. In the Manager, enable the New Starling 2FA token service item. For more information, see Preparing the Starling 2FA token request.

If the user's telephone number has changed, cancel the current Starling 2FA token and request a new one. If the Starling 2FA token is no longer required, cancel it as well.

For detailed information, see the following guides:

One Identity Manager IT Shop Administration Guide
    Preparing the IT Shop for multi-factor authentication

One Identity Manager Attestation Administration Guide
    Setting up multi-factor authentication for attestation

One Identity Manager Web Application Configuration Guide
    Setting up Starling Two-Factor Authentication in the web project

One Identity Manager Web Portal User Guide
    Requesting the Starling 2FA token
    Requesting products requiring multi-factor authentication
    Approving requests with multi-factor authentication
    Attestation with multi-factor authentication

Editing table properties

NOTE: If the Assign by event option is enabled, the HandleObjectComponent process is placed in the job queue as soon as a resource assignment is added to or removed from an employee.

To enable assigning by event for a table

  1. In the Designer, select One Identity Manager Schema.
  2. Select the PersonHasQERResource table and start Schema Editor using the Show table definition task.
  3. In the Table properties view, select the Table tab and enable the Assign by event option.
  4. Save the changes.

For detailed information about editing table definitions, see the One Identity Manager Configuration Guide.

Preparing the Starling 2FA token request

One Identity Manager users must be registered with Starling Two-Factor Authentication in order to use multi-factor authentication. To register, a user must request a Starling 2FA token in the Web Portal. Once the request has been approved, the user receives a link to the Starling Two-Factor Authentication app and a Starling 2FA user ID. The app generates one-time passwords, which are required for authentication. The Starling 2FA user ID is saved in the user's employee master data.

NOTE: The user's default email address, mobile phone and country must be stored in their master data. This data is required for registering.

To facilitate requesting a Starling 2FA token

  1. Select the IT Shop | Service catalog | Predefined category.

  2. Select New Starling 2FA token in the results list.

  3. Select the Change master data task.

  4. Disable Not available.

  5. Save the changes.

The Starling 2FA token request must be granted approval by the request recipient's manager.

Requesting a security code

Table 43: Configuration parameters for requesting Starling 2FA security codes

QER | Person | Defender | DisableForceParameter
QER | Person | Starling | DisableForceParameter
    These configuration parameters specify whether Starling 2FA is forced to send the security code by SMS or phone call when the user selects one of these options for multi-factor authentication. If the configuration parameters are enabled, Starling 2FA can refuse such a request; the user must then generate the security code with the Starling 2FA app.

If the security code is requested for an attestation, request, or request approval, the user decides how the security code is sent. The following options are available:

  • By Starling 2FA app
  • By SMS
  • By phone call

By default, Starling 2FA is forced to send the security code by SMS or by phone call if the user has selected one of these options. However, for security reasons, the user should use the Starling 2FA app to generate the security code. If the app is installed on the user's mobile phone, Starling 2FA can refuse the SMS or phone call request, and the user must generate the security code using the app.

To use this method

  • If you use Starling Cloud, in the Designer, set the QER | Person | Starling | DisableForceParameter configuration parameter.

    - OR -

  • If you use classic Starling Two-Factor Authentication integration, in the Designer, set the QER | Person | Defender | DisableForceParameter configuration parameter.

    Starling 2FA can refuse to transmit the security code by SMS or phone call if the Starling 2FA app is installed on the phone. Then the security code must be generated by the app.

If the configuration parameter is not set (default), Starling 2FA is forced to send the security code by SMS or phone call.
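The following is an added illustration, not code from the One Identity Manager product, that models the delivery decision described above: which DisableForceParameter applies depends on the active integration, and with it set, an SMS or phone call request is refused when the app is installed. It assumes a refusal always happens in that case (the guide says Starling 2FA "can" refuse) and that Starling Cloud takes precedence when both integrations are enabled.

```python
from __future__ import annotations

# Configuration parameter paths as they appear in the Designer (from the guide).
STARLING = "QER | Person | Starling"
DEFENDER = "QER | Person | Defender"
STARLING_NO_FORCE = "QER | Person | Starling | DisableForceParameter"
DEFENDER_NO_FORCE = "QER | Person | Defender | DisableForceParameter"

# The three delivery options a user can pick for the security code.
APP, SMS, PHONE = "app", "sms", "phone"


def active_integration(enabled: set) -> str:
    """Return which Starling 2FA integration the enabled parameters select.

    Assumption (not stated by the guide): if both parameters are enabled,
    Starling Cloud is treated as the active integration.
    """
    if STARLING in enabled:
        return "starling-cloud"
    if DEFENDER in enabled:
        return "classic"
    raise ValueError("multi-factor authentication is not configured")


def delivery_channel(enabled: set, requested: str, app_installed: bool) -> str:
    """Channel over which the user actually receives the security code.

    With DisableForceParameter set for the active integration, an SMS or
    phone-call request is refused when the app is installed (modelled here
    as always refused), so the code must be generated in the app. Otherwise
    Starling 2FA is forced to honour the SMS/phone request.
    """
    if requested not in (APP, SMS, PHONE):
        raise ValueError(f"unknown delivery option: {requested}")
    if requested == APP:
        return APP
    if active_integration(enabled) == "starling-cloud":
        no_force = STARLING_NO_FORCE
    else:
        no_force = DEFENDER_NO_FORCE
    if no_force in enabled and app_installed:
        return APP          # request refused; user must use the app
    return requested        # forced SMS / phone call delivery
```

Note that setting the DisableForceParameter of the integration that is not active has no effect, which is a common misconfiguration when switching from the classic integration to Starling Cloud.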
