
Identity Manager 8.2.1 - Authorization and Authentication Guide


Multi-factor authentication in One Identity Manager

Table 41: Multi-factor authentication configuration parameters

Configuration parameter
    Meaning

QER | Person | Defender
    Specifies whether the classic Starling Two-Factor Authentication integration is supported.

QER | Person | Defender | ApiEndpoint
    URL of the Starling 2FA API endpoint used to register new users.

QER | Person | Defender | ApiKey
    Your company's subscription key for accessing the Starling Two-Factor Authentication interface.

QER | Person | Starling
    Specifies whether One Identity Starling Cloud is supported.

    Initiate your subscription within your One Identity on-prem product and join your on-prem solutions to our One Identity Starling Cloud platform, giving your organization immediate access to a number of cloud-delivered microservices that expand the capabilities of your One Identity on-prem solutions. We will continuously make new products and features available on our Starling Cloud platform. For a free trial of our One Identity Starling offerings and to get the latest product feature updates, visit cloud.oneidentity.com.

QER | Person | Starling | ApiEndpoint
    Token endpoint for logging in on the One Identity Starling platform. The value is determined by the Starling configuration wizard.

QER | Person | Starling | ApiKey
    Credential string for logging in on the One Identity Starling platform. The value is determined by the Starling configuration wizard.

You can set up multi-factor authentication for specific security-critical actions in One Identity Manager, for example for attestation or for approving requests in the Web Portal.

One Identity Manager uses One Identity Starling Two-Factor Authentication for multi-factor authentication. This service is normally provided through the One Identity Starling Cloud platform. If your company does not use Starling Cloud, select the classic Starling Two-Factor Authentication integration instead. Configuration parameters specify which of the two solutions is applied in your company.

To be able to use multi-factor authentication

  1. Register your company in Starling Two-Factor Authentication.

    For more information, see the Starling Two-Factor Authentication documentation.

  2. Specify which authentication solution is used.

    • To use Starling Cloud

      1. Start the Launchpad.

      2. Select Connection to Starling Cloud and click Run.

        This starts the Starling Cloud configuration wizard.

      3. Follow the Starling Cloud configuration wizard’s instructions.

      The configuration parameters under QER | Person | Starling are enabled and the authentication information is entered.

    • To use the classic Starling Two-Factor Authentication integration

      1. In the Designer, enable the QER | Person | Defender configuration parameter.

      2. Enable the QER | Person | Defender | ApiKey configuration parameter and enter your company’s subscription key as the value. This key grants access to the Starling Two-Factor Authentication interface, so handle it as a credential.

        The default URL of the Starling 2FA API endpoint is already entered in the QER | Person | Defender | ApiEndpoint configuration parameter.

  3. Enable assigning by event for the PersonHasQERResource table. For more information, see Editing table properties.

  4. (Optional) Specify whether the security code must be requested from the Starling 2FA app. For more information, see Requesting a security code.

  5. In the Manager, enable the New Starling 2FA token service item. For more information, see Preparing the Starling 2FA token request.

If the user's telephone number changes, cancel the current Starling 2FA token and request a new one, so that the registration is not left bound to the old number. Also cancel the token if it is no longer required.

For detailed information, see the following guides:

Theme
    Guide

Preparing the IT Shop for multi-factor authentication
    One Identity Manager IT Shop Administration Guide

Setting up multi-factor authentication for attestation
    One Identity Manager Attestation Administration Guide

Setting up Starling Two-Factor Authentication in the web project
    One Identity Manager Web Application Configuration Guide

Requesting the Starling 2FA token
Requesting products requiring multi-factor authentication
Approving requests with multi-factor authentication
Attestation with multi-factor authentication
    One Identity Manager Web Designer Web Portal User Guide

Editing table properties

NOTE: If the Assign by event option is enabled, the HandleObjectComponent process is placed in the job queue as soon as a resource assignment is added to or removed from an employee.

To enable assigning by event for a table

  1. In the Designer, select One Identity Manager Schema.

  2. Select the PersonHasQERResource table and start Schema Editor using the Show table definition task.

  3. In the Table properties view, select the Table tab and enable the Assign by event option.

  4. Select Database > Save to database and click Save.

For more information about editing table definitions, see the One Identity Manager Configuration Guide.

Preparing the Starling 2FA token request

One Identity Manager users must be registered with Starling Two-Factor Authentication in order to use multi-factor authentication. To register, a user must request the Starling 2FA token in the Web Portal. Once the request has been approved, the user receives a link to the Starling Two-Factor Authentication app and a Starling 2FA user ID. The app generates the one-time passwords that are required for authentication. The Starling 2FA user ID is saved in the user's employee main data.

NOTE: The user's default email address, mobile phone and country must be stored in their main data. This data is required for registering.

To facilitate requesting a Starling 2FA token

  1. In the Manager, select the IT Shop > Service catalog > Predefined category.

  2. Select New Starling 2FA token in the results list.

  3. Select the Change main data task.

  4. Disable Not available.

  5. Save the changes.

The Starling 2FA token request must be granted approval by the request recipient's manager.

Requesting a security code

Table 42: Configuration parameter for requesting Starling 2FA security codes

Configuration parameter
    Meaning

QER | Person | Defender | DisableForceParameter
QER | Person | Starling | DisableForceParameter
    These configuration parameters specify whether Starling 2FA is forced to send the security code by SMS or phone call when the user selects one of these options for multi-factor authentication. If the configuration parameters are enabled, Starling 2FA can refuse the request; the user must then generate the security code with the Starling 2FA app.

If the security code is requested for an attestation, request, or request approval, the user decides how the security code is sent. The following options are available:

  • By Starling 2FA app

  • By SMS

  • By phone call

By default, Starling 2FA is forced to send the security code by SMS or by phone call if the user has selected one of these options. However, for security reasons, the user should use the Starling 2FA app to generate the security code. If the app is installed on the user's mobile phone, Starling 2FA can refuse the SMS or phone call request, and the user must generate the security code using the app.

To use this method

  • If you use Starling Cloud, in the Designer, set the QER | Person | Starling | DisableForceParameter configuration parameter.

    - OR -

  • If you use classic Starling Two-Factor Authentication integration, in the Designer, set the QER | Person | Defender | DisableForceParameter configuration parameter.

    Starling 2FA can refuse to transmit the security code by SMS or phone call if the Starling 2FA app is installed on the phone. Then the security code must be generated by the app.

If the configuration parameter is not set (default), Starling 2FA is forced to send the security code by SMS or phone call.
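Both the setup procedure earlier in this chapter (choosing the Defender or Starling integration and entering the API key) and the DisableForceParameter settings in this section are ordinary configuration parameters, so their state can be audited directly in the One Identity Manager database instead of clicking through the Designer. The following query is an added example, not from the One Identity Manager documentation. It assumes that configuration parameters are stored in the DialogConfigParm table with a backslash-separated FullPath column (for example 'QER\Person\Starling'), a Value column and an Enabled column; verify those names against your schema before use. Because the ApiKey values are credentials, the query reports only whether they are set, never their contents.

```sql
-- Added audit query, not part of the One Identity Manager documentation.
-- ASSUMPTION (verify against your schema): configuration parameters are rows in
-- DialogConfigParm with columns FullPath (e.g. 'QER\Person\Starling'),
-- Value and Enabled (1 = enabled). Written for SQL Server (T-SQL).
WITH mfa AS (
    SELECT FullPath, CAST(Enabled AS int) AS Enabled, Value
    FROM DialogConfigParm
    WHERE FullPath IN (
        'QER\Person\Defender',
        'QER\Person\Defender\ApiEndpoint',
        'QER\Person\Defender\ApiKey',
        'QER\Person\Defender\DisableForceParameter',
        'QER\Person\Starling',
        'QER\Person\Starling\ApiEndpoint',
        'QER\Person\Starling\ApiKey',
        'QER\Person\Starling\DisableForceParameter'
    )
)
-- 1. Per-parameter state. ApiKey rows are credentials: show presence only, never the value.
SELECT FullPath,
       Enabled,
       CASE WHEN FullPath LIKE '%\ApiKey'
            THEN CASE WHEN Value IS NULL OR Value = '' THEN '<not set>' ELSE '<set>' END
            ELSE Value
       END AS ValueOrPresence
FROM mfa
UNION ALL
-- 2. Findings derived from the rows above: exactly one integration should be enabled,
--    and the enabled one should have DisableForceParameter set so that Starling 2FA may
--    refuse SMS/phone delivery when the Starling 2FA app is installed.
SELECT 'FINDING' AS FullPath,
       NULL      AS Enabled,
       CASE
         WHEN COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Defender' THEN Enabled END), 0) = 1
          AND COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Starling' THEN Enabled END), 0) = 1
           THEN 'both Defender and Starling integrations enabled; expected exactly one'
         WHEN COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Defender' THEN Enabled END), 0) = 0
          AND COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Starling' THEN Enabled END), 0) = 0
           THEN 'no integration enabled; multi-factor authentication is not available'
         WHEN COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Starling' THEN Enabled END), 0) = 1
          AND COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Starling\DisableForceParameter' THEN Enabled END), 0) = 0
           THEN 'Starling Cloud in use but DisableForceParameter not set; SMS/phone delivery is always forced'
         WHEN COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Defender' THEN Enabled END), 0) = 1
          AND COALESCE(MAX(CASE WHEN FullPath = 'QER\Person\Defender\DisableForceParameter' THEN Enabled END), 0) = 0
           THEN 'classic integration in use but DisableForceParameter not set; SMS/phone delivery is always forced'
         ELSE 'OK'
       END AS ValueOrPresence
FROM mfa;
```

Run it read-only against the One Identity Manager database after completing the setup and after any Designer change to the QER | Person parameters. The first result rows give the raw state of each parameter; the final FINDING row is a single verdict you can paste into a change ticket. If your schema stores the enabled flag differently, adjust the CAST in the CTE rather than the findings logic.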
