Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Active Directory user account (dynamic)

NOTE: This authentication module is available if the Active Directory Module is installed.

Credentials

The authentication module uses the Active Directory login data of the user currently logged in on the workstation.

Prerequisites

  • The employee exists in the One Identity Manager database.

  • The Active Directory user account exists in the One Identity Manager database and the employee is entered in the user account's main data.

  • The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default

No

Single sign-on

Yes

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

The appropriate user account is found in the One Identity Manager database through the user's SID and the domain given at login. One Identity Manager determines which employee is assigned to the user account.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.

  • If this configuration parameter is set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and permissions are loaded through the system user that is dynamically assigned to the logged in employee.

Data modifications are attributed to the current user account.

NOTE: If the Connect automatically option is set, authentication is no longer necessary for subsequent logins.

Related topics

LDAP user account (role-based)

NOTE: This authentication module is available if the LDAP Module is installed.

Credentials

Login name, identifier, distinguished name or user ID of an LDAP user account.

LDAP user account's password.

Prerequisites

  • The employee exists in the One Identity Manager database.

  • The employee is assigned at least one application role.

  • The LDAP user account exists in the One Identity Manager database and the employee is entered in the user account's main data.

  • The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

If you log in using a login name, identifier, or user ID, the corresponding user account is determined in the One Identity Manager database through the domain. The domains permitted for logging in are entered in the TargetSystem | LDAP | Authentication | RootDN configuration parameter and the TargetSystem | LDAP | AuthenticationV2 | RootDN configuration parameter. If log in uses a distinguished name, the LDAP user account is determined that uses this distinguished name. One Identity Manager determines which employee is assigned to the LDAP user account.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.

  • If this configuration parameter is set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the permissions are loaded through this system user.

Data modifications are attributed to the current user account.

In the Designer, modify the following configuration parameters to implement the authentication module.

Table 29: Configuration parameters for the authentication module
Configuration parameter Meaning

TargetSystem | LDAP | Authentication

Allows configuration of the LDAP authentication module.

TargetSystem | LDAP | Authentication | Authentication

Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library.

Default: ServerBind

TargetSystem | LDAP | Authentication | Port

Communications port on the server.

Default: 389

TargetSystem | LDAP | Authentication | RootDN

Pipe (|) delimited list of root domains to be used to find the user account for authentication.

Syntax:

DC=<MyDomain>|DC=<MyOtherDomain>

Example:

DC=Root1,DC=com|DC=Root2,DC=de

TargetSystem | LDAP | Authentication | Server

Name of the LDAP server.

TargetSystem | LDAP | AuthenticationV2

Allows configuration of the LDAP authentication module.

TargetSystem | LDAP | AuthenticationV2 | AcceptSelfSigned

Specifies whether self-signed certificates are accepted.

TargetSystem | LDAP | AuthenticationV2 | Authentication

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication.

  • Negotiate: Uses Negotiate authentication from Microsoft.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

Default: Basic

For more information about authentication types, see the MSDN Library.

TargetSystem | LDAP | AuthenticationV2 | ClientTimeout

Client timeout in seconds.

TargetSystem | LDAP | AuthenticationV2 | Port

Communications port on the server.

Default: 389

TargetSystem | LDAP | AuthenticationV2 | ProtocolVersion

Version of the LDAP protocol. The values 2 and 3 are permitted.

Default: 3

TargetSystem | LDAP | AuthenticationV2 | RootDN

Pipe (|) delimited list of root domains to be used to find the user account for authentication.

Syntax:

DC=<MyDomain>|DC=<MyOtherDomain>

Example:

DC=Root1,DC=com|DC=Root2,DC=de

TargetSystem | LDAP | AuthenticationV2 | Security

Connection security. Permitted values are None, SSL and STARTTLS.

TargetSystem | LDAP | AuthenticationV2 | Server

Name of the LDAP server.

TargetSystem | LDAP | AuthenticationV2 | UseSealing

Specifies whether sealing is enabled.

TargetSystem | LDAP | AuthenticationV2 | UseSigning

Specifies whether signing is enabled.

TargetSystem | LDAP | AuthenticationV2 | VerifyServerCertificate

Specifies whether to check the server certificate when encrypting with SSL.

LDAP user account (dynamic)

NOTE: This authentication module is available if the LDAP Module is installed.

Credentials

Login name, identifier, distinguished name or user ID of an LDAP user account.

LDAP user account's password.

Prerequisites

  • The employee exists in the One Identity Manager database.

  • The LDAP user account exists in the One Identity Manager database and the employee is entered in the user account's main data.

  • The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

If you log in using a login name, identifier, or user ID, the corresponding user account is determined in the One Identity Manager database through the domain. The domains permitted for logging in are entered in the TargetSystem | LDAP | Authentication | RootDN configuration parameter and the TargetSystem | LDAP | AuthenticationV2 | RootDN configuration parameter. If log in uses a distinguished name, the LDAP user account is determined that uses this distinguished name. One Identity Manager determines which employee is assigned to the LDAP user account.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.

  • If this configuration parameter is set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and permissions are loaded through the system user that is dynamically assigned to the logged in employee.

Data modifications are attributed to the current user account.

In the Designer, modify the following configuration parameters to implement the authentication module.

Table 30: Configuration parameters for the authentication module
Configuration parameter Meaning

TargetSystem | LDAP | Authentication

Allows configuration of the LDAP authentication module.

TargetSystem | LDAP | Authentication | Authentication

Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library.

Default: ServerBind

TargetSystem | LDAP | Authentication | Port

Communications port on the server.

Default: 389

TargetSystem | LDAP | Authentication | RootDN

Pipe (|) delimited list of root domains to be used to find the user account for authentication.

Syntax:

DC=<MyDomain>|DC=<MyOtherDomain>

Example:

DC=Root1,DC=com|DC=Root2,DC=de

TargetSystem | LDAP | Authentication | Server

Name of the LDAP server.

TargetSystem | LDAP | AuthenticationV2

Allows configuration of the LDAP authentication module.

TargetSystem | LDAP | AuthenticationV2 | AcceptSelfSigned

Specifies whether self-signed certificates are accepted.

TargetSystem | LDAP | AuthenticationV2 | Authentication

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication.

  • Negotiate: Uses Negotiate authentication from Microsoft.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

Default: Basic

For more information about authentication types, see the MSDN Library.

TargetSystem | LDAP | AuthenticationV2 | ClientTimeout

Client timeout in seconds.

TargetSystem | LDAP | AuthenticationV2 | Port

Communications port on the server.

Default: 389

TargetSystem | LDAP | AuthenticationV2 | ProtocolVersion

Version of the LDAP protocol. The values 2 and 3 are permitted.

Default: 3

TargetSystem | LDAP | AuthenticationV2 | RootDN

Pipe (|) delimited list of root domains to be used to find the user account for authentication.

Syntax:

DC=<MyDomain>|DC=<MyOtherDomain>

Example:

DC=Root1,DC=com|DC=Root2,DC=de

TargetSystem | LDAP | AuthenticationV2 | Security

Connection security. Permitted values are None, SSL and STARTTLS.

TargetSystem | LDAP | AuthenticationV2 | Server

Name of the LDAP server.

TargetSystem | LDAP | AuthenticationV2 | UseSealing

Specifies whether sealing is enabled.

TargetSystem | LDAP | AuthenticationV2 | UseSigning

Specifies whether signing is enabled.

TargetSystem | LDAP | AuthenticationV2 | VerifyServerCertificate

Specifies whether to check the server certificate when encrypting with SSL.

Related topics

HTTP header

NOTE: This authentication module is available if the Configuration Module is installed.

The authentication module supports authentication by web single sign-on solutions that work with a proxy-based architecture.

Credentials

Employee's central user account or personnel number.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • The employee exists in the One Identity Manager database.

  • The central user account or personnel number is entered in the employee's main data.

  • The system user is entered in the employee's main data.

Set as default

No

Single sign-on

Yes

Front-end login allowed

No

Web Portal login allowed

Yes

Remarks

You must pass the user (in the form: UserName =<user name of authenticated user>) in the HTTP header. The employee is found in the One Identity Manager database whose central user account or personnel number matches the user name passed down.

If an employee has more than one identity, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which employee identity is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.

  • If this configuration parameter is set, the employee’s subidentity is used for authentication.

The user interface and permissions are loaded through the system user that is directly assigned to the logged in employee. If a system user is not assigned to the employee, the system user from the SysConfig | Logon | DefaultUser configuration parameter is used.

Changes to the data are assigned to the logged in employee.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating