Authentication module for using OAuth 2.0/OpenID Connect for authentication access to the REST API
An authentication module is provided within the application server to authenticate using access tokens. The application server client uses the information from the authentication module to determine the access token for logging in on the server side.
For example, the authentication module can be used for Job servers that do not have a direct connection to the database but work against an application server.
To use the authentication module, ensure that authentication for accessing the REST API is set up using OAuth 2.0/OpenID Connect.
NOTE: If authentication is by access token, other authentication modules are excluded from use and the application server returns an error.
Authentication data for establishing a connection through the application server's REST API:
Module=Token;Url=<URL of the application server>;ClientId=<client-ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>
With the following parameters:
- URL: URL of the application server
- ClientId: Client ID for authentication at the token endpoint.
- ClientSecret: Secret value for authentication at the token endpoint.
- TokenEndpoint: URL of the token endpoint.
For more information about providing connection and authentication data to the application server for Job servers, see the One Identity Manager Configuration Guide.
Authenticating external applications using OAuth 2.0/OpenID Connect
To access the REST API in the application server through external applications, authentication is supported by the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules. Ensure that authentication for the REST API is set up through OAuth 2.0/OpenID Connect.
To authenticate an external application using OAuth 2.0/OpenID Connect in One Identity Manager
- Log in to the external identity provider, for example with Redistributable STS (RSTS), and get the access token.
- Ensure that the token is passed as the bearer token in the authentication header of all queries.
NOTE: When logging in with a bearer token, the session must be handled using a session cookie. Clients accessing the REST API using the bearer token must therefore keep the cookie assigned during the first access and send it with subsequent accesses. Otherwise, a new session is established for each access, which costs a lot of resources.
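The effect described in this note, shown as an added example (not One Identity code): a constructed local stub API opens a new session for every bearer-authenticated request that arrives without a known cookie, and the client is run once with and once without a cookie jar. The stub server, the `sid` cookie name and the token value are assumptions made for illustration.

```python
import http.cookiejar
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-access-token"  # placeholder, not a real token

class StubApi(BaseHTTPRequestHandler):
    """Constructed stand-in for a REST API that opens a session per login."""
    sessions = set()

    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {TOKEN}":
            self.send_error(401)
            return
        # Hypothetical cookie name "sid"; empty string if no cookie was sent.
        sid = self.headers.get("Cookie", "").partition("sid=")[2]
        self.send_response(200)
        if sid not in self.sessions:  # no known session: create a new one
            sid = secrets.token_hex(16)
            self.sessions.add(sid)
            self.send_header("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def sessions_created(keep_cookie: bool, requests: int = 3) -> int:
    """Send bearer-authenticated calls; return how many sessions the stub opened."""
    StubApi.sessions = set()
    server = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    handlers = [urllib.request.ProxyHandler({})]  # ignore proxy environment
    if keep_cookie:  # the jar stores the cookie from the first response
        handlers.append(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    opener.addheaders = [("Authorization", f"Bearer {TOKEN}")]
    try:
        for _ in range(requests):
            opener.open(url, timeout=5).close()
    finally:
        server.shutdown()
        server.server_close()
    return len(StubApi.sessions)

if __name__ == "__main__":
    print(sessions_created(True), sessions_created(False))
```

With the cookie jar the three requests share one session; without it every request creates its own.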
Multi-factor authentication in One Identity Manager
One Identity Defender can be used for multi-factor authentication on One Identity Manager tools and the Web Portal. For more information, see Multi-factor authentication with One Identity Defender.
You can set up multi-factor authentication with OneLogin for attestations and request approvals. For more information, see Multi-factor authentication with OneLogin.
Multi-factor authentication with OneLogin
You can set up multi-factor authentication with OneLogin for specific security-critical actions in One Identity Manager. You can use these, for example, for attestation or when approving requests in the Web Portal. Each employee who wants to use this functionality must be linked to a OneLogin user account.
Prerequisite
In OneLogin:
In One Identity Manager:
To use multi-factor authentication for attestations or requests
- Set up synchronization with a OneLogin domain and start the synchronization.
- Link employees to their OneLogin user accounts.
- Configure the API Server and the Web Portal for using OneLogin multi-factor authentication.
- Set up multi-factor authentication for attestations and requests in the IT Shop.
For more information, see the following guides:
| Topic | Guide |
| Set up and start synchronization of a OneLogin domain. | One Identity Manager Administration Guide for Connecting to OneLogin |
| Multi-factor authentication configuration in the web application | One Identity Manager Web Application Configuration Guide |
| Preparing the IT Shop for multi-factor authentication | One Identity Manager IT Shop Administration Guide |
| Setting up multi-factor authentication for attestation | One Identity Manager Attestation Administration Guide |
| Requesting products requiring multi-factor authentication; Approving requests with multi-factor authentication; Attestation with multi-factor authentication | One Identity Manager Web Portal User Guide |