
Identity Manager 9.2.1 - Authorization and Authentication Guide


Password reset

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module is used for login to Password Reset Portal. It checks the passcode or the identity's answers to the password questions. In the case of login with a passcode, the passcode is deleted after a successful login.

Credentials

Central user account and passcode.

- OR -

Central user account and answers to the password questions.

- OR -

Target system user account and passcode.

- OR -

Target system user account and answers to password questions.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • Using the central user account: The central user account is entered in the identity main data.

  • Using the target system user account: The user account exists in the One Identity Manager database and the identity is entered in the main data of the identity’s user account.

  • The identity is neither deactivated nor has the certification status New.

  • The identity has a passcode, or the questions and answers for the password prompt have been specified.

Set as default

No

Single sign-on

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The application token for Password Reset Portal must be specified. You set the application token when installing Password Reset Portal. The application token is saved as a hash value in the database in the QER | Person | PasswordResetAuthenticator | ApplicationToken parameter and stored encrypted in the web.config file. For more information about setting up the Password Reset Portal, see the One Identity Manager Web Application Configuration Guide.

In the Designer, modify the following configuration parameters so that target system accounts can be used for logging in. If the configuration parameters are not set, the identity’s central user account is used.

Table 31: Configuration parameters for the authentication module

Configuration parameter: QER | Person | PasswordResetAuthenticator | SearchTable
Meaning: Table in the One Identity Manager schema that stores the user information. The table must contain a foreign key named UIDPerson (or CCC_UID_Person) that references the Person table.
Example: ADSAccount

Configuration parameter: QER | Person | PasswordResetAuthenticator | SearchColumn
Meaning: Pipe (|) delimited list of columns of the table given in SearchTable that are searched for the user name of the logged-in user.
Example: CN|SamAccountName
NOTE: The QBMSplittedLookup table can be used as a lookup table. SplittedElement can be used as a search column.

Configuration parameter: QER | Person | PasswordResetAuthenticator | EnabledBy
Meaning: Pipe (|) delimited list of Boolean columns of the table given in SearchTable that enable the user account for login.

Configuration parameter: QER | Person | PasswordResetAuthenticator | DisabledBy
Meaning: Pipe (|) delimited list of Boolean columns of the table given in SearchTable that disable the user account for login.
Example: AccountDisabled

Password reset (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module is used for login to Password Reset Portal. It checks the passcode or the identity's answers to the password questions. In the case of login with a passcode, the passcode is deleted after a successful login.

Credentials

Central user account and passcode.

- OR -

Central user account and answers to the password questions.

- OR -

Target system user account and passcode.

- OR -

Target system user account and answers to password questions.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • Using the central user account: The central user account is entered in the identity main data.

  • Using the target system user account: The user account exists in the One Identity Manager database and the identity is entered in the main data of the identity’s user account.

  • The identity is neither deactivated nor has the certification status New.

  • The identity has a passcode, or the questions and answers for the password prompt have been specified.

  • The identity is assigned at least one application role.

Set as default

Yes

Single sign-on

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The application token for Password Reset Portal must be specified. You set the application token when installing Password Reset Portal. The application token is saved as a hash value in the database in the QER | Person | PasswordResetAuthenticator | ApplicationToken parameter and stored encrypted in the web.config file. For more information about configuring the Password Reset Portal, see the One Identity Manager Web Application Configuration Guide.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

In the Designer, modify the following configuration parameters so that target system accounts can be used for logging in. If the configuration parameters are not set, the identity’s central user account is used.

Table 32: Configuration parameters for the authentication module

Configuration parameter: QER | Person | PasswordResetAuthenticator | SearchTable
Meaning: Table in the One Identity Manager schema that stores the user information. The table must contain a foreign key named UIDPerson (or CCC_UID_Person) that references the Person table.
Example: ADSAccount

Configuration parameter: QER | Person | PasswordResetAuthenticator | SearchColumn
Meaning: Pipe (|) delimited list of columns of the table given in SearchTable that are searched for the user name of the logged-in user.
Example: CN|SamAccountName
NOTE: The QBMSplittedLookup table can be used as a lookup table. SplittedElement can be used as a search column.

Configuration parameter: QER | Person | PasswordResetAuthenticator | EnabledBy
Meaning: Pipe (|) delimited list of Boolean columns of the table given in SearchTable that enable the user account for login.

Configuration parameter: QER | Person | PasswordResetAuthenticator | DisabledBy
Meaning: Pipe (|) delimited list of Boolean columns of the table given in SearchTable that disable the user account for login.
Example: AccountDisabled
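The following added example (not One Identity Manager code) models how the SearchTable, SearchColumn, EnabledBy and DisabledBy parameters from Tables 31 and 32 resolve a target system login name to exactly one identity, including the fallback to the central user account when the parameters are unset. The table rows, the Person columns CentralAccount, IsInActive and CertificationStatus, and all identity data are constructed sample data and assumptions, not the product schema.

```python
# Added example: resolution of a Password Reset Portal login name to a Person
# through the SearchTable / SearchColumn / EnabledBy / DisabledBy parameters.
# All rows and the Person column names below are constructed assumptions.

PERSONS = {  # constructed: UIDPerson -> identity main data
    "p-1": {"CentralAccount": "jdoe", "IsInActive": False, "CertificationStatus": "Certified"},
    "p-2": {"CentralAccount": "asmith", "IsInActive": False, "CertificationStatus": "New"},
    "p-3": {"CentralAccount": "bwong", "IsInActive": True, "CertificationStatus": "Certified"},
}

TABLES = {  # constructed: SearchTable name -> rows; UIDPerson is the FK to Person
    "ADSAccount": [
        {"CN": "John Doe", "SamAccountName": "jdoe", "AccountDisabled": False, "UIDPerson": "p-1"},
        {"CN": "Alice Smith", "SamAccountName": "asmith", "AccountDisabled": False, "UIDPerson": "p-2"},
        {"CN": "Bob Wong", "SamAccountName": "bwong", "AccountDisabled": True, "UIDPerson": "p-3"},
        # A CN that collides with another account's SamAccountName makes the
        # login name ambiguous when both columns are searched.
        {"CN": "jdoe", "SamAccountName": "jdoe2", "AccountDisabled": False, "UIDPerson": "p-3"},
    ]
}


def _split(value):
    """Split a pipe (|) delimited parameter value into its non-empty parts."""
    return [c for c in (value or "").split("|") if c]


def resolve_person(user_name, config):
    """Return (UIDPerson, "ok") or (None, rejection reason) for a login name."""
    table = config.get("SearchTable")
    if not table:
        # Parameters not set: the central user account of the identity is used.
        hits = [uid for uid, p in PERSONS.items() if p["CentralAccount"] == user_name]
    else:
        cols, enabled_by, disabled_by = (
            _split(config.get(k)) for k in ("SearchColumn", "EnabledBy", "DisabledBy"))
        hits = []
        for row in TABLES[table]:
            if not any(row.get(c) == user_name for c in cols):
                continue
            if any(not row.get(c) for c in enabled_by):   # an EnabledBy column is unset
                continue
            if any(row.get(c) for c in disabled_by):      # a DisabledBy column is set
                continue
            hits.append(row["UIDPerson"])
    hits = sorted(set(hits))
    if not hits:
        return None, "no enabled account matches the login name"
    if len(hits) > 1:
        return None, f"login name is ambiguous across {len(hits)} identities"
    person = PERSONS[hits[0]]
    if person["IsInActive"] or person["CertificationStatus"] == "New":
        return None, "identity is deactivated or has certification status New"
    return hits[0], "ok"
```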

Decentralized identity

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module can be used to log in using a decentralized identity.

Credentials

The identity's email address and decentralized identity.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • The identity exists in the One Identity Manager database.

  • The decentralized identity is entered in the identity main data.

  • The default email address or the contact email address is in the identity main data.

  • The system user is entered in the identity's main data.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

To identify the identity, the email address provided during login is verified against the default email address and the contact email address.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

The user interface and permissions are loaded through the system user that is directly assigned to the logged-in identity.

Changes to the data are assigned to the logged-in identity.

Decentralized identity (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module can be used to log in using a decentralized identity.

Credentials

The identity's email address and decentralized identity.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • The decentralized identity is entered in the identity main data.

  • The default email address or the contact email address is in the identity main data.

  • The identity is assigned at least one application role.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

To identify the identity, the email address provided during login is verified against the default email address and the contact email address.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is not set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

Changes to the data are assigned to the logged-in identity.
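The added example below (not One Identity Manager code) evaluates the identity selection rules stated in the Remarks of both decentralized identity modules: the login email must match the default or contact email address, UseMasterForAuthentication decides between a subidentity and its main identity, and AllowLoginWithSecurityIncident gates identities classified as a security risk. The identity records, the field names and the case-insensitive email comparison are constructed assumptions.

```python
# Added example: which identity a decentralized identity login resolves to.
# Records and field names are constructed; email matching is assumed to be
# case-insensitive, which the guide does not state.

PERSONS = [  # constructed identity main data
    {"UID": "m-1", "DefaultEmail": "jdoe@example.com", "ContactEmail": "",
     "DecentralizedId": "did:example:1", "MainIdentity": None, "SecurityIncident": False},
    {"UID": "s-1", "DefaultEmail": "", "ContactEmail": "jdoe.admin@example.com",
     "DecentralizedId": "did:example:2", "MainIdentity": "m-1", "SecurityIncident": False},
    {"UID": "p-9", "DefaultEmail": "eve@example.com", "ContactEmail": "",
     "DecentralizedId": "did:example:3", "MainIdentity": None, "SecurityIncident": True},
]


def select_identity(email, did, use_master_for_auth, allow_login_with_incident):
    """Return (UID, "ok") or (None, rejection reason) for an email + decentralized identity."""
    if not email or not did:
        return None, "email address and decentralized identity are required"
    by_uid = {p["UID"]: p for p in PERSONS}
    wanted = email.casefold()
    # The email is verified against the default and the contact email address.
    hits = [p for p in PERSONS
            if p["DecentralizedId"] == did
            and wanted in {a.casefold() for a in (p["DefaultEmail"], p["ContactEmail"]) if a}]
    if not hits:
        return None, "no identity matches the email address and decentralized identity"
    if len(hits) > 1:
        return None, "credentials match more than one identity"
    identity = hits[0]
    # UseMasterForAuthentication set: a subidentity authenticates as its main identity.
    if use_master_for_auth and identity["MainIdentity"]:
        identity = by_uid[identity["MainIdentity"]]
    # Security-risk classification blocks login unless AllowLoginWithSecurityIncident is set.
    if identity["SecurityIncident"] and not allow_login_with_incident:
        return None, "identity is classified as a security risk"
    return identity["UID"], "ok"
```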
