Chat now with support
Chat with Support

Identity Manager 9.2 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable Secure Token Server Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

HTTP header

NOTE: This authentication module is available if the Configuration Module is installed.

The authentication module supports authentication by web single sign-on solutions that work with a proxy-based architecture.

Credentials

Identity's central user account or personnel number.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • The identity exists in the One Identity Manager database.

  • The central user account or personnel number is entered in the identity's main data.

  • The system user is entered in the identity's main data.

Set as default

No

Single sign-on

Yes

Front-end login allowed

No

Web Portal login allowed

Yes

Remarks

You must pass the user (in the form: UserName =<user name of authenticated user>) in the HTTP header. The identity found in the One Identity Manager database has the central user account or personnel number that matches the given user name.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

The user interface and permissions are loaded through the system user that is directly assigned to the logged in identity. If a system user is not assigned to the identity, the system user from the SysConfig | Logon | DefaultUser configuration parameter is used.

Changes to the data are assigned to the logged in identity.

HTTP header (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module supports authentication by web single sign-on solutions that work with a proxy-based architecture.

Credentials

Identity's central user account or personnel number.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • The central user account or personnel number is entered in the identity's main data.

  • The identity is assigned at least one application role.

Set as default

Yes

Single sign-on

Yes

Front-end login allowed

No

Web Portal login allowed

Yes

Remarks

You must pass the user (in the form: UserName =<user name of authenticated user>) in the HTTP header. The identity found in the One Identity Manager database has the central user account or personnel number that matches the given user name.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

Changes to the data are assigned to the logged in identity.

OAuth 2.0/OpenID Connect

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authorization module supports the authorization code for OAuth 2.0 and OpenID Connect. For more information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

This authentication module uses a Secure Token Service for logging in. This login procedure can be used with every Secure Token Service that can return an OAuth 2.0 token.

Credentials

Dependent on the authentication method of the secure token service.

Prerequisites

  • The system user with permissions exists in the One Identity Manager database.

  • The identity exists in the One Identity Manager database.

  • The system user is entered in the identity's main data.

  • The user account exists in the One Identity Manager database and the identity is entered in the user account's main data.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

One Identity Manager finds the identity assigned to the user account.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

The user interface and permissions are loaded through the system user that is directly assigned to the identity found.

Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.

NOTE: If the authentication module cannot find a matching user for the claim value, it searches for the claim value in permitted system users' credentials (DialogUser.AuthentifierLogons). If an entry is found there, then that system user is logged in. To allocate the data changes, the values are used from the respective claims. If a matching user is found, the fallback cannot be used anymore.

Related topics

OAuth 2.0/OpenID Connect (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authorization module supports the authorization code for OAuth 2.0 and OpenID Connect. For more information about the authorization code flow, see, for example, the OAuth Specification or the OpenID Connect Specification.

This authentication module uses a Secure Token Service for logging in. This login procedure can be used with every Secure Token Service that can return an OAuth 2.0 token.

Credentials

Dependent on the authentication method of the secure token service.

Prerequisites

  • The identity exists in the One Identity Manager database.

  • The identity is assigned at least one application role.

  • The user account exists in the One Identity Manager database and the identity is entered in the user account's main data.

Set as default

No

Single sign-on

No

Front-end login allowed

Yes

Web Portal login allowed

Yes

Remarks

One Identity Manager finds the identity assigned to the user account.

If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

  • If this configuration parameter is set, the identity’s main identity is used for authentication.

  • If this configuration parameter is set, the identity’s subidentity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.

Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.

NOTE: If the authentication module cannot find a matching user for the claim value, it searches for the claim value in permitted system users' credentials (DialogUser.AuthentifierLogons). If an entry is found there, then that system user is logged in. To allocate the data changes, the values are used from the respective claims. If a matching user is found, the fallback cannot be used anymore.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating