Chat now with support
Chat with Support

Identity Manager 9.2 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable Secure Token Server Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Authentication module properties

Table 33: Authentication module properties
Property Meaning

Enabled

Specifies whether the authentication module can be used.

Display name

Display name for displaying the authentication module in the connection dialog of the administration tools.

Authentication module

Internal name of the authentication module.

Authentication type

Authentication module type. You can choose from Dynamic and Role based.

Processing status

The processing status is used for creating custom configuration packages.

Initial data

Initial data for logging in with this authentication module.

Syntax:

property1=value1;property2=value2

Example:

User=<user name>;Password=<password>

Class

Authentication module class.

Assembly name

Name of the assembly file.

Sort order

Specify the order in which the modules are displayed in the login window.

Single sign-on

Specifies whether the authentication module may be authenticated without a password.

Select in front-end

Specifies whether the authentication module can be selected in the login window.

Related topics

Initial data for authentication modules

Authentication data is formatted from the authentication module and its parameters and values. You can specify initial data for the parameters and their values. By default, the initial data is preset for each authentication process.

Syntax for authentication data:

Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…

Example:

Module=DialogUser;User=<user name>;Password=<password>

Table 34: Authentication data for authentication modules
Authentication module Display name Parameters and meaning

DialogUser

System users

User: User name

Password: The user's password

ADSAccount

Active Directory user account

No parameters required

DynamicADSAccount

Active Directory user account (dynamic)

Product: Usage. The system user is determined through the use case configuration data.

DynamicManualADS

Active Directory user account (manual input)

Product: Usage. The system user is determined through the use case configuration data.

User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.

Password: The user's password.

RoleBasedADSAccount

Active Directory user account (role-based)

No parameters required

RoleBasedManualADS

Active Directory user account (manual input/role-based)

User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.

Password: The user's password

Employee

Identity

User: Identity's central user account.

Password: The user's password

DynamicPerson

Identity (dynamic)

Product: Usage. The system user is determined through the use case configuration data.

User: User name.

Password: The user's password

RoleBasedPerson

Identity (role-based)

User: User name.

Password: The user's password.

HTTPHeader

HTTP header

Header: The HTTP header to use.

KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names.

Default: CentralAccount, PersonnelNumber

RoleBasedHTTPHeader

HTTP header (role-based)

Header: The HTTP header to use.

KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names.

Default: CentralAccount, PersonnelNumber

DynamicLdap

LDAP user account (dynamic)

User: User name.

Default: CN, DistinguishedName, UserID, UIDLDAP

Password: The user's password

RoleBasedLdap

 

LDAP user account (role-based)

 

User: User name.

Default: CN, DistinguishedName, UserID, UIDLDAP

Password: The user's password

RoleBasedGeneric

Generic single sign-on (role-based)

SearchTable: Table in which to search for the user name of the logged in user. This table must contain a FK named UID_Person that points to the Person table.

SearchColumn: Column from the SearchTable in which to search for the user name of the logged-in user.

DisabledBy: Pipe (|) delimited list of Boolean columns which block a user account from logging in.

EnabledBy: Pipe (|) delimited list of Boolean columns which release a user account for logging in.

OAuth

OAuth 2.0/OpenID Connect

Dependent on the authentication method of the secure token service.

OAuthRoleBased

OAuth 2.0/OpenID Connect (role-based)

Dependent on the authentication method of the secure token service.

DialogUserAccountBased

Account based system user

No parameters required

QERAccount

User account

No parameters required

RoleBasedQERAccount

User account (role-based)

No parameters required

RoleBasedManualQERAccount

User account (manual input/role-based)

User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.

Password: The user's password

PasswordReset

Password reset

No parameters required

RoleBasedPasswordReset

Password reset (role-based)

No parameters required

DecentralizedId

 

Decentralized identity

 

Email: Default email address of the identity (Person.DefaultEmailAddress) or contact email address of the identity (Person.ContactEmail)

Identifier: Decentralized identity of the identity (Person.DecentralizedIdentifier).

RoleBasedDecentralizedId

 

Decentralized Identity (role-based)

 

Email: Default email address of the identity (Person.DefaultEmailAddress) or contact email address of the identity (Person.ContactEmail)

Identifier: Decentralized identity of the identity (Person.DecentralizedIdentifier).

Token

 

 

 

Internal authentication module in the application server for authentication using OAuth 2.0/OpenID Connect access tokens. For more information, see Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API.

URL: URL of the application server.

ClientId: ID of the application on the identity provider.

ClientSecret: Secret value for authentication at the token endpoint.

TokenEndpoint: Uniform Resource Identifier (URL) of the token endpoint of the authorization server for returning the access token to the client for logging in.

Related topics

Configuration data for system user dynamic authentication

In the case of dynamic authentication modules, the system user assigned to the identity is not used for the log in. The system user which is configured using the user interface special configuration data is taken instead.

TIP: For system users used for dynamic authentication modules, enable the Disabled for direct login option. This prevents direct login to One Identity Manager tools with these system users.

To specify configuration data

  1. In the Designer, select the Base data > Security settings > Programs category.

  2. Select the application and adjust the Configuration data.

Use XML syntax for entering the configuration data:

<DialogUserDetect>

<Usermappings>

<Usermapping

DialogUser = "System user name"

Selection = "Selection criterion"

/>

<Usermapping

DialogUser = "System user name"

/>

...

</Usermappings>

</DialogUserDetect>

Enter the system user (DialogUser) in the Usermappings section. Specify which identity the given system user should use with the selection criterion (Selection). You are not obliged to enter a selection criterion for the assignment. The first system user that has the required assignment is used for the log in.

You can assign function groups to permissions groups on order to deal with complex permissions and user interface structures. The function groups allow you to map the functions an identity has in the company, for example, IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups and several function groups can refer to one permissions group.

If the FunctionGroupMapping section is in the configuration data, this is evaluated first and the system user that is found is used. The authentication module uses the system user that is the exact member of the permissions group found for the login. If none is found, the Usermapping section is evaluated.

<DialogUserDetect>

<FunctionGroupMapping

PersonToFunction = "View mapping identity to function group"

FunctionToGroup = "View mapping function group to permissions group"

/>

<Usermappings>

<Usermapping

DialogUser = "System user name"

Selection = "Selection criterion"

/>

...

</Usermappings>

</DialogUserDetect>

Related topics

Example of a simple system user assignment

All identities should be able to see the user interface for an IT Shop in a web front-end, without taking table and column permissions into account.

To do this, set up a new application, for example WebShop_Customer_Prd, and adapt the configuration data as follows:

<DialogUserDetect>

<Usermappings>

<Usermapping

DialogUser = "dlg_all"

/>

</Usermappings>

</DialogUserDetect>

Create a new WebShop_Customer_Grp permissions group, which receives the user interface for the application comprising the menu items, interface forms and task definitions. The user interface could consist of the following menu items:

  • Employee contact data

  • Requesting a product

  • Unsubscribing a product

Define a new dlg_all system user and include it in the vi_DE-CentralPwd, the vi_DE-ITShopOrder, and the WebShop_Customer_Grp permissions groups.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating