
Identity Manager 9.2 - Authorization and Authentication Guide


Specifying enabled and disabled columns for logging in

In the determination of the user account for the OAuth 2.0/OpenID Connect authentication, the system checks whether the user account is enabled or disabled. You define which columns can mark a user account as enabled or disabled.

Note:

  • Only the columns of the table that you selected in the OAuth 2.0/OpenID Connect configuration of the identity provider in the Column to search are displayed.

  • A column can either be used as an enabled or a disabled column.

  • You can specify just enabled columns or just disabled columns, or a combination of enabled and disabled columns.

Example:

A search column references the ADSAccount table.

Case a) Only enabled Active Directory user accounts are allowed to log in.

  • Select ADSAccount.AccountDisabled as the disabled column.

    If the ADSAccount.AccountDisabled column of the user account is set, login is not permitted.

Case b) Only privileged Active Directory user accounts are allowed to log in.

  • Select ADSAccount.IsPrivilegedAccount as the enabled column.

    If the ADSAccount.IsPrivilegedAccount column of the user account is set, login is permitted.

Case c) Only enabled, privileged Active Directory user accounts are allowed to log in.

  • Select ADSAccount.IsPrivilegedAccount as the enabled column and ADSAccount.AccountDisabled as the disabled column.

    If the ADSAccount.IsPrivilegedAccount column of the user account is set and the ADSAccount.AccountDisabled column of the user account is not set, login is permitted.
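The three cases above, worked through as an added illustration (this is not One Identity Manager code): a small evaluator that applies a set of enabled and disabled columns to a user account record from the search column table. The account records are constructed sample data; the rule that every configured enabled column must be set when several are configured is an assumption, since the page only shows one column per role.

```python
# Added illustration, not product code. Models the enabled/disabled column
# check for OAuth 2.0/OpenID Connect login: a set disabled column blocks login,
# and every configured enabled column must be set (assumption for multi-column
# configurations). Column names follow the page's ADSAccount examples.
from dataclasses import dataclass, field


@dataclass
class LoginColumnConfig:
    enabled_columns: list = field(default_factory=list)   # e.g. ["ADSAccount.IsPrivilegedAccount"]
    disabled_columns: list = field(default_factory=list)  # e.g. ["ADSAccount.AccountDisabled"]


def login_permitted(account: dict, cfg: LoginColumnConfig) -> tuple:
    """Return (permitted, reason) for one user account found via the search column."""
    # A column may play only one role (see the note above); reject contradictory configs.
    overlap = set(cfg.enabled_columns) & set(cfg.disabled_columns)
    if overlap:
        raise ValueError(f"column(s) configured as both enabled and disabled: {sorted(overlap)}")
    for col in cfg.disabled_columns:          # any set disabled column denies login
        if account.get(col):
            return False, f"{col} is set"
    for col in cfg.enabled_columns:           # every enabled column must be set
        if not account.get(col):
            return False, f"{col} is not set"
    return True, "all checks passed"


# Constructed sample accounts (not real data).
ACCOUNTS = {
    "active_standard":     {"ADSAccount.AccountDisabled": False, "ADSAccount.IsPrivilegedAccount": False},
    "active_privileged":   {"ADSAccount.AccountDisabled": False, "ADSAccount.IsPrivilegedAccount": True},
    "disabled_privileged": {"ADSAccount.AccountDisabled": True,  "ADSAccount.IsPrivilegedAccount": True},
}

# The three configurations from cases a), b) and c).
CASE_A = LoginColumnConfig(disabled_columns=["ADSAccount.AccountDisabled"])
CASE_B = LoginColumnConfig(enabled_columns=["ADSAccount.IsPrivilegedAccount"])
CASE_C = LoginColumnConfig(enabled_columns=["ADSAccount.IsPrivilegedAccount"],
                           disabled_columns=["ADSAccount.AccountDisabled"])

if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        for label, cfg in (("a", CASE_A), ("b", CASE_B), ("c", CASE_C)):
            print(f"{name:20s} case {label}: {login_permitted(acct, cfg)}")
```

Note that in case b) a disabled but privileged account is still permitted, because no disabled column is configured; that is why case c) combines both roles.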

To define which columns can enable a user account for login

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In the List Editor, select the configuration.

  3. In the edit view, select the Columns for enabling tab.

  4. In the Add assignment view, assign the columns that enable the user account for logon.

  5. Select Database > Commit to database and click Save.

To define which columns can disable a user account for login

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In the List Editor, select the configuration.

  3. Select the Columns for disabling tab in the edit view.

  4. In the Add assignment view, assign the columns that disable the user account for logon.

  5. Select Database > Commit to database and click Save.

Logging information about OAuth 2.0/OpenID Connect authentication

To support troubleshooting in OAuth 2.0/OpenID Connect authentication you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component.

To log authentication data

  • In the Designer, set the QBM | DebugMode | OAuth2 | LogPersonalInfoOnException configuration parameter.

Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API

The One Identity Manager REST API is an integral part of the application server. To use OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API, the OAuth 2.0/OpenID Connect and OAuth 2.0/OpenID Connect (role-based) authentication modules are supported.

Authentication is done using the access token provided. The first time a request is made with a new access token, a session is established with that token and the authentication module. Further accesses with the same token use the same session. The validity period of the token is checked in the process.

For more information about the One Identity Manager REST API, see One Identity Manager REST API Reference Guide.


Setting up OAuth 2.0/OpenID Connect authentication on the application server

NOTE: To access the REST API in the application server, users need the AppServer_API program function.

To set up authentication for the REST API using OAuth 2.0/OpenID Connect

  • In the Designer, set the QBM | AppServer | AccessTokenAuth configuration parameter.

  • In the Designer, set the respective authentication module either OAuth 2.0/OpenID Connect or OAuth 2.0/OpenID Connect (role-based).

  • If the OAuth 2.0/OpenID Connect (role-based) authentication module is used, set the QBM | AppServer | AccessTokenAuth | RoleBased configuration parameter as well.

  • In the Designer, create the OAuth 2.0/OpenID Connect configuration and assign the configuration to the web application for the application server.

  • The URL for the application server must be declared.

    When the application server is installed, an entry for the web application is created with the URL in the QBMWebApplication table. Check whether the URL (BaseURL column) is entered.
