
Identity Manager 9.2 - Authorization and Authentication Guide


Authenticating external applications on the API Server using OAuth 2.0/OpenID Connect

To access the REST API of the API Server from external applications, authentication is supported through the OAuth 2.0/OpenID Connect and OAuth 2.0/OpenID Connect (role-based) authentication modules. Ensure that authentication for the REST API is set up through OAuth 2.0/OpenID Connect.

To authenticate an external application using OAuth 2.0/OpenID Connect in One Identity Manager

  1. Log in to the external identity provider, for example with Redistributable STS (RSTS), and get the access token.

  2. Ensure that the token is passed as the bearer token in the HTTP Authorization header of all requests.

NOTE: Even when logging in with a bearer token, the session is tracked by a session cookie. Clients accessing the REST API with the bearer token must therefore keep the cookie assigned during the first access and send it with all subsequent accesses. Otherwise, a new session is established for every access, which is expensive in server resources.
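The following added example (not code from the One Identity Manager documentation or product) shows the client behavior the note describes and what happens when it is ignored. Because it has to run offline, it uses a small stand-in HTTP server that mimics the relevant part of an API Server: it accepts a bearer token, creates a server-side session on first contact and hands out a session cookie. The token value, the cookie name (imx-session) and the request path are constructed for the demo; a real access token comes from the identity provider (for example RSTS). The client side uses only the standard library: a cookie jar attached to the urllib opener keeps the session cookie across calls, while a client without a cookie jar forces the server to create a new session per request.

```python
import http.cookiejar
import json
import threading
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from itertools import count

# Constructed demo token; in practice this is the access token obtained from the identity provider.
VALID_TOKEN = "demo-access-token"
SESSION_COOKIE = "imx-session"  # constructed cookie name for the demo server


class FakeApiServer(BaseHTTPRequestHandler):
    """Stand-in for an API Server endpoint: bearer token required, session tracked by cookie."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if auth != f"Bearer {VALID_TOKEN}":
            # Missing or wrong bearer token: reject before any session work is done.
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return

        # Look for an existing session cookie; if absent or unknown, create a new session.
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
        new_session = sid not in self.server.sessions
        if new_session:
            sid = str(next(self.server.next_id))
            self.server.sessions[sid] = "external-app"  # session state lives server-side

        body = json.dumps({"session": sid, "new_session": new_session}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        if new_session:
            # Hand the session cookie to the client on first contact only.
            self.send_header("Set-Cookie", f"{SESSION_COOKIE}={sid}; HttpOnly; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def call_api(opener, url, token):
    """One REST call with the bearer token in the Authorization header."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with opener.open(req) as resp:
        return json.loads(resp.read())


def run_demo(keep_cookie, calls=3):
    """Make `calls` requests and return how many server sessions were created."""
    server = HTTPServer(("127.0.0.1", 0), FakeApiServer)
    server.sessions = {}
    server.next_id = count(1)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/demo"  # constructed path
    try:
        if keep_cookie:
            # Correct client: one opener with a cookie jar, so the session cookie
            # received on the first call is sent with every later call.
            jar = http.cookiejar.CookieJar()
            opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
            for _ in range(calls):
                call_api(opener, url, VALID_TOKEN)
        else:
            # Careless client: drops the cookie each time, so every call starts a new session.
            for _ in range(calls):
                call_api(urllib.request.build_opener(), url, VALID_TOKEN)
        return len(server.sessions)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("sessions with cookie kept:", run_demo(keep_cookie=True))
    print("sessions with cookie dropped:", run_demo(keep_cookie=False))
```

Running the block shows one session for the client that keeps the cookie and one session per request for the client that does not; that per-request cost is what the note warns about. The same pattern applies to any HTTP client library: reuse one session object (or cookie store) for all calls made with a given bearer token.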

Multi-factor authentication in One Identity Manager

One Identity Defender can be used for multi-factor authentication on One Identity Manager tools and the Web Portal. For more information, see Multi-factor authentication with One Identity Defender.

You can set up multi-factor authentication with OneLogin for attestations and request approvals. For more information, see Multi-factor authentication with OneLogin.

Multi-factor authentication with OneLogin

You can set up multi-factor authentication with OneLogin for specific security-critical actions in One Identity Manager, for example, for attestation or when approving requests in the Web Portal. Each identity that wants to use this functionality must be linked to a OneLogin user account.

Prerequisite

In OneLogin:

  • At least one authentication method is configured on all user accounts that are going to use multi-factor authentication.

In One Identity Manager:

  • The OneLogin Module is installed.

To use multi-factor authentication for attestations or requests

  1. Set up synchronization with a OneLogin domain and start the synchronization.

  2. Link identities to their OneLogin user accounts.

  3. Configure the API Server and the Web Portal for using OneLogin multi-factor authentication.

  4. Set up multi-factor authentication for attestations and requests in the IT Shop.

For more information, see the following guides:

  Theme                                                           | Guide
  ----------------------------------------------------------------|---------------------------------------------------------------------------------------
  Set up and start synchronization of a OneLogin domain           | One Identity Manager Administration Guide for Integration with OneLogin Cloud Directory
  Multi-factor authentication configuration in the web application | One Identity Manager Web Application Configuration Guide
  Preparing the IT Shop for multi-factor authentication           | One Identity Manager IT Shop Administration Guide
  Setting up multi-factor authentication for attestation          | One Identity Manager Attestation Administration Guide
  Requesting products requiring multi-factor authentication       | One Identity Manager Web Portal User Guide
  Approving requests with multi-factor authentication             | One Identity Manager Web Portal User Guide
  Attestation with multi-factor authentication                    | One Identity Manager Web Portal User Guide

Multi-factor authentication with One Identity Defender

One Identity Defender can be used for multi-factor authentication on One Identity Manager tools and the Web Portal. A Redistributable STS (RSTS) is set up to provide Active Directory authentication over a RADIUS server.

Prerequisite

  • One Identity Defender is installed and set up.

To set up multi-factor authentication using Defender

  1. Install the RSTS.

    In the Installation Wizard on the Installation Settings page, enter the signing certificate, URL, and configuration password for the RSTS administration interface. For test or demonstration environments, you can use the Redistributable STS Demo signing certificate.

  2. Configure the RSTS.

  3. Set up the OAuth 2.0/OpenID Connect configuration.

    In doing so, you create a new identity provider. You will need this identity provider for configuring authentication with OAuth 2.0/OpenID Connect.

  4. Configure authentication with OAuth 2.0/OpenID Connect for the Web Portal.

  5. Configure authentication with OAuth 2.0/OpenID Connect for the One Identity Manager administration tools.

  6. Test the access to the Web Portal.

    • After entering the URL of the Web Portal in your web browser, you should be redirected to the RSTS login page.

    • After logging in with user name and password, you are prompted to enter your Defender Token.

    If both authentications were successful, you can work with the Web Portal.

  7. Test access to the One Identity Manager administration tools.

    • Start an administration tool, for example, the Launchpad, and select the OAuth 2.0/OpenID Connect authentication method.

    • After logging in with user name and password, you are prompted to enter your Defender Token.

    If both authentications were successful, you can work with the administration tool.
