Chat now with support
Chat with Support

Identity Manager 9.2 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program functions One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable Secure Token Server Preventing blind SQL injection Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Installing One Identity Redistributable Secure Token Server

You can install multiple instances of the Redistributable Secure Token Server on one server.

To install the Redistributable Secure Token Server

  1. Launch autorun.exe from the root directory of the One Identity Manager installation medium.

  2. Switch to the Other Products tab

  3. Select One Identity Redistributable STS and click Install.

  4. On the start page of the installation wizard, click Next.

  5. On the Remove STS page, you can uninstall an existing STS service or install another instance of the Redistributable STS.

    NOTE: This page is only shown if you have already installed an STS service.

    • Select Install a new instance of Secure Token Server to install another instance and click Next.

  6. On the Select database page, select the One Identity Manager database connection. Select a user who has a minimum of administrative permissions for the database.

    • To use an existing connection to the One Identity Manager database, select it in the Select a database connection menu.

      - OR -

    • To create a new connection to the One Identity Manager database, click Add new connection and enter a new connection.

  7. On the Installation settings page, enter the required information.

    • Installation folder: Select the directory where you want to install the STS.

    • Signature certificate: This certificate is used to sign authentication responses.

    • SSL certificate: This certificate is user for encrypting the SSL transport. If an SSL website is already setup, the SSL configuration of the IIS is used.

      NOTE: The Redistributable STS Demo (for test purposes only) certificate can be used only for test purposes.

    • URL: Specify the URL for reaching the STS.

    • Client ID: Enter the client ID.

    • Configuration password and Confirm password: Enter the password that you want to use later to access the STS configuration via the RSTS administration interface.

    • User account: The STS service runs under the user account given here. A domain account must be used to support Kerberos authentication. Ensure that the user account has the user permissions required to login as a service. Enter the user name and password.

  8. On the Identity provider page, configure the RSTS to be the identity provider for One Identity Manager.

    • Identity provider name: Enter the name of the identity provider.

    • Create a default OAuth 2.0/OpenID Connect application: Specify whether to create and configure the identity provider in One Identity Manager. Enable this option to create an OAuth 2.0/OpenID Connect configuration.

  9. On the Installation page you can see the installation progress. When the installation has finished, click Next.

  10. Click Finish to close the installation wizard.

NOTE: In a default installation, the service is entered in the server’s services manager with the name Redistributable Secure Token Server. Further instances of the service are entered in the server's services manager with a sequential number, for example Redistributable Secure Token Server1, Redistributable Secure Token Server2.

Related topics

Installing and uninstalling the One Identity Redistributable Secure Token Server

If you have multiple instances of a service installed, you can select the instance that you want to uninstall. To update the RSTS, uninstall the current service and the reinstall it again.

To uninstall the Redistributable Secure Token Server

  1. Launch autorun.exe from the root directory of the One Identity Manager installation medium.

  2. Switch to the Other products tab

  3. Select One Identity Redistributable STS and click Install.

  4. On the start page of the installation wizard, click Next.

  5. On the Remove STS page, select the instance that you want to uninstall and click Next.

  6. On the Installation page you can see the uninstall in progress. When the uninstall has finished, click Next.

  7. Click Finish to close the installation wizard.

Related topics

Preventing blind SQL injection

Due to security issues, you cannot run any database queries directly from the user interface or from web applications. Specific SQL operators undergo a risk assessment that prevents them from being used by One Identity Manager components. This includes operators such as LIKE, NOT LIKE, <, <=, >, or >=.

In order to continue using certain functions in One Identity Manager components, users require the Common_AllowRiskyWhereClauses program function.

Users who do not have this program function can only run database queries that are classified as trusted or pose no risk (risk index = 0.0). Some of the functions in One Identity Manager components, such as testing dynamic roles or running filter queries, are not possible without this function.

If you want to allow certain users to run security-critical queries, you can assign permissions to users through permission groups.

  • The QBM_Critical_WhereClause permissions group is provided for non role-based login. This group owns the program function. Add the system users who are allowed to run security-critical queries to the permissions group. Administrative system users automatically obtain these permissions groups.

  • The QER_4_Critical_WhereClause permissions group is provided for non role-based login. This group owns the program function. The permissions group is linked to the Base roles | security-critical queries application role. Add the identities who are allowed to run security-critical queries in the application role.

Using configuration parameters, you can also control the risk assessment of running the SQL statements.

NOTE: The configuration parameters are effective only for users who have the Common_AllowRiskyWhereClauses program function.

  • Use the QBM | SQLCheck | RiskEvaluation configuration parameter to define the risk assessment of running the SQL statements. Permitted values are:

    • Low: SQL statements with some risk are allowed.

    • Medium: The risk of SQL statements is assessed at a mitigated level. Thus, the threshold for blocking the user is reached later and more queries are possible.

    • Strict: The risk of SQL statements is assessed in full. However, the user is not blocked until a certain threshold is reached.

    If the configuration parameter is not set, the risk assessment is performed with the value Strict.

  • Use the QBM | SQLCheck | SubSelect configuration parameter to specify how SQL statements with sub-queries are assessed. If the configuration parameter is set, then places where SQL statements with sub-queries are found are classified as higher risk.

Notes for customizations
  • As an example, database queries that are required on customized forms or database queries that are run over the application server API, must be formulated as predefined database queries in One Identity Manager. Database queries are always run with the permissions of the current user. For more information about using predefined database queries, see the One Identity Manager Configuration Guide.

  • You will find examples on the installation medium in the QBM\dvd\AddOn\ApiSamples directory.

  • For the alphabetical display of objects such as identities or company structures, you can use the QERVFirstUnicodeChar table in customized menus.

Program functions for starting the One Identity Manager tools

The One Identity Manager tools can only be started if the user has the relevant program function permissions. The following program functions allow the One Identity Manager tools to be started.

To make the program function available to users

  • In the Designer under the Permissions > Program functions category, check which permissions group contains the required program function and assign the program functions to other permissions groups as necessary.

  • For non role-based login: Add the system user to the permissions group in the Designer under Permissions > System users.

  • For role-based logins: Ensure that the user is assigned to the application role that owns the program function through its permissions group.

Table 41: Program functions for starting the One Identity Manager tools

Program function

Description

ApplicationStart_Analyzer

Allows the program Analyzer (Analyzer.exe) to be started.

ApplicationStart_ConfigWizard

Allows the program Configuration Wizard (ConfigWizard.exe) to be started.

ApplicationStart_CryptoConfig

Allows the program Crypto Configuration (CryptoConfig.exe) to be started.

ApplicationStart_DataImporter

Allows the program Data Import (DataImporter.exe) to be started.

ApplicationStart_DBClone

Allows the program (DBClone.exe) to be started.

ApplicationStart_DBComparer

Allows the program (DBComparer.exe) to be started.

ApplicationStart_DBCompiler

Allows the program Database Compiler (DBCompiler.exe) to be started.

ApplicationStart_Designer

Allows the program Designer (Designer.exe) to be started.

ApplicationStart_JobQueueInfo

Allows the program Job Queue Info (JobQueueInfo.exe) to be started.

ApplicationStart_LaunchPad

Allows the program Launchpad (LaunchPad.exe) to be started.

ApplicationStart_LicenseMeter

Allows the program License Meter (LicenseMeter.exe) to be started.

ApplicationStart_Manager

Allows the program Manager (Manager.exe) to be started.

ApplicationStart_ObjectBrowser

Allows the program Object Browser (ObjectBrowser.exe) to be started.

ApplicationStart_OpSupport

Enables start-up of the Operations Support Web Portal.

ApplicationStart_ReportEdit

Allows the program Report Editor (ReportEdit2.exe) to be started.

ApplicationStart_SchemaExtension

Allows the program Schema Extension (SchemaExtension.exe) to be started.

ApplicationStart_ServerInstaller

Allows the program Server Installer (ServerInstaller.exe) to be started.

ApplicationStart_SoftwareLoader

Allows the program Software Loader (SoftwareLoader.exe) to be started.

ApplicationStart_SynchronizationEditor

Allows the program Synchronization Editor (SynchronizationEditor.exe) to be started.

ApplicationStart_SystemDebugger

Allows the program System Debugging (SystemDebugger.exe) to be started.

ApplicationStart_Transporter

Allows the program Database Transporter (Transporter.exe) to be started.

ApplicationStart_WebDesignerCompiler

Allows the program (VI.WebDesigner.CompilerCmd.exe) to be started.

ApplicationStart_WebConfig

Allows the program Web Designer Configuration Editor (WebConfigEditor.exe) to be started.

ApplicationStart_WebDesigner

Allows the program Web Designer (WebDesigner.exe) to be started.

ApplicationStart_WebDesignerInstall

Allows the program Web Installer (WebDesigner.Installer.exe) to be started.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating