Identity Manager 9.2 - Web Designer Web Application Configuration Guide

WebAuthn security keys

One Identity offers users the option to log in, simply and securely, to One Identity Manager web applications with help of (physical) security keys. These security keys support the W3C standard WebAuthn.

Use of security keys guarantees increased security when logging in.

Advice
  • In the Manager, identity administrators have the option to view all of an identity's security keys and to delete them. For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  • The WebAuthn standard is NOT supported in Internet Explorer. Users must use another browser.

WebAuthn configuration

To configure WebAuthn for a web application, carry out these four steps:

  1. Configure the OAuth certificate to enable secure communication between RSTS and One Identity Manager.

  2. Configure the RSTS.

  3. Configure the application server.

  4. Configure the web application.

Step 1: Configuring an OAuth certificate

Communication between the RSTS (redistributable security token service) and One Identity Manager uses tokens that are signed with the private key of a certificate. This certificate must be valid and trusted because the RSTS also uses it for client certificate registration on the application server. One Identity recommends that you either use an existing public key infrastructure (PKI) or create a new certificate chain consisting of a root certificate and the associated OAuth signing certificate.

To configure the OAuth signing certificate

  1. Create a new, valid, and trusted, OAuth signing certificate.

  2. Ensure the following:

    • The RSTS must have access to the OAuth signing certificate with a private key.

    • The application server from which the RSTS requests the WebAuthn security keys must trust the certificate chain of the OAuth signing certificate.

    • The web application that allows login through the RSTS must have access to the OAuth signing certificate with a private key.

    • The web application used to manage the WebAuthn security keys must have access to the OAuth signing certificate with a private key.

Step 2: Configuring the RSTS

NOTE: Before you can configure the RSTS, you must configure the OAuth signing certificate. For more information, see Step 1: Configuring an OAuth certificate.

To configure WebAuthn on the RSTS

  1. Perform one of the following tasks:

    • If you are installing the RSTS: When you install the RSTS, select the previously created OAuth signing certificate so that the corresponding entry in the identity provider in One Identity Manager is set.

    • If the RSTS is already installed: Stop the relevant service, uninstall it and install the new version.

  2. In your web browser, call the URL of the RSTS administration interface: https://<web application>/RSTS/admin.

  3. On the start page, click Applications.

  4. On the Applications page, click Add Application.

  5. On the Edit page, complete the data on the various tabs.

    NOTE: The forwarding URLs (Redirect Url) on the General tab use the following formats:

    • For the API Server:

      https://<server name>/<application server path>/html/<web application>/?Module=OAuthRoleBased

    • For the Web Portal:

      https://<server name>/<web application>/

  6. Switch to the Two Factor Authentication tab.

  7. On the Two Factor Authentication tab, in the list in the Required by pane, click:

    • All Users: All users must log in with two-factor authentication.

    • Specific Users/Groups: Specific users must log in using two-factor authentication. You can add these by clicking Add.

    • Not Required: The application server decides which users must log in using two-factor authentication.

  8. In the navigation, click Home.

  9. On the home page, click Authentication providers.

  10. On the Authentication Providers page, edit the entry in the list.

  11. On the Edit page, switch to the Two Factor Authentication tab.

  12. In the Two Factor Authentication Settings pane, click FIDO2/WebAuthn.

  13. Edit the following input fields:

    • Relying Party Name: Enter any name.

    • Domain Suffix: Enter the suffix of your Active Directory domain that hosts the RSTS.

    • API URL Format: Enter the application server's URL. The given URL must contain a placeholder in {0} format that is replaced with a unique identifier for the user.

      The API URL Format is used by the RSTS to retrieve the list of WebAuthn security keys of a specified user. Enter the URL in the following format:

      https://<server name>/<application server path>/appServer/WebAuthn/<identity provider>/Users/{0}

      • <Server name> – fully qualified host name of the web server hosting the application server

      • <Application server path> – path to the web application of the application server (default: AppServer)

      • <Identity provider> – name of the identity provider

        TIP: You can find the name of the identity provider in the Designer:

        Basic data > Security settings > OAuth 2.0/OpenId Connect configuration


      Example:
      https://www.example.com/AppServer/appServer/webauthn/OneIdentity/Users/{0}

  14. Click Finish.
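The API URL Format and the two Redirect Url formats above are easy to mistype, and a wrong value only shows up as a failed login later. The following Python helper is an added example (not One Identity's code) that checks candidate values against exactly the formats documented in this section and shows the URL the RSTS would call for a given user identifier; the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit, parse_qs, quote

PLACEHOLDER = "{0}"  # the RSTS substitutes the user's unique identifier here


def check_api_url_format(fmt: str) -> list[str]:
    """Return the problems found in an 'API URL Format' value (an empty list means it
    matches https://<server name>/<app server path>/appServer/WebAuthn/<idp>/Users/{0})."""
    problems = []
    parts = urlsplit(fmt)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("server name is missing")
    if fmt.count(PLACEHOLDER) != 1:
        problems.append("exactly one {0} placeholder for the user identifier is required")
    segs = [s for s in parts.path.split("/") if s]
    # Tail must be appServer/WebAuthn/<identity provider>/Users/{0}; the documented
    # example writes "webauthn" in lower case, so segment names are compared case-insensitively.
    tail_ok = (len(segs) >= 5 and segs[-5].lower() == "appserver"
               and segs[-4].lower() == "webauthn" and segs[-2].lower() == "users"
               and segs[-1] == PLACEHOLDER)
    if not tail_ok:
        problems.append("path must end with appServer/WebAuthn/<identity provider>/Users/{0}")
    return problems


def expand_api_url(fmt: str, user_id: str) -> str:
    """Build the URL the RSTS would call for one user; the identifier is percent-encoded
    so characters such as '@' or '/' cannot change the path."""
    return fmt.replace(PLACEHOLDER, quote(user_id, safe=""))


def check_redirect_url(url: str, kind: str) -> list[str]:
    """Check a 'Redirect Url' against the format for the API Server or the Web Portal."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("redirect URL must start with https://<server name>/")
    if kind == "api_server":
        if "/html/" not in parts.path:
            problems.append("API Server redirect path must contain /html/<web application>/")
        if parse_qs(parts.query).get("Module") != ["OAuthRoleBased"]:
            problems.append("API Server redirect must end with ?Module=OAuthRoleBased")
    elif kind == "web_portal":
        if not parts.path.endswith("/") or parts.query:
            problems.append("Web Portal redirect must be https://<server name>/<web application>/")
    else:
        raise ValueError("kind must be 'api_server' or 'web_portal'")
    return problems
```

Run the checks against the values you intend to enter in the RSTS before clicking Finish; a non-empty list names the deviation from the documented format.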
