One Identity Manager uses different authentication modules for logging in to administration tools. Authentication modules identify the system users to be used and load the user interface and database resource editing permissions depending on their permission group memberships.
-
The permissions assigned to the system user are found from the permissions groups for logging into One Identity Manager tools with an authentication module that expects a defined system user.
-
Dynamic system users are used for logging into One Identity Manager tools with role-based authentication modules. First, the identity memberships in the One Identity Manager application roles are determined during login. Assignments of permissions groups to One Identity Manager application roles are used to determine which permissions groups apply to the identity. A dynamic system user is determined from these permissions groups that will be used for the identity’s login.
Before you can use an authentication module for logging on, the following prerequisites must be fulfilled:
-
The authentication module must be enabled.
-
The authentication module must be assigned to the application.
-
The assignment of the authentication module to the application must be enabled.
This allows you to log in to the assigned application using this authentication module. Ensure that users found through the authentication module also have the required program function to use the program.
NOTE: After the initial schema installation, only the System user and Component authenticator authentication modules and the role-based authentication modules are enabled in One Identity Manager.
Use non role-based authentication modules to log in to the Designer. Role-based authentication modules for logging in to the Designer are not supported.
NOTE: Authentication modules are defined in the One Identity Manager modules and are not available until the modules are installed.
NOTE: This authentication module is available if the Configuration Module is installed.
|
Credentials |
The system user's identifier and password. |
|
Prerequisites |
- The system user with permissions exists in the database.
|
|
Set as default |
Yes |
|
Single sign-on |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
No |
|
Remarks |
The user interface and the permissions are loaded through the system user.
Data modifications are attributed to the system user. |
IMPORTANT: The viadmin system user is available by default. The system user has the predefined user interface and access permissions to database resources. You must not use or change the user interface and the permissions structure of the system user in live systems because this system user is overwritten with each schema update as it is from a system user template.
TIP: Create your own system user with the appropriate permissions. This can be done on initial installation of the One Identity Manager database. This system user can compile an initial One Identity Manager database and can be used to log into the administration tools for the first time.
NOTE: This authentication module is available if the Identity Management Base Module is installed.
|
Credentials |
The authentication module uses the login data of the user currently logged in on the workstation. |
|
Prerequisites |
-
The identity exists in the database.
-
The identity is assigned at least one application role.
-
The user account exists in the database and the identity is entered in the user account's main data. |
|
Set as default |
No |
|
Single sign-on |
Yes |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
One Identity Manager searches for the user account according to the configuration and finds the identity assigned to the user account.
If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.
-
If this configuration parameter is set, the identity’s main identity is used for authentication.
-
If this configuration parameter is not set, the identity’s subidentity is used for authentication.
NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.
A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user.
Changes to the data are assigned to the logged in identity. |
Modify the following configuration parameters in the Designer to implement the authentication module.
Table 28: Configuration parameters for the authentication module
|
QER | Person | GenericAuthenticator |
Specifies whether authentication through single sign-on is supported. |
|
QER | Person | GenericAuthenticator | SearchTable |
Table in the One Identity Manager schema which stores the user information. The table must contain a foreign key with the name UIDPerson (or CCC_UID_Person) that references the Person table.
Example: ADSAccount |
|
QER | Person | GenericAuthenticator | SearchColumn |
Column from the One Identity Manager table (SearchTable) that is used to search for user name of the current user.
Example: CN |
|
QER | Person | GenericAuthenticator | EnabledBy |
Pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) enabled by the user account for the login. |
|
QER | Person | GenericAuthenticator | DisabledBy |
Pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable) disabled by the user account for the login.
Example: AccountDisabled |
NOTE: This authentication module is available if the Identity Management Base Module is installed.
|
Credentials |
Identity's central user account and password. |
|
Prerequisites |
-
The system user with permissions exists in the database.
-
The identity exists in the database.
-
The central user account is entered in the identity main data.
-
The system user is entered in the identity's main data.
-
The system user password is entered in the identity main data. |
|
Set as default |
Yes |
|
Single sign-on |
No |
|
Front-end login allowed |
Yes |
|
Web Portal login allowed |
Yes |
|
Remarks |
If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.
-
If this configuration parameter is set, the identity’s main identity is used for authentication.
-
If this configuration parameter is not set, the identity’s subidentity is used for authentication.
NOTE: Identities that are classified as a security risk are no longer be able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.
The user interface and permissions are loaded through the system user that is directly assigned to the logged in identity.
Changes to the data are assigned to the logged in identity. |
