NOTE: This authentication module is available if the Identity Management Base Module is installed.
The authentication module supports the authorization code flow for OAuth 2.0 and OpenID Connect. For more information about the authorization code flow, see, for example, the OAuth 2.0 Specification or the OpenID Connect Specification.
This authentication module uses a Secure Token Service for logging in. The login procedure can be used with any Secure Token Service that can return an OAuth 2.0 token.
| Property | Value |
| --- | --- |
| Credentials | Dependent on the authentication method of the secure token service. |
| Prerequisites | |
| Set as default | No |
| Single sign-on | No |
| Front-end login allowed | Yes |
| Web Portal login allowed | Yes |

Remarks:

One Identity Manager finds the identity assigned to the user account. If an identity has a main identity or several subidentities, the QER | Person | MasterIdentity | UseMasterForAuthentication configuration parameter controls which identity is used for authentication.

NOTE: Identities that are classified as a security risk are no longer able to log in to One Identity Manager. To allow login, set the QER | Person | AllowLoginWithSecurityIncident configuration parameter.

A dynamic system user is determined from the identity's application roles. The user interface and the permissions are loaded through this system user. Data modifications are attributed to the current user account. To do this, the claim type whose value is used for labeling data changes must be declared.
NOTE: If the authentication module cannot find a matching user for the claim value, it searches for the claim value in permitted system users' credentials (DialogUser.AuthentifierLogons). If an entry is found there, that system user is logged in, and the values from the respective claims are used to attribute data changes. If a matching user is found, the fallback is no longer used.
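The login resolution described in the remarks and the note above (main identity selection, the security-risk block, the dynamic system user from application roles, and the DialogUser.AuthentifierLogons fallback), written out as an added Python model; this is illustrative code, not One Identity Manager's own implementation. The claim values, identity names, role-to-system-user mapping and configuration values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    name: str
    app_roles: frozenset = frozenset()
    main_identity: Optional["Identity"] = None   # set on a subidentity
    security_incident: bool = False              # "classified as a security risk"

# Configuration parameters named on the page; the values here are assumptions.
USE_MASTER = "QER | Person | MasterIdentity | UseMasterForAuthentication"
ALLOW_INCIDENT = "QER | Person | AllowLoginWithSecurityIncident"
DEFAULT_CONFIG = {USE_MASTER: True, ALLOW_INCIDENT: False}

# Constructed sample data: claim value -> identity assigned to the matching user account.
USER_ACCOUNTS = {
    "alice@example.test": Identity("Alice (sub)", frozenset({"Auditor"}),
                                   main_identity=Identity("Alice (main)", frozenset({"Admin"}))),
    "bob@example.test": Identity("Bob", frozenset({"Auditor"}), security_incident=True),
}
# Application role -> dynamic system user (hypothetical mapping).
ROLE_TO_SYSTEM_USER = {"Admin": "SysUser_Admin", "Auditor": "SysUser_Audit"}
# Claim values stored in permitted system users' credentials (DialogUser.AuthentifierLogons).
AUTHENTIFIER_LOGONS = {"svc-monitor@example.test": "SysUser_Monitor"}

def resolve_login(claim_value, config=DEFAULT_CONFIG):
    """Return (system_user, identity_name) for a successful login, or None if
    login is refused. identity_name is None when the fallback system user is used."""
    identity = USER_ACCOUNTS.get(claim_value)
    if identity is None:
        # Fallback: no matching user, so search the claim value in permitted
        # system users' credentials and log that system user in.
        system_user = AUTHENTIFIER_LOGONS.get(claim_value)
        return (system_user, None) if system_user else None
    # A matching user was found: the fallback is no longer an option.
    if identity.main_identity is not None and config[USE_MASTER]:
        identity = identity.main_identity          # authenticate as the main identity
    if identity.security_incident and not config[ALLOW_INCIDENT]:
        return None                                # security risk blocks login
    # Dynamic system user from the identity's application roles
    # (assumption: the first mapped role in sorted order wins).
    for role in sorted(identity.app_roles):
        if role in ROLE_TO_SYSTEM_USER:
            return ROLE_TO_SYSTEM_USER[role], identity.name
    return None                                    # no role maps to a system user
```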