Authentication module properties
The following properties are displayed for authentication modules.
Table 33: Authentication module properties

Property | Description
--- | ---
Enabled | Specifies whether the authentication module can be used.
Display name | Name under which the authentication module is displayed in the connection dialog of the administration tools.
Authentication module | Internal name of the authentication module.
Authentication type | Authentication module type. You can choose from Dynamic and Role based.
Processing status | The processing status is used for creating custom configuration packages.
Initial data | Initial data for logging in with this authentication module. Syntax: property1=value1;property2=value2. Example: User=<user name>;Password=<password>
Class | Authentication module class.
Assembly name | Name of the assembly file.
Sort order | Specifies the order in which the modules are displayed in the login window.
Single sign-on | Specifies whether the authentication module may be used to authenticate without a password.
Select in front-end | Specifies whether the authentication module can be selected in the login window.
Initial data for authentication modules
Authentication data is made up of the authentication module and its parameters with their values. You can specify initial data for the parameters and their values. By default, this initial data is preset for each authentication process.
Syntax for authentication data:
Module=<authentication module>;<property1>=<value1>;<property2>=<value2>;…
Example:
Module=DialogUser;User=<user name>;Password=<password>
To set initial data for authentication modules
- In the Designer, select the Base data > Security settings > Authentication modules category.
- Select the authentication module and enter the data in Initial data.
  Syntax:
  property1=value1;property2=value2
  Example:
  User=<user name>;Password=<password>
Table 34: Authentication data for authentication modules

Authentication module | Display name | Parameters
--- | --- | ---
DialogUser | System users | User: User name; Password: The user's password.
ADSAccount | Active Directory user account | No parameters required.
DynamicADSAccount | Active Directory user account (dynamic) | Product: Usage. The system user is determined through the use case configuration data.
DynamicManualADS | Active Directory user account (manual input) | Product: Usage. The system user is determined through the use case configuration data; User: User name. The user's identity is determined from a predefined list of permitted Active Directory domains, which you enter in the TargetSystem \| ADS \| AuthenticationDomains configuration parameter; Password: The user's password.
RoleBasedADSAccount | Active Directory user account (role-based) | No parameters required.
RoleBasedManualADS | Active Directory user account (manual input/role-based) | User: User name. The user's identity is determined from a predefined list of permitted Active Directory domains, which you enter in the TargetSystem \| ADS \| AuthenticationDomains configuration parameter; Password: The user's password.
Employee | Identity | User: Identity's central user account; Password: The user's password.
DynamicPerson | Identity (dynamic) | Product: Usage. The system user is determined through the use case configuration data; User: User name; Password: The user's password.
RoleBasedPerson | Identity (role-based) | User: User name; Password: The user's password.
HTTPHeader | HTTP header | Header: The HTTP header to use; KeyColumn: Comma-delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber.
RoleBasedHTTPHeader | HTTP header (role-based) | Header: The HTTP header to use; KeyColumn: Comma-delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber.
DynamicLdap | LDAP user account (dynamic) | User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP; Password: The user's password.
RoleBasedLdap | LDAP user account (role-based) | User: User name. Default: CN, DistinguishedName, UserID, UIDLDAP; Password: The user's password.
RoleBasedGeneric | Generic single sign-on (role-based) | SearchTable: Table in which to search for the user name of the logged-in user. This table must contain a foreign key named UID_Person that points to the Person table; SearchColumn: Column of the SearchTable in which to search for the user name of the logged-in user; DisabledBy: Pipe (\|) delimited list of Boolean columns that block a user account from logging in; EnabledBy: Pipe (\|) delimited list of Boolean columns that release a user account for logging in.
OAuth | OAuth 2.0/OpenID Connect | Dependent on the authentication method of the secure token service.
OAuthRoleBased | OAuth 2.0/OpenID Connect (role-based) | Dependent on the authentication method of the secure token service.
DialogUserAccountBased | Account based system user | No parameters required.
QERAccount | User account | No parameters required.
RoleBasedQERAccount | User account (role-based) | No parameters required.
RoleBasedManualQERAccount | User account (manual input/role-based) | User: User name. The user's identity is determined from a predefined list of permitted Active Directory domains, which you enter in the TargetSystem \| ADS \| AuthenticationDomains configuration parameter; Password: The user's password.
PasswordReset | Password reset | No parameters required.
RoleBasedPasswordReset | Password reset (role-based) | No parameters required.
DecentralizedId | Decentralized identity | Email: Default email address of the identity (Person.DefaultEmailAddress) or contact email address of the identity (Person.ContactEmail); Identifier: Decentralized identifier of the identity (Person.DecentralizedIdentifier).
RoleBasedDecentralizedId | Decentralized identity (role-based) | Email: Default email address of the identity (Person.DefaultEmailAddress) or contact email address of the identity (Person.ContactEmail); Identifier: Decentralized identifier of the identity (Person.DecentralizedIdentifier).
Token | | Internal authentication module in the application server for authentication using OAuth 2.0/OpenID Connect access tokens. For more information, see Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API. URL: URL of the application server; ClientId: ID of the application on the identity provider; ClientSecret: Secret value for authentication at the token endpoint; TokenEndpoint: Uniform Resource Identifier (URI) of the token endpoint of the authorization server that returns the access token to the client for logging in.
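The following Python is an added example, not One Identity Manager code: it parses the Module=...;key=value authentication data syntax described above and checks the keys against the parameters listed in Table 34. The KNOWN_PARAMS summary, the assumption that parameter names are matched exactly as written, and the check that stored initial data keeps the <password> placeholder rather than a real password are this example's own.

```python
"""Parse and sanity-check authentication data of the form Module=X;key=value;...

Added example, not One Identity Manager code. KNOWN_PARAMS summarises the
parameters listed in the table above (exact, case-sensitive names assumed);
the OAuth modules are omitted because their parameters depend on the STS.
"""
USER_PW = {"User", "Password"}
KNOWN_PARAMS = {
    "DialogUser": USER_PW, "Employee": USER_PW, "RoleBasedPerson": USER_PW,
    "RoleBasedManualADS": USER_PW, "DynamicLdap": USER_PW, "RoleBasedLdap": USER_PW,
    "RoleBasedManualQERAccount": USER_PW, "DynamicADSAccount": {"Product"},
    "DynamicManualADS": USER_PW | {"Product"}, "DynamicPerson": USER_PW | {"Product"},
    "HTTPHeader": {"Header", "KeyColumn"}, "RoleBasedHTTPHeader": {"Header", "KeyColumn"},
    "RoleBasedGeneric": {"SearchTable", "SearchColumn", "DisabledBy", "EnabledBy"},
    "DecentralizedId": {"Email", "Identifier"}, "RoleBasedDecentralizedId": {"Email", "Identifier"},
    "Token": {"URL", "ClientId", "ClientSecret", "TokenEndpoint"},
}
# Modules the table lists with "No parameters required".
for _m in ("ADSAccount", "RoleBasedADSAccount", "DialogUserAccountBased", "QERAccount",
           "RoleBasedQERAccount", "PasswordReset", "RoleBasedPasswordReset"):
    KNOWN_PARAMS[_m] = set()


def parse_auth_data(data: str) -> dict:
    """Split the string at ';' into a dict; a value may itself contain '='."""
    params = {}
    for item in data.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';'
        if "=" not in item:
            raise ValueError(f"expected key=value, got {item!r}")
        key, value = item.split("=", 1)
        params[key.strip()] = value.strip()
    if "Module" not in params:
        raise ValueError("authentication data must name the module: Module=<name>")
    return params


def check_auth_data(data: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    params = parse_auth_data(data)
    module = params["Module"]
    if module not in KNOWN_PARAMS:
        return [f"unknown or STS-dependent module {module!r}"]
    findings = [f"{module}: parameter {k} is not listed for this module"
                for k in params if k != "Module" and k not in KNOWN_PARAMS[module]]
    # Stored initial data should keep the <password> placeholder, never a real password.
    pw = params.get("Password", "")
    if pw and pw != "<password>":
        findings.append(f"{module}: initial data carries a literal password")
    return findings
```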
Configuration data for system user dynamic authentication
In the case of dynamic authentication modules, the system user assigned to the identity is not used for the login. Instead, the system user configured in the application's special configuration data is used.
TIP: For system users used for dynamic authentication modules, enable the Disabled for direct login option. This prevents direct login to One Identity Manager tools with these system users.
To specify configuration data
- In the Designer, select the Base data > Security settings > Programs category.
- Select the application and adjust the Configuration data.
Use XML syntax for entering the configuration data:
<DialogUserDetect>
  <Usermappings>
    <Usermapping
      DialogUser="System user name"
      Selection="Selection criterion"
    />
    <Usermapping
      DialogUser="System user name"
    />
    ...
  </Usermappings>
</DialogUserDetect>
Enter the system user (DialogUser) in the Usermappings section. Use the selection criterion (Selection) to specify for which identities the given system user is used. A selection criterion is not mandatory. The first system user that has the required assignment is used for the login.
To deal with complex permissions and user interface structures, you can assign function groups to permissions groups. Function groups map the functions an identity has in the company, for example IT controller or branch manager. A function group can refer to several permissions groups, and several function groups can refer to one permissions group.
If the configuration data contains a FunctionGroupMapping section, it is evaluated first and the system user it yields is used: the authentication module logs in with the system user that is the exact member of the permissions group found. Only if none is found is the Usermappings section evaluated.
<DialogUserDetect>
  <FunctionGroupMapping
    PersonToFunction="View mapping identity to function group"
    FunctionToGroup="View mapping function group to permissions group"
  />
  <Usermappings>
    <Usermapping
      DialogUser="System user name"
      Selection="Selection criterion"
    />
    ...
  </Usermappings>
</DialogUserDetect>
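As an added example (not One Identity Manager code), the following Python applies the evaluation order described above to a constructed DialogUserDetect configuration: FunctionGroupMapping first, then the Usermapping entries in order. It assumes a Selection criterion of the form Column=Value tested against the identity's attributes, passes the two views in as lists of pairs, and models "exact member" as a dictionary from permissions group to system user; the view and system user names are invented.

```python
"""Resolve the system user for a dynamic login from DialogUserDetect XML.

Added example, not One Identity Manager code. It applies the order the text
describes: FunctionGroupMapping first, then the first Usermapping whose
Selection matches, then a Usermapping without Selection. Assumptions: a
Selection is a Column=Value test on the identity's attributes, the two views
are passed in as lists of pairs, and each permissions group has at most one
system user that is exactly its member.
"""
import xml.etree.ElementTree as ET

# Constructed configuration data in the syntax shown above.
CONFIG_XML = """
<DialogUserDetect>
  <FunctionGroupMapping PersonToFunction="vw_PersonToFunction"
                        FunctionToGroup="vw_FunctionToGroup" />
  <Usermappings>
    <Usermapping DialogUser="dlg_controller" Selection="Department=Controlling" />
    <Usermapping DialogUser="dlg_all" />
  </Usermappings>
</DialogUserDetect>
"""


def selection_matches(selection: str, identity: dict) -> bool:
    column, _, value = selection.partition("=")
    return identity.get(column.strip()) == value.strip()


def resolve_system_user(config_xml: str, identity: dict, views: dict, group_members: dict):
    """identity: attributes incl. UID_Person; views: {view name: [(left, right), ...]};
    group_members: {permissions group: system user that is exactly its member}."""
    root = ET.fromstring(config_xml)
    fgm = root.find("FunctionGroupMapping")
    if fgm is not None:
        # identity -> function groups -> permissions groups -> exact system user member
        functions = {f for p, f in views.get(fgm.get("PersonToFunction"), ())
                     if p == identity["UID_Person"]}
        for f, g in views.get(fgm.get("FunctionToGroup"), ()):
            if f in functions and g in group_members:
                return group_members[g]
    for um in root.iter("Usermapping"):  # document order: first match wins
        selection = um.get("Selection")
        if selection is None or selection_matches(selection, identity):
            return um.get("DialogUser")
    return None  # no mapping applies; the login gets no system user
```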
Example of a simple system user assignment
All identities should be able to see the user interface for an IT Shop in a web front-end, without taking table and column permissions into account.
To do this, set up a new application, for example WebShop_Customer_Prd, and adapt the configuration data as follows:
<DialogUserDetect>
  <Usermappings>
  </Usermappings>
</DialogUserDetect>
Create a new WebShop_Customer_Grp permissions group, which receives the user interface for the application comprising the menu items, interface forms and task definitions. The user interface could consist of the following menu items:
- Employee contact data
- Requesting a product
- Unsubscribing a product
Define a new dlg_all system user and include it in the vi_DE-CentralPwd, the vi_DE-ITShopOrder, and the WebShop_Customer_Grp permissions groups.