Identity Manager 8.2.1 - Authorization and Authentication Guide


Assigning OAuth 2.0/OpenID Connect configuration to web applications

To use the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules in One Identity Manager web applications, assign the OAuth2.0/OpenID Connect application to the web application.

To assign an OAuth2.0/OpenID Connect application to a web application

  1. In the Designer, select the Base data > Security settings > Web server configurations category.

  2. In List Editor, select the web application.

  3. In the Properties edit view, assign the application in the OAuth2.0/OpenID Connect application selection list.

  4. Select Database > Save to database and click Save.

TIP: For some web applications, for example the Web Portal, you can customize the OAuth2.0/OpenID Connect configuration in the configuration file (web.config). For more information about configuring the Web Portal, see the One Identity Manager Installation Guide.

Displaying the configuration of the identity provider and the OAuth 2.0/OpenID Connect applications

To display the configuration of an identity provider

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In List Editor, select the identity provider. The configuration data is displayed on the following tabs in the edit view.

    • General: Displays the general configuration data of the identity provider.

    • Certificate: Shows the information about the identity provider certificate.

    • Applications: Displays the configuration of the OAuth 2.0/OpenID Connect applications.

    • Columns for enabling: Displays the table and the columns that identify a user account as activated.

    • Columns for disabling: Displays the table and the columns that identify a user account as deactivated.

To display the configuration of an OAuth 2.0/OpenID Connect application

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In List Editor, select the identity provider.

  3. In the edit view, select the Applications tab.

  4. To display the configuration of an application, select the OAuth 2.0/OpenID Connect application in the Application view.

NOTE:

Click on Add to add a new OAuth 2.0/OpenID Connect application to the configuration of the identity provider.

Click on Remove to remove an OAuth 2.0/OpenID Connect application that is no longer required from the configuration of the identity provider.

Specifying enabled and disabled columns for logging in

When determining the user account for OAuth 2.0/OpenID Connect authentication, the system checks whether that user account is enabled or disabled. You define which columns mark a user account as enabled and which mark it as disabled.

Note:

  • Only columns of the table that you selected in the Column to search field of the identity provider's OAuth 2.0/OpenID Connect configuration are displayed.

  • A column can be used either as an enabled column or as a disabled column, not as both.

  • You can specify only enabled columns, only disabled columns, or a combination of enabled and disabled columns.

Example:

A search column references the ADSAccount table.

Case a) Only enabled Active Directory user accounts are allowed to log in.

  • Select ADSAccount.AccountDisabled as the disabled column.

    If the ADSAccount.AccountDisabled column of the user account is set, login is not permitted.

Case b) Only privileged Active Directory user accounts are allowed to log in.

  • Select ADSAccount.IsPrivilegedAccount as the enabled column.

    If the ADSAccount.IsPrivilegedAccount column of the user account is set, login is permitted.

Case c) Only enabled, privileged Active Directory user accounts are allowed to log in.

  • Select ADSAccount.IsPrivilegedAccount as the enabled column and ADSAccount.AccountDisabled as the disabled column.

    If the ADSAccount.IsPrivilegedAccount column of the user account is set and the ADSAccount.AccountDisabled column of the user account is not set, login is permitted.
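The following Python script is an added illustration of the decision the three cases above describe; it is not One Identity Manager code and does not reproduce how the product evaluates the columns internally. It assumes (the page does not say) that a user account row is a mapping of column name to value, that with several enabled columns all of them must be set, and that with several disabled columns none of them may be set. The sample ADSAccount rows are constructed for the example.

```python
"""
Added example (not One Identity Manager code): model the "columns for enabling" /
"columns for disabling" check that decides whether the user account found via the
OAuth 2.0/OpenID Connect search column may log in.

Assumptions not taken from the page: an account is a dict of column -> value;
with several enabled columns ALL must be set; with several disabled columns NONE
may be set; a missing column or NULL (None) counts as "not set".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginColumnConfig:
    """Columns assigned on the 'Columns for enabling' and 'Columns for disabling' tabs."""
    enabled_columns: frozenset = frozenset()
    disabled_columns: frozenset = frozenset()

    def __post_init__(self):
        # The page states a column is either an enabled or a disabled column, never both.
        overlap = self.enabled_columns & self.disabled_columns
        if overlap:
            raise ValueError(f"column(s) used as both enabled and disabled: {sorted(overlap)}")


def is_set(value) -> bool:
    """A bit/bool column is 'set' when truthy; NULL (None) and 0 are not set."""
    return bool(value)


def login_permitted(config: LoginColumnConfig, account: dict) -> bool:
    """True only if no disabled column is set and every enabled column is set.

    A disabled column that is set denies login regardless of the enabled columns
    (case c above). An absent enabled column denies login; an absent disabled
    column does not block it (assumption, see module docstring).
    """
    if any(is_set(account.get(col)) for col in config.disabled_columns):
        return False
    return all(is_set(account.get(col)) for col in config.enabled_columns)


# Configurations mirroring cases a), b) and c) above.
CASE_A = LoginColumnConfig(disabled_columns=frozenset({"ADSAccount.AccountDisabled"}))
CASE_B = LoginColumnConfig(enabled_columns=frozenset({"ADSAccount.IsPrivilegedAccount"}))
CASE_C = LoginColumnConfig(
    enabled_columns=frozenset({"ADSAccount.IsPrivilegedAccount"}),
    disabled_columns=frozenset({"ADSAccount.AccountDisabled"}),
)

# Constructed sample ADSAccount rows (not real data): every combination of the two bits.
SAMPLE_ACCOUNTS = {
    "active_user":         {"ADSAccount.AccountDisabled": 0, "ADSAccount.IsPrivilegedAccount": 0},
    "disabled_user":       {"ADSAccount.AccountDisabled": 1, "ADSAccount.IsPrivilegedAccount": 0},
    "active_privileged":   {"ADSAccount.AccountDisabled": 0, "ADSAccount.IsPrivilegedAccount": 1},
    "disabled_privileged": {"ADSAccount.AccountDisabled": 1, "ADSAccount.IsPrivilegedAccount": 1},
}


def evaluate_cases() -> dict:
    """Run each sample account through the three configurations; returns {account: {case: verdict}}."""
    return {
        name: {
            "a": login_permitted(CASE_A, row),
            "b": login_permitted(CASE_B, row),
            "c": login_permitted(CASE_C, row),
        }
        for name, row in SAMPLE_ACCOUNTS.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_cases().items():
        print(f"{name:20s} a={verdicts['a']!s:5} b={verdicts['b']!s:5} c={verdicts['c']!s:5}")
```

Running the script shows that only the active, privileged account passes case c, while a disabled privileged account still passes case b: an enabled column alone never checks AccountDisabled, which is why case b should normally be combined with a disabled column as in case c.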

To define which columns can enable a user account for login

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In the List Editor, select the configuration.

  3. In the edit view, select the Columns for enabling tab.

  4. In the Add assignment view, assign the columns that enable the user account for logon.

  5. Select Database > Save to database and click Save.

To define which columns can disable a user account for login

  1. In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.

  2. In the List Editor, select the configuration.

  3. Select the Columns for disabling tab in the edit view.

  4. In the Add assignment view, assign the columns that disable the user account for logon.

  5. Select Database > Save to database and click Save.

Logging information about OAuth 2.0/OpenID Connect authentication

To support troubleshooting of OAuth 2.0/OpenID Connect authentication, you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component. Because this data includes token contents, enable the logging only for the duration of the troubleshooting, restrict access to the log file, and disable the parameter again afterwards.

To log authentication data

  • In the Designer, set the QBM | DebugMode | OAuth2 | LogPersonalInfoOnException configuration parameter.
