Authenticating external applications using OAuth 2.0/OpenID Connect
External applications that access the REST API on the application server authenticate through the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules. Ensure that authentication for the REST API is set up through OAuth 2.0/OpenID Connect.
To authenticate an external application using OAuth 2.0/OpenID Connect in One Identity Manager
- Log in to the external identity provider, for example with Redistributable STS (RSTS), and get the access token.
- Ensure that the token is passed as the bearer token in the HTTP Authorization header of all queries.
NOTE: When a client logs in with a bearer token, the session is still handled by a session cookie. Clients that access the REST API with a bearer token must therefore keep the cookie assigned during the first access and send it with every subsequent access. Otherwise, a new session is established for each access, which costs a lot of resources.
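The cookie requirement in the note above, as an added example that is not taken from the One Identity documentation: a constructed local mock server stands in for the REST API and counts how many sessions a bearer-token client opens with and without a cookie jar. The path `/api/ping`, the cookie name `sid` and the token value are assumptions made for this demonstration only.

```python
import http.cookiejar
import threading
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-demo-token"  # placeholder, not a real access token
sessions = set()                  # session ids the mock server has created

class MockApi(BaseHTTPRequestHandler):
    """Constructed stand-in for a REST API: bearer auth plus session cookie."""
    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {TOKEN}":
            self.send_response(401)
            self.end_headers()
            return
        cookie = self.headers.get("Cookie", "")
        sid = cookie.partition("sid=")[2].split(";")[0]
        self.send_response(200)
        if sid not in sessions:          # no known cookie: new, costly session
            sid = uuid.uuid4().hex
            sessions.add(sid)
            self.send_header("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):        # keep the demo output quiet
        pass

def sessions_created(keep_cookie, calls=3):
    """Issue `calls` bearer-authenticated requests; return sessions opened."""
    sessions.clear()
    server = HTTPServer(("127.0.0.1", 0), MockApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    handlers = []
    if keep_cookie:                      # cookie jar replays Set-Cookie values
        handlers.append(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    opener.addheaders = [("Authorization", f"Bearer {TOKEN}")]
    try:
        for _ in range(calls):
            opener.open(f"http://127.0.0.1:{server.server_port}/api/ping").close()
        return len(sessions)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(sessions_created(True), sessions_created(False))  # kept vs. dropped
```

A client that sends the bearer token on every call but discards the cookie still authenticates successfully, so the extra sessions only show up as server-side load.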
Multi-factor authentication in One Identity Manager
One Identity Defender can be used for multi-factor authentication on One Identity Manager tools and the Web Portal. For more information, see Multi-factor authentication with One Identity Defender.
You can set up multi-factor authentication with OneLogin for attestations and request approvals. For more information, see Multi-factor authentication with OneLogin.
Multi-factor authentication with One Identity Defender
One Identity Defender can be used for multi-factor authentication on One Identity Manager tools and the Web Portal. A Redistributable STS (RSTS) is set up to provide Active Directory authentication over a RADIUS server.
Prerequisite
- One Identity Defender is installed and set up.
To set up multi-factor authentication using Defender
- Install the RSTS.
  In the Installation Wizard on the Installation Settings page, enter the signing certificate, URL, and configuration password for the RSTS administration interface. For test or demonstration environments, you can use the Redistributable STS Demo signing certificate.
- Configure the RSTS.
- Set up the OAuth 2.0/OpenID Connect configuration.
  In doing so, you create a new identity provider. You will need this identity provider for configuring authentication with OAuth 2.0/OpenID Connect.
- Configure authentication with OAuth 2.0/OpenID Connect for the Web Portal.
- Configure authentication with OAuth 2.0/OpenID Connect for the One Identity Manager administration tools.
- Test the access to the Web Portal.
  - After entering the URL of the Web Portal in your web browser, you should be redirected to the RSTS login page.
  - After logging in with user name and password, you are prompted to enter your Defender Token.
    If both authentications were successful, you can work with the Web Portal.
- Test access to the One Identity Manager administration tools.
  - Start an administration tool, for example, the Launchpad, and select the OAuth 2.0/OpenID Connect authentication method.
  - After logging in with user name and password, you are prompted to enter your Defender Token.
    If both authentications were successful, you can work with the administration tool.
Configuring RSTS for multi-factor authentication
To configure multi-factor authentication using a RADIUS server on the RSTS
- Start a web browser and open the URL of the RSTS administration interface.
  https://<webapplication>/RSTS/admin
  Use the configuration password assigned during installation to log in.
- On the home page, click Authentication providers.
- On the Authentication Providers page, select the Default Active Directory default provider and click Edit.
- On the Edit page, select the Authentication provider tab and edit the following settings.
- Select the Two Factor Authentication tab and edit the settings for your Defender Security Server.
  - Two Factor Authentication Settings > RADIUS: enabled
  - Server, Port, Shared Secret and Username Attributes: Connection data for the RADIUS server.
  - (Optional) Connection Information > Pre-authenticate For ChallengeResponse: Uses the response text from Defender instead of the default RADIUS response text.
- Switch to the home page and select Applications.
- On the Applications page, click Add Application.
- On the Edit page, select the General Settings tab and edit the following settings.
  The redirect URL for the Web Portal (Redirect Url) is formed as follows: https://<Server>/<Application Name>/
- Select the Certificates tab and under Signing Certificate (Required) activate the signing certificate that you specified when installing the RSTS.
  For more information, see Multi-factor authentication with One Identity Defender.
- Click Finish.