Configuring authentication
User authentication is carried out on the API Server for each API project.
Authentication has two steps:
- Required primary authentication: Default authentication through an authentication module
- Optional secondary authentication: Multi-factor authentication (by OneLogin)
For more information about authentication, see the One Identity Manager API Development Guide and the One Identity Manager Authorization and Authentication Guide.
Configuring primary authentication with single sign-on
You can configure single sign-on authentication for API projects with the Administration Portal. In this case, a separate request to the imx/login method is not required.
Required configuration key:
To configure primary authentication with single sign-on
- Log in to the Administration Portal (see Logging in to the Administration Portal).
- In the navigation, click Configuration.
- On the Configuration page, in the Show configuration for the following API project menu, select the API project that you want to configure with single sign-on authentication.
- Expand the Single sign-on authentication modules configuration key.
- Click New.
- In the menu, select the authentication module you want to use.
  TIP: You can specify additional authentication modules. To do this, click New.
- Click Apply.
- Perform one of the following actions:
  - If you want to apply the changes locally only, click Apply locally.
  - If you want to apply the changes globally, click Apply globally.
- Click Apply.
Configuring multi-factor authentication
You can set up multi-factor authentication with OneLogin for attestations and request approvals.
Prerequisite
For more information about setting up multi-factor authentication, see the One Identity Manager Authorization and Authentication Guide.
To configure multi-factor authentication with OneLogin
- In the Administration Portal, set the ServerConfig/ITShopConfig/StepUpAuthenticationProvider configuration key to OneLogin MFA.
- Log in to the Administration Portal (see Logging in to the Administration Portal).
- In the navigation, click Configuration.
- On the Configuration page, in the Show configuration for the following API project menu, select the API project for which you want to configure multi-factor authentication.
- Expand the Request configuration / Step-up authentication provider for terms of use agreement and workflow approval configuration key.
- In the menu, select OneLogin MFA.
- Click Apply.
- Perform one of the following actions:
  - If you want to apply the changes locally only, click Apply locally.
  - If you want to apply the changes globally, click Apply globally.
- Click Apply.
- In the API Server's configuration file, add the connection parameters to your OneLogin domain.
- In the API Server's installation directory, open the web.config file.
  NOTE: If the file is encrypted, decrypt it first.
- In the <connectionStrings> section, add the following entry:
  <add name="OneLogin" connectionString="Domain=<domain>;ClientId=<clientid>;ClientSecret=<clientSecret>" />
  - <domain> stands for the DNS name of the synchronized OneLogin domain (OLGAPIDomain.DNSName).
  - <clientid> stands for the client ID of the OneLogin application.
  - <clientSecret> stands for the OneLogin application's security token.
- Save your changes to the file.
  NOTE: If the file was encrypted beforehand, encrypt it again.
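The following check for the OneLogin entry described above is an added example, not part of the One Identity documentation or product. It assumes the web.config content is already decrypted and that the key names are spelled exactly as shown above; the function names and the sample values are illustrative.

```python
import xml.etree.ElementTree as ET

REQUIRED_KEYS = ("Domain", "ClientId", "ClientSecret")  # spelled as on this page

# Constructed sample: not a real OneLogin domain or credential.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="OneLogin"
         connectionString="Domain=example.onelogin.com;ClientId=0123abcd;ClientSecret=" />
  </connectionStrings>
</configuration>"""

def parse_connection_string(value):
    """Split 'Key=value;Key=value' into a dict, cutting each pair at its first '='."""
    pairs = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            pairs[key.strip()] = val.strip()
    return pairs

def check_onelogin_entry(config_xml):
    """Return findings (key names only, never values); an empty list means complete."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        # The template with literal <domain> placeholders left in ends up here.
        return ["web.config is not well-formed XML"]
    entries = [add for section in root.iter("connectionStrings")
               for add in section.findall("add") if add.get("name") == "OneLogin"]
    if not entries:
        return ["no plain-text OneLogin entry in <connectionStrings>"]
    pairs = parse_connection_string(entries[0].get("connectionString", ""))
    findings = []
    for key in REQUIRED_KEYS:
        value = pairs.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif not value:
            findings.append(f"{key} is empty")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{key} still holds a placeholder")
    return findings

if __name__ == "__main__":
    for finding in check_onelogin_entry(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

Findings report key names only, so the output can go to a deployment log without exposing the client secret.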
Configuring authentication tokens
Users receive an authentication token after they have been successfully authenticated on a web application. Users do not have to repeat the authentication as long as this token is valid.
Required configuration key:
- Persistent authentication tokens (AuthTokensEnabled): Specifies whether to use persistent authentication tokens that are stored between sessions.
- Persistent authentication token lifetime (in minutes) (AuthTokensLifetimeMinutes): Specifies how long persistent authentication tokens are valid.
To configure the use of authentication tokens
- Log in to the Administration Portal (see Logging in to the Administration Portal).
- In the navigation, click Configuration.
- On the Configuration page, in the Show configuration for the following API project menu, select the imx API project.
- Configure the following configuration keys:
  - Persistent authentication tokens: Specify whether to use persistent authentication tokens. To do this, activate or deactivate the corresponding check box.
  - Persistent authentication token lifetime (in minutes): Specify how long persistent authentication tokens are valid. Once the token lifetime has expired, the user must authenticate again.
- Click Apply.
- Perform one of the following actions:
  - If you want to apply the changes locally only, click Apply locally.
  - If you want to apply the changes globally, click Apply globally.
- Click Apply.