立即与支持人员聊天
与支持团队交流

Identity Manager 8.2.1 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0/OpenID Connect authentication Multi-factor authentication in One Identity Manager Granular permissions for the SQL Server and database Installing One Identity Redistributable STS Program functions for starting the One Identity Manager tools Minimum access levels of One Identity Manager tools

Assigning authentication modules to applications

NOTE: Use non role-based authentication modules to log in to the Designer. Role-based authentication modules for logging in to the Designer are not supported.

If create custom authentication modules, assign them to the existing programs. In general, you do not need to change assignments of predefined authentication modules.

To assign an authentication module to an application

  1. In the Designer, select the Base data > Security settings > Authentication modules category.

  2. Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.

  3. In List Editor, select the authentication module.

  4. Assign the application in the Applications edit view.

  5. Select the Database > Save to database and click Save.

Related topics

Disabling or enabling authentication modules for applications

NOTE: Use non role-based authentication modules to log in to the Designer. Role-based authentication modules for logging in to the Designer are not supported.

To use an authentication module for login, assignment of the authentication module to the application must be enabled.

To enable an authentication module for an application

  1. In the Designer, select the Base data > Security settings > Authentication modules category.

  2. Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.

  3. In List Editor, select the authentication module.

  4. In the Application edit view, select the assigned application.

  5. Disable the Disable option.

  6. Select the Database > Save to database and click Save.

To disable an authentication module for an application

  1. In the Designer, select the Base data > Security settings > Authentication modules category.

  2. Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.

  3. In List Editor, select the authentication module.

  4. In the Application edit view, select the assigned application.

  5. Enable the Disable option.

  6. Select the Database > Save to database and click Save.

Related topics

Authentication module properties

Table 33: Authentication module properties
Property Meaning

Enabled

Specifies whether the authentication module can be used.

Display name

Display name for displaying the authentication module in the connection dialog of the administration tools.

Authentication module

Internal name of the authentication module.

Authentication type

Authentication module type. You can choose from Dynamic and Role based.

Processing status

The processing status is used for creating custom configuration packages.

Initial data

Initial data for logging in with this authentication module.

Syntax:

property1=value1;property2=value2

Example:

User=<user name>;Password=<password>

Class

Authentication module class.

Assembly name

Name of the assembly file.

Sort order

Specify the order in which the modules are displayed in the login window.

Single sign-on

Specifies whether the authentication module may be authenticated without a password.

Select in front-end

Specifies whether the authentication module can be selected in the login window.

Related topics

Initial data for authentication modules

Authentication data is formatted from the authentication module and its parameters and values. You can specify initial data for the parameters and their values. By default, the initial data is preset for each authentication process.

Syntax for authentication data:

Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…

Example:

Module=DialogUser;User=<user name>;Password=<password>

ClosedSetting initial data for authentication modules
Table 34: Authentication data for authentication modules
Authentication module Display name Parameters and meaning

DialogUser

System users

User: User name

Password: The user's password

ADSAccount

Active Directory user account

No parameters required

DynamicADSAccount

Active Directory user account (dynamic)

Product: Usage. The system user is determined through the use case configuration data.

DynamicManualADS

Active Directory user account (manual input)

Product: Usage. The system user is determined through the use case configuration data.

User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.

Password: The user's password.

RoleBasedADSAccount

Active Directory user account (role-based)

No parameters required

RoleBasedManualADS

Active Directory user account (manual input/role-based)

User: User name. The user‘s identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.

Password: The user's password

Employee

Employee

User: Employee's central user account.

Password: The user's password

DynamicPerson

Employee (dynamic)

Product: Usage. The system user is determined through the use case configuration data.

User: User name.

Password: The user's password

RoleBasedPerson

Employee (role-based)

User: User name.

Password: The user's password.

HTTPHeader

HTTP header

Header: The HTTP header to use.

KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names.

Default: CentralAccount, PersonnelNumber

RoleBasedHTTPHeader

HTTP header (role-based)

Header: The HTTP header to use.

KeyColumn: Comma delimited list of key columns in the Person table to be searched for user names.

Default: CentralAccount, PersonnelNumber

DynamicLdap

LDAP user account (dynamic)

User: User name.

Default: CN, DistinguishedName, UserID, UIDLDAP

Password: The user's password

RoleBasedLdap

 

LDAP user account (role-based)

 

User: User name.

Default: CN, DistinguishedName, UserID, UIDLDAP

Password: The user's password

RoleBasedGeneric

Generic single sign-on (role-based)

SearchTable: Table in which to search for the user name of the logged in user. This table must contain a FK named UID_Person that points to the Person table.

SearchColumn: Column from the SearchTable in which to search for the user name of the logged-in user.

DisabledBy: Pipe (|) delimited list of Boolean columns which block a user account from logging in.

EnabledBy: Pipe (|) delimited list of Boolean columns which release a user account for logging in.

OAuth

OAuth 2.0/OpenID Connect

Dependent on the authentication method of the secure token service.

OAuthRoleBased

OAuth 2.0/OpenID Connect (role-based)

Dependent on the authentication method of the secure token service.

DialogUserAccountBased

Account based system user

No parameters required

QERAccount

User account

No parameters required

RoleBasedQERAccount

User account (role-based)

No parameters required

PasswordReset

Password reset

No parameters required

RoleBasedPasswordReset

Password reset (role-based)

No parameters required

DecentralizedId

 

Decentralized identity

 

Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail)

Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier).

RoleBasedDecentralizedId

 

Decentralized Identity (role-based)

 

Email: Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail)

Identifier: Decentralized identity of the employee (Person.DecentralizedIdentifier).

Token

 

 

 

Internal authentication module in the application server for authentication using OAuth 2.0/OpenID Connect access tokens. For more information, see Setting up OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API.

URL: URL of the application server.

ClientId: ID of the application on the identity provider.

ClientSecret: Secret value for authentication at the token endpoint.

TokenEndpoint: Uniform Resource Identifier (URL) of the token endpoint of the authorization server for returning the access token to the client for logging in.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级