To verify the identity of users who log in to Identity Governance, you need an LDAP identity service and an authentication service. These two items allow Identity Governance to control who has access to the Identity Governance resource. The authentication service allows you to enable SSO for the Identity Governance users or provide additional authentication methods such as two-factor authentication.
Identity Governance supports Active Directory and eDirectory as identity services and One SSO Provider (OSP) and Access Manager as authentication services. For example, you can use the Identity Vault for Identity Manager as an identity service. Users can log in to Identity Governance immediately after installation if the users in the specified containers of the identity service have passwords for the users’ accounts. However, the accounts cannot do much until the bootstrap administrator account assigns access rights to the features in Identity Governance.
The bootstrap administrator is the only account that can log in immediately after the installation and make configuration changes.
During installation, you can create a bootstrap administrator account that can immediately log in and configure Identity Governance. This account is useful if you do not have an identity service populated with user accounts before installing Identity Governance.
NOTE:The name for the bootstrap administrator account must be unique. Do not duplicate the name of any accounts, the root container, or subtrees that you use for authentication. The default file-based bootstrap administrator account name is igadmin. You can specify an alternative name for this account through the bootstrap administrator script. Do not use “admin” or “administrator” for the account name.
During the installation, you select one of two methods to create a bootstrap administrator account. You must select one of the options. The options are:
File: If the bootstrap administrator account is file-based, this account does not link to any account in the LDAP directory. This account exists in a file that the installer for OSP creates for you. The default name of the file that contains the bootstrap administrator account is adminusers.txt. The default bootstrap administrator account name is igadmin.The file-based bootstrap administrator account can access all items in the administration console except for Reviews and Access Request.
If you selected to use the LDAP-based bootstrap administrator and want to move back to file-base, you must use a script included in the Identity Governance product to make this change. For more information, see Creating a Bootstrap Administrator Using a Script.
You should not continue using the file-based bootstrap administrator account after you have Identity Governance running in a production environment. As soon as you have collected user accounts in Identity Governance, assign one of the collected LDAP accounts as a global administrator. For more information about assigning authentications, see Global Authorizations
in Identity Governance User and Administration Guide.
LDAP: If you have not performed a data collection on the LDAP directory where the LDAP-based bootstrap administrator resides or mapped this account to an identity in Identity Governance, the LDAP-based bootstrap administrator account has limited rights. When you have performed a data collection on the LDAP directory or mapped this account to an identity in Identity Governance, Identity Governance adds the Identity Governance Global Administrator role to this LDAP-based bootstrap administrator account and it has unrestricted access.
The restricted LDAP-based bootstrap administrator account can access all items in the administration console except for Reviews and Access Request. After you collect and publish the data from a data source and you map the LDAP-based bootstrap administrator account to an identity in Identity Governance, Identity Governance changes the restricted LDAP-based bootstrap administrator account into a full global administrator account. For more information, see Global Authorizations
in the Identity Governance User and Administration Guide.
IMPORTANT:Due to access to the file system and security updates for Identity Governance 3.6 or later you cannot always use the file-based bootstrap administrator account.
If your environment matches any of the following conditions, you must always use the LDAP-based bootstrap administrator account.
Integrated with Identity Manager
Using SAML authentication method
Using Access Manager as the authentication service
Not using OSP as the authentication service
The silent installation, guided installation, and the console installation can create the bootstrap administrator account for you or you can use a script to create the account. For more information, see Section 15.2.1, Creating a Bootstrap Administrator Using a Script.
Identity Governance allows the following authentication service configurations to achieve SSO in your environment:
OSP
Access Manager
Access Manager connecting to OSP with SAML
The OSP authentication service supports the OAuth2 specification and requires an LDAP identity service. Identity Governance works with eDirectory, Identity Manager Identity Vault, and Microsoft Active Directory. You must deploy the identity service before you install Identity Governance. For more information, see Section 3.6, Preparing or Installing an Identity Service.
You can configure the type of authentication that you want OSP to use: userID and password, Kerberos, or SAML 2.0. However, OSP does not support MIT-style Kerberos or SAP login tickets.
Access Manager supports several authentication methods, such as name/password, RADIUS token-based authentication, X.509 digital certificates, Kerberos, risk-based authentication, Time-Based One-Time Password (TOTP), social authentication, and OpenID Connect. Plus, Access Manager can integrate with Advanced Authentication to provide many more authentication methods.
If you use Identity Manager Identity Vault as your identity service, users with the names (CN) and passwords in the specified container can log in to Identity Governance immediately after installation. Without these login accounts, only the administrator that you specify during installation can log in immediately.
When a user directs the browser to one of the browser-based components, the component determines that it requires authentication and temporarily redirects the browser to the OSP or to the Access Manager authentication service. The OSP service or the Access Manager service authenticates the user by asking the configured authentication method for the user. The authentication service then issues an OAuth2 access token and redirects the browser back to the browser-based component. The component uses the token during the user’s session to provide SSO access to any of the browser-based components.
The authentication service and Kerberos ensure that users only need to log in once to create a session with Identity Governance and Identity Reporting. If the user’s session times out, authentication occurs automatically and without the user’s intervening.
Identity Governance allows you to configure the users’ logout experiences to be the same. If the option Use Logout Landing page is set to True, the users in a Kerberos environment can log out and the authentication service does not reauthorize the users. Identity Governance presents the users with the landing page.
If the option is set to False, after logging out, users should always close the browser to ensure that their sessions end. Otherwise, the application redirects the users to the login window and the authentication service reauthorizes the users’ sessions.
Using a SAML 2.0 identity provider (IDP) with OSP can provide SSO for multiple applications, such as applications beyond Identity Governance and Identity Manager.
When a browser-based component requests that OSP provide an OAuth2 token to the component, OSP first contacts the SAML IDP to authenticate the user. If the user is not yet authenticated with the IDP, the IDP requires the user to enter credentials. The IDP then responds to OSP that the user is authenticated and the OAuth2 token is issued. If the user is already authenticated with the IDP, the IDP skips the request for the user’s credentials.
When the user logs out using a browser-based component, the component first informs OSP of the logout request. OSP then informs the SAML IDP of the logout request. In most cases, this results in the browser displaying the "logged out" page for the IDP. For more information, see Section 10.3, Using SAML Authentications from Access Manager to Provide Single Sign-On to Identity Governance through the OSP.
For OSP or Access Manager and SSO to function, you must install OSP or install and configure Access Manager. Next, specify the URLs for client access to each component, the URL that redirects validation requests to OSP or Access Manager, and the settings for the Identity Vault. You can provide this information during installation or afterward with the Identity Governance Configuration utility or the Roles Based Provisioning Module (RBPM) configuration utility if you integrate with Identity Manager. You can also specify the settings for your Kerberos ticket server or SAML IDP. For more information, see Section 10.0, Configuring Authentication Options for Identity Governance.
Identity Governance can use the OSP authentication service, which supports the OAuth2 specification. With OSP, you can provide SSO access among Identity Governance and other applications, such as Identity Manager Home and Provisioning Dashboard. All requests to OSP use the HTTP or HTTPS protocols.
IMPORTANT:Identity Governance always uses an authentication service as the login mechanism, even in a non-SSO environment.
Identity Governance can use the Access Manager authentication service, which supports several authentication methods. For a list of the authentication methods, see the Access Manager documentation. With Access Manager, you can provide SSO access among Identity Governance and other applications, such as Identity Manager Home and Provisioning Dashboard. All requests to Access Manager use the HTTP or HTTPS protocols.
IMPORTANT:Identity Governance always uses an authentication service as the login mechanism, even in a non-SSO environment.
Identity Governance can use Access Manager to connect with OSP as the authentication service. With Access Manager, you can provide SSO access among Identity Governance and other applications in your environment that use Access Manager for authentication. For more information, see Configuring Single Sign-On to Specific Applications
in the NetIQ Access Manager 5.0 Administration Guide.
IMPORTANT:Identity Governance always uses an authentication service as the login mechanism, even in a non-SSO environment.