Authenticating to the Administrative User Interface
Authentication abstraction is supported only for self-service authentication and is not supported by the administrative user interface. All administrators are required to authenticate natively to the “Identity System”. The attribute used for the administrative username depends on the LDAP directory you selected at installation.
The table below shows which attribute is used for each type of LDAP directory.
| LDAP Type | Attribute used to authenticate |
|---|---|
| LDAP v3 (openLDAP, 389, RHDS, etc) | uid |
| Active Directory | sAMAccountName |
Additional Master Admins
Although the LDAP account configured at installation time is considered the master administrator for the installed Fischer instance, other master administrators can be defined. The difference between the two is that the master account from the installation is not an actual identity within Fischer, whereas all subsequent master administrators are required to have an identity within Fischer. This may change the attribute used for authentication, depending on your global authentication settings for the Primary and Secondary Username used for native authentication to Fischer. This is discussed in the General Authentication Guide.
Fire call Access
During the installation of the product, you were also asked to provide a schema administrator, which has administrative privileges to manage Fischer’s database schema. If your “Identity System” is ever unavailable, you can use your Fischer schema database administrator to authenticate to the administrative user interface. Treat this as an internal set of credentials, to be used only in fire call situations where accessing the administrative user interface is not possible due to “Identity System” unavailability. Note that the database account does not have full permissions and will see limited functionality. The fire call account is useful primarily for troubleshooting when the Identity System goes down. The abilities of the database admin account are defined below.
The database account will have 3 visible tabs: “Systems”, “Server” and “Configuration”.
Within the context of the “Systems” tab, the database account will be able to perform the following tasks:
- Add new Connected Systems
- Modify existing Connected Systems
- Delete existing Connected Systems
The functionality available from the “Server” tab includes:
- Viewing the high availability configuration and status
- Viewing the logs
The functionality available from the “Configuration” tab includes:
- Viewing / Editing the Global Configuration Options (for the master org)
- Viewing / Modifying the User Authentication Configuration, which lets IGA Administrators modify the authentication stores so that users can gain access if the Identity System will be down for a while.