
UiPath Orchestrator

The UiPath Orchestrator Guide

Host authentication settings

Installation key


The installation key is a token used to allow SSO connections to Orchestrator for integrated applications.

  1. Log in to the Management portal as a system administrator.
  2. On the Accounts & Groups page, select the Authentication Settings tab.
    The current installation key is displayed, and you can click the Copy icon to copy it to your clipboard.
  3. (Optional) To generate a new installation key, click Generate new.
    A success message appears in the top-right corner, indicating that a new key was generated.

External providers


Orchestrator lets you configure an external identity provider to control how your users sign in. The following table provides an overview of the different external providers available at the host level.

Follow the instructions for the external provider you want to use, as indicated below:

📘

New installation versus upgrade

The instructions in the following table apply to a new installation, or if you are configuring one of the external providers for the first time.
If you upgraded Orchestrator and already use one or more of the external providers listed below, the configuration is migrated, but you may need to perform some reconfiguration tasks. In that case, follow the instructions in Reconfiguring authentication after upgrade instead.

| External Provider Integration | Authentication | Directory Search | User Provisioning |
|---|---|---|---|
| Active Directory and Windows Authentication | Users can use SSO with Windows Authentication using the Kerberos protocol | Administrators can search for users from the Active Directory | Users must be assigned a role in the Orchestrator tenant. Active Directory users and groups can be assigned a role via directory search. |
| Azure Active Directory | Users can use SSO with Azure AD using the OpenID Connect protocol | Not supported | Users must be manually provisioned into the Orchestrator tenant with an email address matching their Azure AD account. |
| Google | Users can use SSO with Google using the OpenID Connect protocol | Not supported | Users must be manually provisioned into the Orchestrator tenant with an email address matching their Google account. |
| SAML 2.0 | Users can use SSO with any Identity Provider that supports SAML | Not supported | Users must be manually provisioned into the Orchestrator tenant with a username matching their SAML account. |

📘

Differences between Azure AD integration at the host level and at the organization level

The host-level external identity provider "Azure AD" enables only SSO functionality. The organization-level Azure AD integration enables SSO, directory search, and automatic user provisioning.

 

Allowing or restricting basic authentication

Basic authentication refers to signing in with the username and password of a local account.

If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.

Configuration levels and inheritance

This option can be configured:

  • at the host level, as described below.
    When set at the host level, the setting applies to all organizations and all their accounts, except where basic authentication was explicitly set differently at the organization or account level.
  • for system administrator accounts, as described below.
    Even when all organizations are restricted from using basic authentication, you can allow only system administrators to bypass this restriction.
  • at the organization level, as described in Configuring authentication and security.
    If set at the organization level, the organization-level setting overrides the host-level setting for only that organization. The setting for an organization applies to all accounts that belong to that organization, except accounts for which basic authentication is set differently at the account level.
  • at the account level, as described in Adding accounts.
    If set at the account level, the account-level setting overrides the host-level and organization-level basic authentication setting for only that account.
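
The precedence described above (account over organization over host, plus the system administrator exception) can be modelled to audit which accounts are still able to sign in with a local password. This is an added example, not UiPath code: the class and field names, the sample organizations and accounts, and the assumption that system administrator accounts are governed only by the two host-level toggles are all illustrative.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical model (names are assumptions, not Orchestrator API fields).
# restrict_basic: True = restricted, False = allowed, None = not set (inherit).

@dataclass
class Host:
    restrict_basic: bool = False
    allow_basic_for_sysadmins: bool = False  # only consulted while restricted

@dataclass
class Account:
    name: str
    org: Optional[str] = None               # None for host-level accounts
    restrict_basic: Optional[bool] = None
    is_sysadmin: bool = False

def basic_auth_allowed(host: Host, orgs: Dict[str, Optional[bool]],
                       acct: Account) -> Tuple[bool, str]:
    """Return (allowed, level that decided) for one account."""
    if acct.is_sysadmin:                     # assumption: governed by host toggles only
        if host.restrict_basic:
            return host.allow_basic_for_sysadmins, "host-admin-exception"
        return True, "host"
    if acct.restrict_basic is not None:      # account overrides organization and host
        return not acct.restrict_basic, "account"
    org_setting = orgs.get(acct.org)
    if org_setting is not None:              # organization overrides host
        return not org_setting, "organization"
    return not host.restrict_basic, "host"   # nothing set lower down: inherit

def audit(host, orgs, accounts):
    """Map each account name to (basic auth allowed?, deciding level)."""
    return {a.name: basic_auth_allowed(host, orgs, a) for a in accounts}

# Constructed sample data.
HOST = Host(restrict_basic=True, allow_basic_for_sysadmins=True)
ORGS = {"finance": None, "lab": False}       # "lab" explicitly allows basic auth
ACCOUNTS = [
    Account("alice", "finance"),
    Account("svc-legacy", "finance", restrict_basic=False),
    Account("bob", "lab"),
    Account("carol", "lab", restrict_basic=True),
    Account("hostadmin", is_sysadmin=True),
]

if __name__ == "__main__":
    for name, (allowed, level) in audit(HOST, ORGS, ACCOUNTS).items():
        print(f"{name:12} {'ALLOWED' if allowed else 'restricted':10} ({level})")
```

Accounts reported as allowed at the organization or account level are the exceptions to a host-wide restriction and are the ones to review first.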

Setting basic authentication at the host level

This setting is only available if an external provider integration is enabled at the host level.

When set at the host level, the setting applies to all organizations and all their accounts. Set it according to the preference or recommendation across your company.
For exceptions, basic authentication can also be set at the organization or account level where you want this setting to apply differently.

To allow or restrict basic authentication for all organizations and all accounts:

  1. Log in to the Management portal as a system administrator.
  2. Go to Accounts & Groups and select the Authentication Settings tab.
  3. Under External Providers, click the Disable basic authentication for the organizations toggle to restrict or allow sign in using basic authentication:
    • If off (left toggle position, gray toggle), basic authentication is allowed.
    • If on (right toggle position, blue toggle), basic authentication is restricted. While restricted, the Allow basic authentication for the host administrators toggle is available.
  4. If you restricted basic authentication, use the Allow basic authentication for the host administrators toggle to choose whether to allow basic authentication for system administrators, as an exception:
    • If off (left toggle position, gray toggle), basic authentication is not allowed for system administrators either.
    • If on (right toggle position, blue toggle), even though basic authentication is not allowed, as an exception, it is allowed for system administrator accounts only.
  5. At the bottom-right of the External Providers section, click Save to apply your changes.

Recovering from lock out

When basic authentication is disabled, it is possible to get locked out if you lose access to your directory account.

To recover from this situation, go to https://<FQDN>/host/orchestrator_/account/hostlogin and log in using your basic authentication credentials.

 

Security


The settings you specify here are inherited by all organizations in your installation as defaults, but organization administrators can override them as needed at the level of the individual organization.

To configure security options for your Orchestrator installation, go to Accounts & Groups > Authentication Settings and, in the Security section, edit the following options as needed.

Password complexity

📘

Editing the password complexity settings does not affect existing passwords.

| Field | Description |
|---|---|
| Special characters | Select to force users to include at least one special character in their password. By default, this checkbox is not selected. |
| Lowercase characters | Select to force users to include at least one lowercase character in their password. By default, this checkbox is selected. |
| Uppercase characters | Select to force users to include at least one uppercase character in their password. By default, this checkbox is not selected. |
| Digits | Select to force users to include at least one digit in their password. By default, this checkbox is selected. |
| Minimum password length | Specify the minimum number of characters a password should contain. By default, it is 8. The length must be set between 1 and 256 characters. |
| Days before password expiration | Specify the number of days for which the password is valid. After this period, the password expires and needs to be changed. The minimum accepted value is 0 (the password never expires), and the maximum is 1000 days. |
| Number of times a password can be reused | The minimum accepted value is 0 (never allow reusing a password), while the maximum is 10. |
| Change password on the first login | If set to Required, users that log in for the first time must change their password before being allowed to access Orchestrator. If set to Not required, users can log in and continue to use the admin-defined password until it expires. |

Account lockout

| Field | Description |
|---|---|
| Enabled or Disabled toggle | If enabled, locks the account for a specific number of seconds after a specific number of failed login attempts. This also applies to the password change feature. |
| Account lockout duration | The number of seconds a user needs to wait before being allowed to log in again after exceeding the Consecutive login attempts before lockout. The default value is 5 minutes. The minimum accepted value is 0 (no lockout duration), and the maximum is 2592000 (1 month). |
| Consecutive login attempts before lockout | The number of failed login attempts allowed before the account is locked. The default value is 10 attempts. You can set a value between 2 and 10. |

Updated about a month ago

