Quest Identity Broker (QIB) enables users to associate the credentials they use with third-party identity providers, such as your organization's Identity Provider or Microsoft Azure Active Directory. This association makes it possible to use single sign on to access the Administrator Console or the User Console.
To use QIB to access the Administrator Console or User Console, users must enter the hostname of the K1000 appliance in the browser address field, then click Login with Single Sign On under the login credentials on the login page.
You can use Quest Identity Broker (QIB) to enable users to log in to the Administrator Console and User Console using credentials from third-party identity providers, such as your organization's Identity Provider and Microsoft Azure™ Active Directory.
QIB can be enabled for a single organization only. If the Organization component is enabled on your appliance, you can enable QIB for the default organization only. To use single sign on with multiple organizations, use Active Directory authentication. See Configure Active Directory as the single sign on method.
1. Do one of the following:
   ◦ If the Organization component is not enabled on the appliance, log in to the K1000 Administrator Console, http://K1000_hostname/admin, then click Settings.
   ◦ If the Organization component is enabled on the appliance, log in to the K1000 System Administration Console, http://K1000_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
2. In the Single Sign On section of the Security Settings page, select Quest Identity Broker, then provide the following information:
   Web Server Assertion Consuming Service URL
      The URL associated with your K1000 appliance. This URL is created automatically during appliance configuration. To enable QIB, contact Quest Support and provide this URL to obtain the Relying Party Identifier for your appliance.
   Relying Party Identifier
      A unique identifier provided by Quest Support to enable QIB. This identifier determines which identity provider, such as your organization's Identity Provider or Microsoft Azure Active Directory, is used for authentication. You must provide your Web Server Assertion Consuming Service URL to Quest Support to receive this identifier.
   Then select how new single sign on users are approved:
      ◦ Users requesting single sign on access are automatically granted access to the K1000 User Console if they are authenticated by the third-party identity provider. Accounts for these users are created automatically on the K1000 appliance.
      ◦ Administrators must approve access requests before users can access the K1000 Administrator Console or User Console. When users attempt to sign on to the K1000 using third-party credentials, the K1000 creates approval requests. When administrators log in to the Administrator Console, a notification stating that approval requests are pending appears on the information bar at the top of the Dashboard page. When administrators approve requests, user accounts are created on the K1000 appliance and users can access the K1000 Administrator Console or User Console.
3. Provide the certificate used to verify communications with the identity provider.
4.
Quest Identity Broker (QIB) user approval requests are created when users who do not have K1000 account credentials attempt to log in to the K1000 Administrator Console or User Console using identity providers, such as your organization's Identity Provider and Microsoft Azure Active Directory.
NOTE: When administrators log in to the Administrator Console or User Console, a message appears in the information bar at the top of the page if QIB approval requests are pending.
1.
   a. Log in to the K1000 Administrator Console, http://K1000_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b.
2.
   a. In the Identity column, click the linked name of a request to show the Approval Request Detail page.
   b. Select one of the following options:
      ◦ Create an account on the K1000 for the user. When the account is created, the user can use single sign on to access the User Console only. If you want to grant access to the Administrator Console, you need to edit the user's permissions on the User Detail page.
      ◦ Create an account on the K1000 for the user and open the User Detail page for editing. This enables you to modify user access permissions for the K1000 User Console and Administrator Console as needed.
      ◦ Map the approval request to an existing user account. When you select this option, you need to choose the account you want to map to in the drop-down list. When you approve the request, the QIB request information is added to the User Detail page of the selected account.
   c. Click Approve. The request is approved, and an account is created for the user on the K1000. If the Organization component is enabled on your appliance, the account is created in the default organization.
   a.
   b. Do one of the following:
      ◦ To reject one or more requests from the Approval Request page, select the check boxes next to the requests, then select Choose Action > Reject.
      ◦ In the Identity column on the Approval Request page, click the linked name of a request to show the Approval Request Detail page, then click Reject.
When Quest Identity Broker is enabled as the single sign on method, users can access the Administrator Console or User Console using credentials from identity providers, such as your organization's Identity Provider and Microsoft Azure Active Directory.
1.
2.
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.