Web Portal in an Untrusted Domain

Using v8.1.1. I have my One Identity install in one domain and all my users have AD accounts in another (synced) domain, and there is no trust between them. I was thinking of putting the Web Portal in the untrusted domain where all the users are, so that the users can authenticate to the Web Portal with their credentials from that domain. (Just putting the untrusted user domain in the Authentication Domains config parameter doesn't work.) I think this may work, but one requirement that is likely to cause a problem is that the users need to be in the SQL role basegroup. Since the domains are untrusted, the web portal users cannot be put into this role. This got me thinking about how the OAuth authenticator would work, since those accounts aren't in the domain either, so how can they be in the basegroup role? Will putting the web portal in a different domain for authentication purposes work?

  • I am only using one domain, but I am using OAuth in my lab. I am using OpenAM by ForgeRock as my Identity Provider. I create an account on ForgeRock and then take the user's ID and populate the custom property 09 on the person. I use that for my search column. When I log in to the web portal using the OAuth authentication module, I get presented with ForgeRock's authentication page; I then log in using my ForgeRock account, and after authenticating I am into the Identity Manager web portal. In this example, I am not using any domain account. I am not sure if this type of method would work or not for you. I know that you can use LDAP with OpenAM. I think that as long as you have a property you can use that also matches a populated column on the employee record, it would work.
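As an added illustration of the approach in the reply above (this is example code written for this page, not code from the original thread, from One Identity Manager or from ForgeRock), the following Python sketch shows the mapping step that lets an OAuth login succeed without any domain account: the identity provider's token is verified, and its subject claim is looked up in a configured search column of the person table. The column name `CustomProperty09`, the issuer and audience values, the person records and the HS256 shared secret are all assumptions constructed for the demo; a real portal would validate the provider's signature against its published keys. The check a practitioner would want here is that the search column resolves to exactly one person: no match and an ambiguous match (two persons carrying the same provider ID) are both rejected rather than logging in the first hit.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample person records (not real data). The column name
# "CustomProperty09" is assumed to mirror the custom property populated
# in the reply; "openam-dup" is deliberately shared to show the ambiguity case.
PERSONS = [
    {"UID_Person": "p-001", "CentralAccount": "jdoe",   "CustomProperty09": "openam-7f3a"},
    {"UID_Person": "p-002", "CentralAccount": "asmith", "CustomProperty09": "openam-91c2"},
    {"UID_Person": "p-003", "CentralAccount": "dupe1",  "CustomProperty09": "openam-dup"},
    {"UID_Person": "p-004", "CentralAccount": "dupe2",  "CustomProperty09": "openam-dup"},
]

SEARCH_COLUMN = "CustomProperty09"                       # assumed search column
EXPECTED_ISSUER = "https://openam.example.test/openam"   # hypothetical issuer URL
EXPECTED_AUDIENCE = "oneim-web-portal"                   # hypothetical OAuth client id
SHARED_SECRET = b"lab-only-hmac-secret"                  # constructed HS256 key for the demo


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact HS256 JWT; stands in for the token OpenAM would issue."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET, now=None):
    """Return the claims if signature, issuer, audience and expiry all check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def resolve_person(claims: dict, persons=PERSONS, column: str = SEARCH_COLUMN):
    """Map the token subject onto exactly one person via the configured search column."""
    sub = claims.get("sub")
    if not sub:
        return None
    matches = [p for p in persons if p.get(column) == sub]
    if len(matches) != 1:  # no match or an ambiguous match: refuse the login
        return None
    return matches[0]


def login(token: str, now=None):
    """Full flow: verify the provider token, then resolve the person. Returns UID_Person or None."""
    claims = verify_token(token, now=now)
    if claims is None:
        return None
    person = resolve_person(claims)
    return person["UID_Person"] if person else None


if __name__ == "__main__":
    tok = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                      "sub": "openam-7f3a", "exp": 2_000_000_000})
    print(login(tok, now=1_000))
```

Nothing in this flow consults Active Directory, which is what makes the reply's setup independent of the domain the user lives in; whatever the portal then needs for the database-side role is a separate question from the identity mapping shown here.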