Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.9 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Enabling email notifications

For users to receive email notifications, there are a few things you must configure properly.

To enable email notifications

  1. Users must set up their email address correctly.
    1. Local users:
      1. The Authorizer Administrator or User Administrator sets this up in the user's Contact Information. For more information, see Adding a user.

        -OR-

      2. Users set this up in their My Account settings. For more information, see User information and log out (desktop client).
    2. Directory users must have their email set in the Active Directory or LDAP domain.
  2. The Appliance Administrator must configure the SMTP server. For more information, see Email.

TIP: You can setup email subscriptions to any email event type through the API: https://<Appliance IP>/service/core/swagger/ui/index#/EventSubscribers. For more information, see Using the API.

Modifying an email template

Safeguard for Privileged Passwords provides default email templates for most events, such as when a password change fails or an access request is denied. However, you can customize individual email templates, for example to provide notification when emergency access is granted .

Each template corresponds to a single event type; the event triggers an email notification that uses the template.

To modify an email template

  1. Open the email template for editing. Navigate to Administrative Tools | Settings | External Integration | Email | Email Templates.
  2. In the Email Template dialog:
    1. Event: The event is selected when adding a new template. For more information, see Enabling email notifications.

    2. Subject: Edit the subject line for the email message.

      As you type, click  Insert Event Property Macro to insert predefined text into the subject line. For example, you may create the following subject line:

      Approval is required for {{Requester}}'s request

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see note at the end of this topic.)

      Limit: 1024 characters

    3. Reply to: Enter the email address of the person to reply to concerning this notification.

      Limit: 512 characters

    4. Body: Enter the body of the message.

      As you type, click  Insert Event Property Macro to insert predefined text into the body. For example, you may create the following body for an email template:

      {{Requester}} has requested the password for {{AccountName}} on {{AssetName}}

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see note below.)

      Limit: 16384 characters

    5. Preview Email: Select this link to display the Preview Email dialog so you can see how your email message will look.

NOTE: Each event type supports specific macros that are appropriate for that type of event. You can enter the macro into the text of the subject line or body using keywords surrounded by double braces rather than inserting the macro. However, Safeguard for Privileged Passwords ignores macros that are not supported by the event type. Unsupported macros appear blank in the email preview.

Identity and Authentication

Safeguard for Privileged Passwords allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log in to Safeguard. You can create providers for Active Directory, OpenLDAP 2.4, any SAML 2.0 federated service, or Radius.

To be managed, a directory asset must be added as both an asset and as an identity provider. When adding the identity provider, if the account name matches an account name already linked to an identity provider, the provider is automatically assigned.For more information, see Accounts.

Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication. The Identity and Authentication pane displays the following details about the identity and authentication providers defined.

Table 157: Identity and Authentication: Properties
Property Description
Name

The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with exception of Active Directory, External Federation, and any 2FA provider.

NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling.

Type

Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations.

  • Active Directory
  • LDAP
  • External Federation
  • Radius (use as a secondary authentication provider)
  • Radius as Primary (use as a primary authentication provider)
  • FIDO2

Description

Enter any descriptive information to use for administrative purposes.

Use these toolbar buttons to manage identity and authentication provider configurations.

Table 158: Identity and Authentication: Toolbar
Option Description
Add

Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers.

Delete Selected

Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users.

Refresh

Update the list of identity and authentication providers.

Edit

Modify the selected identity or authentication provider.

Sync Now

Run the directory addition and deletion synchronization process on demand. In addition, it runs through the discovery, if there are discovery rules and configurations set up.

Download

Download a copy of Safeguard for Privileged Passwords's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.

Authentication provider combinations

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling.

NOTE: It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in.

Using Local as the identity provider

Table 159: Allowable local identity provider combinations

Primary authentication

Secondary

authentication

Local: The specified login name and password will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

FIDO2

Certificate: The specified certificate thumbprint will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

Starling

Active Directory

LDAP

FIDO2

Using Active Directory as the identity provider

Table 160: Allowable Active Directory identity provider combinations

Primary authentication

Secondary

authentication

Active Directory: The samAccountName or X509 certificate will be used for authentication.

NOTE: The user must authenticate against the domain from which their account exists.

None

Starling

Radius

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

Starling

Radius

Active Directory LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

Starling

Active Directory

LDAP

FIDO2

Using LDAP as the identity provider

Table 161: Allowable LDAP identity provider combinations

Primary authentication

Secondary

authentication

LDAP: The specified username attribute will be used for authentication.

None

Starling

Radius

Active Directory

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

FIDO2

Radius : The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

Starling

Active Directory

LDAP

FIDO2

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating