The following sections describe Password Manager components and third-party applications.
About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Upgrading Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Extending AD LDS Schema
Instance Initialization
Installing Self-Service, New Self-Service (Preview), and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
FailSafe support in Password Manager
Specifying Custom Certificates for Authentication and Traffic EncryptionBetween Password Manager Service and Web Sites
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
TeleSign
SQL Server Database and SQL Server Reporting Services
Quick Connect Sync Engine
Defender
Password Manager Secure Token Server
RADIUS Two-Factor Authentication
Redistributable Secret Management Service
Location sensitive authentication
Working with Power BI
Password Manager Credential Checker
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Siteson Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Management Policy Overview
Password Policy Overview
reCAPTCHA Overview
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Data Replication
Phone-Based Authentication Service Overview
Configuring Management Policy
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
Configuring Questions and Answers Policy
Workflow overview
Custom workflows
Custom Activities
General Settings
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Overview of Built-in Self-Service Activities
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authentication Methods
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with an external provider
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in AD LDS
Change Password in AD LDS
Reset Password in AD LDS and Connected Systems
Change Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Enforce Update of Profile
Overview of Built-in Helpdesk Activities
User Enforcement Rules
Authentication Activities
Authentication Methods
Authenticate with Q&A Profile
Authenticate via Phone
Authenticate with Defender
Authenticate with RADIUS Two-Factor Authentication
Action Activities
Reset Password in AD LDS
Reset Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Assign Passcode
Unlock Q&A Profile
Enforce Update of Q&A Profile
Restart Workflow if Error Occurs
Notification Activities
General Settings Overview
Search and Logon Options
Password Policies
Configuring Search and Security Options for the Self-Service Site
Configuring Search Options for the Helpdesk Site
Configuring Security Settings
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
Update RADIUS server status
User Status Statistics Task
Clear Old Records from Reporting Database
Web Interface Customization
Instance Reinitialization
Realm Instances
AD LDS Instance Connections
Using Connections to AD LDS Instances
Specifying Access Account for AD LDS Instance Connections
Changing Access Account for AD LDS Instance Connections
Removing Connection to AD LDS Instance
Extensibility Features
RADIUS Two-Factor Authentication
Password Manager components and third-party applications
Unregistering users from Password Manager
Bulk Force Password Reset
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email Templates
About Password Policies
Creating a Password Policy
Managing Password Policy Scope
Configuring Password Policy Rules
Enable S2FA for Administrators and Enable S2FA for HelpDesk Users
Reporting
Password Compliance
Password Age Rule
Length Rule
Complexity Rule
Required Characters Rule
Disallowed Characters Rule
Sequence Rule
User Properties Rule
Symmetry Rule
Custom Rule
Deleting a Password Policy
Reporting and User Action History Overview
Appendix A: Accounts Used in Password Manager for AD LDS
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Password Manager Service Account
Application Pool Identity
Access Account for Application Directory Partition Connection
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager for AD LDS
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of Password Policies List
Customization of Password Strength Meter
Appendix D: Feature imparities between the legacy and the new Self-Service Sites
Glossary
Password Manager components and third-party applications
Password Manager Secure Token Server
General Settings > Password Manager components and third-party applications > Password Manager Secure Token Server
Password Manager Secure Token Server (STS) is installed with Password Manager version 5.10.0. You can configure STS to use internal or external providers with optional Multi-Factor Authentication (MFA).
This feature can only be used on the new PM Self-Service Site to authenticate users in a workflow. It is installed as a service called Password Manager Secure Token Server (STS). It has a configuration and user login interface.
How to use Password Manager STS features
To use the Password Manager STS feature, drag "Authenticate with external provider" activity into any workflow.
-
If you have not set up Secure Token Server connection or did not have valid providers configured in authentication providers, you cannot use this activity.
-
If you set up at least one provider, you can start using it.
-
If you set up more than one, you can select a provider for each activity used in workflows.
Authenticate with external provider on Self Service site
When authenticate with external provider is the current activity in a workflow, the user is presented with a login form, where they need to provide the credentials for the configured authentication provider. If the configured provider is using MFA, the user will be prompted for the next step.
This login interface uses the browser's language. The supported languages are the following:
-
Argentinean (ar)
-
Chinese (zh)
-
Dutch (nl)
-
English (en)
-
French (fr)
-
German (de)
-
Italian (it)
-
Japanese (ja)
-
Korean (ko)
-
Russian (ru)
-
Spanish (es)
Password Manger STS account restrictions
By default, the Password Manager STS account is set to be the same account as the Password Manager Service Account by the Password Manager installer. The account requires read rights on domain.
Using STS features in a Password Manager realm
The Password Manager STS settings are stored separately from other Password Manager settings in a file on each server. That file will be encrypted using the service user’s DPAPI key by default, or a specified certificate and can be replicated to other servers in a realm. For the replication to work the Password Manager STS instances should use the same ports.
Using Certificate to protect STS configuration
A trusted X.509 certificate with a private key needs to be installed on each server in the LocalMachine’s certificate store. The provided Rsts.exe.config XML configuration file (\One Identity\Password Manager\Service\SecureTokenServer\) will need to be modified on each machine running a PasswordManager STS instance. An example of the XML configuration file is as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="rstsConfigSource" type="Rsts.Config.RstsConfigSource, Rsts"/>
</configSections>
<rstsConfigSource xmlns="urn:Rsts.Config">
<source type="FileConfigProvider">
<fileConfigProvider fileName="rstsConfig.bin">
<protection type="RsaDataProtection">
<rsaDataProtection certificateStore="LocalMachine" certificateLookupType="FindByThumbprint" certificateLookupValue="b23655f8ac0b81c5b00bac0bc0a15e7e1d2b78be"/>
</protection>
</fileConfigProvider>
</source>
</rstsConfigSource>
</configuration>
The thumbprint of the certificate used to encrypt the Password Manager STS settings file is set in the rsaDataProtection element’s certificateLookupValue attribute. Change the value of the certificateLookupValue attribute to match the used certificate’s thumbprint. In case of swapping to certificate encryption, copy the protection element and its child nodes and replace the existing protection element in the masterConfigProvider and slaveConfigProvider node.
NOTE: This configuration will be used after the restart of Password Manager Secure Token Server service.
NOTE: The specified certificate must be valid, trusted and it must exist in the Local Computer’s certificate store. It must have a private key. Access to the private key must be granted to the service account that is running the Password Manager Secure Token Server Windows Service. The private key must be an RSA key, of any length. A certificate with an ECC key is not supported.
|
|
CAUTION: The current rstsConfig.bin will be unusable. For master (or single) instances of STS, reconfiguration has to take place from start. In case of slave instances, if the replication process works correctly, no reconfiguration is needed. |
Pre-configuration steps after swapping between encryption methods on master (or single) instance
Pre-configuration takes place on the PMAdmin site General Settings > Secure Token Server page. Password Manager will check if a reset happened, then try to configure the basic options needed for STS to work properly. If the configuration is successful, no modal should show up. After a page refresh, STS is useable again.
If Password Manager STS settings are not replicated automatically
To replicate the Password Manager STS settings manually, copy the rstsConfig.bin file from the server where you configured Password Manager STS to all other servers. After you copy the file, you must restart the Password Manager STS Windows Service.
NOTE: You can find rstsConfig.bin in <installdir>/One Identity/Password Manager/Service/SecureTokenServer/.
NOTE: This process needs to be repeated every time Password Manager STS settings are modified.
NOTE: : For this copy-paste process, the encryption method of the Password Manager STS has to be set to certification based encryption before configuration. See: Using Certificate to protect STS configuration.
Configuring Password Manager Secure Token Server
General Settings > Password Manager components and third-party applications > Configuring Password Manager Secure Token Server
Before the first visit of STS settings, you need to have a binding for your Password Manager site in IIS with the same port that is present in the <Password Manager installation folder>\One Identity\Password Manager\Service\QPM.Service.Host.exe.config under the StsHttpsPort key. By default 20000 is used.
To start using Password Manager STS,
-
Open the IIS manager and create an HTTPS binding with this port for Password Manager sites.
-
On the home page of the Administration site, click General Settings > Secure Token Server. The Secure Token Server page is displayed.
-
To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password. The default password is admin.
CAUTION: For security reasons, you must change the password immediately after you have logged in to the configuration interface the first time.
To change the password, go to Server settings > Administration Password.
To configure the port used by Password Manager STS,
-
On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.
-
To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.
-
Navigate to Server Settings > Listening Ports.
-
In the HTTPS Port field, enter the port that is the same as the HTTPS port of the website binding in IIS.
-
In the SSL Certificate section, select the certificate that is the same as the HTTPS certificate of the website binding in IIS.
-
To save your settings, click Save.
-
Refresh the page.
-
Follow the instructions in the Secure Token Server error popup window.
-
Enter your modified port number in the text field. To create or modify a firewall rule, select Create firewall rules for the port automatically.
-
To save your settings, click Save.
-
Open the Registry Editor and modify the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PasswordManagerSTS@ImagePath key value. At the end of the string, change the value of https-port to the modified port number.
-
Modify the port number of the HTTPS binding in IIS for your Password Manager site.
-
Restart the Password Manager service and the Password Manager STS service.
To set authentication providers,
-
On the home page of the Administration site, click General Settings > Secure Token Server. The Secure Token Server page is displayed.
-
To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.
-
Navigate to Authentication Providers, then click Add Authentication Provider, or select an existing one to edit by clicking on its name.
-
In the Display Name field, enter the name of the current provider. It is only displayed on the administration site.
-
Follow the instructions of this page to specify the Directory Type, the Connection Information and the Authentication Schemes for the current authentication provider.
-
Follow the instructions of this page to specify the Two Factor Authentication Settings for the current authentication provider. Your options are the following:
To validate and save your settings, click Finish.
To configure STS Server Settings,
-
On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.
-
To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.
-
Navigate to Server Settings.
-
You can edit the Issuer Name that will be used by the STS server to identify itself to relying party applications.
-
You can change the Administration Password for STS settings. Note: Every time you change this password, you need to revisit General Settings > Secure Token Server page and provide the new password in the popup window.
-
You can edit general STS server wide settings in General Settings.
-
You can set the HTTPS port that the STS service will use to accept incoming requests from relying party applications in Listening Ports. Also, choose an available SSL certificate to be used for HTTPS requests.
NOTE: Every time you change the port and/or the certificate, you need to revisit General Settings > Secure Token Server page and follow the instructions on the popup window.
-
You do not need to specify any login page image under Login Page Images, it will not be displayed.
-
If you have an authentication provider which uses OneLogin you can set a proxy server in Proxy Settings to be used with OneLogin communication.
|
|
NOTE: To be able to use STS features, you do not need to create an application in Applications of the Secure Token Server Home page for Password Manager. |
Provider-specific informations: Duo
In the Duo admin interface you need to create a Web SDK type application to connect with Password Manager STS.
Unregistering users from Password Manager
Using the unregister feature, users registered to the Password Manager can be removed. Note that the user is removed only from the Password Manager and not Active Directory.
To unregister a user from the Password Manager
- On the home page of the Administration site, click General Settings | Unregister Users.
-
On the Unregister Users page:
- If you want to unregister individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.
- If you want to select a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.
- If you want to select the entire organization unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Add.
-
Click Unregister User to unregister the users.