On the Authentication tab, specify the authentication settings for the user. An authentication provider can be the same or different as the user's identity provider.
Use valid combinations of identity and authentication providers. For more information, see Identity and Authentication.
Property | Description |
---|---|
Authentication Provider |
Indicates how this user is to authenticate to Safeguard for Privileged Passwords. The options are:
|
If Certificate provider: Certificate, Certificate Thumbprint (SHA-1) |
If adding a Certificate user, enter the unique hash value (40 hexadecimal characters) of the certificate. You can copy and paste the Thumbprint value directly from the certificate, including the spaces. |
If external federation provider: Email Address or Name Claim |
If adding an external federation user account, enter the email address or name claim that will be returned from the STS of an authenticated user. A case-insensitive comparison will be performed on the value when the user is logging in. NOTE: You must configure or ensure that the STS includes either the email address claim or name claim. Safeguard for Privileged Passwords will first look for the email address claim in the claims token. If that claim does not exist, it will use the name claim. You must create the user account in Safeguard for Privileged Passwords according to what claim is returned by your STS, with precedence given to the email address claim. |
If local or Radius as Primary provider: Login name |
If using Local or Radius as Primary for authentication, this is the user's login name. This defaults to the value entered on the Identity tab, Username field. If using directory authentication, the login name is auto-populated. |
Set Password button (editing an existing Local provider) |
If you are editing an existing user for a Local provider, you may click Set Password to change a user's password. This button is not available when creating a new user or editing a user account from an external identity provider like Microsoft Active Directory. |
Password (adding a Local provider) |
If adding a Local user, enter a password for the user. You must comply with the password requirements specified in the dialog. For more information, see Local Password Rule. |
Require Certificate Authentication (Active Directory provider if provider is MS AD) |
Select this check box to require that the user logs into Safeguard for Privileged Passwords using their domain issued user certificate or SmartCard. This option is only available when the Authentication Provider is a Microsoft Active Directory. |
Password Never Expires |
Select this check box to set a password that does not expire. |
User must change password at next login |
This check box is only available when using Local for authentication. When selected, this check box requires the user to change their password during their next login. |
Require Secondary Authentication |
Select this check box to require that this user logs in to Safeguard for Privileged Passwords with two-factor authentication. For more information, see Requiring secondary authentication log in. Then choose the Secondary Authentication Provider for this user. Use valid combinations of identity and authentication providers. For more information, see Identity and Authentication. |
Login Name (for secondary authentication; not used for FIDO2) |
A best practice is to have the users log in to validate the correct user is set up. |
Use alternate mobile phone number (if Starling Two-Factor Authentication) |
When Starling Two-Factor Authentication is selected, this option is available to enter an alternate Mobile phone number. The Number on file is the mobile phone number specified on the user's Identity tab. NOTE: The Approval Anywhere and one-touch approval features require a valid mobile phone number for the user. If the user does not have their mobile number published in Active Directory, use this option to specify a valid mobile phone number for the user. |