This document describes how you can use the services of One Identity Starling 2FA to authenticate the sessions of your privileged users with One Identity Safeguard for Privileged Sessions (SPS).
One Identity Safeguard for Privileged Sessions:
One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.
SPS acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. SPS can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from SPS's local Credential Store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with Starling 2FA (or another Multi-Factor Authentication (MFA) provider), SPS directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.
 
Integrating Starling 2FA with SPS:
SPS can interact with your Starling 2FA account and can automatically request strong Multi-Factor Authentication for your privileged users who are accessing the servers and services protected by SPS. When used together with Starling 2FA, SPS prompts the user for a second factor authentication, and upon successful authentication, it permits the user to access the information system.
The integration adds an additional security layer to the gateway authentication performed on SPS. If the Starling 2FA App is installed on the user's device (smartphone, notebook, smartwatch, and so on), the user can generate a One-Time Password (OTP) using the device. This will be used for the authentication to the One Identity platform. The one-time password is changed after 60 seconds.
 
Meet compliance requirements
ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements (for example, Multi-Factor Authentication (MFA) for accessing production systems, and the logging of all administrative sessions). Among other requirements, using SPS and Starling 2FA helps you comply with the following:
- PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using MFA.
- PART 500.12 Multi-Factor Authentication: Covered entities are required to apply MFA for:
  - Each individual accessing the covered entity's internal systems.
  - Authorized access to database servers that allow access to nonpublic information.
  - Third parties accessing nonpublic information.
- NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements MFA for network access to privileged accounts.
  
    
To successfully connect SPS with the RADIUS server, you need the following components.
In Starling 2FA:
- A valid Starling 2FA subscription that permits multi-factor authentication.
- Your users must be enrolled in Starling 2FA and their access must be activated, or you must use auto-provisioning to enroll your users. To create a new user account, log on to Starling, navigate to the Users tab and click Add.
- The users must install the Starling 2FA Mobile app.
- NOTE: Version 2.2.0 and later of the One Identity Starling Two-Factor Authentication plugin works only if you have joined your SPS deployment to Starling. If you want to use version 2.2.0 or later of the One Identity Starling Two-Factor Authentication plugin, complete the "Starling integration" procedure in the Administration Guide before upgrading the plugin.
 
 
In SPS:
- A copy of the SPS Starling 2FA Multi-Factor Authentication plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the Starling 2FA multi-factor authentication service.
- SPS must be able to access the Internet (at least the API services). Since Starling 2FA is a cloud-based service provider, SPS must be able to access its web services to authorize the user.
- Depending on the method you use to authenticate your users, your users might need Internet access on their cellphones.
- TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:
  - For the minimum TLS version, select TLS version 1.2.
  - For the maximum TLS version, select TLS version 1.3.
  For more information, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.
- SPS supports AA plugins in the MSSQL, RDP, SSH, and Telnet protocols.
- In RDP, using an AA plugin together with Network Level Authentication in a Connection Policy has the same limitations as using Network Level Authentication without domain membership.
- In RDP, using an AA plugin requires TLS-encrypted RDP connections. For details, see "Enabling TLS-encryption for RDP connections" in the Administration Guide.
 
Availability and support of the plugin
The SPS Starling 2FA Multi-Factor Authentication plugin is available for download as-is, free of charge to every SPS customer from the Starling Two-Factor Authentication plugin for SPS page. In case you need any customizations or additional features, contact our Support Team.
Caution: Using custom plugins in SPS is recommended only if you are familiar with both Python and SPS. Product support applies only to SPS: that is, until the entry point of the Python code and passing the specified arguments to the Python code. One Identity is not responsible for the quality, resource requirements, or any bugs in the Python code, nor any crashes, service outages, or any other damage caused by the improper use of this feature, unless explicitly stated in a contract with One Identity. If you want to create a custom plugin, contact our Support Team for details and instructions.
  
    
Detailed overview of SPS interworking with Starling 2FA
 
The following figure illustrates how SPS and Starling 2FA interwork with each other.
Figure 1: SPS interworking with Starling 2FA
 
 
If SPS is integrated with Starling 2FA, the interaction of the two products consists of the following steps:
1. Connect to a protected server.
2. SPS performs gateway authentication. SPS receives the connection request and authenticates you. SPS can authenticate you to a number of external user directories (for example: LDAP, Microsoft Active Directory, or RADIUS). This is the first factor of authentication.
3. SPS checks if you are exempt from multi-factor authentication. You can configure SPS using whitelists and blacklists to selectively require multi-factor authentication (for example, to create break-glass access for specific users).
   - If multi-factor authentication is not required, you can access the protected server, while SPS records your activities. The procedure ends here.
   - If multi-factor authentication is required, SPS continues the procedure with the next step.
   For details on creating exemption lists, see [WHITELIST].
4. Configure the Starling 2FA plugin to map the gateway usernames to the external Starling 2FA identities. Because the gateway usernames differ from the external Starling 2FA identities, you must configure the SPS Starling 2FA plugin to map one to the other. The external identity is the Starling ID. To obtain the Starling ID:
   - Download the Starling 2FA mobile application from the platform-specific (Apple or Android) application store.
   - Configure the mobile application.
   - Once the mobile application is integrated with Starling, open the Settings of the mobile application.
   - From the MY ACCOUNT tab, copy the Starling 2FA ID.
   To map the gateway username to the external identity, query an LDAP or Microsoft Active Directory server, or if applicable, append a domain name to the gateway username. For details, see [USERMAPPING].
5. SPS performs outband authentication on Starling 2FA. If gateway authentication is successful, SPS connects to the Starling 2FA server to check which authentication factors are available for you. After that, SPS requests the second authentication factor from you.
   - For OTP-like authentication factors, SPS requests the OTP from you, and sends it to the Starling 2FA server for verification.
   - For the Starling 2FA push notification factor, SPS asks the Starling 2FA server to check if you successfully authenticated on the Starling 2FA server.
6. If multi-factor authentication is successful, you can connect to the protected server, while SPS records your activities. Optionally, SPS can retrieve credentials from a local or external Credential Store or password vault, and perform authentication on the server with credentials that are not known to you.
7. If you open a new session within a short period, you can do so without having to perform multi-factor authentication again. After this configurable grace period expires, you must perform multi-factor authentication to open the next session. For details, see [authentication_cache].
 
    
This section contains the notable features of this plugin.
- This plugin supports auto-provisioning of Starling 2FA IDs. This means that if the email address and phone number of the user are stored in LDAP or Active Directory, the plugin can automatically enable Starling 2FA for that user. When using auto-provisioning, mapping the gateway usernames to the external Starling 2FA identity is not required. For details on configuring auto-provisioning, see [starling_auto_provision].
- To map the gateway usernames to the external Starling 2FA identities if the gateway usernames are different from the Starling 2FA usernames, configure the [USERMAPPING] section of the plugin.
- The [WHITELIST] section allows configuring authentication whitelists and blacklists, for example, to create break-glass access for specific users that lets them bypass Starling 2FA authentication.
- The [authentication_cache] section contains the settings that determine how soon after a Starling 2FA authentication the user must repeat the authentication when opening a new session.
- The [connection_limit by=client_ip_gateway_user] section contains the options related to limiting parallel sessions.
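The following is an added, illustrative Python model of the decision flow described in the interworking steps above and of the plugin sections listed here (exemption lists, username mapping, authentication cache, per-client/per-user connection limit). It is not the SPS plugin's code or API: the class name, the whitelist/blacklist semantics (blacklist wins, everyone else not whitelisted needs MFA), the domain-append mapping, the verify_otp callback that stands in for the Starling 2FA server, and all sample users and values are assumptions made for this example, and gateway authentication (step 2) is assumed to have already succeeded.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Starling2faGate:
    """Illustrative model of the SPS/Starling 2FA decision flow (not the real plugin API).

    Gateway authentication (first factor) is assumed to have succeeded already."""
    whitelist: set          # [WHITELIST]-style: gateway users exempt from MFA (break-glass)
    blacklist: set          # assumed semantics: users that must always do MFA, even if whitelisted
    domain: str             # [USERMAPPING]-style: appended to a bare gateway username
    grace_seconds: int      # [authentication_cache]-style grace period after a successful MFA
    max_parallel: int       # [connection_limit by=client_ip_gateway_user]-style cap
    _last_mfa: dict = field(default_factory=dict)   # gateway user -> time of last successful MFA
    _sessions: dict = field(default_factory=dict)   # (client_ip, gateway user) -> open sessions

    def mfa_required(self, user):
        """Step 3: exemption check. Blacklist overrides whitelist."""
        return user in self.blacklist or user not in self.whitelist

    def external_identity(self, user):
        """Step 4: map the gateway username to the Starling ID by appending a domain."""
        return user if "@" in user else f"{user}@{self.domain}"

    def authorize(self, user, client_ip, otp, verify_otp, now=None):
        """Steps 3-7 for one connection attempt.

        verify_otp(starling_id, otp) -> bool simulates the Starling 2FA server check.
        Returns a short decision string."""
        now = time.time() if now is None else now
        key = (client_ip, user)
        if self._sessions.get(key, 0) >= self.max_parallel:
            return "denied: connection limit"
        if self.mfa_required(user):
            last = self._last_mfa.get(user)
            if last is None or now - last > self.grace_seconds:
                if not verify_otp(self.external_identity(user), otp):
                    return "denied: second factor failed"
                self._last_mfa[user] = now      # successful MFA starts the grace period
        self._sessions[key] = self._sessions.get(key, 0) + 1
        return "allowed"

    def end_session(self, user, client_ip):
        """Release one parallel-session slot when the audited session closes."""
        key = (client_ip, user)
        if self._sessions.get(key, 0) > 0:
            self._sessions[key] -= 1
```

Within the grace period the second factor is not requested again, but the connection limit is still enforced per (client IP, gateway user) pair.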