Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Passwords 7.0 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings Reasons
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Authentication provider combinations

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in.

Using Local as the identity provider

Table 63: Allowable local identity provider combinations

Primary authentication

Secondary

authentication

Local: The specified login name and password or SSH key will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Certificate: The specified certificate thumbprint will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Active Directory as the identity provider

Table 64: Allowable Active Directory identity provider combinations

Primary authentication

Secondary

authentication

Active Directory: The samAccountName or X509 certificate will be used for authentication.

NOTE: The user must authenticate against the domain from which their account exists.

None

OneLogin MFA

Radius

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using LDAP as the identity provider

Table 65: Allowable LDAP identity provider combinations

Primary authentication

Secondary

authentication

LDAP: The specified username attribute will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius : The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Starling as the identity provider

Table 66: Allowable Starling identity provider combinations

Primary authentication

Secondary

authentication

Starling

None

Adding identity and authentication providers

It is the responsibility of the Appliance Administrator to add directories to Safeguard for use as identity and authentication providers.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of an Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

  1. Go to Identity and Authentication:
    • web client: Navigate to Safeguard Access | Identity and Authentication.
  2. Click Add.
  3. Click the provider:

Asset Management

In the web client, expand the Asset Management section in the left navigation pane.

The following pages are available. See each section for a description of the functions available.

Topics:

Account Automation

Also available as a pane on the Home page, the Asset Management | Account Automation page allows Asset Administrators to view information regarding accounts that are failing or succeeding different types of tasks. This page includes both automated and manual tasks in the results. Clicking one of the tasks on the view displays additional information.

Account Automation: Types

Information on the following account automation tasks is displayed by default. Click the button to customize the tasks that are displayed.

  • Password Check Failures: Displays a list of accounts where password check tasks failed.
  • Password Change Failures: Displays a list of accounts where password change tasks failed.
  • SSH Key Check Failures: Displays a list of accounts where SSH key check tasks failed.
  • SSH Key Change Failures: Displays a list of accounts where SSH key change tasks failed.
  • SSH Key Discovery Failures: Displays a list of accounts where SSH key discovery tasks failed.
  • SSH Key Revoke Failures: Displays a list of accounts where SSH key Revoke tasks failed.
  • Suspend Account Failures: Displays a list of accounts where suspend tasks failed.
  • Restore Account Failures: Displays a list of accounts where restore tasks failed.
  • Password Check Successes: Displays a list of accounts where password check tasks succeeded in the past 24-hours.
  • Password Change Successes: Displays a list of accounts where password change tasks succeeded in the past 24-hours.
  • SSH Key Check Successes: Displays a list of accounts where SSH key check tasks succeeded in the past 24-hours.
  • SSH Key Change Successes: Displays a list of accounts where SSH key change tasks succeeded in the past 24-hours.
  • SSH Key Discovery Successes: Displays a list of accounts where SSH key discovery tasks succeeded in the past 24-hours.
  • SSH Key Revoke Successes: Displays a list of accounts where SSH key Revoke tasks succeeded in the past 24-hours.
Account Automation: Toolbar

After selecting a task to view additional information, use the toolbar at the top of the details grid to perform the following tasks.

  • View Details: After selecting a task from the table, click this button to view additional information on the task.
  • Re-Run Task: Available for failed tasks only, select to rerun the selected task.
  • Export: Select to create a .csv or .json file of the currently displayed account automation grid and save it to a location of your choice. For more information, see Exporting data.
  • Refresh: Select to refresh the data displayed in the table.
  • Columns: Select to display a list of columns that can be displayed in the grid. Select the check box for data to be included in the grid. Clear the check box for data to be excluded from the grid.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione