Password Manager 5.11.1 - Administration Guide

Working with RADIUS servers

You can create two RADIUS servers to authenticate users on the Self-Service site and Helpdesk site through RADIUS Two-Factor authentication.

To configure RADIUS Two-Factor Authentication in Password Manager, you have to configure the RADIUS server details in Password Manager. For more information on creating and configuring a RADIUS server, see RADIUS Two-Factor Authentication.

To swap RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Interchange RADIUS servers to swap the primary and secondary priority of the RADIUS servers.

To modify RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click the modify icon to modify the properties and attributes of RADIUS servers.

    NOTE: The status of the RADIUS server is scanned every 5 minutes.

To disable RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Disable to disable a RADIUS server.

  3. When the confirmation message is displayed, click Disable.

    The server is disabled.

    NOTE:

    • On disabling a RADIUS server, the other RADIUS server by default becomes the primary server.

    • You can enable a server that was disabled earlier.

To delete RADIUS servers

  1. On the home page of the Administration site, click General Settings | RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed along with the primary and secondary servers.

  2. Click Delete to permanently delete the RADIUS server.

  3. When the confirmation message is displayed, click Delete.

    The server is deleted.

During a workflow execution, the ping that checks the status of the RADIUS server is temporarily interrupted. The status check continues after the authentication process in the workflow is completed successfully.

For more information, see Authenticate with RADIUS Two-Factor Authentication.

Password Manager components and third-party applications

The following sections describe Password Manager components and third-party applications.

Password Manager Secure Token Server

Password Manager Secure Token Server (STS) is installed with Password Manager version 5.10.0. You can configure STS to use internal or external providers with optional Multi-Factor Authentication (MFA).

You can use this feature on the new PM Self-Service Site to authenticate users in a workflow, or to authenticate admin and helpdesk users. This feature is installed as a service called Password Manager Secure Token Service (STS). It has a configuration and user login interface.

How to use Password Manager STS features

To use the Password Manager STS feature, drag the "Authenticate with external provider" activity into any workflow.

  • If you have not set up the Secure Token Server connection or have no valid providers configured in Authentication Providers, you cannot use this activity.

  • If you set up at least one provider, you can start using it.

  • If you set up more than one, you can select a provider for each activity used in workflows.

Authenticate with external provider on Self Service site

When "Authenticate with external provider" is the current activity in a workflow, the user is presented with a login form, where they need to provide the credentials for the configured authentication provider. If the configured provider is using MFA, the user will be prompted for the next step.

This login interface uses the browser's language. The supported languages are the following:

  • Argentinean (ar)

  • Chinese (zh)

  • Dutch (nl)

  • English (en)

  • French (fr)

  • German (de)

  • Italian (it)

  • Japanese (ja)

  • Korean (ko)

  • Russian (ru)

  • Spanish (es)

Password Manager STS account restrictions

By default, the Password Manager installer sets the Password Manager STS account to the same account as the Password Manager Service Account. The account requires read rights on the domain.

Using STS features in a Password Manager realm

The Password Manager STS settings are stored separately from other Password Manager settings in a file on each server. By default, that file is encrypted using the service user’s DPAPI key, or with a specified certificate, and it can be replicated to other servers in a realm. For the replication to work, the Password Manager STS instances should use the same ports.

Using Certificate to protect STS configuration

A trusted X.509 certificate with a private key needs to be installed on each server in the LocalMachine’s certificate store. The provided Rsts.exe.config XML configuration file (\One Identity\Password Manager\Service\SecureTokenServer\) will need to be modified on each machine running a Password Manager STS instance. An example of the XML configuration file is as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="rstsConfigSource" type="Rsts.Config.RstsConfigSource, Rsts"/>
  </configSections>
  <rstsConfigSource xmlns="urn:Rsts.Config">
    <source type="FileConfigProvider">
      <fileConfigProvider fileName="rstsConfig.bin">
        <protection type="RsaDataProtection">
          <rsaDataProtection certificateStore="LocalMachine" certificateLookupType="FindByThumbprint" certificateLookupValue="b23655f8ac0b81c5b00bac0bc0a15e7e1d2b78be"/>
        </protection>
      </fileConfigProvider>
    </source>
  </rstsConfigSource>
</configuration>

The thumbprint of the certificate used to encrypt the Password Manager STS settings file is set in the rsaDataProtection element’s certificateLookupValue attribute. Change the value of the certificateLookupValue attribute to match the thumbprint of the certificate you use. When switching to certificate encryption, copy the protection element and its child nodes and replace the existing protection element in the masterConfigProvider and slaveConfigProvider node.

NOTE: This configuration will be used after the restart of Password Manager Secure Token Server service.

NOTE: The specified certificate must be valid, trusted and it must exist in the Local Computer’s certificate store. It must have a private key. Access to the private key must be granted to the service account that is running the Password Manager Secure Token Server Windows Service. The private key must be an RSA key, of any length. A certificate with an ECC key is not supported.

CAUTION: The current rstsConfig.bin will be unusable. For master (or single) instances of STS, reconfiguration has to take place from start. In case of slave instances, if the replication process works correctly, no reconfiguration is needed.
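
The certificate requirements in the NOTE above can be checked before the service is restarted. The following PowerShell is an added example, not part of the product or its documentation; the function name Test-StsProtectionCertificate and its -ConfigPath parameter are hypothetical, and it assumes the first rsaDataProtection element in the file is the one in use.

```powershell
# Added example (not vendor code): checks the certificate referenced by
# Rsts.exe.config against the requirements listed in the NOTE above.
# Test-StsProtectionCertificate and -ConfigPath are hypothetical names.
function Test-StsProtectionCertificate {
    param(
        # Full path to Rsts.exe.config; the install directory is site-specific.
        [Parameter(Mandatory)] [string] $ConfigPath
    )

    [xml] $config = Get-Content -LiteralPath $ConfigPath -Raw
    # Assumption: the first rsaDataProtection element is the one in use.
    $node = $config.GetElementsByTagName('rsaDataProtection') | Select-Object -First 1
    if (-not $node) { throw "No rsaDataProtection element found in $ConfigPath" }
    if ($node.certificateLookupType -ne 'FindByThumbprint') {
        throw "Unexpected certificateLookupType '$($node.certificateLookupType)'"
    }

    # Thumbprints pasted from the certificate dialog often carry spaces or an
    # invisible leading character; report that instead of failing silently.
    $raw   = [string] $node.certificateLookupValue
    $thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Search every LocalMachine store; prefer the copy that has a private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $thumb } |
        Sort-Object -Property HasPrivateKey -Descending |
        Select-Object -First 1

    # Opening the key only succeeds for accounts that were granted access,
    # so run this as the STS service account to test that requirement.
    $keyReadable = $false
    if ($cert -and $cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $keyReadable = $null -ne $rsa
        } catch { $keyReadable = $false }
    }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint        = $thumb
        ThumbprintIsClean = $raw -match '^[0-9A-Fa-f]{40}$'
        Found             = [bool] $cert
        HasPrivateKey     = [bool] ($cert -and $cert.HasPrivateKey)
        IsRsaKey          = [bool] ($cert -and $cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1')
        WithinValidity    = [bool] ($cert -and $now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainTrusted      = [bool] ($cert -and $cert.Verify())
        KeyReadableByMe   = $keyReadable
    }
}
```

Any property that comes back False corresponds to one of the listed requirements not being met on that server.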

Pre-configuration steps after swapping between encryption methods on master (or single) instance

Pre-configuration takes place on the PMAdmin site General Settings > Secure Token Server page. Password Manager will check if a reset happened, then try to configure the basic options needed for STS to work properly. If the configuration is successful, no modal should show up. After a page refresh, STS is usable again.

If Password Manager STS settings are not replicated automatically

To replicate the Password Manager STS settings manually, copy the rstsConfig.bin file from the server where you configured Password Manager STS to all other servers. After you copy the file, you must restart the Password Manager STS Windows Service.

NOTE: You can find rstsConfig.bin in <installdir>/One Identity/Password Manager/Service/SecureTokenServer/.

NOTE: This process needs to be repeated every time Password Manager STS settings are modified.

NOTE: For this copy-paste process, the encryption method of the Password Manager STS has to be set to certificate-based encryption before configuration. See: Using Certificate to protect STS configuration.

Configuring Password Manager Secure Token Server

Before the first visit of STS settings, you need to have a binding for your Password Manager site in IIS with the same port that is present in the <Password Manager installation folder>\One Identity\Password Manager\Service\QPM.Service.Host.exe.config under the StsHttpsPort key. By default 20000 is used.

To start using Password Manager STS,

  1. Open the IIS manager and create an HTTPS binding with this port for Password Manager sites.

  2. On the home page of the Administration site, click General Settings > Secure Token Server. The Secure Token Server page is displayed.

  3. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password. The default password is admin.

    CAUTION: For security reasons, you must change the password immediately after you have logged in to the configuration interface the first time.

    To change the password, go to Server settings > Administration Password.

To configure the port used by Password Manager STS,

  1. On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.

  3. Navigate to Server Settings > Listening Ports.

  4. In the HTTPS Port field, enter the port that is the same as the HTTPS port of the website binding in IIS.

  5. In the SSL Certificate section, select the certificate that is the same as the HTTPS certificate of the website binding in IIS.

  6. To save your settings, click Save.

  7. Refresh the page.

  8. Follow the instructions in the Secure Token Server error popup window.

  9. Enter your modified port number in the text field. To create or modify a firewall rule, select Create firewall rules for the port automatically.

  10. To save your settings, click Save.

  11. Open the Registry Editor and modify the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PasswordManagerSTS@ImagePath key value. At the end of the string, change the value of https-port to the modified port number.

  12. Modify the port number of the HTTPS binding in IIS for your Password Manager site.

  13. Restart the Password Manager service and the Password Manager STS service.
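
The procedure above leaves the STS port recorded in three places that must agree. The following PowerShell is an added example, not part of the product or its documentation; Get-StsPortDrift and -HostConfigPath are hypothetical names, and the appSettings layout of StsHttpsPort and the way the number follows https-port in ImagePath are assumptions.

```powershell
# Added example (not vendor code): compares the STS HTTPS port recorded in the
# three places the procedure above touches. Get-StsPortDrift is a hypothetical name.
function Get-StsPortDrift {
    param(
        # Full path to QPM.Service.Host.exe.config; install directory is site-specific.
        [Parameter(Mandatory)] [string] $HostConfigPath
    )

    # Assumption: StsHttpsPort is stored as <add key="StsHttpsPort" value="..."/>.
    [xml] $config = Get-Content -LiteralPath $HostConfigPath -Raw
    $setting = $config.SelectSingleNode("//add[@key='StsHttpsPort']")
    $configPort = if ($setting) { [int] $setting.GetAttribute('value') } else { $null }

    # Assumption: the port is the first number that follows "https-port" in ImagePath.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PasswordManagerSTS'
    $imagePath = (Get-ItemProperty -LiteralPath $svcKey -Name ImagePath).ImagePath
    $servicePort = if ($imagePath -match 'https-port\D{0,3}(\d+)') { [int] $Matches[1] } else { $null }

    # HTTPS bindings of all IIS sites; bindingInformation has the form "ip:port:host".
    # The regex takes the port from the end so bracketed IPv6 addresses do not break it.
    Import-Module WebAdministration
    $iisPorts = @(Get-WebBinding -Protocol https |
        ForEach-Object {
            if ($_.bindingInformation -match ':(\d+):[^:]*$') { [int] $Matches[1] }
        } |
        Sort-Object -Unique)

    [pscustomobject]@{
        ConfigPort  = $configPort
        ServicePort = $servicePort
        IisPorts    = $iisPorts
        Consistent  = ($null -ne $configPort) -and
                      ($configPort -eq $servicePort) -and
                      ($iisPorts -contains $configPort)
    }
}
```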

To set authentication providers,

  1. On the home page of the Administration site, click General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.

  3. Navigate to Authentication Providers, then click Add Authentication Provider, or select an existing one to edit by clicking on its name.

  4. In the Display Name field, enter the name of the current provider. It is only displayed on the administration site.

  5. Follow the instructions of this page to specify the Directory Type, the Connection Information and the Authentication Schemes for the current authentication provider.

  6. Follow the instructions of this page to specify the Two Factor Authentication Settings for the current authentication provider. Your options are the following:

    • None

    • OneLogin MFA

    • RADIUS

    • FIDO2/WebAuthn

    • Duo Web iFrame

    To validate and save your settings, click Finish.

To configure STS Server Settings,

  1. On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password.

  3. Navigate to Server Settings.

  4. You can edit the Issuer Name that will be used by the STS server to identify itself to relying party applications.

  5. You can change the Administration Password for STS settings. Note: Every time you change this password, you need to revisit General Settings > Secure Token Server page and provide the new password in the popup window.

  6. You can edit general STS server wide settings in General Settings.

  7. You can set the HTTPS port that the STS service will use to accept incoming requests from relying party applications in Listening Ports. Also, choose an available SSL certificate to be used for HTTPS requests.

    NOTE: Every time you change the port and/or the certificate, you need to revisit General Settings > Secure Token Server page and follow the instructions on the popup window.

  8. You do not need to specify any login page image under Login Page Images, because it will not be displayed.

  9. If you have an authentication provider which uses OneLogin, you can set a proxy server in Proxy Settings to be used with OneLogin communication.

NOTE: To be able to use STS features, you do not need to create an application in Applications of the Secure Token Server Home page for Password Manager.

Provider-specific information: Duo

In the Duo admin interface you need to create a Web SDK type application to connect with Password Manager STS.
