SQL Server Database and SQL Server Reporting Services
Using a SQL database and SQL Server Reporting Services you can manage reports that allow you to analyze how the application is used.
The available out-of-the-box reports help you track user registration activity, Helpdesk tasks, user statuses, and so on.
For more information, see Reporting and User Action History Overview.
One Identity Quick Connect Sync Engine
One Identity Quick Connect Sync Engine is a One Identity product that provides unified identity and access management. Integrating Password Manager with Quick Connect Sync Engine allows you to enable users and Helpdesk operators to manage their passwords across different connected data sources.
To use Quick Connect Sync Engine, configure Change password in Active Directory and connected systems or Reset password in Active Directory and connected systems activities.
To communicate with Quick Connect Sync Engine, Password Manager uses Transmission Control Protocol (TCP).
For more information, see Reset Password in Active Directory and Connected Systems.
Defender
Defender is a One Identity product that provides two-factor authentication. Defender uses one-time passwords generated by special hardware or software tokens. If Password Manager is integrated with Defender, users can use one-time passwords to authenticate themselves on the Self-Service site.
To use Defender with Password Manager, install the Defender Client SDK on the server on which Password Manager Service is installed.
For more information, see Authenticate with Defender.
Password Manager Secure Token Server (STS) is installed with Password Manager version 5.10.0. You can configure STS to use internal or external providers with optional Multi-Factor Authentication (MFA).
You can use this feature on the new PM Self-Service Site to authenticate users in a workflow, or to authenticate admin and helpdesk users. This feature is installed as a service called Password Manager Secure Token Service (STS). It has a configuration and user login interface.
How to use Password Manager STS features
To use the Password Manager STS feature, drag "Authenticate with external provider" activity into any workflow.
-
If you have not set up Secure Token Server connection or did not have valid providers configured in authentication providers, you cannot use this activity.
-
If you set up at least one provider, you can start using it.
-
If you set up more than one, you can select a provider for each activity used in workflows.
Authenticate with external provider on Self Service site
When authenticate with external provider is the current activity in a workflow, the user is presented with a login form, where they need to provide the credentials for the configured authentication provider. If the configured provider is using MFA, the user will be prompted for the next step.
This login interface uses the browser's language. The supported languages are the following:
-
Argentinean (ar)
-
Chinese (zh)
-
Dutch (nl)
-
English (en)
-
French (fr)
-
German (de)
-
Italian (it)
-
Japanese (ja)
-
Korean (ko)
-
Russian (ru)
-
Spanish (es)
Password Manger STS account restrictions
By default, the Password Manager STS account is set to be the same account as the Password Manager Service Account by the Password Manager installer. The account requires read rights on domain.
Using STS features in a Password Manager realm
The Password Manager STS settings are stored separately from other Password Manager settings in a file on each server. That file will be encrypted using the service user’s DPAPI key by default, or a specified certificate and can be replicated to other servers in a realm. For the replication to work the Password Manager STS instances should use the same ports.
Using Certificate to protect STS configuration
A trusted X.509 certificate with a private key needs to be installed on each server in the LocalMachine’s certificate store. The provided Rsts.exe.config XML configuration file (\One Identity\Password Manager\Service\SecureTokenServer\) will need to be modified on each machine running a PasswordManager STS instance. An example of the XML configuration file is as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="rstsConfigSource" type="Rsts.Config.RstsConfigSource, Rsts"/>
</configSections>
<rstsConfigSource xmlns="urn:Rsts.Config">
<source type="FileConfigProvider">
<fileConfigProvider fileName="rstsConfig.bin">
<protection type="RsaDataProtection">
<rsaDataProtection certificateStore="LocalMachine" certificateLookupType="FindByThumbprint" certificateLookupValue="b23655f8ac0b81c5b00bac0bc0a15e7e1d2b78be"/>
</protection>
</fileConfigProvider>
</source>
</rstsConfigSource>
</configuration>
The thumbprint of the certificate used to encrypt the Password Manager STS settings file is set in the rsaDataProtection element’s certificateLookupValue attribute. Change the value of the certificateLookupValue attribute to match the used certificate’s thumbprint. In case of swapping to certificate encryption, copy the protection element and its child nodes and replace the existing protection element in the masterConfigProvider and slaveConfigProvider node.
NOTE: This configuration will be used after the restart of Password Manager Secure Token Server service.
NOTE: The specified certificate must be valid, trusted and it must exist in the Local Computer’s certificate store. It must have a private key. Access to the private key must be granted to the service account that is running the Password Manager Secure Token Server Windows Service. The private key must be an RSA key, of any length. A certificate with an ECC key is not supported.
|
CAUTION: The current rstsConfig.bin will be unusable. For master (or single) instances of STS, reconfiguration has to take place from start. In case of slave instances, if the replication process works correctly, no reconfiguration is needed. |
Pre-configuration steps after swapping between encryption methods on master (or single) instance
Pre-configuration takes place on the PMAdmin site General Settings > Secure Token Server page. Password Manager will check if a reset happened, then try to configure the basic options needed for STS to work properly. If the configuration is successful, no modal should show up. After a page refresh, STS is useable again.
If Password Manager STS settings are not replicated automatically
To replicate the Password Manager STS settings manually, copy the rstsConfig.bin file from the server where you configured Password Manager STS to all other servers. After you copy the file, you must restart the Password Manager STS Windows Service.
NOTE: You can find rstsConfig.bin in <installdir>/One Identity/Password Manager/Service/SecureTokenServer/.
NOTE: This process needs to be repeated every time Password Manager STS settings are modified.