Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Starling

Safeguard for Privileged Passwords can join with the cloud platform One Identity Starling. By joining with One Identity Starling, Safeguard for Privileged Passwords customers can take advantage of companion features from multiple Starling services. In addition, once Safeguard for Privileged Passwords has joined with Starling, a Starling Identity and Authentication provider will automatically be added to Safeguard. However, there won't be any users or groups available until an administrator adds a Microsoft Azure Active Directory tenant to their Starling organization via the Directories settings page in Starling. For more information, see the following sections:

Join Starling

In order to use the Safeguard for Privileged Passwords features associated with Starling services, you must join Safeguard for Privileged Passwords to Starling. It is the responsibility of the Appliance Administrator to join One Identity Safeguard for Privileged Passwords to Starling.

For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.

Prerequisites

See the Starling Release Notes for currently supported platforms.

In order to use the companion features from Starling services, first configure the following:

  • Register a Starling organization. For more information on Starling, see the One Identity Starling User Guide.

    IMPORTANT: Not all Starling services are available to organizations in both the United States and European Union data centers. Check the documentation for the Starling services to see if there are any data center restrictions.

  • If your company requires the use of a proxy to access the internet, you must configure the web proxy to be used. For more information on configuring a web proxy to be used by Safeguard for Privileged Passwords for outbound web requests to integrated services, see Networking.
  • To use the Cloud Assistant feature, you must subscribe to the Starling Cloud Assistant feature and configure the channel(s) that will be used.
Join Safeguard for Privileged Passwords with Starling

NOTE: You must be an Organization Admin for the Starling organization in order to join Safeguard for Privileged Passwords with Starling.

  1. Go to Starling:
    • web client: Navigate to External Integration > Starling.
  2. Notice that this pane also includes the following links, which provide assistance with Starling:
    • Visit us online to learn more displays the Starling login page where you can create a new Starling account.
    • Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
  3. Click Join to Starling and follow the prompts to complete the process.

    The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard for Privileged Passwords will be joined with.
  4. After the join has successfully completed, you will be returned to the Safeguard for Privileged Passwords client and the Starling pane will now show Joined to Starling. For information on the features that are now available, see After joining Starling. For information on unjoining from Starling, see Unjoin Starling.

    IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.

After joining Starling

Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled:

Feature using Starling Connect
  • Starling Connect Registered Connectors

    This feature integrates your Starling connectors with Safeguard for Privileged Passwords. This allows for the accounts stored in the connectors to be discovered and controlled by Safeguard for Privileged Passwords through the use of partitions which allow for rotating passwords to provide additional security for them. For more information, see Registered Connectors.

Feature using Starling Cloud Assistant
  • Cloud Assistant

    The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the Safeguard for Privileged Passwords web application.

    The Cloud Assistant feature is enabled when you join Safeguard for Privileged Passwords to Starling. For more information, see Starling.. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

    IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.

Feature using Connect for Safeguard Assets
  • Connect for Safeguard Assets

    Within Starling, a Connect for Safeguard Assets service is available. Once added, this service allows for assets not connected to your corporate network to use the check and change passwords functionality of Safeguard for Privileged Passwords. For more information, see the Connect for Safeguard Assets User Guide available as part of the Safeguard for Privileged Passwords documentation.

    IMPORTANT: Regardless of the version of Safeguard for Privileged Passwords you are using, the Connect for Safeguard Assets User Guide associated with the latest version of Safeguard for Privileged Passwords should always be used when configuring a new agent. This is available from the Safeguard for Privileged Passwords documentation site.

Starling as an identity provider

Once Safeguard for Privileged Passwords has joined with Starling, a Starling Identity and Authentication provider will automatically be added to Safeguard. This is indicated by the Realm(s) section under Starling. However, there won't be any users or groups available until an administrator adds a Microsoft Azure Active Directory tenant to their Starling organization via the Directories settings page in Starling.

Using Starling as an identity provider

  1. Join Safeguard for Privileged Passwords with Starling. For more information, see Join Starling.

  2. Enable a Microsoft Azure Active Directory tenant in your Starling organization (multiple Microsoft Azure Active Directory tenants can be added to Starling, but they will be available and treated as a single tenant when used by Safeguard). This is done via the Directories settings page in Starling. For more information, see the Starling User Guide.

  3. In order for Safeguard users to authenticate against Starling, a Relying Party Trust Application must be created in Starling via the Applications settings page. For more information, see the Starling User Guide.

    To create the application in Starling, you will need to Download Safeguard Federation Metadata from Identity and Authentication.

    NOTE: You cannot use the Add OpenID Connect Application with Safeguard for Privileged Passwords.

  4. You will need to enter one or more values in the Realm(s) section to associate with the new Starling authentication provider. This will then allow users logging in to Safeguard to select External Federation and use Starling for their authentication.

  5. When the Require User to Always Authenticate check box is selected, the user will always be required to enter their credentials on the external provider, regardless of whether they are already logged in.

Adding new users and groups to Safeguard that come from Starling follows the same process as with other directory based identity providers (such as, Active Directory and LDAP) and the user information will be periodically synchronized from Starling.

IMPORTANT: You may need to restart the client in order for Starling to appear as an available identity provider.

Unjoin Starling

It is the responsibility of the Appliance Administrator to unjoin One Identity Safeguard for Privileged Passwords from Starling.

For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.

To unjoin Safeguard for Privileged Passwords from Starling

  1. Go to Starling:
    • web client: Navigate to External Integration > Starling.
  2. Click Unjoin Starling.

    IMPORTANT: If there is an issue with the connection to Starling, a warning message will appear on the page and you will instead see a Force Unjoin button.

  3. Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Cloud Assistant, Starling identity providers, and integrated connectors are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account can rejoin Safeguard for Privileged Passwords to Starling at any time.

    IMPORTANT: If you attempt to unjoin from Starling while there are still Safeguard users or groups that use the Starling provider for identity and authentication, you will get an error. You must manually delete any users or groups first before unjoining from Starling.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione