Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Sessions 6.0 LTS - DEPRECATED Duo Multi-Factor Authentication - Tutorial

Introduction

NOTE:

This tutorial describes the deprecated version of the plugin.

To upgrade your deprecated plugin for One Identity Safeguard for Privileged Sessions 6.0, see Upgrading plugins for One Identity Safeguard for Privileged Sessions version 6.0.

This document describes how you can use the services of Duo to authenticate the sessions of your privileged users with One Identity Safeguard for Privileged Sessions (SPS).

One Identity Safeguard for Privileged Sessions:

One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.

SPS acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. SPS can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from SPS's local credential store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with Duo (or another multi-factor authentication provider), SPS directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.

Integrating Duo with SPS:

SPS can interact with your Duo account and can automatically request strong multi-factor authentication for your privileged users who are accessing the servers and services protected by PSM. When used together with Duo, SPS directs all connections to the Duo tool, and upon successful authentication, it permits the user to access the information system.

The integration adds an additional security layer to the gateway authentication performed on SPS. If the Duo Mobile app is installed on the user's device (smartphone, notebook, smartwatch, and so on), the user can generate a one-time password on the device. This will be used for the authentication to the One Identity platform. This way, the device turns into a two-factor authentication token for the user. The one-time password is changed after every authentication and is generated using dynamic keys.

Meet compliance requirements

ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements, for example, multi-factor authentication (MFA) for accessing production systems, and the logging of all administrative sessions. In addition to other requirements, using SPS and Duo helps you comply with the following requirements:

  • PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using multi-factor authentication.

  • PART 500.12 Multi-Factor Authentication: Covered entities are required to apply multi-factor authentication for:

    • Each individual accessing the covered entity’s internal systems.

    • Authorized access to database servers that allow access to nonpublic information.

    • Third parties accessing nonpublic information.

  • NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements multi-factor authentication for network access to privileged accounts.

How SPS and Duo MFA work together

Figure 1: How SPS and Duo work together

  1. A user attempts to log in to a protected server.

  2. Gateway authentication on SPS

    SPS receives the connection request and authenticates the user. SPS can authenticate the user to a number of external user directories, for example, LDAP, Microsoft Active Directory, or RADIUS. This authentication is the first factor.

  3. Outband authentication on Duo

    If gateway authentication is successful, SPS connects the Duo server to check which authentication factors are available for the user. Then SPS requests the second authentication factor from the user.

    • For OTP-like authentication factors, SPS requests the one-time password (OTP) from the user, and sends it to the Duo server for verification.

    • For the Duo push notification factor, SPS asks the Duo server to check if the user successfully authenticated on the Duo server.

  4. If multi-factor authentication is successful, the user can start working, while SPS records the user's activities. (Optionally, SPS can retrieve credentials from a local or external credential store or password vault, and perform authentication on the server with credentials that are not known to the user.)

Technical requirements

In order to successfully connect SPS with Duo, you need the following components.

In Duo:
  • A valid Duo subscription that permits multi-factor authentication.

  • Your users must be enrolled in Duo and their access must be activated.

  • The users must install the Duo Mobile app.

In SPS:
  • A One Identity Safeguard for Privileged Sessions appliance (virtual or physical), at least version 5 F1.

  • A copy of the SPS Duo plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the Duo multi-factor authentication service.

  • SPS must be able to access the Internet (at least the API services). Since Duo is a cloud-based service provider, SPS must be able to access its web services to authorize the user.

    The connection also requires the ikey, skey, and host parameters:

    1. Log on to the Duo Admin Panel interface and navigate to Applications.

    2. Click Protect an Application and locate Web SDK in the applications list.

    3. Click Protect this Application to get your integration key (ikey), secret key, (skey), and API hostname (host). For details, see Getting Started with Duo Security.

  • Depending on the factor you use to authenticate your users, your users might need Internet access on their cellphones.

Availability and support of the plugin

The SPS Duo plugin is available as-is, free of charge to every SPS customer from the Plugin Page. In case you need any customizations or additional features, contact our Professional Services Team.

You can use the plugin on SPS 5 F5 and later. If you need to use the plugin on SPS 5 LTS, contact our Professional Services Team.

How SPS and Duo work together in detail

Figure 2: How SPS and Duo work together

  1. A user attempts to log in to a protected server.

  2. Gateway authentication on SPS

    SPS receives the connection request and authenticates the user. SPS can authenticate the user to a number of external user directories, for example, LDAP, Microsoft Active Directory, or RADIUS. This authentication is the first factor.

  3. Check if the user is exempt from multi-factor authentication

    You can configure SPS using whitelists and blacklists to selectively require multi-factor authentication for your users, for example, to create break-glass access for specific users.

    • If multi-factor authentication is not required, the user can start working, while SPS records the user's activities. The procedure ends here.

    • If multi-factor authentication is required, SPS continues the procedure with the next step.

    For details on creating exemption lists, see whitelist.

  4. Determining the Duo username

    If the gateway usernames are different from the Duo usernames, you must configure the SPS Duo plugin to map the gateway usernames to the Duo usernames. The mapping can be as simple as appending a domain name to the gateway username, or you can query an LDAP or Microsoft Active Directory server. For details, see Mapping SPS usernames to Duo identities.

  5. Outband authentication on Duo

    If gateway authentication is successful, SPS connects the Duo server to check which authentication factors are available for the user. Then SPS requests the second authentication factor from the user.

    • For OTP-like authentication factors, SPS requests the OTP from the user, and sends it to the Duo server for verification.

    • For the Duo push notification factor, SPS asks the Duo server to check if the user successfully authenticated on the Duo server.

  6. If multi-factor authentication is successful, the user can start working, while SPS records the user's activities. (Optionally, SPS can retrieve credentials from a local or external credential store or password vault, and perform authentication on the server with credentials that are not known to the user.)

  7. If the user opens a new session within a short period, they can do so without having to perform multi-factor authentication again. After this configurable grace period expires, the user must perform multi-factor authentication to open the next session. For details, see [cache].

Strumenti self-service
Knowledge Base
Notifiche e avvisi
Supporto prodotti
Download di software
Documentazione tecnica
Forum utente
Esercitazioni video
Feed RSS
Contatti
Richiedi assistenza sulle licenze
Supporto tecnico
Visualizza tutto
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione