The [whitelist source=user_list] section allows whitelisting users based on a User List policy configured in SPS (Policies > User Lists). To enable this whitelist, configure one of the use cases below.
NOTE: The user names are compared to the User List in a case-sensitive manner.
Declaration
[whitelist source=user_list]
name=<name-of-user-list-policy>
For details on creating user lists, see "Creating and editing user lists" in the Administration Guide.
name
Type: |
string |
Required: |
no |
Default: |
N/A |
Description: The name of a User List policy containing gateway users configured on SPS (Policies > User Lists). You can use this option to selectively require multi-factor authentication for your users (for example, to create break-glass access for specific users).
Use case #1: Allow no user except certain users
To allow specific users to connect without providing YubiKey credentials, the User List policy should have the following settings:
- Set Allow to No user and list the users in the Except list.
- Then type the name of this User List policy as the value of the name parameter.
Use case #2: Allow all users except certain users
To enforce YubiKey authentication for selected users, the User List policy should have the following settings:
- Set Allow to All users and list the users in the Except list.
- Then type the name of this User List policy as the value of the name parameter.
The [whitelist source=ldap_server_group] section allows whitelisting users based on LDAP Server group membership. To enable this whitelist, configure one of the use cases below.
NOTE: The user names and groups are compared in LDAP in a case-insensitive manner.
Declaration
[whitelist source=ldap_server_group]
allow=<no_user-or-all_users>
except=<group-1>,<group-2>
allow
Type: |
string (all_users | no_users) |
Required: |
no |
Default: |
N/A |
Description: This parameter defines whether to allow all users or no user to connect without providing YubiKey credentials. Used together with the except parameter, you can define specific LDAP/AD group(s) that are exempt from this rule.
except
Type: |
string |
Required: |
no |
Default: |
N/A |
Description: This parameter defines those specific LDAP/AD group(s) that are exempt from the rule defined by the allow parameter.
Use case #1: Allow no user except members of specific group(s)
To allow members of specific LDAP/AD group(s) to connect without providing YubiKey credentials, type the names of these LDAP/AD groups as values of the except parameter and set the allow parameter to no_user:
[whitelist source=ldap_server_group]
allow=<no_user>
except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
Use case #2: Allow all users except members of specific group(s)
To enforce YubiKey authentication only on members of specific LDAP/AD group(s), type the names of these LDAP/AD groups as values of the except parameter and set the allow parameter to all_users:
[whitelist source=ldap_server_group]
allow=<all_users>
except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
By default, SPS assumes that the external YubiKey identity of the user is the same as the gateway username (that is, the username the user used to authenticate on SPS during the gateway authentication). If there was no gateway authentication, then the server username is used for authentication.
The gateway usernames are different from the external YubiKey identities, you must configure the SPS YubiKey plugin to map the gateway usernames to the external YubiKey identities.
The external identity is the YubiKey Public ID, which is 12 lowercase letters.
You can use the following methods:
The Explicit method has priority over the LDAP server method.
If you have configured neither the append_domain parameter nor any of the [USERMAPPING] sections, SPS assumes that the external YubiKey identity of the user is the same as the gateway username.
To map the gateway user name to an external YubiKey identity, configure the following name-value pairs.
Declaration
[usermapping source=explicit]
<example-user-1>=<ID-1>
<example-user-2>=<ID-2>
<exampleuser>
Type: |
string |
Required: |
no |
Default: |
N/A |
Description: To map the gateway user name to an external YubiKey identity, configure the name-value pairs in the following way:
NOTE: Use this option only if there are not only a few users, or for testing purposes. If there are too many users, it can cause performance issues.