The Appliance Administrator can:
- Configure the appliance to send event notifications to various external systems.
- Integrate with an external ticketing system or track generic ticket numbers.
- Configure both external and secondary authentication service providers.
However, it is the Security Policy Administrator's responsibility to configure the Approval Anywhere feature.
Go to External Integration:
web client: Navigate to
External Integration.
desktop client: Navigate to Administrative Tools | Settings | External Integration.
Table 166: External Integration settings
Application to Application desktop client |
Where you configure application registrations to use the Application to Application service, which allows third-party applications to retrieve credentials from Safeguard for Privileged Passwords. |
Approval Anywhere |
Where you define the Safeguard for Privileged Passwords users who are authorized to use Approval Anywhere to approve access requests. |
Email |
Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur. |
Email Templates |
Where you configure Safeguard for Privileged Passwords email templates. |
Identity and Authentication |
Where you configure the identity providers and authentication providers to use when logging into Safeguard for Privileged Passwords.
Web client: Safeguard Access | Identity and Authentication |
SNMP |
Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur. |
Starling |
Where you join Safeguard for Privileged Passwords to Starling to take advantage of other Starling services, such as Starling Two-Factor Authentication (2FA). |
Syslog |
Where you configure Safeguard for Privileged Passwords to send event notifications to a syslog server with details about the event. |
Syslog Events
web client
|
Where, using an existing syslog server, you create a subscriber and assign events. |
Ticketing systems |
Where you configure Safeguard for Privileged Passwords to integrate with your company's external ticket system or track generic tickets and not integrate with an external ticketing system. |
Trusted Servers, CORS, and Redirects |
Where you can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. |
desktop client only
In order for third-party applications to use the Application to Application service to integrate with the Safeguard for Privileged Passwords vault, you must first register the application in Safeguard for Privileged Passwords. This can be done using the Administrative Tools | Settings | External Integration | Application to Application pane described below. Once the application is registered, you can enable or disable the service. For more information, see Enable or disable A2A and audit log stream .
The Application to Application pane displays a list of previously registered third-party applications. From this page, the Security Policy Administrator can add new application registrations, and modify or remove existing registrations. The Application to Application pane displays the following details about application registrations.
Table 167: Application to Application: Properties
Name |
The name assigned to the application's registration. |
Certificate User |
The name of the certificate user associated with the registered application.
NOTE: If there is no certificate user listed for an application registration, contact your Security Policy Administrator to add one. The Application to Application service on the third-party application will not work with the Safeguard for Privileged Passwords vault until a certificate user has been specified. |
Enable/Disable
Toggle on
Toggle off
|
Indicates whether the application registration is enabled. The toggle appears blue with the switch to the right when the service is enabled, and gray with the switch to the left when the service is disabled. Click the toggle to enable or disable an application registration.
NOTE: When an application registration is disabled, Application to Application access is disabled for that third-party application until the registration is enabled again. |
Description |
Information about the application's registration. |
Use these toolbar buttons to manage application registrations.
Table 168: Application to Application: Toolbar
Add
|
Add an application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration. |
Delete Selected
|
Remove the selected application registration from Safeguard for Privileged Passwords. For more information, see Deleting an application registration. |
Refresh
|
Update the list of application registrations. |
Edit
|
Modify the selected application registration. |
API Keys
|
Display the API keys that were generated for Access Request Broker or Credential Retrieval. An API key can then be copied and used in the third-party application to authenticate with Safeguard for Privileged Passwords.
NOTE: For credential retrieval, the registration process generates an API key for each managed account. However, for access request broker, the registration process generates a single API key for all users or user groups that are added. |
desktop client only
Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:
- Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
- Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.
Credential retrieval
A credential retrieval request using the Application to Application service allows the third-party application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.
For example, say you have an automated system that performs a routine system diagnostic on various services in the data center every 24 hours. In order for the automated system to perform the diagnostics, it must first authenticate to the target server. Since all of the credentials for the target servers are stored in the Safeguard for Privileged Passwords vault, the automated system retrieves the credentials for a specified system by calling the Application to Application service.
Access request broker
An access request broker request using the Application to Application service allows the application to create an access request on behalf of another user.
For example, say you have a ticketing system and one of the types of tickets that can be created is to request access to a specific asset. The ticketing system can be integrated with Safeguard for Privileged Passwords through the Application to Application service to create an access request on behalf of the user that entered the ticket into the system. Once the request is created, it follows the normal access request workflow in Safeguard for Privileged Passwords and the user who entered the ticket will be notified when access is granted.
In order for a third-party application to perform one of tasks provided by the Application to Application service, the application must first be registered with Safeguard for Privileged Passwords. This registration will be associated with a certificate user and authentication to the Application to Application service will be done using the certificate and an API key. The registered application will not be allowed to authenticate to Safeguard for Privileged Passwords other than for the purpose specified. The properties associated with an application registration are:
The Application to Application service is disabled by default and must be enabled before any credential retrievals or access request broker functions can be performed. An Appliance Administrator can use the desktop client or Safeguard for Privileged Passwords API to enable the service.
Using the desktop client:
- Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service.
- Click the Application to Application Enabled toggle to enable the service (
toggle on).
Using the API, use the following URL:
https://appliance/service/appliance/v2/A2AService/Enable
In addition, you can check the current state of the service using this same desktop client page or using the following URL:
https://appliance/service/appliance/v2/A2AService/Status
Related Topics
Setting up Application to Application
Making a request using the Application to Application service
desktop client only
In order to use Application to Application integration with Safeguard for Privileged Passwords, you must perform the following tasks:
Step 1: Prepare third-party application for integration with Safeguard for Privileged Passwords.
Step 2: Appliance Administrator enables Application to Application service in Safeguard for Privileged Passwords.
Using the desktop client, navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service and click the Application to Application Enabled toggle to
toggle on.
-OR-
Use the following URL: https://appliance/service/appliance/v2/A2AService/Enable
Step 3: Asset Administrator adds assets and accounts to Safeguard for Privileged Passwords. For more information, see Adding an asset and Adding an account
Step 4: User Administrator adds certificate users to Safeguard for Privileged Passwords. For more information, see Adding a user.
Step 5: Security Policy Administrator adds application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration.
Step 6: Get the API key and copy/paste it into the third-party application in order to make requests from the third-party application. For more information, see Making a request using the Application to Application service.