One Identity Safeguard for Privileged Passwords 7.0.1 LTS

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in.

Using Local as the identity provider

Table 63: Allowable local identity provider combinations
Primary authentication	Secondary authentication
Local: The specified login name and password or SSH key will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Certificate: The specified certificate thumbprint will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using Active Directory as the identity provider

Table 64: Allowable Active Directory identity provider combinations
Primary authentication	Secondary authentication
Active Directory: The samAccountName or X509 certificate will be used for authentication. NOTE: The user must authenticate against the domain from which their account exists.	None OneLogin MFA Radius LDAP FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using LDAP as the identity provider

Table 65: Allowable LDAP identity provider combinations
Primary authentication	Secondary authentication
LDAP: The specified username attribute will be used for authentication.	None OneLogin MFA Radius Active Directory FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius : The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using Starling as the identity provider

Table 66: Allowable Starling identity provider combinations
Primary authentication	Secondary authentication
Starling	None

It is the responsibility of the Appliance Administrator to add directories to Safeguard for use as identity and authentication providers.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of an Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

Go to Identity and Authentication:
- web client: Navigate to Safeguard Access > Identity and Authentication.
Click Add.
Click the provider:
- Active Directory: See Active Directory and LDAP settings.
- LDAP: See Active Directory and LDAP settings.
- External Federation: See External Federation settings.
- Radius: See Radius settings.
- FIDO2: See FIDO2 settings.
- OneLogin MFA: See OneLogin MFA settings.

Active Directory and LDAP settings

Table 67: Active Directory and LDAP: General tab properties
Property	Description
Product	The product name.
Forest Root Domain Name	Forest Root Domain Name.
Name	Unique name.
Service Account Domain Name (for Active Directory)	Enter the fully qualified Active Directory domain name, such as example.com. Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE. The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers.
Network Address (for LDAP)	Enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network.
Service Account Name (for Active Directory)	Enter an account for Safeguard for Privileged Passwords to use for management tasks. If the account name matches an account name already linked to an identity provider, the provider is automatically assigned. If you want the password to be available for release, click Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request. Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords. Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object that represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify. For more information, see About service accounts.
Service Account Distinguished Name (for LDAP)	Enter a fully qualified distinguished name (FQDN) for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com
Service Account Password	Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory.
Description	Enter information about this external identity provider.
Connect	Click Connect to verify the credentials. If adding an Active Directory provider, all domains in the forest will be displayed. Choose which ones can be used for identity and authentication.
Available Domains for Identity and Authentication (for Active Directory)	All newly created Safeguard users that are imported from the directory user group will have their primary authentication provider set to use the directory domain from which their user originates. For an Active Directory forest with multiple domains, the domains must be marked as Available Domains for Identity and Authentication. Clearing the forest root domain will have undesired results when managing directory users and groups. For more information, see Adding a directory user group.
Advanced	Open to reveal the following synchronization settings:
Port (for LDAP)	Enter port 389 used for communication with the LDAP directory.
Use SSL Encryption	Select whether or not to use SSL when connecting to the LDAP server. You must have a valid SSL certificate and have the SSL's issuer certificate be trusted by Safeguard for Privileged Passwords. For more information, see Trusted CA Certificates.
Domain Controllers	For Active Directory, instead of having Safeguard for Privileged Passwords automatically find domain controllers from a DNS and CLDAP ping, you can specify domain controllers.
Sync additions every	Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes Range: Between 1 and 2147483647
Sync deletions every	Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes Range: Between 1 and 2147483647

Table 68: Active Directory and LDAP: Attributes tab (defaults)
Safeguard for Privileged Passwords attribute	Directory attribute
Users
Object Class	Browse to select a class definition that defines the valid attributes for the user object class. Default: user for Active Directory, inetOrgPerson for LDAP
User Name	sAMAccountName for Active Directory, cn for LDAP
Password	userPassword for LDAP
First Name	givenName
Last Name	sn
Work Phone	telephoneNumber
Mobile Phone	mobile
Email	mail
Description	description
External Federation Authentication	The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this will be an attribute containing the user’s email address or other unique identifier used by the external Secure Token Service (STS). For both Active Directory and LDAP 2.4, this will default to the "mail" attribute. This is only used when processing members of a directory user group in which the group has been configured to use an External Federation provider as the primary authentication. For more information, see Adding a directory user group.
Radius Authentication	The directory attributed used to match the username value in an external Radius server that has been configured for either primary or secondary authentication. For Active Directory, this will default to using the samAccountName attribute. For LDAP 2.4, this will default to using the cn attribute. NOTE: This is only used when processing members of a directory user group in which the group has been configured to use Radius as either the primary or secondary authentication provider. For more information, see Adding a directory user group.
Managed Objects	The directory attribute used when automatically associating existing managed Accounts to users of a directory user group as linked accounts. Defaults: For Active Directory, this defaults to managedObjects. However, you may want to use the directReports attribute based on where you have the information stored in Active Directory. For LDAP 2.4, this defaults to the seeAlso attribute. When choosing an attribute, it must exist on the user itself and contain one or more Distinguished Name values of other directory user objects. For example, you would not want to use the owner attribute in LDAP 2.4, as the direction of the relationship is going the wrong way. You would instead want an owns attribute to exist on the user such as the default seeAlso attribute. For more information, see Adding a directory user group.
Groups
Object Class	Browse to select a class definition that defines the valid attributes for the group object class. Default: group for Active Directory, groupOfNames for LDAP
Name	sAMAccountName for Active Directory, cn for LDAP
Member	member
Description	description

External Federation settings

Radius settings

FIDO2 settings

OneLogin MFA settings

One Identity Safeguard for Privileged Passwords 7.0.1 LTS - Administration Guide

Authentication provider combinations

Using Local as the identity provider

Using Active Directory as the identity provider

Using LDAP as the identity provider

Using Starling as the identity provider

Adding identity and authentication providers

Attributes tab

Appliance Management Settings

Asset Management

Topics:

製品を選択してください:

サービス向上のために、「Purpose of your Chat（チャットの目的）」を記入してください。

お客様の不具合に推奨されるソリューション

One Identity Safeguard for Privileged Passwords 7.0.1 LTS - Administration Guide

Authentication provider combinations

Using Local as the identity provider

Using Active Directory as the identity provider

Using LDAP as the identity provider

Using Starling as the identity provider

Adding identity and authentication providers

Attributes tab

Appliance Management Settings

Asset Management

Topics: