Administrator access to your Starling account.
Make sure that you have all the required components listed in Technical requirements.
The users you want to authenticate with SPS must have an activated account in Starling. For details on managing your user accounts, see Managing user accounts in the Starling documentation.
For details on configuring the required methods for two-factor authentication, see Customizing user authentication in the Star documentation.
Navigate to Admin > API > Tokens, click Create Token, and save it.
Your Starling API token.
|
Caution:
According to the current Starling policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired. |
Administrator access to SPS.
Make sure that you have all the required components listed in Technical requirements.
To configure SPS to use Starling multi-factor authentication
SPS customers can download the official plugin from GitHub.
Upload the plugin to SPS. For details, see "Using a custom Authentication and Authorization plugin to authenticate on the target hosts" in the Administration Guide.
The plugin includes a default configuration file, which is an ini-style configuration file with sections and name=value pairs. You can edit it on the Policies > AA Plugin Configurations page of the SPS web interface.
Configure the usermapping settings if needed. SPS must find out which Starling user belongs to the username of the authenticated connection. For that, it can query your LDAP/Microsoft Active Directory server. For details, see Mapping SPS usernames to Starling identities.
Configure other parameters of your plugin as needed for your environment. For details, see SPS Starling plugin parameter reference.
Configure a Connection policy on SPS. In the AA plugin field of the Connection policy, select the SPS Starling plugin you configured in the previous step, then start a session to test it. For details on how a user can perform multi-factor authentication, see Perform multi-factor authentication with the SPS Starling plugin in terminal connections and Perform multi-factor authentication with the SPS Starling plugin in Remote Desktop connections.
|
Caution:
According to the current Starling policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired. |
This section describes the available options of the SPS Starling plugin.
The plugin uses an ini-style configuration file with sections and name=value pairs. This format consists of sections, led by a [section] header and followed by name=value entries. Note that the leading whitespace is removed from values. The values can contain format strings, which refer to other values in the same section. For example, the following section would resolve the %(dir)s value to the value of the dir entry (/var in this case).
[section name] dirname=%(dir)s/mydirectory dir=/var
All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.
You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.
[starling] api_key=$ api_url=https://api.2fa.cloud.oneidentity.com timeout=60 rest_poll_interval=1 [auth] prompt=Press Enter for push notification or type one-time password: disable_echo=no [connection_limit by=client_ip_gateway_user] limit=0 [authentication_cache] hard_timeout=90 soft_timeout=15 reuse_limit=0 ######[WHITELIST]###### [whitelist source=user_list] name=<name-of-user-list-policy> [whitelist source=ldap_server_group] allow=no_user except=<group-1>,<group-2> ######[USERMAPPING]###### [usermapping source=explicit] <user-name-1>=<id-1> <user-name-2>=<id-2> [usermapping source=ldap_server] user_attribute=description [username_transform] append_domain=<domain-without-@-character> [ldap_server] name=<name-of-LDAP-server-policy> [credential_store] name=<name-of-credential-store-policy-that-hosts-sensitive-data> [logging] log_level=info [https_proxy] server=<proxy-server-name-or-ip> port=3128 [question_1] key=<name-of-name-value-pair> prompt=<the-question-itself-in-text> disable_echo=No [question_2]...
This section contains the options related to your Starling account.
If you are using a Starling 2FA plugin, (that is, you have uploaded it to Basic Settings > Plugins and then configured it at Policies > AA Plugin Configurations) and the SPS node is joined to One Identity Starling, you do not have to specify api_key and api_url in the Starling 2FA plugin configuration. This configuration method is more secure.
[starling] # Do NOT use api_key in production ; api_key=<Subscription-Key> ; api_url=https://api.2fa.cloud.oneidentity.com timeout=60 rest_poll_interval=1
Type: | string |
Required: | no | yes for testing purposes if SPS is not joined to One Identity Starling |
Default: | N/A |
|
Caution:
This parameter contains sensitive data. Make sure to store this data in your local Credential Store. Type the $ value for this parameter in production. For details, see "Store sensitive plugin data securely". Only enter a value different than $ for this parameter in the configuration for testing purposes in a secure, non-production environment. |
Description: Your Subscription Key. Log on to your One Identity Starling account. Navigate to Dashboard and click Subscription Key. SPS uses this to communicate with the Starling server. For details on using a local Credential Store to host this data, read Store sensitive plugin data securely.
|
Caution:
According to the current Starling policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired. |
Type: | string |
Required: | yes |
Default: | N/A |
Description: The URL where the One Identity Starling server can be accessed. Usually you can use the default value:
api_url=https://api.2fa.cloud.oneidentity.com
To override the access URL for the Starling API, change the value.
Type: | integer [seconds] |
Required: | no |
Default: | 60 |
Description: How long an HTTP request can take during communication with the Starling server.
Type: | integer [seconds] |
Required: | no |
Default: | 1 |
Description: How often the plugin checks the Starling server to see if the push notification was successful.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center