
One Identity Safeguard for Privileged Sessions 6.2.0 - Starling Two-Factor Authentication - Overview

[USERMAPPING]

By default, SPS assumes that the RADIUS server username of the user is the same as the gateway username (that is, the username the user used to authenticate on SPS during the gateway authentication). To identify the users, SPS uses the username (login) field in the RADIUS server, which is an email address.

If the gateway usernames are different from the RADIUS server usernames, you must configure the SPS RADIUS plugin to map the gateway usernames to the RADIUS server usernames. You can use the following methods:

  • Explicit mapping: [usermapping source=explicit]

  • LDAP server mapping: [usermapping source=ldap]

    To look up the Starling 2FA username of the user from an LDAP/Active Directory database, configure the [usermapping source=ldap_server] section of the SPS Starling 2FA plugin. Typically, the SPS plugin queries the email address corresponding to the username from your LDAP or Active Directory database.

    If the Starling 2FA service requires the use of a domain name in the external Starling 2FA identity, configure the append_domain parameter in the [username_transform] section. In this case, SPS automatically appends the @ character and the value of this option to the username from the session, and uses the resulting username on the Starling 2FA server to authenticate the user. For example, if the domain is set to append_domain: example.com and the username is Example.User, the SPS plugin will look for the user Example.User@example.com on the Starling 2FA server.

    If you configure both the append_domain parameter in the [username_transform] section and the [usermapping source=ldap_server] section of the SPS Starling 2FA plugin, SPS appends the @ character and the value of the append_domain parameter to the value retrieved from the LDAP database.

The Explicit method has priority over the LDAP server method.

If you have configured neither the append_domain parameter nor any of the [USERMAPPING] sections, SPS assumes that the RADIUS username of the user is the same as the gateway username.
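The following Python sketch is an added example, not code from the SPS plugin: it models the lookup order described above (explicit mapping first, then LDAP, then the gateway username, with append_domain applied to the session or LDAP value) and flags resolved identities that are not a single local@domain address. Function names, parameter names and the sample users are hypothetical; the handling of explicit entries and of a missing LDAP value are assumptions marked in the comments.

```python
# Added model of the lookup order described on this page; not SPS plugin code.
# All function and parameter names are hypothetical.

def resolve_identity(gateway_user, explicit=None, ldap_lookup=None, append_domain=None):
    """Return (identity, source) for one gateway username."""
    explicit = explicit or {}
    # The Explicit method has priority over the LDAP server method.
    if gateway_user in explicit:
        # Assumption: the page does not say whether append_domain is applied
        # to explicitly mapped names; this model returns them unchanged.
        return explicit[gateway_user], "explicit"
    name, source = gateway_user, "gateway"
    if ldap_lookup is not None:
        found = ldap_lookup(gateway_user)
        if found:
            name, source = found, "ldap"
        # Assumption: with no LDAP value, the gateway username is kept.
    if append_domain:
        # "@" plus append_domain is added to the session or LDAP value.
        name = f"{name}@{append_domain}"
    return name, source


def audit(users, **config):
    """Resolve each user and flag identities that are not one local@domain."""
    report = {}
    for user in users:
        identity, source = resolve_identity(user, **config)
        local, _, domain = identity.partition("@")
        well_formed = bool(local) and bool(domain) and "@" not in domain
        report[user] = (identity, source, well_formed)
    return report


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    explicit = {"root": "admin.user@example.com"}
    ldap = {"Example.User": "Example.User", "jdoe": "john.doe@example.com"}
    result = audit(["root", "Example.User", "jdoe", "guest"], explicit=explicit,
                   ldap_lookup=ldap.get, append_domain="example.com")
    for user, (identity, source, ok) in result.items():
        print(f"{user:14} {source:9} {identity:36} {'ok' if ok else 'CHECK'}")
```

In this model, an LDAP attribute that already holds a full email address combined with append_domain resolves to john.doe@example.com@example.com, which is the combination to check for before enabling both settings.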
