Join Starling
In order to use the SPP features associated with Starling services, you must join SPP to Starling. It is the responsibility of the Appliance Administrator to join One Identity Safeguard for Privileged Passwords to Starling.
For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.
Prerequisites
See the Starling Release Notes for currently supported platforms.
In order to use the companion features from Starling services, first configure the following:
Join SPP with Starling
NOTE: You must be an Organization Admin for the Starling organization in order to join SPP with Starling.
- Go to Starling:
- web client: Navigate to External Integration > Starling.
- Notice that this pane also includes the following links, which provide assistance with Starling:
- Visit us online to learn more displays the Starling login page where you can create a new Starling account.
- Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
- Click Join to Starling and follow the prompts to complete the process.
The following additional information may be required:
- If you do not have an existing session with Starling, you will be prompted to authenticate.
- If your Starling account belongs to multiple organizations, you will be prompted to select which organization SPP will be joined with.
-
After the join has successfully completed, you will be returned to the SPP client and the Starling pane will now show Joined to Starling. For information on the features that are now available, see After joining Starling. For information on unjoining from Starling, see Unjoin Starling.
IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.
After joining Starling
Once SPP is joined to Starling, the following SPP features are enabled:
Feature using Starling Connect
-
Starling Connect Registered Connectors
This feature integrates your Starling connectors with SPP. This allows for the accounts stored in the connectors to be discovered and controlled by SPP through the use of partitions which allow for rotating passwords to provide additional security for them. For more information, see Registered Connectors
Feature using Starling Cloud Assistant
-
Cloud Assistant
The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the SPP web application.
The Cloud Assistant feature is enabled when you join SPP to Starling. For more information, see Starling. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.
IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.
Feature using Connect for Safeguard Assets
-
Connect for Safeguard Assets
Within Starling, a Connect for Safeguard Assets service is available. Once added, this service allows for assets not connected to your corporate network to use the check and change passwords functionality of SPP. For more information, see the Connect for Safeguard Assets User Guide available as part of the SPP documentation.
IMPORTANT: Regardless of the version of SPP you are using, the Connect for Safeguard Assets User Guide associated with the latest version of SPP should always be used when configuring a new agent. This is available from the SPP documentation site.
Starling as an identity provider
Once SPP has joined with Starling, a Starling Identity and Authentication provider will automatically be added to Safeguard. This is indicated by the Realm(s) section under Starling. However, there won't be any users or groups available until an administrator adds a Microsoft Azure Active Directory tenant to their Starling organization via the Directories settings page in Starling.
Using Starling as an identity provider
-
Join SPP with Starling. For more information, see Join Starling.
-
Enable a Microsoft Azure Active Directory tenant in your Starling organization (multiple Microsoft Azure Active Directory tenants can be added to Starling, but they will be available and treated as a single tenant when used by Safeguard). This is done via the Directories settings page in Starling. For more information, see the Starling User Guide.
-
In order for Safeguard users to authenticate against Starling, a Relying Party Trust Application must be created in Starling via the Applications settings page. For more information, see the Starling User Guide.
To create the application in Starling, you will need to Download Safeguard Federation Metadata from Identity and Authentication
NOTE: You cannot use the Add OpenID Connect Application with SPP.
-
You will need to enter one or more values in the Realm(s) section to associate with the new Starling authentication provider. This will then allow users logging in to Safeguard to select External Federation and use Starling for their authentication.
-
When the Require User to Always Authenticate check box is selected, the user will always be required to enter their credentials on the external provider, regardless of whether they are already logged in.
Adding new users and groups to Safeguard that come from Starling follows the same process as with other directory based identity providers (such as, Active Directory and LDAP) and the user information will be periodically synchronized from Starling.
IMPORTANT: You may need to restart the client in order for Starling to appear as an available identity provider.
Unjoin Starling
It is the responsibility of the Appliance Administrator to unjoin One Identity Safeguard for Privileged Passwords from Starling.
For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.
To unjoin SPP from Starling
- Go to Starling:
- web client: Navigate to External Integration > Starling.
-
Click Unjoin Starling.
IMPORTANT: If there is an issue with the connection to Starling, a warning message will appear on the page and you will instead see a Force Unjoin button.
-
SPP will no longer be joined to Starling, which means that Cloud Assistant, Starling identity providers, and integrated connectors are also disabled in SPP. A Starling Organization Admin account can rejoin SPP to Starling at any time.
IMPORTANT: If you attempt to unjoin from Starling while there are still Safeguard users or groups that use the Starling provider for identity and authentication, you will get an error. You must manually delete any users or groups first before unjoining from Starling.
Syslog
SPP allows you to define one or more syslog servers to be used for logging SPP event messages. Appliance Administrators can specify to send different types of messages to different syslog servers. You may configure a connection to a syslog server to use TLS encryption, with or without a client authentication certificate. For more information, see Syslog Client Certificate.
To define and manage the syslog servers, go to Syslog:
- web client: Navigate to External Integration > Syslog.
The Syslog pane displays the following about each syslog server defined.
Table 54: Syslog server: Properties
Name |
The name of the syslog server |
Network Address |
The IP address or FQDN of the syslog server |
Port |
The port number for syslog server |
Protocol |
The network protocols and syslog header type |
TCP Framing |
When using syslog with the TCP protocol, since the connection is stream based both the client and server need to be configured to process the data using the same delimiter. See RFC 6587 section 3.4.1 and 3.4.2 for more details. By default, SPP will use octet counting, as is recommended by RFC 6587. However, some syslog servers do not support octet counting. If that is the case, use this setting to configure SPP to use the delimiter that is supported by your syslog server. |
Use TLS Encryption |
If selected, provides encrypted communication with the syslog server instead of plain text over TCP |
Use Client Certificate |
If selected, the syslog server requires clients to authenticate |
Verify Server Certificate |
If selected, the syslog server certificate messages will only be sent if SPP is able to verify the authenticity of the syslog server TLS certificate |
Use these toolbar buttons to manage the syslog server configurations