One Identity Safeguard for Privileged Sessions 6.0.4 - inWebo Multi-Factor Authentication

Table of Contents

Introduction Technical requirements How SPS and inWebo work together in detail Notable features Configure your inWebo account for SPS Configure SPS to use inWebo multi-factor authentication SPS inWebo plugin parameter reference

[inwebo] [auth] [connection_limit by=client_ip_gateway_user] [authentication_cache] [WHITELIST]

[whitelist source=user_list] [whitelist source=ldap_server_group]

[USERMAPPING]

[usermapping source=explicit] [usermapping source=ldap_server]

[username_transform] [ldap_server] [credential_store] [logging] [https_proxy] [question_1]

Store sensitive plugin data securely Perform multi-factor authentication with the SPS inWebo plugin in terminal connections Perform multi-factor authentication with the SPS inWebo plugin in Remote Desktop connections

[whitelist source=user_list]

SPS inWebo plugin parameter reference > [WHITELIST] > [whitelist source=user_list]

The [whitelist source=user_list] section allows whitelisting users based on a User List policy configured in SPS (Policies > User Lists). To enable this whitelist, configure one of the use cases below.

NOTE:

The user names are compared to the User List in a case-sensitive manner.

Declaration

[whitelist source=user_list]
name=<name-of-user-list-policy>

For details on creating user lists, see "Creating and editing user lists" in the Administration Guide.

name

Type:	string
Required:	no
Default:	N/A

Description: The name of a User List policy containing gateway users configured on SPS (Policies > User Lists). You can use this option to selectively require multi-factor authentication for your users (for example, to create break-glass access for specific users).

Use case #1: Allow no user except certain users

To allow specific users to connect without providing inWebo credentials, the User List policy should have the following settings:

Set Allow to No user and list the users in the Except list.
Then type the name of this User List policy as the value of the name parameter.

Use case #2: Allow all users except certain users

To enforce inWebo authentication for selected users, the User List policy should have the following settings:

Set Allow to All users and list the users in the Except list.
Then type the name of this User List policy as the value of the name parameter.

[whitelist source=ldap_server_group]

SPS inWebo plugin parameter reference > [WHITELIST] > [whitelist source=ldap_server_group]

The [whitelist source=ldap_server_group] section allows whitelisting users based on LDAP Server group membership. To enable this whitelist, configure one of the use cases below.

NOTE:

The user names and groups are compared in LDAP in a case-insensitive manner.

Declaration

[whitelist source=ldap_server_group]
allow=<no_user-or-all_users>
except=<group-1>,<group-2>

allow

Type:	string (all_users \| no_users)
Required:	no
Default:	N/A

Description: This parameter defines whether to allow all users or no user to connect without providing inWebo credentials. Used together with the except parameter, you can define specific LDAP/AD group(s) that are exempt from this rule.

except

Type:	string
Required:	no
Default:	N/A

Description: This parameter defines those specific LDAP/AD group(s) that are exempt from the rule defined by the allow parameter.

Use case #1: Allow no user except members of specific group(s)

To allow members of specific LDAP/AD group(s) to connect without providing inWebo credentials, type the names of these LDAP/AD groups as values of the except parameter and set the allow parameter to no_user:

[whitelist source=ldap_server_group]
allow=<no_user>
except=<group-1>,<group-2>

You must configure the name of the LDAP Server policy in the [ldap_server] section.

Use case #2: Allow all users except members of specific group(s)

To enforce inWebo authentication only on members of specific LDAP/AD group(s), type the names of these LDAP/AD groups as values of the except parameter and set the allow parameter to all_users:

[whitelist source=ldap_server_group]
allow=<all_users>
except=<group-1>,<group-2>

You must configure the name of the LDAP Server policy in the [ldap_server] section.

[USERMAPPING]

SPS inWebo plugin parameter reference > [USERMAPPING]

By default, SPS assumes that the RADIUS server username of the user is the same as the gateway username (that is, the username the user used to authenticate on SPS during the gateway authentication). To identify the users, SPS uses the username (login) field in RADIUS server, which is an email address.

If the gateway usernames are different from the RADIUS server usernames, you must configure the SPS RADIUS plugin to map the gateway usernames to the RADIUS server usernames. You can use the following methods:

Explicit mapping: [usermapping source=explicit]
LDAP server mapping: [usermapping source=ldap]

To look up the inWebo username of the user from an LDAP/Active Directory database, configure the [usermapping source=ldap_server] section of the SPS inWebo plugin. Typically, the SPS plugin queries the email address corresponding to the username from your LDAP or Active Directory database.

If the inWebo service requires the use of domain name in the external inWebo identity, configure the append_domain parameter in the [username_transform] section. In this case, SPS automatically appends the @ character and the value of this option to the username from the session, and uses the resulting username on the inWebo server to authenticate the user. For example, if the domain is set to append_domain: example.com and the username is Example.User, the SPS plugin will look for the user Example.User@example.com on the inWebo server.

If you configure both the append_domain parameter in the [username_transform] section and the [usermapping source=ldap_server] section of the SPS inWebo plugin, SPS appends the @ character and the value of the append_domain parameter to the value retrieved from the LDAP database.

The Explicit method has priority over the LDAP server method.

If you have configured neither the append_domain parameter nor any of the [USERMAPPING] sections, SPS assumes that the RADIUS username of the user is the same as the gateway username.

[usermapping source=explicit]

SPS inWebo plugin parameter reference > [USERMAPPING] > [usermapping source=explicit]

To map the gateway user name to an external inWebo identity, configure the following name-value pairs.

Declaration

[usermapping source=explicit]
<example-user-1>=<ID-1>
<example-user-2>=<ID-2>

<exampleuser>

Type:	string
Required:	no
Default:	N/A

Description: To map the gateway user name to an external inWebo identity, configure the name-value pairs in the following way:

Type the gateway user name instead of <example-user-1>.
Type the external inWebo ID instead of <ID-1>.

NOTE:

Use this option only if there are not only a few users, or for testing purposes. If there are too many users, it can cause performance issues.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

One Identity Safeguard for Privileged Sessions 6.0.4 - inWebo Multi-Factor Authentication - Tutorial

[whitelist source=user_list]

Declaration

name

Use case #1: Allow no user except certain users

Use case #2: Allow all users except certain users

[whitelist source=ldap_server_group]

Declaration

allow

except

Use case #1: Allow no user except members of specific group(s)

Use case #2: Allow all users except members of specific group(s)

[USERMAPPING]

[usermapping source=explicit]

Declaration

<exampleuser>