Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.0.4 - DEPRECATED inWebo Multi-Factor Authentication - Tutorial

Mapping SPS usernames to inWebo identities

By default, SPS assumes that the inWebo username of the user is the same as the gateway username (that is, the username the user used to authenticate on SPS during the gateway authentication). To identify the users, SPS uses the username (login) field in inWebo, which is an email address.

If the gateway usernames are different from the inWebo usernames, you must configure the SPS inWebo plugin to map the gateway usernames to the inWebo usernames. You can use the following methods:

  • To simply append a string to the gateway username, configure the append_domain parameter. In this case, SPS automatically appends the @ character and the value of this option to the username from the session, and uses the resulting username on the inWebo server to authenticate the user. For example, if the domain is set as append_domain: example.com and the username is Example.User, the SPS plugin will look for the user Example.User@example.com on the inWebo server.

  • To look up the inWebo username of the user from an LDAP/Active Directory database, configure the [ldap] section of the SPS inWebo plugin. Typically, the SPS plugin queries the email address corresponding to the username from your LDAP or Active Directory database. For details on LDAP parameters, see [ldap].

  • If you configure both the append_domain parameter and the [ldap] section of the SPS inWebo plugin, SPS appends the @ character and the value of the append_domain parameter to the value retrieved from the LDAP database.

  • If you have configured neither the Domain parameter nor the [ldap] section, SPS assumes that the inWebo username of the user is the same as the gateway username.

Bypassing inWebo authentication

Having to perform multi-factor authentication to a remote server every time the user opens a session can be tedious and inconvenient for the users, and can impact their productivity. SPS offers the following methods to solve this problem:

  • In SPS, the Connection policy determines the type of authentication required to access a server. If you do not need multi-factor authentication for accessing specific servers, configure your Connection policies accordingly.

  • If the user opens a new session within a short period, they can do so without having to perform multi-factor authentication. After this configurable grace period expires, the user must perform multi-factor authentication to open the next session. For details, see [cache].

  • You can configure SPS using whitelists and blacklists to selectively require multi-factor authentication for your users, for example, to create break-glass access for specific users. For details on creating exemption lists, see whitelist.

Configure your inWebo account for SPS

Prerequisites:
  • Administrator access to your inWebo account.

  • Make sure that you have all the required components listed in Technical requirements.

  1. Add users to your inWebo account.

    The users you want to authenticate with SPS must have an activated account in inWebo. For details on adding or importing your users, see Start provisioning your users on our platform in the inWebo documentation.

  2. Enable Multi-factor Authentication (MFA) for your organization.

    Optionally, you can create a Multi-factor Policy in inWebo to enable MFA only for the group of users who you want to authenticate with SPS.

    For details, see 2-Step Multi-Factor Authentication using a Push request to a Smartphone in the inWebo documentation.

  3. Create an API token.

    Navigate to Admin > API > Tokens, click Create Token, and save it.

Configure SPS to use inWebo multi-factor authentication

Prerequisites:
  • Your inWebo API token.

    Caution:

    According to the current inWebo policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired.

  • Administrator access to SPS.

  • Make sure that you have all the required components listed in Technical requirements.

To configure SPS to use inWebo multi-factor authentication

  1. Download the SPS inWebo plugin

    SPS customers can download the official plugin from GitHub.

  2. Upload the plugin to SPS

    Upload the plugin to SPS. For details, see "Using a custom Authentication and Authorization plugin to authenticate on the target hosts" in the Administration Guide.

  3. Configure the plugin on SPS

    The plugin includes a default configuration file, which is an ini-style configuration file with sections and name=value pairs. You can edit it on the Policies > AA Plugin Configurations page of the SPS web interface.

    1. Configure the usermapping settings if needed. SPS must find out which inWebo user belongs to the username of the authenticated connection. For that, it can query your LDAP/Microsoft Active Directory server. For details, see Mapping SPS usernames to inWebo identities.

    2. Configure other parameters of your plugin as needed for your environment. For details, see SPS inWebo plugin parameter reference.

  4. Configure a Connection policy and test it

    Configure a Connection policy on SPS. In the AA plugin field of the Connection policy, select the SPS inWebo plugin you configured in the previous step, then start a session to test it. For details on how a user can perform multi-factor authentication, see Perform multi-factor authentication with the SPS inWebo plugin in terminal connections and Perform multi-factor authentication with the SPS inWebo plugin in Remote Desktop connections.

    Caution:

    According to the current inWebo policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating