Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.8 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Adding identity and authentication providers

It is the responsibility of the Asset Administrator to add directories to Safeguard for use as identity and authentication providers.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of a User Administrator or Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

  1. Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication.
  2. Click Add.
  3. Click the provider:
    Active Directory and LDAP settings

    Use the General tab to add the required service account information. The following table lists the properties and designates the properties for Active Directory or LDAP only, if applicable.

    Table 162: Active Directory and LDAP: General tab properties
    Property Description
    Service Account Domain Name (for Active Directory)

    Enter the fully qualified Active Directory domain name, such as example.com.

    Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE.

    The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers.

    Network Address

    (for OpenLDAP)

    Enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network.

    Service Account Name (for Active Directory)

    Enter an account for Safeguard for Privileged Passwords to use for management tasks. If the account name matches an account name already linked to an identity provider, the provider is automatically assigned.

    When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests. If you want the password to be available for release, click Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request.

    Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords.

    Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object that represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify.

    For more information, see About service accounts.

    Service Account Distinguished Name (for OpenLDAP)

    Enter a fully qualified distinguished name (FQDN) for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com

    Service Account Password

    Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory.

    Description

    Enter information about this external identity provider.

    Connect

    Click Connect to verify the credentials. If adding an Active Directory provider, all domains in the forest will be displayed. Choose which ones can be used for identity and authentication.

    Advanced Open to reveal the following synchronization settings:

    Available Domains for Identity and Authentication (for Active Directory)

    All newly created Safeguard users that are imported from the directory user group will have their primary authentication provider set to use the directory domain from which their user originates. For an Active Directory forest with multiple domains, the domains must be marked as Available Domains for Identity and Authentication. Clearing the forest root domain will have undesired results when managing directory users and groups. For more information, see Adding a directory user group.

    Port (for LDAP)

    Enter port 389 used for communication with the LDAP directory.

    Use SSL Encryption

    Not supported.

    Verify SSL Certificate

    Not supported.

    Sync additions every

    Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

    Default: 15 minutes

    Range: Between 1 and 2147483647

    Sync deletions every

    Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

    Default: 15 minutes

    Range: Between 1 and 2147483647

Attributes tab

On the Attributes tab, synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes. The Attributes tab displays the default directory attributes that are mapped to the Safeguard for Privileged Passwords properties, such as the user's first name.

There are multiple valid schema mappings supported and you can modify its configuration, as needed. For example, the LDAP dialog, Attributes tab may display the Username as the cn <Display Name> or the uid <Username> based on your directory configuration.

To map the Safeguard for Privileged Passwords properties to different directory attributes

  1. Browse to select one or more object classes for the users, computers, and groups categories, as applicable.

    NOTE: You can use or remove the default object class.

  2. If you do not want to use the default property, begin typing in the property box. Safeguard for Privileged Passwords' auto-complete feature immediately displays a list of attributes to choose. Safeguard for Privileged Passwords only allows you to select attributes that are valid for the object classes you have selected for users, groups, and computers.
  3. Once you have set all the properties, click Apply.

The following table list the default directory attributes.

Table 163: Active Directory and LDAP: Attributes tab (defaults)
Safeguard for Privileged Passwords attribute Directory attribute

 

Users

 

Object Class

Browse to select a class definition that defines the valid attributes for the user object class.

Default: user for Active Directory, inetOrgPerson for LDAP

 

User Name

sAMAccountName for Active Directory, cn for LDAP

 

Password

userPassword for LDAP

 

First Name

givenName

 

Last Name

sn

 

Work Phone

telephoneNumber

 

Mobile Phone

mobile

 

Email

mail

 

Description

description

 

External Federation Authentication

The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this will be an attribute containing the user’s email address or other unique identifier used by the external Secure Token Service (STS).

For both Active Directory and OpenLDAP 2.4, this will default to the "mail" attribute.

This is only used when processing members of a directory user group in which the group has been configured to use an External Federation provider as the primary authentication.

For more information, see Adding a directory user group.

 

Radius Authentication

The directory attributed used to match the username value in an external Radius server that has been configured for either primary or secondary authentication.

For Active Directory, this will default to using the samAccountName attribute. For OpenLDAP 2.4, this will default to using the cn attribute.

NOTE: This is only used when processing members of a directory user group in which the group has been configured to use Radius as either the primary or secondary authentication provider.

For more information, see Adding a directory user group.

 

Managed Objects

The directory attribute used when automatically associating existing managed Accounts to users of a directory user group as linked accounts.

Defaults:

  • For Active Directory, this defaults to managedObjects. However, you may want to use the directReports attribute based on where you have the information stored in Active Directory.
  • For OpenLDAP 2.4, this defaults to the seeAlso attribute.

When choosing an attribute, it must exist on the user itself and contain one or more Distinguished Name values of other directory user objects. For example, you would not want to use the owner attribute in OpenLDAP 2.4, as the direction of the relationship is going the wrong way. You would instead want an owns attribute to exist on the user such as the default seeAlso attribute.

For more information, see Adding a directory user group.

 

Groups

 

 

Object Class

Browse to select a class definition that defines the valid attributes for the group object class.

Default: group for Active Directory, groupOfNames for LDAP

 

Name

sAMAccountName for Active Directory, cn for LDAP

 

Member

member

 

Description

description

 

External Federation settings

One Identity Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account. When an end user logs in, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in.

NOTE: Additional two-factor authentication can be assigned to the associated Safeguard for Privileged Passwords user account to force the user to authenticate again after being redirected back from the external STS.

To use external federation, you must first download the federation metadata XML for your STS and save it to a file. For example, for Microsoft's AD FS, you can download the federation metadata XML from:

https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml.

To add external federation:

  1. In the External Federation dialog, supply the following information:
    1. Name: The unique name assigned to the external federation service provider. The name is for administrative purposes only and will not be seen by the end users.

    2. Realm: The unique realm value (typically a DNS suffix, like contoso.com) that matches the email addresses of users that will use this STS for authentication. A case-insensitive comparison will be used on this value when performing Home Realm Discovery.

    3. Federation Metadata File: Click Browse to select the STS federation metadata xml file.
    4. Description: Enter any text. The text is seen only here and used for administrative purposes.
  2. Click Download Safeguard for Privileged Passwords Metadata File: You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited. Also see: How do I create a relying party trust for the STS.
Radius settings

Create and configure a Radius server for use as either a primary authentication provider or secondary authentication provider. To use a Radius server for both primary and secondary authentication, you will need to create two authentication providers. The steps to create Radius as a primary provider or secondary provider follow:

  1. In the Radius dialog, supply the following information:
    1. Name: The unique display name. When creating the Radius provider for primary authentication, this name value will be displayed in the drop-down list on the login page.

    2. Type: Choose As Primary Authentication or As Secondary Authentication.

    3. Server Address: Enter a network DNS name or the IP address used to connect to the server over the network.
    4. Secondary Server Address: (Optional) Enter a network DNS name or the IP address for an additional or redundant server.
    5. Shared Secret: Enter the server's secret key. Click to show the server's secret key.
    6. Port: Enter the port number that the Radius server uses to listen for authentication requests. The default is port 1812.
    7. Timeout: Specify how long to wait before a Radius authentication request times out. The default is 20 seconds.
    8. PreAuthenticate for Challenge/Response: If selected, an Access-Request call containing only the User-Name is sent to the Radius server prior to the user's authentication attempt. This is done to inform the Radius server of the user's identity so it can possibly begin the authentication process by starting a challenge/response cycle. This may be required to seed the user's state data. In addition, the Radius server's response may include a login message that is to be displayed, which is specific to that user.

      If the Radius server is not configured to respond with an Access-Challenge, then this will cause the log in to fail and the user will be unable to proceed. This setting is only applicable when using Radius as a secondary authentication provider. The setting has no effect if enabled on a primary authentication provider.

    9. Always Mask User Input: If selected, the text box that the user enters their one-time password, or other challenge required by the Radius server, will always be a password style text box in which the user's input is masked and appears as a series of dots, not as clear text. This may be desired when the challenge is not only a one-time password, but also contains the user's PIN. This will prevent any passer-by from seeing the private information. Note, however, that when this setting is enabled, it will also override the Prompt attribute of the Radius server's Access-Challenge response, such that the user's input will always be masked.
    10. Description: Enter any text. The text is seen only here and used for administrative purposes.
  2. Click OK.

FIDO2 settings

Create and configure FIDO2 for use as a secondary authentication provider.

  1. In the FIDO2 dialog, provide the following settings:
    1. Name: The unique name assigned to the provider. The name is for administrative purposes only and will not be seen by the end users.
    2. Domain Suffix: This must be a DNS name that identifies the appliance. Typically, this will be the DNS name used to access Safeguard. It cannot be an IP address. The value is a a domain string identifying the WebAuthn Relying Party for which the registration or authentication ceremony is performed.

      A public key credential can only be used for authentication with the same entity (identified by this value) it was registered with. However, this value can be a registerable domain suffix of what appears in the user’s browser when registering. For example, you could enter contoso.com to register against a server at https://www.contoso.com or https://node1.contoso.com. Later, you can use the same authenticator security key to authenticate at either of the locations.

    3. Description: Enter any text. The text is seen only here and used for administrative purposes.
  2. Click OK.

SNMP

Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. One Identity Safeguard for Privileged Passwords allows you to configure SNMP subscriptions for sending SNMP traps to your SNMP console when certain events occur.

Navigate to Administrative Tools | Settings | External Integration | SNMP. The SNMP pane displays the following about the SNMP subscribers defined.

Table 164: SNMP: Properties
Property Description
Network Address The IP address or FQDN of the primary SNMP network server
Port The UDP port number for SNMP traps
Version The SNMP version being used
Community The SNMP community string being used by the SNMP subscriber
Description The description of the SNMP subscriber
# of Events The number of events selected to be sent to the SNMP console

Use these toolbar buttons to manage the SNMP subscriptions.

Table 165: SNMP: Toolbar
Option Description
New Add a new SNMP subscription. For more information, see Configuring SNMP subscriptions.
Delete Selected

Remove the selected SNMP subscription.

Refresh Update the list of SNMP subscriptions.
Edit Modify the selected SNMP subscription.
Copy Clone the selected SNMP subscription.

Configuring SNMP subscriptions

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur.

NOTE: To download Safeguard for Privileged Passwords MIB-module definitions from your appliance, enter the following URL into your web browser; no authentication is required:

https://<Appliance IP address>/docs/mib/SAFEGUARD-MIB.mib

To configure SNMP subscriptions

  1. Navigate to Administrative Tools | Settings | External Integration | SNMP.
  2. Click New to open the SNMP subscription configuration dialog.
  3. Provide the following information:
    Network Address

    Enter the IP address or FQDN of the primary SNMP network server.

    Limit: 255 characters

    UDP Port

    Enter the UDP port number for SNMP traps.

    Default: 162

    Description

    Enter the description of the SNMP subscriber.

    Limit: 255 characters

    Events

    Browse to select one or more SNMP event types.

    Use the Clear icon to remove an individual event from this list or right-click and select Remove All to clear all events from the list.

    NOTE: The SNMP pane displays the number of events that you select, not the names of the events.

    Version

    Choose the SNMP version: Version 1 or Version 2

    Default: Version 2

    Community

    Enter the SNMP community string, such as public.

    The SNMP community string is like a user ID or password that allows access to a device's statistics, such as a router. A PRTG Network Monitor sends the community string along with all SNMP requests. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.

Verifying SNMP configuration

Use the Send Test Event link located under the SNMP table on the Settings | External Integration | SNMP pane.

To validate your setup

  1. When configuring your SNMP subscription, on the SNMP dialog, add the test event to your event subscription.
  2. Return to the SNMP settings pane:
    1. Select the SNMP configuration from the table.
    2. Select Send Test Event. Safeguard for Privileged Passwords sends a test event notification to your SNMP console.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating