Having to perform multi-factor authentication to a remote server every time the user opens a session can be tedious and inconvenient for the users, and can impact their productivity. SPS offers the following methods to solve this problem:
In SPS, the Connection policy determines the type of authentication required to access a server. If you do not need multi-factor authentication for accessing specific servers, configure your Connection policies accordingly.
If the user opens a new session within a short period, they can do so without having to perform multi-factor authentication. After this configurable grace period expires, the user must perform multi-factor authentication to open the next session. For details, see [authentication_cache].
The [whitelist source=user_list] and [whitelist source=ldap_server_group] sections allow configuring authentication whitelists and blacklists based on a User List policy or an LDAP Server policy. These two sections are independent, therefore any of the two can be configured and, for example, can create break-glass access for specific users to allow them to bypass
The [whitelist source=user_list] section allows whitelisting users based on a User List policy configured in SPS (Policies > User Lists). To enable this whitelist, configure one of the use cases below.
NOTE: The user names are compared to the User List in a case-sensitive manner.
For details on creating user lists, see "Creating and editing user lists" in the Administration Guide.
Type: | string |
Required: | no |
Default: | N/A |
Description: The name of a User List policy containing gateway users configured on SPS (Policies > User Lists). You can use this option to selectively require multi-factor authentication for your users (for example, to create break-glass access for specific users).
To allow specific users to connect without providing
To enforce
The [whitelist source=ldap_server_group] section allows whitelisting users based on LDAP Server group membership. To enable this whitelist, configure one of the use cases below.
NOTE: The user names and groups are compared in LDAP in a case-insensitive manner.
[whitelist source=ldap_server_group] allow=<no_user-or-all_users> except=<group-1>,<group-2>
Type: | string (all_users | no_users) |
Required: | no |
Default: | N/A |
Description: This parameter defines whether to allow all users or no user to connect without providing
Type: | string |
Required: | no |
Default: | N/A |
Description: This parameter defines those specific LDAP/AD group(s) that are exempt from the rule defined by the allow parameter.
To allow members of specific LDAP/AD group(s) to connect without providing
[whitelist source=ldap_server_group] allow=<no_user> except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
To enforce
[whitelist source=ldap_server_group] allow=<all_users> except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
By default, SPS assumes that the external
The external identity is the Starling ID, which is a number.
You can use the following methods:
Explicit mapping: [usermapping source=explicit]
LDAP server mapping: [usermapping source=ldap]
To look up the external
The Explicit method has priority over the LDAP server method.
If you have configured neither the append_domain parameter nor any of the [USERMAPPING] sections, SPS assumes that the external
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center