Safeguard for Privileged Passwords can join with the cloud platform One Identity Starling. By joining with One Identity Starling, Safeguard for Privileged Passwords customers can take advantage of companion features from Starling services; such as Starling Two-Factor Authentication . For more information, see Join Starling.
Introduction
System requirements and versions
Desktop client system requirements
Web client system requirements
Web management console system requirements
Supported platforms
License: hardware, virtual, expiration
Long Term Support (LTS) and Feature Releases
Using API and PowerShell tools
Using the virtual appliance and web management console
Cloud deployment considerations
Setting up Safeguard for Privileged Passwords for the first time
Step 1: Create the Authorizer Administrator
Step 2: Authorizer Administrator creates administrators
Step 3: Appliance Administrator configures the appliance
Step 4: User Administrator adds users
Step 5: Asset Administrator adds managed systems
Step 6: Security Policy Administrator adds access request policies
Using the web client
Home
My Requests (web client)
Approvals (web client)
Reviews (web client)
Favorites (web client)
Settings, version, and desktop Windows client (web client)
Change password (web client)
FIDO2 keys (web client)
Log out (web client)
Getting started with the desktop client
Using the desktop client
Settings (desktop client)
User information and log out
Desktop client favorite request
Desktop client navigation pane
Search box
Privileged access requests
Home
Dashboard
Activity Center
Applying search criteria
Saving search criteria
Generating an activity audit log report
Scheduling an activity audit log report
Editing or deleting a saved search or scheduled report
Viewing event details
Auditing request workflow
Filtering report results
Sorting report results
Reports
Administrative Tools
Configuring alerts
Password release request workflow
Toolbox
Accounts
Requesting a password release
Approving a password release request
Reviewing a completed password release request
Session request workflow
General tab (account)
Access Request Policies tab (account)
Account Groups tab (account)
Dependent Assets (account)
Check and Change Log tab (account)
History tab (account)
Managing accounts
Account Groups
General tab (account group)
Accounts tab (account group)
Access Request Policies tab (account group)
History tab (account group)
Managing account groups
Assets
Adding an account group
Adding a dynamic account group
General tab (add dynamic account group)
Account Rules tab (add dynamic account group)
Summary tab (add dynamic account group)
Adding one or more accounts to an account group
Adding accounts to an access request policy
Modifying an account group
Deleting an account group
General tab (asset)
Accounts tab (asset)
Account Dependencies tab (asset)
Access Request Policies tab (asset)
Asset Groups tab (asset)
Discovered Services tab (asset)
History tab (asset)
Managing assets
Asset Groups
Adding an asset
General tab (add asset)
Management tab (add asset)
Account Discovery tab (add asset)
Connection tab (add asset)
Checking an asset's connectivity
Assigning an asset to a partition
Assigning a profile to an asset
Manually adding a tag to an asset
Adding an account to an asset
Adding account dependencies
Adding an asset to asset groups
Modifying an asset
Deleting an asset
Importing objects
Downloading a public SSH key
About service accounts
About Test Connection
SSH Key
Directory Account
Local System Account
Password (local service account)
Access Key
None
Attributes tab (add asset)
General tab (asset group)
Assets tab (asset group)
Access Request Policies tab (asset group)
History tab (asset group)
Managing asset groups
Discovery
Asset Discovery
Entitlements
Asset Discovery job workflow
Adding an Asset Discovery job
Asset Discovery Results
Account Discovery
General tab (asset discovery)
Information tab (asset discovery)
Rules tab (asset discovery)
Editing an Asset Discovery job
Deleting an Asset Discovery job
Add Condition (asset discovery)
Edit Connection Template (asset discovery)
Add Asset Profile (asset discovery)
Schedule tab (asset discovery)
Summary tab (asset discovery)
Account Discovery job workflow
Adding an Account Discovery job
Editing an Account Discovery job
Deleting an Account Discovery job
Account Discovery Results
Discovered Accounts
Service Discovery Results
Discovered Services
General tab
Users tab
Access Request Policies tab
History tab
Managing entitlements
Partitions
Adding an entitlement
Creating an access request policy
General tab
Scope tab
Requester tab
Approver tab
Reviewer tab
Access Config tab
Session Settings tab
Time Restrictions tab
Emergency tab
Adding users or user groups to an entitlement
Deleting an access request policy
Modifying an access request policy
Copying an access request policy
Viewing and editing policy details
Modifying an entitlement
Deleting an entitlement
About partition profiles
General tab (partitions)
Assets tab (partitions)
Accounts tab (partitions)
Profiles tab (partitions)
History tab (partitions)
Managing partitions
Settings
Access Request settings
Appliance settings
Users
Appliance Diagnostics
Appliance Information
Enable or Disable Services
Factory Reset from the desktop client
Licensing
Lights Out Management (BMC)
Network Diagnostics
Networking
Operating system licensing
Support Bundle
Time
Updates
Asset Management settings
Backup and Retention settings
Certificate settings
About certificates
Audit Log Signing Certificate
Certificate Signing Request
SSL Certificates
Cluster settings
External Integration settings
Installing an SSL certificate
Creating a Certificate Signing Request (CSR)
Assigning a certificate to appliances
Trusted Certificates
Application to Application
Messaging settings
Profile settings
Safeguard Access settings
About Application to Application functionality
Setting up Application to Application
Adding an application registration
Deleting an application registration
Regenerating an API key
Making a request using the Application to Application service
Approval Anywhere
Email
Identity and Authentication
SNMP
Starling
Syslog
Ticketing system
General tab (user)
User Groups tab (user)
Partitions tab (user)
Entitlements tab (user)
Linked Accounts tab (user)
History (user)
Managing users
User Groups
Adding a user
Identity tab (add user)
Authentication tab (add user)
Location tab (add user)
Permissions tab (add user)
Requiring secondary authentication log in
Adding a user to user groups
Assigning a user to partitions
Adding a user to entitlements
Linking a directory account to a user
Modifying a user
Enabling or disabling a user
Deleting a user
Importing objects
Setting a local user's password
Unlocking a user's account
General tab (user groups)
Users tab (user groups)
Entitlements tab (user groups)
History tab (user groups)
Managing user groups
Disaster recovery and clusters
Enrolling replicas into a cluster
Unjoining replicas from a cluster
Maintaining and diagnosing cluster members
Administrator permissions
About Offline Workflow Mode
Failing over to a replica by promoting it to be the new primary
Activating a read-only appliance
Diagnosing a cluster member
Patching cluster members
Using a backup to restore a clustered appliance
Resetting a cluster that has lost consensus
Performing a factory reset
Unlocking a locked cluster
Troubleshooting tips
Appliance Administrator permissions
Asset Administrator permissions
Auditor permissions
Authorizer Administrator permissions
Help Desk Administrator permissions
Operations Administrator permissions
Security Policy Administrator permissions
User Administrator permissions
Preparing systems for management
Preparing ACF - Mainframe systems
Preparing Amazon Web Services platforms
Preparing Cisco devices
Preparing Dell iDRAC devices
Preparing VMware ESXi hosts
Preparing Fortinet FortiOS devices
Preparing F5 Big-IP devices
Preparing HP iLO servers
Preparing HP iLO MP (Management Processors)
Preparing IBM i (AS/400) systems
Preparing JunOS Juniper Networks systems
Preparing MongoDB
Preparing MySQL servers
Preparing Oracle databases
Preparing PAN-OS (Palo Alto) networks
Preparing PostgreSQL
Preparing RACF mainframe systems
Preparing SAP HANA
Preparing SAP Netweaver Application Servers
Preparing Sybase (Adaptive Server Enterprise) servers
Preparing SonicOS devices
Preparing SonicWALL SMA or CMS appliances
Preparing SQL Servers
Preparing Top Secret mainframe systems
Preparing Unix-based systems
Preparing Windows systems
Preparing Windows SSH systems
Troubleshooting
Anti-CSRF (cross-site request forgery) token error
Connectivity failures
Frequently asked questions
Change password fails
Incorrect authentication credentials
Missing or incorrect SSH host key
No cipher supported error
Service account has insufficient privileges
Cannot connect to remote machine through SSH or RDP
Cannot delete account
Cannot play session message
Domain user denied access to Safeguard for Privileged Passwords
LCD status messages
My Mac keychain password was lost
Password fails for Unix host
Password is pending review
Password is pending a reset
Profile did not run
Recovery Kiosk (Serial Kiosk)
Appliance information (Recovery Kiosk)
Power options
Admin password reset
Factory reset from the Recovery Kiosk
Support bundle
Replica not adding
System services did not update or restart after password change
Test Connection failures
Test Connection failures on archive server
Certificate issue
Cipher support
Domain controller issue
Networking issue
Windows WMI connection failure
Timeout errors causing operations to fail
User locked out
User not notified
How do I audit transaction activity
How do I configure external federation authentication
Appendix A: Safeguard ports
Appendix B: SPP 2.7 or later migration guidance
Appendix C: SPP and SPS join guidance
Appendix D: Regular Expressions
SPP glossary
How do I add an external federation provider trust
How do I create a relying party trust for the STS
How do I add an external federation user account
How do I manage accounts on unsupported platforms
How do I modify the appliance configuration settings
How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
How do I set up telnet and TN3270/TN5250 session access requests
How do I set the appliance system time
How do Safeguard for Privileged Passwords database servers use SSL
What are the access request states
What do I do when an appliance goes into quarantine
When does the rules engine run for dynamic grouping and tagging
Verifying syslog server configuration
Why did the password change during an open request
Starling
Join Starling
In order to use Starling 2FA with Safeguard for Privileged Passwords's Approval Anywhere feature or as a secondary authentication provider, you must join Safeguard for Privileged Passwords to Starling. It is the responsibility of the Appliance Administrator to join One Identity Safeguard for Privileged Passwords to Starling.
NOTE: In version 2.1 and earlier, you had to specify a Starling API key in order to use Approval Anywhere and Starling Two-Factor Authentication (2FA) as a secondary authentication provider. This is no longer necessary when you join Safeguard for Privileged Passwords to Starling. If you previously configured these features, once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configurations to use the credential string generated by the join process.
For additional information and documentation regarding the Starling Cloud platform and Starling Two-Factor Authentication, see Starling Two-Factor Authentication - Technical Documentation.
Prerequisites
See the Starling Release Notes for currently supported platforms.
In order to use the companion features from Starling services, first configure the following:
- Register a Starling organization. For more information on Starling, see the One Identity Starling User Guide.
-
Download the Starling 2FA app on your mobile phone to use the Approval Anywhere feature.
- If your company requires the use of a proxy to access the internet, you must configure the web proxy to be used. For more information on configuring a web proxy to be used by Safeguard for Privileged Passwords for outbound web requests to integrated services, see Networking.
Join Safeguard for Privileged Passwords with Starling
NOTE: You must be an Organization Admin for the Starling organization in order to join Safeguard for Privileged Passwords with Starling.
- Navigate to Administrative Tools | Settings| External Integration | Starling. This pane also includes the following links, which provide assistance with Starling:
- Visit us online to learn more displays the Starling login page where you can create a new Starling account.
- Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
-
Click Join to Starling.
NOTE: The following additional information may be required:
- If you do not have an existing session with Starling, you will be prompted to authenticate.
- If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard for Privileged Passwords will be joined with.
After the join has successfully completed, you will be returned to the Safeguard for Privileged Passwords desktop client and the Starling settings pane will now show Joined to Starling. Once Starling is joined, you can configure users to require secondary authentication using Starling. For more information, see Authentication tab (add user).
To unjoin Safeguard for Privileged Passwords from Starling
- In Settings, select External Integration | Starling.
-
Click Unjoin Starling.
Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Approval Anywhere and two-factor authentication as a secondary authentication provider are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account can rejoin Safeguard for Privileged Passwords to Starling at any time.
After the join
Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled and can be implemented using Starling Two-Factor Authentication:
-
Secondary authentication
Safeguard for Privileged Passwords supports two-factor authentication by configuring authentication providers, such as Starling Two-Factor Authentication, which are used to configure Safeguard for Privileged Passwords's authentication process such that it prompts for two sources of authentication when users log in to Safeguard for Privileged Passwords.
A Starling 2FA authentication provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to Starling. As an Authorizer or User Administrator, you must configure users to use Starling 2FA as their secondary authentication provider when logging into Safeguard for Privileged Passwords. For more information, see Configuring user for Starling Two-Factor Authentication when logging in to Safeguard.
-
Approval Anywhere
The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication (2FA), allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.
Approval Anywhere is enabled when you join Safeguard for Privileged Passwords to One Identity Starling. As a Security Policy Administrator, you must define the Safeguard for Privileged Passwords users authorized to use Approval Anywhere. For more information, see Adding authorized user for Approval Anywhere.
Syslog
Safeguard for Privileged Passwords allows you to define one or more syslog servers to be used for logging Safeguard for Privileged Passwords event messages. Using this feature, Appliance Administrators can specify to send different types of messages to different syslog servers.
Navigate to Administrative Tools | Settings | External Integration | Syslog. The Syslog pane displays the following about each syslog server defined.
| Property | Description |
|---|---|
| Network Address | The IP address or FQDN of the syslog server |
| Port | The UDP port number for syslog server |
| Facility | The type of program being used to create syslog messages |
| Description | The description of the syslog server configuration |
| # of Events | The number of events selected to be logged to the syslog server |
Use these toolbar buttons to manage the syslog server configurations
| Option | Description |
|---|---|
 New |
Add a new syslog server configuration. For more information, see Configuring a syslog server. |
 Delete Selected |
Remove the selected syslog server configuration from Safeguard for Privileged Passwords. |
 Refresh |
Update the list of syslog server configurations. |
 Edit |
Modify the selected syslog server configuration. |
 Copy |
Clone the selected syslog server configuration. |
Configuring a syslog server
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to log event messages to a syslog server.
To configure a syslog server
- Navigate to Administrative Tools | Settings | External Integration | Syslog.
- Click
New to display the Syslog dialog.
-
In the Syslog dialog, enter the following:
-
Network Address: Enter the IP address or FQDN of the syslog server.
Limit: 255 characters
-
UDP Port: Enter the UDP port number for the syslog server.
Default: 514
Range: between 1 and 32767
-
Description: Enter a description for the syslog server configuration.
Limit: 255 characters
-
Events: Click Browse to select the events to be included in the syslog.
On the Event selection dialog, select the events to be included, then click OK.
-
Facility: Choose the type of program to be used to log syslog messages.
Default: User-level messages
-
- Click OK to save your selection and add the syslog server configuration.