Safeguard Authentication Services 5.0.4 - Upgrade Guide

Joining Safeguard Authentication Services with Starling

Joining Safeguard Authentication Services to Starling allows you to use features from Starling Two-Factor Authentication.

To join Safeguard Authentication Services with Starling

  1. From the Control Center, navigate to Preferences | Starling Two-Factor Authentication.
  2. In the Join to Starling and enable Two-Factor Authentication pane, click Starling Join Settings.
  3. On the Starling Two-Factor Authentication dialog, use the Product TIMs drop-down to select a valid Safeguard Authentication Services license.

    NOTE: The other fields on this dialog are read-only and contain the following information after you successfully join to Starling:

    • Product Name: Displays Safeguard Authentication Services.
    • Product Instance: Displays the unique identifier for Starling.
  4. Click Join to Starling.

    NOTE: The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard Authentication Services will be joined with.

    After the join has successfully completed, you will be returned to the Safeguard Authentication Services Control Center and the Join to Starling and enable Two-Factor Authentication pane will display the following:

    • Product Instance: Displays the unique identifier for Starling. You can click the Copy button to the right of this field to copy the product instance identifier to your desktop.
    • Starling Join State: Displays either Joined or Unjoined.

Configuring Starling to use a proxy server

The Starling Proxy Settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, Safeguard Authentication Services uses the configured proxy server for outbound web requests to Starling.

NOTE: One Identity recommends you use an automatic configuration script (proxy PAC file). To specify a previously configured PAC file, select the Use automatic configuration script check box and enter the address of the proxy.pac file.

To configure Starling to use a proxy server

  1. From the Control Center, navigate to Preferences | Starling Two-Factor Authentication.
  2. In the Starling Proxy Configuration pane, click Starling Proxy Settings.
  3. On the Starling Proxy Configuration dialog, enter the following information about the proxy server to be used:

    To specify a previously configured PAC file (recommended):

    • Use automatic configuration script: Select this check box.
    • Address: Enter the address of the proxy.pac file.

    To use username/password to specify the proxy server:

    • Address: Enter the URL for the proxy server.
    • Port: Enter the port number to be used.
    • Username: Enter the user name of a service account that is to be used to access the proxy server.
    • Password: Enter the password associated with the user name specified. The password will be displayed in clear text.

  4. Click OK to save your selections.

Starling Attributes: Configure LDAP attributes for use with push notifications

You can specify the user mobile number and user email address attributes to be used by the Starling push notifications.

Modifications to the Starling schema attributes configuration are global and apply to all Safeguard Authentication Services clients in the forest. For users configured to use Starling, this could cause user logins to fail.

To configure custom LDAP attributes for use with Starling push notifications

  1. From the Control Center, navigate to the Starling Attributes in one of the following two ways:
    • Preferences | Starling Two-Factor Authentication and click the Starling Attributes link.
    • Preferences | Schema Attributes
  2. Click the Unix Attributes link in the upper right to display the Customize Schema Attributes dialog.
  3. Enter the LDAP display name for one or both of the Starling attributes used by the Starling push notifications:

    • User Mobile Number
    • User Email Address
  4. Click OK.
  5. Click Yes to confirm that you want to modify the Starling schema attributes configuration.
  6. Back on the Starling Two-Factor Authentication preference pane, the Starling attributes to be used are displayed.

Logging in with Starling Two-Factor Authentication

Once Starling Two-Factor Authentication is enabled (that is, Safeguard Authentication Services is joined to Starling and users are authorized to use Starling Two-Factor Authentication), anytime an authorized user attempts to log in to an integrated Unix-based host, they will see an additional login screen informing them that an additional authentication step is required.

The default prompt contains the following:

Enter a token or select one of the following options:

  1. Starling Push
  2. Phone call
  3. Send an SMS

Token or option (1-3) [1]: <Token or option number>

This default prompt can be modified in vas.conf.

vas.conf example:

[STARLING] OPTIONS

The behavior of QAS Starling can be modified by using the following options in the [starling] section.

[starling]

prompt = <boolean>

prompt = <message-text>

Default value: "Enter a token or select one of the following options:\n\n 1. Starling Push\n 2. Phone call\n 3. Send an SMS\n \nToken or option (1-3)[1]: "

This is the message that is initially displayed during a Starling authentication.

This prompt can span multiple lines; line separation is specified by adding \n to the prompt string.

NOTE: Changing the prompt will not change what is accepted as input.

[starling]

prompt = "Enter 1 for a push request, 2 for a phone call, 3 for a txt, or enter a token.\n "

NOTE: In order to display the prompts, the application must be able to handle PAM conversations, such as sshd (keyboard-interactive). If the application cannot handle PAM conversations, such as sshd (password), a push authentication is sent instead of a prompt.
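
The NOTE above ties the prompt to sshd's keyboard-interactive method. As an added example (not from the One Identity guide), this script classifies an OpenSSH sshd_config as showing the prompt, sending a push only, or not using PAM. It assumes current OpenSSH keyword names and defaults, with ChallengeResponseAuthentication treated as a deprecated alias of KbdInteractiveAuthentication; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code: classify how an OpenSSH sshd_config will
# present the Starling step (interactive prompt vs. automatic push).

# first_value FILE KEYWORD...: print the first global value set for any of the
# keywords. sshd keeps the first value it reads and keywords are
# case-insensitive. Parsing stops at the first Match block.
first_value() {
    file=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " ") }
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        { for (i = 1; i <= n; i++)
              if (tolower($1) == k[i]) { print tolower($2); exit } }
    ' "$file"
}

# starling_prompt_mode FILE: print prompt, push-only, or no-pam.
starling_prompt_mode() {
    use_pam=$(first_value "$1" UsePAM)
    kbd=$(first_value "$1" KbdInteractiveAuthentication ChallengeResponseAuthentication)
    # Assumed OpenSSH defaults when unset: UsePAM no, keyboard-interactive yes.
    [ -n "$use_pam" ] || use_pam=no
    [ -n "$kbd" ] || kbd=yes
    if [ "$use_pam" != yes ]; then
        echo no-pam        # sshd does not call PAM, so no conversation is possible
    elif [ "$kbd" = yes ]; then
        echo prompt        # keyboard-interactive: the [starling] prompt is shown
    else
        echo push-only     # password method only: a push is sent instead
    fi
}

# Constructed sample configuration (not taken from a real host).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample
UsePAM yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
EOF
echo "sample config: $(starling_prompt_mode "$demo_cfg")"
rm -f "$demo_cfg"
```

On a live host, save the output of sshd -T (run as root) to a file and pass that file instead, so that defaults and included files are reflected.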
