Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.0.1 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Authentication provider combinations

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in.

Using Local as the identity provider

Table 63: Allowable local identity provider combinations

Primary authentication

Secondary

authentication

Local: The specified login name and password or SSH key will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Certificate: The specified certificate thumbprint will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Active Directory as the identity provider

Table 64: Allowable Active Directory identity provider combinations

Primary authentication

Secondary

authentication

Active Directory: The samAccountName or X509 certificate will be used for authentication.

NOTE: The user must authenticate against the domain from which their account exists.

None

OneLogin MFA

Radius

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using LDAP as the identity provider

Table 65: Allowable LDAP identity provider combinations

Primary authentication

Secondary

authentication

LDAP: The specified username attribute will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius : The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Starling as the identity provider

Table 66: Allowable Starling identity provider combinations

Primary authentication

Secondary

authentication

Starling

None

Adding identity and authentication providers

It is the responsibility of the Appliance Administrator to add directories to Safeguard for use as identity and authentication providers.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of an Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

  1. Go to Identity and Authentication:
    • web client: Navigate to Safeguard Access > Identity and Authentication.
  2. Click Add.
  3. Click the provider:

Appliance Management Settings

In the web client, Appliance Management has a settings page used to manage the maximum number of platform task retries.

  • Navigate to Appliance Management > Settings to manage the setting listed below.
    Table 69: Security Policy Setting
    Setting Description

    Maximum Platform Task Retries

    Set the maximum number of platform retries.

  • Asset Management

    In the web client, expand the Asset Management section in the left navigation pane.

    The following pages are available. See each section for a description of the functions available.

    Topics:
    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating