Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.0.4.1 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

After joining Starling

Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled:

Feature using Starling Connect
  • Starling Connect Registered Connectors

    This feature integrates your Starling connectors with Safeguard for Privileged Passwords. This allows for the accounts stored in the connectors to be discovered and controlled by Safeguard for Privileged Passwords through the use of partitions which allow for rotating passwords to provide additional security for them. For more information, see Registered Connectors.

Feature using Starling Cloud Assistant
  • Cloud Assistant

    The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the Safeguard for Privileged Passwords web application.

    The Cloud Assistant feature is enabled when you join Safeguard for Privileged Passwords to Starling. For more information, see Starling. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

    IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.

Starling as an identity provider

Once Safeguard for Privileged Passwords has joined with Starling, a Starling Identity and Authentication provider will automatically be added to Safeguard. This is indicated by the Realm(s) section under Starling. However, there won't be any users or groups available until an administrator adds a Microsoft Azure Active Directory tenant to their Starling organization via the Directories settings page in Starling.

Using Starling as an identity provider

  1. Join Safeguard for Privileged Passwords with Starling. For more information, see Join Starling.

  2. Enable a Microsoft Azure Active Directory tenant in your Starling organization (multiple Microsoft Azure Active Directory tenants can be added to Starling, but they will be available and treated as a single tenant when used by Safeguard). This is done via the Directories settings page in Starling. For more information, see the Starling User Guide.

  3. In order for Safeguard users to authenticate against Starling, a Relying Party Trust Application must be created in Starling via the Applications settings page. For more information, see the Starling User Guide.

    To create the application in Starling, you will need to Download Safeguard Federation Metadata from Identity and Authentication

    NOTE: You cannot use the Add OpenID Connect Application with Safeguard for Privileged Passwords.

  4. You will need to enter one or more values in the Realm(s) section to associate with the new Starling authentication provider. This will then allow users logging in to Safeguard to select External Federation and use Starling for their authentication.

  5. When the Require User to Always Authenticate check box is selected, the user will always be required to enter their credentials on the external provider, regardless of whether they are already logged in.

Adding new users and groups to Safeguard that come from Starling follows the same process as with other directory based identity providers (such as, Active Directory and LDAP) and the user information will be periodically synchronized from Starling.

IMPORTANT: You may need to restart the client in order for Starling to appear as an available identity provider.

Unjoin Starling

It is the responsibility of the Appliance Administrator to unjoin Safeguard for Privileged Passwords from Starling.

For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.

To unjoin Safeguard for Privileged Passwords from Starling

  1. Go to Starling:
    • web client: Navigate to External Integration > Starling.
  2. Click Unjoin Starling.
  3. Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Cloud Assistant, Starling identity providers, and integrated connectors are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account can rejoin Safeguard for Privileged Passwords to Starling at any time.

    IMPORTANT: If you attempt to unjoin from Starling while there are still Safeguard users or groups that use the Starling provider for identity and authentication, you will get an error. You must manually delete any users or groups first before unjoining from Starling.

Syslog

Safeguard for Privileged Passwords allows you to define one or more syslog servers to be used for logging Safeguard for Privileged Passwords event messages. Appliance Administrators can specify to send different types of messages to different syslog servers. You may configure a connection to a syslog server to use TLS encryption, with or without a client authentication certificate. For more information, see Syslog Client Certificate.

To define and manage the syslog servers, go to Syslog:

  • web client: Navigate to External Integration > Syslog.

The Syslog pane displays the following about each syslog server defined.

Table 54: Syslog server: Properties
Property Description

Name

The name of the syslog server

Network Address The IP address or FQDN of the syslog server
Port The port number for syslog server

Protocol

The network protocols and syslog header type

TCP Framing

When using syslog with the TCP protocol, since the connection is stream based both the client and server need to be configured to process the data using the same delimiter. See RFC 6587 section 3.4.1 and 3.4.2 for more details. By default, Safeguard for Privileged Passwords will use octet counting, as is recommended by RFC 6587. However, some syslog servers do not support octet counting. If that is the case, use this setting to configure Safeguard for Privileged Passwords to use the delimiter that is supported by your syslog server.

Use TLS Encryption

If selected, provides encrypted communication with the syslog server instead of plain text over TCP

Use Client Certificate

If selected, the syslog server requires clients to authenticate

Verify Server Certificate

If selected, the syslog server certificate messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate

Use these toolbar buttons to manage the syslog server configurations

Table 55: Syslog server: Toolbar
Option Description
Add Add a new syslog server configuration. For more information, see Configuring and verifying a syslog server.
Remove

Remove the selected syslog server configuration from Safeguard for Privileged Passwords.

If you attempt to remove a syslog server in use, you will see a message like: <syslog server> will be removed. Select Yes or No.

A second Force Delete message like this may display: There are dependencies on this syslog server: This object is referenced by ServiceDebug. Do you want to force delete this server? Select Force Delete or Cancel. If you select Force Delete, the dependent setting (such as an event subscriber or debug logging) will be deleted as well.

Edit Modify the selected syslog server configuration.
Copy Syslog Template Clone the selected syslog server configuration.
Refresh Update the list of syslog server configurations.

Configuring and verifying a syslog server

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to log event messages to a syslog server. The steps below cover configuration.

Other considerations:

To configure a syslog server

  1. Go to Syslog:
    • web client: Navigate to External Integration > Syslog.
  2. Click Add to display the Syslog Serverdialog.
  3. In the Syslog Server dialog, enter the following:

    1. Name: Enter a descriptive name for the syslog server.

    2. Network Address: Enter the IP address or FQDN of the syslog server. Limit: 255 characters
    3. Port: Enter the port number for the syslog server. Default: 514 and range: between 1 and 32767

    4. Protocol: Select the network protocol and syslog header type:

      • UDP (RFC 3164): Sends messages over UDP using the syslog header format specified in RFC 3164.

      • UDP (RFC 5424): Sends messages over UDP using the syslog header format specified in RFC 5424.
      • TCP (RCF 5424): Sends messages over TCP using the syslog header format specified in RFC 5424. TCP is required for TLS options.
    5. If you selected a Protocol of TCP (RCF 5424), additional selections can be made to set the TCP framing and configure Safeguard for Privileged Passwords to use Transport Layer Security (TLS). This provides encrypted communication with the syslog server instead of plain text over TCP.
      • Select the TCP Framing. By default, Octet Counting will be selected. Possible options are:

        • Octet Counting: The default and recommended framing. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.1. With octet counting, there is no chance of a message containing a character that may otherwise be intended to be used as a delimiter.

        • LF: Use a line feed character (LF 0x0A) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.

        • CR: Use a carriage return character (CR 0x0D) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.

        • CRLF: Use both carriage return and line feed characters (CRLF 0x0D0A) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.

        • NUL: Use a NUL character (0x00) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.

      • Select Use TLS Encrypton.

      • Verify Syslog Server Certificate: If selected, the syslog server certificate messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate. If Safeguard for Privileged Passwords cannot resolve the syslog server TLS certificate to a trusted root, the message will not be sent.
      • Use Client Certificate: Select this option if the syslog server requires clients to authenticate. You should also set the syslog client certificate appropriately. For more information, see Creating a syslog client Certificate Signing Request.
  4. Click OK to save your selection and add the syslog server configuration.
  5. You can verify the syslog server. See the next section.

To verify a syslog server

  1. Navigate to External Integration > Syslog Event.

  2. Click Send Test Event. For more information, see Syslog Events.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating