Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.0.4.1 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Local Login Control

It is the responsibility of the Appliance Administrator to initially set up user login controls such as the number of failed sign-in attempts before locking out an account.

To configure the login controls

  1. Go to Local Login Control:
    • web client: Navigate to Safeguard Access > Local Login Control.
  1. Provide the following information. Some settings are for local users only, such as Lockout Window. Other settings are for all user types, such as the Token Lifetime.
    Token Lifetime

    Set the number of minutes a user can stay logged into Safeguard for Privileged Passwords.

    Range: 10 minutes to 28,800 minutes (20 days)

    Default: 1,440 minutes (one day)

    Web Client Inactivity Timeout

    Set the maximum time to allow from the user's last request to the server before the user is automatically logged out. The default is 15 minutes. The minimum value is five minutes and the maximum value is 2,880 minutes (two days) if the Token Lifetime is increased to match the value. If the Token Lifetime is not increased, the token will expire before the Web Client Inactivity Timeout.

    When the timeout period is met, a message displays and the user can continue or log out. If there is no response, the user is automatically logged out. The default is 15 minutes.

    Lockout Duration

    Set the number of minutes a locked out account remains locked.

    Range: One to 9,999 minutes; A setting of 9,999 requires an administrator to manually unlock the account.

    Default: 15 minutes

    Lockout Threshold

    Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account.

    If a user submits an incorrect password for the maximum number of times specified by the account Lockout Threshold settings within the Lockout Window, Safeguard for Privileged Passwords locks the account until the Lockout Duration period has been met.

    Range: 0 to 100 failed sign-in attempts; A value of 0 (zero) indicates the user’s account will never be locked due to failed log ins. The default is five consecutive failures. Set the Lockout Threshold to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.

    Lockout Window

    Set the duration (in minutes) in which Safeguard for Privileged Passwords increments the number of failed sign-in attempts.

    Range: 0 to 15 minutes; A value of 0 (zero) means that there is no time limit to tracking failed log on attempts.

    Default: 10 minutes

    Deactivate After

    Set the number of days to wait before automatically disabling an inactive user account.

    If a user has not logged onto Safeguard for Privileged Passwords this number of days, Safeguard for Privileged Passwords disables the user account.

    NOTE: The Authorizer Administrator must also reset the user's password when re-enabling a disabled account.

    Range: 14 to 365 days

    Default: 365 days

    Minimum Password Age

    Set the number of days a user must wait before changing their password.

    Range: 0 to 14 days

    Default: Zero

    Maximum Password Age

    Set the number of days users can use their current password before they must change it.

    Range: 0 to 180 days; A value of 0 (zero) indicates passwords never expire.

    Default: 42 days

    Password Age Reminder

    Set the period of time (in days) before the Maximum Password Age limit is met and Safeguard for Privileged Passwords begins to remind the user that their password is about to expire.

    Range: 0 to 30 days

    Default: 14 days

    Password History

    Enter the number of old passwords stored by Safeguard for Privileged Passwords for user accounts. Stored passwords cannot be reused, and are replaced on a first-in, first-out basis.

    NOTE: Administrators are not restricted by the password history setting.

    Range: 0 to 24 old passwords; A value of 0 (zero) disables password history restrictions allowing users to always reuse old passwords.

    Default: Five stored passwords

    Inform User of Locked Account

    Select this check box to inform users when Safeguard for Privileged Passwords has locked their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that their access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.

    A user with a locked account cannot sign into Safeguard for Privileged Passwords until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a local user's account.

    Default: Not set

    Inform User of Deactivated Account

    Select this check box to inform users when Safeguard for Privileged Passwords has disabled their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that their access has been denied.

    NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems.

    A user with a disabled account cannot sign into Safeguard for Privileged Passwords until an administrator has re-enabled their account. For more information, see Activating or deactivating a user account.

    Default: Not set

    Inform User of Bad Password

    Select this check box to inform users when the password is bad.

    Default: Not set

    Inform User of Expired Password

    Select this check box to inform users when the password is expired.

    Default: Not set

    Inform User of Invalid Token

    Select this check box to inform users when the token is invalid.

    Default: Not set

    Enable Secure Token Service Login Timeout

    Select this check box to set a 15 minute expiration time for session based cookies.

    Session based cookies are used during login. Typically, a session based cookie does not expire and is deleted by the browser/user-agent when closed. This setting, when enabled, will cause the session-based cookies to have a 15 minute expiration time, enforced by the server. This adds security and can prevent some replay attacks. End users must complete the login process within this time frame, including any multi-factor authentication.

Local Password Rule

Password rules define the complexity requirements for user authentication to Safeguard for Privileged Passwords. You can create rules governing the type of password a user can create, such as:

  • Set the allowable password length in a range from 3 to 225 characters.
  • Set first characters type and last character type.
  • Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols along with the minimum amounts of each.
  • Identify excluded uppercase letters, lowercase letters, numbers, and symbols.
  • Identify if consecutive letters, numbers, and/or symbols can be repeated sequentially and, if allowed, set the maximum repetitions allowed.

NOTE: These rules only apply to local users; they do not affect users accessing Safeguard for Privileged Passwords from an external provider such as Microsoft Active Directory. The password rules are listed in the Set password dialog. For more information, see Setting a local user's password.

Modifying user password requirements

It is the responsibility of the Appliance Administrator to configure the user password rules.

To configure user password rules

  1. Go to password rules:
    • web client: Navigate to Safeguard Access > Local Password Rule.
  2. Check the current password requirements displayed in the Rule Summary.
  3. Set the password rule requirements.

    • Password Length: Set a range for the password allowable length from three to 255 characters. The default is 8 to 64 characters. The maximum length must be equal to or greater than the sum of minimum characters required in the following steps. For example, if the password must have two uppercase letters, two lowercase letters, and two numeric characters, the minimum Password Length must be six. Note that a diacritical letter is one character.

    • First Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Last Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Repeated Characters: Choose one of the following:
      • Allow repeated characters: Any letters, numbers, or symbols can be repeated in any order, including consecutively.
      • No consecutive repeated characters: No letter, number, or symbol can be repeated after itself. You can restrict the number of consecutively repeated characters later by uppercase letters, lowercase letters, numbers, symbols, or a combination of those.
      • No repeated characters: All letters, numbers, or symbols can only be used once in the password.
    • Allow Uppercase: Select to allow uppercase (capital) letters.

      • Require a Minimum of Uppercase Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at zero.
      • Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated uppercase letters. You must enter a Maximum Allowed Characters value of one or more.
      • Exclude these Uppercase Characters: Enter any uppercase characters you want to exclude from the password. This field is case-sensitive.
    • Allow Lowercase: Select to allow lowercase (small) letters.
      • Require a Minimum of Lowercase Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at zero.
      • Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Maximum Allowed Characters value of one or more.
      • Excluded these Lowercase Characters: Enter any lowercase characters you want to exclude from the password. This field is case sensitive.
    • Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Maximum Allowed Characters.

      For example, if you set the Max Allowed at 2 then you can not have more than two alphabet characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not because it has three alphabet characters in a row.

    • Allow Numeric Character (0-9): Select to allow numeric characters in the password.
      •  Require a Minimum of Numeric Characters: Enter a number to identify the amount of numbers required in a password. To allow but not require numbers, set this value at zero.
      • Limit Consecutively Repeated Numeric Characters: Select the check box to limit the number of consecutively repeated numeric characters. You must enter a Maximum Allowed Characters value of one or more.
      • Exclude these Numeric Characters: Enter any numeric characters you want to exclude from the password. This field is case sensitive.
    • Allow Symbols (e.g. @ # $ % &): Select this check box to allow characters that are printable ASCII characters. These often include: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /

      • Require a Minimum of Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at zero.
      • Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Maximum Allowed Characters value of one or more.
      • Set the following:
        • Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
        • Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
  4. Click Test Rule to check the rules set.
  5. When the rules are complete, click Apply.

Identity and Authentication

Safeguard for Privileged Passwords allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log in to Safeguard. You can create providers for Active Directory, LDAP 2.4, any SAML 2.0 federated service, or Radius.

Go to Identity and Authentication:

  • web client: Navigate to Appliance Management > Safeguard Access > Identity and Authentication.

The Identity and Authentication pane displays the following details about the identity and authentication providers defined.

Table 62: Identity and Authentication: Properties
Property Description
Name

The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with exception of Active Directory, External Federation, and any 2FA provider.

Type

Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations.

  • Active Directory
  • LDAP
  • External Federation
  • Radius (use as a secondary authentication provider)
  • Radius as Primary (use as a primary authentication provider)
  • FIDO2
  • OneLogin MFA

Description

Enter any descriptive information to use for administrative purposes.

Use these toolbar buttons to manage identity and authentication provider configurations.

Table 63: Identity and Authentication: Toolbar
Option Description
Add

Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers.

Remove

Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users.

Edit

Modify the selected identity or authentication provider.

Syncronize Now

Run the directory addition (incremental) synchronization process for directory users (identity providers) and directory user groups. All changes except for deletions are synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task.

The directory deletion and addition (full) synchronization process must be run from the API (IdentityProviders/Synchronize).

Download Safeguard Federation Metadata

Download a copy of Safeguard for Privileged Passwords's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.

Refresh

Update the list of identity and authentication providers.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating