One Identity Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different Identity Provider STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account. When an end user logs in, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in.
NOTE: Additional two-factor authentication can be assigned to the associated Safeguard for Privileged Passwords user account to force the user to authenticate again after being redirected back from the external STS.
To use external federation, you must first download the federation metadata XML for your STS and save it to a file. For example, for Microsoft's AD FS, you can download the federation metadata XML from:
https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml.
It is the responsibility of the Appliance Administrator to configure the external federation service providers in Safeguard for Privileged Passwords.
To add an external federation service provider
Name: Enter a unique display name for the external federation service provider. The name is used for administrative purposes only and will not be seen by end users.
  Limit: 100 characters. Required.
Realm: Enter a unique realm value, typically a DNS suffix, like contoso.com, that matches the email addresses of users intended to use this STS for authentication. A case-insensitive comparison will be used on this value when performing Home Realm Discovery. Wildcards are not allowed.
  Limit: 255 characters. Required.
NOTE: The federation metadata XML files typically contain a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure that it has not been edited.
The process for creating the relying party trust in your STS will differ between applications and services. However, as stated earlier, you can download a copy of the Safeguard for Privileged Passwords federation metadata by clicking the link shown when you entered the STS information in Safeguard for Privileged Passwords. You can also download the Safeguard for Privileged Passwords federation metadata at any time using one of the following methods:
If the STS does not support importing federation metadata, but instead requires you to manually input values, you will typically need an App ID and Login or Redirect URL. Both of these values can be copied from the Safeguard for Privileged Passwords federation metadata XML file you downloaded.
The Login or Redirect URL will come from the Location attribute of the <AssertionConsumerService> element within the <SPSSODescriptor> element.
NOTE: Only the HTTP-POST binding is supported for this end point.
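When the STS cannot import metadata, the two values above have to be read out of the Safeguard for Privileged Passwords metadata by hand. The script below is an added example, not One Identity code: it parses service provider metadata with the standard library, takes the App ID from the entityID attribute of <EntityDescriptor> (an assumption about which metadata value Safeguard calls the App ID), and picks only an <AssertionConsumerService> with the HTTP-POST binding, refusing files that offer a different binding. The sample metadata, host name and entityID are constructed placeholders. It also reports whether the file carries a <ds:Signature>, which is the cue that it must not be edited before upload.

```python
# Added example (not One Identity's code): extract the App ID and the
# Login/Redirect URL from Safeguard SP federation metadata, honouring the
# HTTP-POST-only rule for the AssertionConsumerService end point.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; host name, entityID and the signature
# value are placeholders, not values from a real appliance.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://safeguard.example.invalid/saml/sp">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://safeguard.example.invalid/saml/acs-redirect" index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://safeguard.example.invalid/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_values_from_metadata(xml_text: str) -> dict:
    """Return the App ID (assumed to be entityID) and the HTTP-POST ACS Location.

    Raises ValueError if the file is not SP metadata or has no HTTP-POST
    AssertionConsumerService, the only binding Safeguard supports here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    app_id = root.get("entityID")
    if not app_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # Only HTTP-POST end points count; a Redirect or Artifact ACS is ignored.
    post_acs = [
        acs.get("Location")
        for acs in sp.findall("md:AssertionConsumerService", NS)
        if acs.get("Binding") == HTTP_POST and acs.get("Location")
    ]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    return {
        "app_id": app_id,
        "login_url": post_acs[0],
        # A signed file must be uploaded byte-for-byte as downloaded.
        "signed": root.find("ds:Signature", NS) is not None,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in sp_values_from_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the downloaded file instead of the sample by reading the file contents into a string; the function deliberately raises rather than silently falling back to a non-POST end point, because a Redirect-binding URL pasted into the STS would produce responses Safeguard rejects.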
You must then configure or ensure that the STS returns the authenticated user's email address as a SAML attribute claim. The email address must appear in either the standard SAML email address claim or name claim:
NOTE: Any other attributes or claims will be ignored.
The SAML Response or Assertion must be signed, but not encrypted. When the signing certificate used by your STS expires, you must update the metadata in Safeguard for Privileged Passwords by uploading a new copy of your STS's metadata file. Safeguard for Privileged Passwords will not automatically attempt to refresh the metadata.
NOTE: Your STS's metadata can contain more than one signing certificate to allow for a grace period between an expiring certificate and a new one.
For further details regarding specific STS servers, see the following knowledge base articles on the One Identity support site:
It is the responsibility of either the Authorizer Administrator or the User Administrator to add an associated external federation Safeguard for Privileged Passwords user.
NOTE: You must add external federation service providers to Safeguard for Privileged Passwords before you can add external federation user accounts.
NOTE: No user information, such as first name, last name, phone number, or email address, is ever imported from the STS claims token. You must enter that information manually when creating the user in Safeguard for Privileged Passwords if you need it.
To add an external federation user account
Email Address or Name Claim: Enter the email address or name claim that will be returned from the STS of an authenticated user.
NOTE: A case-insensitive comparison will be performed on the value when the user is logging in.
NOTE: You must configure or ensure that the STS includes either the email address claim or name claim. Safeguard for Privileged Passwords will first look for the email address claim in the claims token. If that claim does not exist, it will use the name claim. You must create the user account in Safeguard for Privileged Passwords according to what claim is returned by your STS, with precedence given to the email address claim.
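The matching rules spread across this page (case-insensitive realm lookup on the login email with no wildcards, a signed but unencrypted assertion, email claim before name claim, all other claims ignored, case-insensitive match against the configured account) are easiest to check against a captured SAML response before a user is created. The script below is an added example, not One Identity code, and does not reproduce how the appliance itself is implemented. The claim URIs are an assumption: the standard emailaddress and name claim types that AD FS emits. The provider table, user table and response are constructed, and the signature value is a placeholder (the example checks that a signature element is present; it does not verify it).

```python
# Added example (not One Identity's code): Home Realm Discovery on the login
# e-mail, shape checks on the returned assertion (signed, not encrypted), and
# the e-mail-before-name claim precedence used to find the Safeguard account.
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed claim URIs: the standard e-mail and name claim types AD FS emits.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed configuration: realm -> provider display name, and the claim
# value entered on each Safeguard user account -> an account label.
PROVIDERS = {"contoso.com": "Contoso AD FS", "fabrikam.com": "Fabrikam STS"}
USERS = {"alice@contoso.com": "alice-sg", "bob.builder": "bob-sg"}


def home_realm(login_email: str, providers: dict) -> Optional[str]:
    """Pick the provider whose realm equals the e-mail's DNS suffix.

    Case-insensitive and exact: no wildcard or partial-suffix matching.
    """
    if "@" not in login_email:
        return None
    suffix = login_email.rsplit("@", 1)[1].strip().lower()
    for realm, name in providers.items():
        if realm.lower() == suffix:
            return name
    return None


def check_assertion_shape(response_xml: str) -> ET.Element:
    """Return the Assertion element, rejecting encrypted or unsigned input."""
    root = ET.fromstring(response_xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; it must be signed, not encrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    if not signed:
        raise ValueError("neither Response nor Assertion carries a Signature")
    return assertion


def login_claim(assertion: ET.Element) -> Optional[str]:
    """E-mail claim wins; fall back to the name claim; ignore everything else."""
    values = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        if val is not None and val.text:
            values[attr.get("Name")] = val.text.strip()
    return values.get(EMAIL_CLAIM) or values.get(NAME_CLAIM)


def match_user(claim_value: Optional[str], users: dict) -> Optional[str]:
    """Case-insensitive comparison of the claim against configured accounts."""
    if not claim_value:
        return None
    wanted = claim_value.lower()
    for configured, account in users.items():
        if configured.lower() == wanted:
            return account
    return None


# Constructed sample response; the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>bob.builder</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>Alice@Contoso.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def resolve_login(login_email: str, response_xml: str) -> tuple:
    """End to end: which provider handled the user, which account matched."""
    provider = home_realm(login_email, PROVIDERS)
    assertion = check_assertion_shape(response_xml)
    return provider, match_user(login_claim(assertion), USERS)


if __name__ == "__main__":
    print(resolve_login("Alice@CONTOSO.COM", SAMPLE_RESPONSE))
```

In the sample the name claim appears before the email claim and the givenname claim is present, yet only the email value is used for matching; drop the email attribute from the token and the name claim takes over, which is why the account has to be created with whichever value the STS actually returns.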
Require Secondary Authentication: If secondary authentication is required, select this check box.