The Starling Identity Analytics & Risk Intelligence service collects and evaluates information from data sources, such as Safeguard for Privileged Passwords, to provide you with valuable insights into your users and entitlements. When integrated with Safeguard for Privileged Passwords, Starling Identity Analytics & Risk Intelligence allows you to identify Safeguard for Privileged Passwords users and entitlements that are classified as high risk and to view the rules and details contributing to that classification.
In order to use Safeguard for Privileged Passwords as a data source module in Starling Identity Analytics & Risk Intelligence, you must first add a user to Safeguard for Privileged Passwords, with the following properties:
Once this Safeguard for Privileged Passwords user is defined, you will enter this user's credentials and Safeguard for Privileged Passwords connection information when adding a new data source module in the Starling Identity Analytics & Risk Intelligence service. For more information on configuring a new data source module and the classification rules used to identify high risk users and entitlements, see the One Identity Starling Identity Analytics & Risk Intelligence User Guide.
In order to use Application to Application integration with Safeguard for Privileged Passwords, you must perform the following tasks:
Step 1: Prepare third-party application for integration with Safeguard for Privileged Passwords.
Step 2: Appliance administrator enables Application to Application service in Safeguard for Privileged Passwords.
Using the desktop client, navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service and click the Application to Application Enabled toggle.
-OR-
Use the following URL: https://appliance/service/appliance/v2/A2AService/Enable
Step 3: Asset Administrator adds assets and accounts to Safeguard for Privileged Passwords.
For more information, see Adding an asset and Adding an account.
Step 4: User Administrator adds certificate users to Safeguard for Privileged Passwords.
For more information, see Adding a user.
Step 5: Security Policy Administrator adds application registration to Safeguard for Privileged Passwords.
For more information, see Adding an application registration.
Step 6: Get the API key and copy/paste it into the third-party application in order to make requests from the third-party application.
For more information, see How do I make a request using the Application to Application service.
Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:
A third-party application authenticates with Safeguard for Privileged Passwords using an API key and a client certificate, rather than the bearer token normally used to authenticate Safeguard for Privileged Passwords API requests. To make a request, you must first retrieve the API key for the application from Safeguard for Privileged Passwords using an authorized user account (that is, using bearer token authentication), and install the correct certificate on the host that will be making the request. The certificate must be installed in the certificate store of the authorized certificate user that will make the request.
To make a "credential retrieval" request from the third-party application
Retrieve the relevant API key for the application from Safeguard for Privileged Passwords. You can retrieve the API key using the desktop client or the API.
Using the desktop client:
Using the Safeguard for Privileged Passwords API:
Use the following URL to retrieve the details of the registered application from the Safeguard for Privileged Passwords API. The Id property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authenticate the request.
https://<Appliance IP>/service/core/V2/A2ARegistrations?filter=AppName%20eq%20%22<ApplicationName>%22
Use the Id property in the response retrieved for the application registration to retrieve the API key for the selected account from the Safeguard for Privileged Passwords API:
https://<Appliance IP>/service/core/V2/A2ARegistrations/<Id>/RetrievableAccounts?filter=AccountName%20eq%20%22<account name>%22%20and%20SystemName%20eq%20%22<system name>%22&fields=ApiKey
Create the application request, authenticating with the retrieved API key and the certificate thumbprint.
To retrieve a credential, use the following request:
This URL returns a string response.
To make an "access request broker" request from the third-party application
Retrieve the relevant API key for the application from Safeguard for Privileged Passwords. You can retrieve the API key using the desktop client or the API.
Using the desktop client:
Using the Safeguard for Privileged Passwords API:
Use the following URL to retrieve the details of the registered application from the Safeguard for Privileged Passwords API. The Id property in the response can then be used to retrieve the relevant API key. The Certificate Thumbprint property in the response identifies the certificate that the application must use to authenticate the request.
https://<Appliance IP>/service/core/V2/A2ARegistrations?filter=AppName%20eq%20%22<ApplicationName>%22
Use the Id retrieved for the application registration to retrieve the API key from the Safeguard API:
https://<Appliance IP>/service/core/V2/A2ARegistrations/<Id>/AccessRequestBroker/ApiKey
Create the application request, authenticating with the retrieved API key and the certificate thumbprint.
To create an access request, use the following request:
This URL returns the new request if successful.
NOTE: Most of the fields in this access request match those in a normal access request, with the following exceptions:
The following fields are used to identify the target Safeguard for Privileged Passwords user that will be used to create the request. The result must uniquely identify a valid Safeguard for Privileged Passwords user for which the application has been granted permission to create an access request. If the search results in multiple matches or no matches, an error is returned.
The following fields are used to uniquely identify the target system. If the search results in multiple matches or no matches, an error is returned.
The following fields are used to uniquely identify the target account. If the search results in multiple matches or no matches, an error is returned.
The following fields can be used to identify the reason code. If the search results in multiple matches or no matches, the reason code is set to null.
Once the target user and account have been determined, the Application to Application service attempts to create the access request. Normal policy rules determine whether the attempt is successful.
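As an added example (not the page's or One Identity's own code), the following Python builds the two bearer-token lookup URLs quoted above, the broker API key URL, and the final A2A request that authenticates with the API key and a TLS client certificate. It uses only the standard library and assumes a PEM certificate and private key on disk, an "A2A <ApiKey>" authorization scheme and the endpoint /service/a2a/v2/Credentials?type=Password, none of which this page shows.

```python
import json
import ssl
import urllib.parse
import urllib.request

def _check_name(value):
    # Names are interpolated into a filter expression: refuse empty strings
    # and double quotes rather than let a caller-supplied value alter it.
    if not value or '"' in value:
        raise ValueError("name must be non-empty and contain no double quote")

def registration_url(appliance, app_name):
    """Registration lookup by AppName; the response Id feeds the next calls."""
    _check_name(app_name)
    flt = urllib.parse.quote(f'AppName eq "{app_name}"')
    return f"https://{appliance}/service/core/V2/A2ARegistrations?filter={flt}"

def retrievable_account_key_url(appliance, reg_id, account, system):
    """Only the ApiKey of one retrievable account (fields=ApiKey)."""
    _check_name(account)
    _check_name(system)
    flt = urllib.parse.quote(f'AccountName eq "{account}" and SystemName eq "{system}"')
    return (f"https://{appliance}/service/core/V2/A2ARegistrations/{reg_id}"
            f"/RetrievableAccounts?filter={flt}&fields=ApiKey")

def broker_key_url(appliance, reg_id):
    return f"https://{appliance}/service/core/V2/A2ARegistrations/{reg_id}/AccessRequestBroker/ApiKey"

def get_json(url, bearer_token):
    """The lookups above run as an authorized user, i.e. bearer token auth."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def a2a_headers(api_key):
    # Assumption (not on the page): the A2A service takes the key in an
    # 'A2A' authorization scheme instead of a bearer token.
    return {"Authorization": f"A2A {api_key}", "Accept": "application/json"}

def fetch_credential(appliance, api_key, cert_pem, key_pem):
    """A2A credential retrieval: API key plus the certificate user's TLS client
    certificate. Assumption: endpoint /service/a2a/v2/Credentials?type=Password."""
    ctx = ssl.create_default_context()  # the appliance's server cert is still verified
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    url = f"https://{appliance}/service/a2a/v2/Credentials?type=Password"
    req = urllib.request.Request(url, headers=a2a_headers(api_key))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()  # returned as a string, as the page says
```

Treat the retrieved API key and the certificate's private key as secrets equivalent to the credential they unlock; restrict file permissions on both and do not log the request headers.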
One Identity Safeguard for Privileged Passwords can be configured to send email notifications warning you of operations that may require investigation or action. Your administrative permissions determine which email notifications you will receive by default.
Administrative permission | Event/Warning
---|---
Appliance Administrator, Operations Administrator | Appliance Healthy, Appliance Restarted, Appliance Sick, Appliance Task Failed, Archive Task Failed, Cluster Failover Started, Cluster Replica Enrollment Completed, Cluster Replica Removal Started, Cluster Reset Started, Disk Usage Warning, Factory Reset Appliance, License Expired, NTP Error Detected, Operational Mode Appliance, Raid Error Detected, Reboot Appliance, Shutdown Appliance
Directory Administrator or delegated partition owner | Account Discovery Failed, Dependent Asset Update Failed, Password Change Failed, Password Check Failed, Password Check Mismatch, Password Reset Needed, Restore Account Failed, Ssh Host Key Mismatch, Ssh Key Change Failed, Ssh Key Install Failed, Suspend Account Failed, Test Connection Failed
Security Policy Administrator | Policy Expiration Warning, Policy Expired, Entitlement Expiration Warning, Entitlement Expired
NOTE: Safeguard for Privileged Passwords administrators can use the following API to turn off these built-in email notifications:
POST /service/core/v2/Me/Subscribers/{id}/Disable
In addition, Safeguard for Privileged Passwords administrators can subscribe to additional events based on their administrative permissions using the following API:
POST /service/core/v2/Events
© 2021 One Identity LLC. ALL RIGHTS RESERVED.