The process for creating the relying party trust in your STS (Security Token Service) will differ between applications and services. However, as stated earlier, you can download a copy of Safeguard for Privileged Passwords's federation metadata by clicking the link when you entered the STS information in Safeguard for Privileged Passwords. You can also download the Safeguard for Privileged Passwords federation metadata at any time using one of the following methods:
If the STS does not support importing federation metadata, but instead requires you to manually input values, you will typically need an App ID and Login or Redirect URL. Both of these values can be copied from the Safeguard for Privileged Passwords federation metadata XML file you downloaded.
The Login or Redirect URL will come from the Location attribute of the <AssertionConsumerService> element within the <SPSSODescriptor> element.
NOTE: Only the HTTP-POST binding is supported for this end point.
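The two values described above can be read out of the downloaded metadata file mechanically. The following is an added example, not One Identity's code: it parses a constructed Safeguard-style SP metadata document (the entityID, host name and paths are placeholders) and returns the App ID from `entityID` and the Login or Redirect URL from the `Location` of the `<AssertionConsumerService>` whose binding is HTTP-POST, rejecting any other binding.

```python
# Added example (not One Identity's code): pull the two values an STS asks for
# when it cannot import SP metadata, the App ID (entityID) and the Login or
# Redirect URL (Location of the HTTP-POST AssertionConsumerService).
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata. The entityID, host name and paths are
# placeholders, not values taken from a real Safeguard appliance.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sample-app-id">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://spp.example.test/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://spp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sts_values(metadata_xml: str) -> dict:
    """Return {"app_id": ..., "login_url": ...} from Safeguard SP metadata.

    Raises ValueError if the document is not service-provider metadata or
    has no HTTP-POST AssertionConsumerService, the only binding Safeguard
    supports for this endpoint.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    app_id = root.get("entityID")
    if not app_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    # Keep only HTTP-POST endpoints; an Artifact or other binding would not work.
    post_locations = [
        acs.get("Location")
        for acs in sp.findall("md:AssertionConsumerService", NS)
        if acs.get("Binding") == HTTP_POST and acs.get("Location")
    ]
    if not post_locations:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    return {"app_id": app_id, "login_url": post_locations[0]}


if __name__ == "__main__":
    print(extract_sts_values(SAMPLE_SP_METADATA))
```

Run it against the real downloaded file by passing the file contents instead of the constructed sample; a `ValueError` means the file is not the SP metadata the STS needs, or the POST endpoint is missing.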
You must then configure or ensure that the STS returns the authenticated user's email address as a SAML attribute claim. The email address must appear in either the standard SAML email address claim or name claim:
If the emailaddress and name attribute claims are not present in the SAML assertion, the SAML Subject NameID can be used.
NOTE: Any other attributes or claims will be ignored.
The SAML Response or Assertion must be signed, but not encrypted. When the signing certificate used by your STS expires, you must update the metadata in Safeguard for Privileged Passwords by uploading a new copy of your STS's metadata file. Safeguard for Privileged Passwords will not automatically attempt to refresh the metadata.
NOTE: Your STS's metadata can contain more than one signing certificate to allow for a grace period between an expiring certificate and a new one.
For further details regarding specific STS servers, see the following knowledge base articles on the One Identity support site:
It is the responsibility of either the Authorizer Administrator or the User Administrator to add an associated external federation Safeguard for Privileged Passwords user.
NOTE: You must add external federation service providers to Safeguard for Privileged Passwords before you can add external federation users.
NOTE: No user information, such as first name, last name, phone number, email address, is ever imported from the STS claims token. You must enter that information manually when creating the user in Safeguard for Privileged Passwords if you need it.
Safeguard for Privileged Passwords makes it possible for you to manage passwords for accounts on unsupported platforms that are not addressed by a custom platform.
You will use a profile with a manual change password setting. For example, you might have an asset that is not on the network. The manual change password setting allows you to comply with your company policies to change account passwords on a regular schedule without using the Safeguard for Privileged Passwords automatic change password settings. Safeguard for Privileged Passwords notifies you by email, toast notification, or both on a set schedule to change account passwords manually. You can then reset the password yourself, or allow Safeguard for Privileged Passwords to generate a random password according to the password rule selected in the profile.
Important: After you change the password in Safeguard for Privileged Passwords you must remember to change the password on the account; Safeguard for Privileged Passwords does not do that automatically for you.
The following summarizes the general workflow for managing accounts on unsupported platforms.
To manage account passwords manually
Click Copy to place the value into your copy buffer.
OK updates the Safeguard for Privileged Passwords database.
You can modify the appliance configuration settings using the Web client or Windows desktop client (Administrative Tools | Settings | Appliance).
Note: This topic assumes you have already performed the initial appliance installation and configuration steps in the One Identity Safeguard for Privileged Passwords Appliance Setup Guide provided in the box with your hardware equipment.
To modify the appliance configuration settings (web client)
On the Appliance Configuration page, configure the following:
NOTE: Click the
To modify the appliance configuration settings (Windows desktop client)
Expand the Appliance Information pane to change the appliance name.
Expand the Networking pane to add or modify DNS suffixes.
To change the DNS suffixes for your primary interface, click Edit next to the Network Interface X0 heading.
To configure the sessions interface, click Edit next to the Network Interface X1 heading. If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.