Safeguard for Privileged Passwords allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log into Safeguard. You can create providers for Active Directory, OpenLDAP 2.4, any SAML 2.0 federated service, or Radius.
To be managed, a directory asset must be added as both an asset and as an identity provider. When adding the identity provider, if the account name matches an account name already linked to an identity provider, the provider is automatically assigned.For more information, see Accounts.
Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication. The Identity and Authentication pane displays the following details about the identity and authentication providers defined.
Property | Description | ||
---|---|---|---|
Name |
The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with exception of Active Directory, External Federation, and any 2FA provider.
| ||
Type |
Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations.
| ||
Description |
Enter any descriptive information to use for administrative purposes. |
Use these toolbar buttons to manage identity and authentication provider configurations.
Option | Description |
---|---|
Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers. | |
Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users. | |
Update the list of identity and authentication providers. | |
|
Run the directory addition and deletion synchronization process on demand. In addition, it runs through the discovery, if there are discovery rules and configurations set up. |
Download a copy of Safeguard for Privileged Passwords's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited. |
Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.
|
NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling. |
|
NOTE: It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in. |
Primary Authentication |
Secondary Authentication | ||
---|---|---|---|
Local: The specified login name and password will be used for authentication. |
None Starling Radius Active Directory LDAP FIDO2 | ||
Certificate: The specified certificate thumbprint will be used for authentication. |
None Starling Radius Active Directory LDAP FIDO2 | ||
External Federation: The specified email address or name claim will be used for authentication. |
None Starling Radius Active Directory LDAP FIDO2 | ||
Radius: The specified login name will be used for authentication.
|
None Starling Active Directory LDAP FIDO2 |
Primary Authentication |
Secondary Authentication | ||
---|---|---|---|
Active Directory: The samAccountName or X509 certificate will be used for authentication.
|
None Starling Radius LDAP FIDO2 | ||
External Federation: The specified email address or name claim will be used for authentication. |
None Starling Radius Active Directory LDAP FIDO2 | ||
Radius: The specified login name will be used for authentication.
|
None Starling Active Directory LDAP FIDO2 |
Primary Authentication |
Secondary Authentication | ||
---|---|---|---|
LDAP: The specified username attribute will be used for authentication. |
None Starling Radius Active Directory FIDO2 | ||
External Federation: The specified email address or name claim will be used for authentication. |
None Starling Radius Active Directory LDAP FIDO2 | ||
Radius : The specified login name will be used for authentication.
|
None Starling Active Directory LDAP FIDO2 |
It is the responsibility of the Asset Administrator to add directories to Safeguard for use as identity and authentication providers.
If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of a User Administrator or Appliance Administrator to create an External Federation or Radius provider to use for authentication.
To add identity and authentication providers
Use the General tab to add the required service account information. The following table lists the properties and designates the properties for Active Directory or LDAP only, if applicable.
Property | Description |
---|---|
Service Account Domain Name (for Active Directory) |
Enter the fully qualified Active Directory domain name, such as example.com. Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE. The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers. |
Network Address
(for OpenLDAP) |
Enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network. |
Service Account Name (for Active Directory) |
Enter an account for Safeguard for Privileged Passwords to use for management tasks. If the account name matches an account name already linked to an identity provider, the provider is automatically assigned. When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests. If you want the password to be available for release, click Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords. Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object which represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify. |
Service Account Distinguished Name (for OpenLDAP) |
Enter a fully qualified distinguished name (FQDN) for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com |
Service Account Password |
Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory. |
Description |
Enter information about this external identity provider. |
Connect |
Click Connect to verify the credentials. If adding an Active Directory provider, all domains in the forest will be displayed. Choose which ones can be used for identity and authentication. |
Advanced | Open to reveal the following synchronization settings: |
Available Domains for Identity and Authentication (for Active Directory) |
All newly created Safeguard users that are imported from the directory user group will have their primary authentication provider set to use the directory domain from which their user originates. For an Active Directory forest with multiple domains, the domains must be marked as Available Domains for Identity and Authentication. |
Port (for LDAP) |
Enter port 389 used for communication with the LDAP directory. |
Use SSL Encryption (for OpenLDAP) | Select to enable Safeguard for Privileged Passwords to encrypt communication with an LDAP directory. |
Verify SSL Certificate (for OpenLDAP) |
Select to verify the SSL certificate. This option is only available when the Use SSL Encryption option is selected. |
Sync additions every |
Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes Range: Between 1 and 2147483647 |
Sync deletions every |
Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes Range: Between 1 and 2147483647 |
On the Attributes tab, synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.
The Attributes tab displays the default directory attributes that are mapped to the Safeguard for Privileged Passwords properties, such as the user's first name.
To map the Safeguard for Privileged Passwords properties to different directory attributes
|
Note: You can use or remove the default object class. |
The following table list the default directory attributes.
Safeguard for Privileged Passwords Attribute | Directory Attribute |
| ||
---|---|---|---|---|
Users |
| |||
Object Class |
Browse to select a class definition that defines the valid attributes for the user object class. Default: user for Active Directory, inetOrgPerson for LDAP |
| ||
User Name |
sAMAccountName for Active Directory, cn for LDAP |
| ||
Password |
userPassword for LDAP |
| ||
First Name |
givenName |
| ||
Last Name |
sn |
| ||
Work Phone |
telephoneNumber |
| ||
Mobile Phone |
mobile |
| ||
|
| |||
Description |
description |
| ||
The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this will be an attribute containing the user’s email address or other unique identifier used by the external Secure Token Service (STS). For both Active Directory and OpenLDAP 2.4, this will default to the "mail" attribute. This is only used when processing members of a directory user group in which the group has been configured to use an External Federation provider as the primary authentication. |
| |||
The directory attributed used to match the username value in an external Radius server that has been configured for either primary or secondary authentication. For Active Directory, this will default to using the "samAccountName" attribute. For OpenLDAP 2.4, this will default to using the "cn" attribute.
|
| |||
The directory attribute used when automatically associating existing managed Accounts to users of a directory user group as linked accounts. Defaults:
When choosing an attribute, it must exist on the user itself and contain one or more "Distinguished Name" values of other directory user objects. For example, you would not want to use the "owner" attribute in OpenLDAP 2.4, as the direction of the relationship is going the wrong way. You would instead want an “owns” attribute to exist on the user such as the default "seeAlso" attribute. |
| |||
Groups |
|
| ||
Object Class |
Browse to select a class definition that defines the valid attributes for the group object class. Default: group for Active Directory, groupOfNames for LDAP |
| ||
Name |
sAMAccountName for Active Directory, cn for LDAP |
| ||
Member |
member |
| ||
Description |
description |
|
One Identity Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account. When an end user logs in, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in.
|
NOTE: Additional two-factor authentication can be assigned to the associated Safeguard for Privileged Passwords user account to force the user to authenticate again after being redirected back from the external STS. |
To use external federation, you must first download the federation metadata XML for your STS and save it to a file. For example, for Microsoft's AD FS, you can download the federation metadata XML from:
https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml.
To add external federation:
Name: The unique name assigned to the external federation service provider. The name is for administrative purposes only and will not be seen by the end users.
Realm: The unique realm value (typically a DNS suffix, like contoso.com) that matches the email addresses of users that will use this STS for authentication. A case-insensitive comparison will be used on this value when performing Home Realm Discovery.
Create and configure a Radius server for use as either a primary authentication provider or secondary authentication provider. To use a Radius server for both primary and secondary authentication, you will need to create two authentication providers. The steps to create Radius as a primary provider or secondary provider follow:
Name: The unique display name. When creating the Radius provider for primary authentication, this name value will be displayed in the drop-down list on the login page.
Type: Choose As Primary Authentication or As Secondary Authentication.
Click OK.
Create and configure FIDO2 for use as a secondary authentication provider.
Domain Suffix: This must be a DNS name that identifies the appliance. Typically, this will be the DNS name used to access Safeguard. It cannot be an IP address. The value is a a domain string identifying the WebAuthn Relying Party for which the registration or authentication ceremony is performed.
A public key credential can only be used for authentication with the same entity (identified by this value) it was registered with. However, this value can be a registerable domain suffix of what appears in the user’s browser when registering. For example, you could enter contoso.com to register against a server at https://www.contoso.com or https://node1.contoso.com. Later, you can use the same authenticator security key to authenticate at either of the locations.
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. One Identity Safeguard for Privileged Passwords allows you to configure SNMP subscriptions for sending SNMP traps to your SNMP console when certain events occur.
Navigate to Administrative Tools | Settings | External Integration | SNMP. The SNMP pane displays the following about the SNMP subscribers defined.
Property | Description |
---|---|
Network Address | The IP address or FQDN of the primary SNMP network server. |
Port | The UDP port number for SNMP traps. |
Version | The SNMP version being used. |
Community | The SNMP community string being used by the SNMP subscriber. |
Description | The description of the SNMP subscriber. |
# of Events | The number of events selected to be sent to the SNMP console. |
Use these toolbar buttons to manage the SNMP subscriptions.
Option | Description |
---|---|
Add a new SNMP subscription. For more information, see Configuring SNMP subscriptions. | |
Update the list of SNMP subscriptions. | |
Modify the selected SNMP subscription. | |
Clone the selected SNMP subscription. |
© 2022 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy