Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.11 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Starling

Safeguard for Privileged Passwords can join with the cloud platform One Identity Starling. By joining with One Identity Starling, Safeguard for Privileged Passwords customers can take advantage of companion features from Starling services; such as Starling Two-Factor Authentication . For more information, see Join Starling.

Join Starling

In order to use Starling 2FA with Safeguard for Privileged Passwords's Approval Anywhere feature or as a secondary authentication provider, you must join Safeguard for Privileged Passwords to Starling. It is the responsibility of the Appliance Administrator to join One Identity Safeguard for Privileged Passwords to Starling.

NOTE: In version 2.1 and earlier, you had to specify a Starling API key in order to use Approval Anywhere and Starling Two-Factor Authentication (2FA) as a secondary authentication provider. This is no longer necessary when you join Safeguard for Privileged Passwords to Starling. If you previously configured these features, once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configurations to use the credential string generated by the join process.

For additional information and documentation regarding the Starling Cloud platform and Starling Two-Factor Authentication, see Starling Two-Factor Authentication - Technical Documentation.

Prerequisites

See the Starling Release Notes for currently supported platforms.

In order to use the companion features from Starling services, first configure the following:

  • Register a Starling organization. For more information on Starling, see the One Identity Starling User Guide.
  • Download the Starling 2FA app on your mobile phone to use the Approval Anywhere feature.

  • If your company requires the use of a proxy to access the internet, you must configure the web proxy to be used. For more information on configuring a web proxy to be used by Safeguard for Privileged Passwords for outbound web requests to integrated services, see Networking.
Join Safeguard for Privileged Passwords with Starling

NOTE: You must be an Organization Admin for the Starling organization in order to join Safeguard for Privileged Passwords with Starling.

  1. Navigate to Administrative Tools | Settings| External Integration | Starling. This pane also includes the following links, which provide assistance with Starling:
    • Visit us online to learn more displays the Starling login page where you can create a new Starling account.
    • Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
  2. Click Join to Starling.

    NOTE: The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard for Privileged Passwords will be joined with.

    After the join has successfully completed, you will be returned to the Safeguard for Privileged Passwords desktop client and the Starling settings pane will now show Joined to Starling. Once Starling is joined, you can configure users to require secondary authentication using Starling. For more information, see Authentication tab (add user).

To unjoin Safeguard for Privileged Passwords from Starling

  1. In Settings, select External Integration | Starling.
  2. Click Unjoin Starling.

    Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Approval Anywhere and two-factor authentication as a secondary authentication provider are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account can rejoin Safeguard for Privileged Passwords to Starling at any time.

After the join

Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled and can be implemented using Starling Two-Factor Authentication:

  • Secondary authentication

    Safeguard for Privileged Passwords supports two-factor authentication by configuring authentication providers, such as Starling Two-Factor Authentication, which are used to configure Safeguard for Privileged Passwords's authentication process such that it prompts for two sources of authentication when users log in to Safeguard for Privileged Passwords.

    A Starling 2FA authentication provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to Starling. As an Authorizer or User Administrator, you must configure users to use Starling 2FA as their secondary authentication provider when logging into Safeguard for Privileged Passwords. For more information, see Configuring user for Starling Two-Factor Authentication when logging in to Safeguard.

  • Approval Anywhere

    The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication (2FA), allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.

    Approval Anywhere is enabled when you join Safeguard for Privileged Passwords to One Identity Starling. As a Security Policy Administrator, you must define the Safeguard for Privileged Passwords users authorized to use Approval Anywhere. For more information, see Adding authorized user for Approval Anywhere.

Syslog

Safeguard for Privileged Passwords allows you to define one or more syslog servers to be used for logging Safeguard for Privileged Passwords event messages. Using this feature, Appliance Administrators can specify to send different types of messages to different syslog servers.

Navigate to Administrative Tools | Settings | External Integration | Syslog. The Syslog pane displays the following about each syslog server defined.

Table 166: Syslog server: Properties
Property Description
Network Address The IP address or FQDN of the syslog server
Port The UDP port number for syslog server
Facility The type of program being used to create syslog messages
Description The description of the syslog server configuration
# of Events The number of events selected to be logged to the syslog server

Use these toolbar buttons to manage the syslog server configurations

Table 167: Syslog server: Toolbar
Option Description
New Add a new syslog server configuration. For more information, see Configuring a syslog server.
Delete Selected

Remove the selected syslog server configuration from Safeguard for Privileged Passwords.

Refresh Update the list of syslog server configurations.
Edit Modify the selected syslog server configuration.
Copy Clone the selected syslog server configuration.

Configuring a syslog server

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to log event messages to a syslog server.

To configure a syslog server

  1. Navigate to Administrative Tools | Settings | External Integration | Syslog.
  2. Click New to display the Syslog dialog.
  3. In the Syslog dialog, enter the following:

    1. Network Address: Enter the IP address or FQDN of the syslog server.

      Limit: 255 characters

    2. UDP Port: Enter the UDP port number for the syslog server.

      Default: 514

      Range: between 1 and 32767

    3. Description: Enter a description for the syslog server configuration.

      Limit: 255 characters

    4. Events: Click Browse to select the events to be included in the syslog.

      On the Event selection dialog, select the events to be included, then click OK.

    5. Facility: Choose the type of program to be used to log syslog messages.

      Default: User-level messages

  4. Click OK to save your selection and add the syslog server configuration.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating