Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.10 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Configuring user for Starling Two-Factor Authentication when logging in to Safeguard

It is the responsibility of the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging in to Safeguard for Privileged Passwords.

TIP: If you want to use one-touch approvals, download and install the Starling 2FA app onto your mobile device.

To configure users to use Starling Two-Factor Authentication when logging in to Safeguard for Privileged Passwords

  1. Log in to Safeguard for Privileged Passwords as an Authorizer Administrator or User Administrator.
  2. Navigate to Administrative Tools | Users.
  3. Add or edit users, ensuring the following settings are configured:
    1. Authentication tab:
      • Require Secondary Authentication: Select this check box.
      • Authentication Provider: Select the Starling 2FA service provider.

        NOTE: If the Starling 2FA service provider is not listed, you must first join Safeguard for Privileged Passwords to Starling. For more information, see Starling.

      • Use alternate mobile phone number: Optionally, select this check box and enter an alternate mobile number to be used for two-factor authentication notifications.

        NOTE: If you want to use one-touch approvals, this feature requires a valid mobile phone number for the user. If the user does not have their mobile number published in Active Directory, use this option to specify a valid mobile phone number for the user.

    2. Contact Information tab:
      • Mobile Phone: Enter a valid mobile phone number in E.164 format.
      • Email Address: Enter a valid email address.

Now whenever any of these users attempt to log in to Safeguard for Privileged Passwords, after entering their password, a message appears on the login screen informing them that an additional authentication step is required.

NOTE: If the Safeguard for Privileged Passwords user is required to use Starling Two-Factor Authentication and has the Starling 2FA mobile app installed, Safeguard for Privileged Passwords sends a push notification to their mobile device where they can complete the login by pressing a button in the app. If the user does not have the Starling 2FA app, they have the option to receive a one-time password via SMS or a phone call.

Adding a user to user groups

It is the responsibility of the Security Policy Administrator to add users to user groups to assign to password policies.

To add a user to a user group

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the User Groups tab.
  3. Click Add User Groups from the details toolbar.
  4. Select one or more groups from the list in the User Groups dialog and click OK.

If you do not see the user group you are looking for and are a Security Policy Administrator, you can click Create New in the User Groups dialog and add the user group. For more information about creating user groups, see Adding a user group.

Adding a user to entitlements

It is the responsibility of the Security Policy Administrator to add users to entitlements. When you add users to an entitlement, you are specifying which people can request access governed by the entitlement's policies.

To add a user to entitlements

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the Entitlements tab.
  3. Click Add Entitlement from the details toolbar.
  4. Select one or more entitlements from the list in the Entitlements dialog and click OK.

If you do not see the entitlement you are looking for and are a Security Policy Administrator, you can click Create New in the Entitlements dialog. For more information about creating entitlements, see Adding an entitlement.

Linking a directory account to a user

It is the responsibility of the Security Policy Administrator to link directory accounts to a user. Once linked, these linked accounts can be used to access assets and accounts within the scope of an access request policy.

To link a directory account to a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, select a user from the object list and open the Linked Accounts tab.
  3. Click Add Linked Account from the details toolbar.

    The Directory Account dialog displays, listing the directory accounts available in Safeguard for Privileged Passwords. This dialog includes the following details about each directory account listed:

    • Name: Displays the name of the directory account.
    • Domain Name: Displays the name of the domain where this account resides.
    • Service Account: A check mark indicates the account is a service account.
    • Password Request: A check mark indicates password release requests are allowed.
    • Session Request: A check mark indicates the account is enabled for session requests.
    • SSH Key Request: A check mark indicates SSH key release requests are allowed.
    • Password: A check in this column indicates that a password is set for the selected account. For more information, see Checking, changing, or setting an account password.
    • SSH Key: A check in this column indicates that an SSH key is set for the selected account. For more information, see Checking, changing, or setting an SSH key.
    • Description: Displays descriptive text about the directory account.
  4. Select one or more accounts from the list in the Directory Account dialog and click OK.

Related Topic

Adding an account

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating