Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.10 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Setting up Application to Application

desktop client only

In order to use Application to Application integration with Safeguard for Privileged Passwords, you must perform the following tasks:

Step 1: Prepare third-party application for integration with Safeguard for Privileged Passwords.

Step 2: Appliance Administrator enables Application to Application service in Safeguard for Privileged Passwords.

Using the desktop client, navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service and click the Application to Application Enabled toggle to toggle on.

-OR-

Use the following URL: https://appliance/service/appliance/v2/A2AService/Enable

Step 3: Asset Administrator adds assets and accounts to Safeguard for Privileged Passwords. For more information, see Adding an asset and Adding an account

Step 4: User Administrator adds certificate users to Safeguard for Privileged Passwords. For more information, see Adding a user.

Step 5: Security Policy Administrator adds application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration.

Step 6: Get the API key and copy/paste it into the third-party application in order to make requests from the third-party application. For more information, see Making a request using the Application to Application service.

Adding an application registration

desktop client only

To allow a third-party application to perform one of the tasks provided by the Application to Application service, you must register the third-party application with Safeguard for Privileged Passwords.

Prerequisites
  • User Administrator adds certificate users to Safeguard for Privileged Passwords.
  • Asset Administrator adds assets and accounts to Safeguard for Privileged Passwords.

To add an application registration

  1. Log in to the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
  2. Navigate to Administrative Tools | Settings | External Integration | Application to Application.
  3. Click Add.

    The New Registration dialog displays.

  4. On the General tab, specify the following information: 
    1. Name: Enter a name for the application registration.
    2. Description: Enter information about the application registration.
    3. Certificate User: Click Browse to select a certificate user who is associate with the third-party application being registered.

      A certificate user must be specified. If not specified when you initially add an application registration, click Edit on the Application to Application pane to specify the certificate user.

      NOTE: For SignIR, connect as a certificate user using A2A API key for the retrievable account you want to monitor that is assigned an A2A registration for Retrievable Accounts. The connected certificate user will receive event notifications for any events related to that account (for example, password change, update, and delete). For more information, see Making a request using the Application to Application service.

    4. I want to configure this registration for: Select the tasks to be performed by the Application to Application service:

      • Access Request Broker: Select this check box if you want the third-party application to create an access request on behalf of another user.
      • Credential Retrieval: Select this check box if you want the third-party application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.

        • Visible to certificate user: Select this check box to make the registration, including the API keys, visible by the certificate user that is configured for the A2A registration.

      Depending on the check boxes selected, additional tabs are displayed.

  5. If Access Request Broker is selected, the Access Request Broker tab displays a list of users for which the third-party application can create an access request on behalf of.

    • Click to add a user or user group to the list.
    • Click Edit Restrictions to specify IP address restrictions for all of the users and user groups in the list.

      A restriction is a list of IP addresses or range of IP addresses that are allowed to call the Application to Application service to perform this task. That is, if a restriction is added to a Credential Retrieval or Access Request Broker task, the service will only allow requests that initiate from the IP addresses specified in the restriction list.

      The IP address notation can be:

      • An IPv4 or IPv6 address (for example, 10.5.32.4)
      • An address range in CIDR notation (for example, 10.5.0.0/16)

    • Click to remove the selected user from the list.
  6. If Credential Retrieval is selected, the Credential Retrieval tab displays a list for which the third-party can retrieve credentials from Safeguard for Privileged Passwords without going through the normal workflow process.

    • Click to add an account to the list.
    • Click Restrictions in the Restrictions column to specify IP address restrictions for the selected account.

      A restriction is a list of IP addresses or range of IP addresses that are allowed to call the Application to Application service to perform this task. That is, if a restriction is added to a Credential Retrieval or Access Request Broker task, the service will only allow requests that initiate from the IP addresses specified in the restriction list.

      The IP address notation can be:

      • An IPv4 or IPv6 address (for example, 10.5.32.4)
      • An address range in CIDR notation (for example, 10.5.0.0/16)

    • Click to remove the selected account from the list.
  7. Click Create Registration.

Once an application registration is added to Safeguard for Privileged Passwords, the third-party application can authenticate with Safeguard for Privileged Passwords using the API key that was generated and the certificate that was associated with the registration. To make a request, you must retrieve the relevant API key for the application using an authorized account (that is, using bearer token authentication) and install the correct certificate on the host that will make the request. For more information, see Making a request using the Application to Application service.

Deleting an application registration

desktop client only

Click Delete on the Application to Application pane in the External Integration settings view to delete an application registration from Safeguard for Privileged Passwords.

To delete an application registration

  1. Navigate to Administrative Tools | Settings | External Integration | Application to Application.
  2. Select the application registration to be deleted.
  3. Click the toolbar button.
  4. Confirm your request.

Regenerating an API key

desktop client only

If, as the Security Policy Administrator, you discover that the API key has been stolen or misplaced, you can regenerate the API key at any time. When you regenerate an API key, it invalidates the old API key and prevents any services from using that key to access the Application to Application service.

To regenerate an API key

  1. Log in to the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
  2. Navigate to Administrative Tools | Settings | External Integration | Application to Application.
  3. Select an application registration from the list.
  4. Click from the toolbar.
  5. On the API Keys dialog, select the API key to be replaced.
  6. Click .

You can now view or copy the new API key to the clipboard and use this new API key in your third-party application to access the Application to Application interfaces. See Making a request using the Application to Application service.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating