
One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide


Modifying user password requirements

It is the responsibility of the Authorizer Administrator to configure the user password rules.

To configure user password rules

  1. Go to password rules:
    • web client: Navigate to Settings | Safeguard Access | Local Password Rule.
    • desktop client: Navigate to Administrative Tools | Settings | Safeguard Access | Password Rules.
  2. web client: Check the current password requirements displayed in the Rule Summary.
  3. Set the password rule requirements as follows. The desktop client layout is slightly different.

    • Password Length: Set the allowable password length range, from three to 255 characters. The default is 8 to 64 characters. The maximum length must be equal to or greater than the sum of the minimum characters required in the following steps. For example, if the password must have two uppercase letters, two lowercase letters, and two numeric characters, the minimum Password Length must be six. Note that a diacritical letter counts as one character.

    • First Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Last Character Type: Choose one of the following:
      • All: Alphabetical, numeric, or symbols
      • Alphanumeric: Alphabetical or numeric
      • Alphabetic: Only alphabetical characters
    • Repeated Characters: Choose one of the following:
      • Allow repeated characters: Any letters, numbers, or symbols can be repeated in any order, including consecutively.
      • No consecutive repeated characters: No letter, number, or symbol can be repeated immediately after itself. You can further restrict the number of consecutively repeated characters later, by uppercase letters, lowercase letters, numbers, symbols, or a combination of those.
      • No repeated characters: All letters, numbers, or symbols can only be used once in the password.
    • Allow Uppercase: Select to allow uppercase (capital) letters. In the desktop client, click Advanced, as needed.

      • Require a Minimum of Uppercase Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at zero.
      • Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated uppercase letters. You must enter a Maximum Allowed Characters value of one or more.
      • Exclude these Uppercase Characters: Enter any uppercase characters you want to exclude from the password. This field is case-sensitive.
    • Allow Lowercase: Select to allow lowercase (small) letters. In the desktop client, click Advanced, as needed.
      • Require a Minimum of Lowercase Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at zero.
      • Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Maximum Allowed Characters value of one or more.
      • Exclude these Lowercase Characters: Enter any lowercase characters you want to exclude from the password. This field is case-sensitive.
    • Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Maximum Allowed Characters.

      For example, if you set the Maximum Allowed Characters to 2, then you cannot have more than two alphabetic characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not, because it has three alphabetic characters in a row.

    • Allow Numeric Character (0-9): Select to allow numeric characters in the password. In the desktop client, click Advanced, as needed.
      • Require a Minimum of Numeric Characters: Enter a number to identify the least number of numeric characters required in a password. To allow but not require numbers, set this value at zero.
      • Limit Consecutively Repeated Numeric Characters: Select the check box to limit the number of consecutively repeated numeric characters. You must enter a Maximum Allowed Characters value of one or more.
      • Exclude these Numeric Characters: Enter any numeric characters you want to exclude from the password. This field is case-sensitive.
    • Allow Symbols (e.g. @ # $ % &): Select this check box to allow printable ASCII symbol characters. These often include: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /

      In the desktop client, click Advanced, as needed.

      • Require a Minimum of Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at zero.
      • Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Maximum Allowed Characters value of one or more.
      • Set the following:
        • Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
        • Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
  4. Click Test Rule to check the rules you have set.
  5. When the rules are complete, click Apply (web client) or OK (desktop client).
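The settings above map onto a small rule validator; this is an added worked example, not the guide's or the product's own code, and it is useful for checking a proposed rule set against sample passwords before applying it. It assumes that each "Limit Consecutively Repeated" setting counts the longest run of characters of that class (as the guide's Ab1Cd2EF / AbC1d2EF example does) and that the Invalid Symbols list is modelled as the symbol class's excluded set; the rule and field names are the example's own.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import groupby

@dataclass
class ClassRule:  # per-class settings: Allow, Require a Minimum, Limit Consecutively Repeated, Exclude
    allowed: bool = True
    minimum: int = 0                        # 0 = allow but do not require this class
    max_consecutive: int | None = None      # None = no limit on a run of this class (assumption: run-based)
    excluded: str = ""                      # "Exclude these ..." characters; for symbols, the Invalid Symbols list

@dataclass
class PasswordRule:
    min_length: int = 8                     # Password Length: default 8 to 64
    max_length: int = 64
    first_type: str = "all"                 # First/Last Character Type: all | alphanumeric | alphabetic
    last_type: str = "all"
    repeated: str = "allow"                 # Repeated Characters: allow | no_consecutive | none
    max_consecutive_alpha: int | None = None  # Limit Consecutively Repeated Alpha Characters
    upper: ClassRule = field(default_factory=ClassRule)
    lower: ClassRule = field(default_factory=ClassRule)
    digit: ClassRule = field(default_factory=ClassRule)
    symbol: ClassRule = field(default_factory=ClassRule)
    valid_symbols: str | None = None        # Valid Symbols list; None = any printable symbol

TYPE_TESTS = {"all": lambda c: True, "alphanumeric": str.isalnum, "alphabetic": str.isalpha}
def char_class(c: str) -> str:  # a diacritical letter is one character of its case
    return "upper" if c.isupper() else "lower" if c.islower() else "digit" if c.isdigit() else "symbol"
def longest_run(flags: list[bool]) -> int:  # longest run of consecutive True entries
    return max((len(list(g)) for k, g in groupby(flags) if k), default=0)

def check_password(pw: str, rule: PasswordRule) -> list[str]:  # names of violated rules; [] = password passes
    classes = [char_class(c) for c in pw]
    checks = [
        (not rule.min_length <= len(pw) <= rule.max_length, "length"),
        (bool(pw) and not TYPE_TESTS[rule.first_type](pw[0]), "first_character_type"),
        (bool(pw) and not TYPE_TESTS[rule.last_type](pw[-1]), "last_character_type"),
        (rule.repeated == "none" and len(set(pw)) != len(pw), "repeated_characters"),
        (rule.repeated == "no_consecutive" and any(a == b for a, b in zip(pw, pw[1:])), "consecutive_repeated_characters"),
        (rule.max_consecutive_alpha is not None and longest_run([k in ("upper", "lower") for k in classes]) > rule.max_consecutive_alpha, "alpha_consecutive"),
        (rule.valid_symbols is not None and any(c not in rule.valid_symbols for c, k in zip(pw, classes) if k == "symbol"), "symbol_not_in_valid_list"),
    ]
    for name in ("upper", "lower", "digit", "symbol"):  # the Advanced settings of each class
        cr, members = getattr(rule, name), [c for c, k in zip(pw, classes) if k == name]
        checks += [
            (bool(members) and not cr.allowed, f"{name}_not_allowed"),
            (len(members) < cr.minimum, f"{name}_minimum"),
            (cr.max_consecutive is not None and longest_run([k == name for k in classes]) > cr.max_consecutive, f"{name}_consecutive"),
            (any(c in cr.excluded for c in members), f"{name}_excluded"),
        ]
    return [name for failed, name in checks if failed]
```

With `PasswordRule(max_consecutive_alpha=2)`, `check_password("Ab1Cd2EF", rule)` returns `[]` and `check_password("AbC1d2EF", rule)` returns `["alpha_consecutive"]`, matching the guide's example.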

Time Zone

desktop client only

Safeguard for Privileged Passwords sets a default time zone based on the location of the person performing the setup. The time zone is expressed as UTC + or – hours:minutes and is used for timed access (for example, access from 9 a.m. to 5 p.m.). It is recommended that the Bootstrap Administrator set the desired time zone during setup. An Authorizer Administrator can also change the time zone.

To configure the time zone

  1. Navigate to Administrative Tools | Settings | Safeguard Access | Time Zone.
  2. The User Administrator can search for and select the desired time zone.
  3. desktop client: The User Administrator can change Allow users to modify their own time zone.
    • Enable the setting to let users change their time zone (the default).
    • Disable the setting to prohibit a user from changing their time zone, possibly to ensure the user conforms with policy.

Identity and Authentication

Safeguard for Privileged Passwords allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log in to Safeguard. You can create providers for Active Directory, OpenLDAP 2.4, any SAML 2.0 federated service, or Radius.

To be managed, a directory asset must be added as both an asset and as an identity provider. When adding the identity provider, if the account name matches an account name already linked to an identity provider, the provider is automatically assigned. For more information, see Accounts.

Go to Identity and Authentication:

  • web client: Navigate to Settings | Safeguard Access | Identity and Authentication.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication.

The Identity and Authentication pane displays the following details about the identity and authentication providers defined.

Table 179: Identity and Authentication: Properties

  • Name: The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with the exception of Active Directory, External Federation, and any 2FA provider.

    NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling.

  • Type: Types of identity and authentication providers follow. Only certain primary and secondary authentication combinations are valid. For more information, see Authentication provider combinations.
    • Active Directory
    • LDAP
    • External Federation
    • Radius (use as a secondary authentication provider)
    • Radius as Primary (use as a primary authentication provider)
    • FIDO2
  • Description: Enter any descriptive information to use for administrative purposes.

Use these toolbar buttons to manage identity and authentication provider configurations.

Table 180: Identity and Authentication: Toolbar

  • Add: Add an identity or authentication provider configuration. For more information, see Adding identity and authentication providers.
  • Remove: Remove the selected identity or authentication provider. The provider can only be deleted if it has no associated users.
  • Edit: Modify the selected identity or authentication provider.
  • Synchronize Now: Run the directory addition (incremental) synchronization process for directory users (identity providers) and directory user groups. All changes except for deletions are synced. The sync is queued by asset by provider and runs one directory sync on that asset at a time. You can run multiple syncs in parallel on different assets. This is the faster type of sync because deletions are not synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task.

    This process also runs discovery, if discovery rules and configurations are set up.

    The directory deletion and addition (full) synchronization process must be run from the API (IdentityProviders/Synchronize).

  • Download Safeguard Federation Metadata: Download a copy of the Safeguard for Privileged Passwords Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including whitespace. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.
  • Refresh: Update the list of identity and authentication providers.

Authentication provider combinations

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in.

Using Local as the identity provider

Table 181: Allowable local identity provider combinations

  • Primary authentication: Local (the specified login name and password or SSH key will be used for authentication)
    Secondary authentication: None, Starling, Radius, Active Directory, LDAP, or FIDO2
  • Primary authentication: Certificate (the specified certificate thumbprint will be used for authentication)
    Secondary authentication: None, Starling, Radius, Active Directory, LDAP, or FIDO2
  • Primary authentication: External Federation (the specified email address or name claim will be used for authentication)
    Secondary authentication: None, Starling, Radius, Active Directory, LDAP, or FIDO2
  • Primary authentication: Radius (the specified login name will be used for authentication)
    Secondary authentication: None, Starling, Active Directory, LDAP, or FIDO2

    NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

Using Active Directory as the identity provider

Table 182: Allowable Active Directory identity provider combinations

  • Primary authentication: Active Directory (the samAccountName or X509 certificate will be used for authentication)
    Secondary authentication: None, Starling, Radius, LDAP, or FIDO2

    NOTE: The user must authenticate against the domain in which their account exists.

  • Primary authentication: External Federation (the specified email address or name claim will be used for authentication)
    Secondary authentication: None, Starling, Radius, Active Directory, LDAP, or FIDO2
  • Primary authentication: Radius (the specified login name will be used for authentication)
    Secondary authentication: None, Starling, Active Directory, LDAP, or FIDO2

    NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

Using LDAP as the identity provider

Table 183: Allowable LDAP identity provider combinations

  • Primary authentication: LDAP (the specified username attribute will be used for authentication)
    Secondary authentication: None, Starling, Radius, Active Directory, or FIDO2
  • Primary authentication: External Federation (the specified email address or name claim will be used for authentication)
    Secondary authentication: None, Starling, Radius, Active Directory, LDAP, or FIDO2
  • Primary authentication: Radius (the specified login name will be used for authentication)
    Secondary authentication: None, Starling, Active Directory, LDAP, or FIDO2

    NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.
