Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP Glossary About us

Starling

One Identity Starling Two-Factor Authentication (2FA) is a SaaS solution that provides two-factor authentication on a product allowing organizations to quickly and easily verify a user's identity. This service is provided as part of the One Identity Starling cloud platform. In addition, Starling offers a hybrid service, One Identity Hybrid, that allows you to take advantage of companion features from multiple Starling services, such as Starling Two-Factor Authentication.

Joining Safeguard for Privileged Passwords to Starling adds Safeguard to the One Identity Hybrid service allowing you to use features from the Starling 2FA services. For more information, see Join Starling.

A video of Safeguard and Starling 2FA and Approval Anywhere can be found on the Support site at One Identity Safeguard Video and Tutorials then scroll to the video, Safeguard and Starling 2FA.

Join Starling

In order to use Starling 2FA with Safeguard for Privileged Passwords's Approval Anywhere feature or as a secondary authentication provider, you must join Safeguard for Privileged Passwords to Starling. It is the responsibility of the Appliance Administrator to join One Identity Safeguard for Privileged Passwords to Starling.

NOTE: In version 2.1 and earlier, you had to specify a Starling API key in order to use Approval Anywhere and Starling Two-Factor Authentication (2FA) as a secondary authentication provider. This is no longer necessary when you join Safeguard for Privileged Passwords to Starling. If you previously configured these features, once you join to Starling, Safeguard for Privileged Passwords automatically migrates your previous configurations to use the credential string generated by the join process.

For additional information and documentation regarding the Starling Cloud platform and Starling Two-Factor Authentication, see Starling Two-Factor Authentication - Technical Documentation.

Prerequisites

See the Starling Release Notes for currently supported platforms.

In order to use the companion features from Starling services, first configure the following:

  • A valid license for Safeguard for Privileged Passwords with One Identity Hybrid subscription included.

    NOTE: You must have a valid license for Safeguard: Privileged Passwords.

  • Register a Starling Organization Admin account or a Collaborator account associated with the One Identity Hybrid subscription. For more information on Starling, see the One Identity Starling User Guide.
  • Download the Starling 2FA app on your mobile phone to use the Approval Anywhere feature.

  • If your company requires the use of a proxy to access the internet, you must configure the web proxy to be used. For more information on configuring a web proxy to be used by Safeguard for Privileged Passwords for outbound web requests to integrated services, see Networking.

To sign up for a Starling One Identity Hybrid service trial account

  1. Go to https://www.cloud.oneidentity.com/ and log in or register a new account for the Starling cloud platform.
    1. From the Starling home page, click Sign in to Starling.
    2. Enter a valid email address and click Next.
    3. Enter your password and click Sign In.
    4. On the Create your Account page, enter your organization and your mobile phone number.

    NOTE: If the email address you entered does not exist, you will be taken directly to the Create your Account page to register your organization and enter your name, password, and mobile phone number.

    When registering for the first time, you will be sent a verification email in which you must click the supplied link in order to complete the registration process.

  2. Once logged in, click the Trial button under the One Identity Hybrid tile. Follow the prompts on the screen.

    The service will be added to the My Services section and be available for use until the trial period has ended. The number of days left in your trail is indicated by a countdown at the top right of the service access button on the home page of Starling. At any point in the trial you can use the More Information button associated with the service to find out how to purchase the product.

Join Safeguard for Privileged Passwords with Starling
  1. Go to Starling:
    • web client: Navigate to  Settings | External Integration | Starling.
    • desktop client: Navigate to Administrative Tools | Settings| External Integration | Starling.
  2. Notice that this pane also includes the following links, which provide assistance with Starling:
    • Visit us online to learn more displays the Starling login page where you can create a new Starling account.
    • Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
  3. Click Join to Starling.
    The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard for Privileged Passwords will be joined with.

    After the join has successfully completed, you will be returned to the Safeguard for Privileged Passwords desktop client and the Starling settings pane will now show Joined to Starling. Once Starling is joined, you can configure users to require secondary authentication using Starling. For more information, see Authentication tab (add user).

To unjoin Safeguard for Privileged Passwords from Starling

  1. Go to Starling:
    • web client: Navigate to  Settings | External Integration | Starling.
    • desktop client: Navigate to Administrative Tools | Settings| External Integration | Starling.
  2. Click Unjoin Starling.

    Safeguard for Privileged Passwords will no longer be joined to Starling, which means that Approval Anywhere and two-factor authentication as a secondary authentication provider are also disabled in Safeguard for Privileged Passwords. A Starling Organization Admin account or Collaborator account associated with the Starling One Identity Hybrid subscription can rejoin Safeguard for Privileged Passwords to Starling at any time.

After the join

Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled and can be implemented using Starling Two-Factor Authentication:

  • Secondary authentication

    Safeguard for Privileged Passwords supports two-factor authentication by configuring authentication providers, such as Starling Two-Factor Authentication, which are used to configure Safeguard for Privileged Passwords's authentication process such that it prompts for two sources of authentication when users log in to Safeguard for Privileged Passwords.

    A Starling 2FA authentication provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to Starling. As an Authorizer or User Administrator, you must configure users to use Starling 2FA as their secondary authentication provider when logging into Safeguard for Privileged Passwords. For more information, see Configuring user for Starling Two-Factor Authentication when logging in to Safeguard.

  • Approval Anywhere

    The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication (2FA), allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.

    Approval Anywhere is enabled when you join Safeguard for Privileged Passwords to One Identity Starling. As a Security Policy Administrator, you must define the Safeguard for Privileged Passwords users authorized to use Approval Anywhere. For more information, see Adding authorized user for Approval Anywhere.

Syslog

Safeguard for Privileged Passwords allows you to define one or more syslog servers to be used for logging Safeguard for Privileged Passwords event messages. Appliance Administrators can specify to send different types of messages to different syslog servers. The syslog client certificate will be used. For more information, see Syslog Client Certificate.

To define and manage the syslog servers, go to Syslog:

  • web client: Navigate to  Settings | External Integration | Syslog.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.

The Syslog pane displays the following about each syslog server defined. The desktop client is in a different order and includes some fields that are in the Syslog Events setting in the web client.

Table 164: Syslog server: Properties
Property Description

Name

web client

The name of the syslog server

Network Address The IP address or FQDN of the syslog server
Port The port number for syslog server

Protocol

The network protocols and syslog header type

Use TLS Encryption

web client

If selected, provides encrypted communication with the syslog server instead of plain text over TCP

Use Client Certificate

web client

If selected, the syslog server requires clients to authenticate

Verify Server Certificate

web client

If selected, the syslog server certificate messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate

Facility

desktop client

The type of program being used to create syslog messages

Description

desktop client

The description of the syslog server configuration

# of Events

desktop client

The number of events selected to be logged to the syslog server

Format

desktop client

The format which can be CEF or JSON

Prefix

desktop client

  • If the format is JSON, the text that will be prepended to the JSON attributes
  • Use these toolbar buttons to manage the syslog server configurations

    Table 165: Syslog server: Toolbar
    Option Description
    Add Add a new syslog server configuration. For more information, see Configuring and verifying a syslog server.
    Remove

    Remove the selected syslog server configuration from Safeguard for Privileged Passwords.

    If you attempt to remove a syslog server in use, you will see a message like: <syslog server> will be removed. Select Yes or No.

    A second Force Delete message like this may display: There are dependencies on this syslog server: This object is referenced by ServiceDebug. Do you want to force delete this server? Select Force Delete or Cancel. If you select Force Delete, the dependent setting (such as an event subscriber or debug logging) will be deleted as well.

    Edit Modify the selected syslog server configuration.
    Copy Syslog Template Clone the selected syslog server configuration.
    Refresh Update the list of syslog server configurations.

    Configuring and verifying a syslog server

    It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to log event messages to a syslog server. The steps below cover configuration.

    Other considerations:

    Some of the actions performed from Syslog on the desktop client are in the web client: Syslog Events and Debug.

    To configure a syslog server

    1. Go to Syslog:
      • web client: Navigate to  Settings | External Integration | Syslog.
      • desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.
    2. Click Add to display the Syslog Serverdialog.
    3. In the Syslog Server dialog, enter the following:

      1. Name: Enter a descriptive name for the syslog server.

      2. Network Address: Enter the IP address or FQDN of the syslog server. Limit: 255 characters
      3. Port: Enter the port number for the syslog server. Default: 514 and range: between 1 and 32767

      4. Protocol: Select the network protocol and syslog header type:

        • UDP (RFC 3164): Sends messages over UDP using the syslog header format specified in RFC 3164. (desktop client)

        • UDP (RFC 5424): Sends messages over UDP using the syslog header format specified in RFC 5424.
        • TCP (RCF 5424): Sends messages over TCP using the syslog header format specified in RFC 5424. TCP is required for TLS options.
      5. If you selected a Protocol of TCP (RCF 5424), additional selections can be made to configure Safeguard for Privileged Passwords to use Transport Layer Security (TLS). This provides encrypted communication with the syslog server instead of plain text over TCP.
        • In the web client, select Use TLS Encrypton or in the desktop client, select Use TLS (Requires TCP).

        • Verify Syslog Server Certificate: If selected, the syslog server certificate messages will only be sent if Safeguard for Privileged Passwords is able to verify the authenticity of the syslog server TLS certificate. If Safeguard for Privileged Passwords cannot resolve the syslog server TLS certificate to a trusted root, the message will not be sent.
        • Use Client Certificate: Select this option if the syslog server requires clients to authenticate. You should also set the syslog client certificate appropriately. For more information, see Creating a syslog client Certificate Signing Request.
    4. The following settings in the desktop client. For the web client, the same capabilities are available from Syslog Events and Debug.
      1. Format: Select between Common Event Format (CEF) or Javascript Object Notation (JSON).
      2. Description: Enter the description of the syslog event.
      3. For Events, click Browse then select the check boxes of the Events to which you want to subscribe You can enter characters then click Search to limit the events that are displayed. Click OK.
      4. Facility: Select which syslog facility to use, for example User or Mail.
    5. Click OK to save your selection and add the syslog server configuration.
    6. You can verify the syslog server. See the next section.

    To verify a syslog server

    1. desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.
    2. When configuring the syslog server, add the test event. For more information, see To configure a syslog server.
    3. Select the syslog server configuration on the grid you want to test.
    4. Select Send Test Event. Safeguard for Privileged Passwords logs a test message to the designated syslog server.

    web client: Navigate to  Settings| External Integration | Syslog Event. Click Send Test Event. For more information, see Syslog Events.

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating