One Identity Safeguard for Privileged Passwords 7.1.1

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring secondary authentication log in.

Using Local as the identity provider

Table 63: Allowable local identity provider combinations
Primary authentication	Secondary authentication
Local: The specified login name and password or SSH key will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Certificate: The specified certificate thumbprint will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using Active Directory as the identity provider

Table 64: Allowable Active Directory identity provider combinations
Primary authentication	Secondary authentication
Active Directory: The samAccountName or X509 certificate will be used for authentication. NOTE: The user must authenticate against the domain from which their account exists.	None OneLogin MFA Radius LDAP FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using LDAP as the identity provider

Table 65: Allowable LDAP identity provider combinations
Primary authentication	Secondary authentication
LDAP: The specified username attribute will be used for authentication.	None OneLogin MFA Radius Active Directory FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius : The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using Starling as the identity provider

Table 66: Allowable Starling identity provider combinations
Primary authentication	Secondary authentication
Starling	None

Adding identity and authentication providers

It is the responsibility of the Appliance Administrator to add directories to Safeguard for use as identity and authentication providers.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of an Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

Go to Identity and Authentication:
- web client: Navigate to Safeguard Access > Identity and Authentication.
Click Add.
Click the provider:
- Active Directory: See Active Directory and LDAP settings.
- LDAP: See Active Directory and LDAP settings.
- External Federation: See External Federation settings.
- Radius: See Radius settings.
- FIDO2: See FIDO2 settings.
- OneLogin MFA: See OneLogin MFA settings.

Active Directory and LDAP settings

Table 67: Active Directory and LDAP: General tab properties
Property	Description
Product	The product name.
Forest Root Domain Name	Forest Root Domain Name.
Name	Unique name.
Service Account Domain Name (for Active Directory)	Enter the fully qualified Active Directory domain name, such as example.com. Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE. The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers.
Network Address (for LDAP)	Enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network.
Service Account Name (for Active Directory)	Enter an account for Safeguard for Privileged Passwords to use for management tasks. If the account name matches an account name already linked to an identity provider, the provider is automatically assigned. If you want the password to be available for release, click Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request. Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords. Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object that represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify. For more information, see About service accounts.
Service Account Distinguished Name (for LDAP)	Enter a fully qualified distinguished name (FQDN) for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com
Service Account Password	Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory.
Description	Enter information about this external identity provider.
Connect	Click Connect to verify the credentials. If adding an Active Directory provider, all domains in the forest will be displayed. Choose which ones can be used for identity and authentication.
Available Domains for Identity and Authentication (for Active Directory)	All newly created Safeguard users that are imported from the directory user group will have their primary authentication provider set to use the directory domain from which their user originates. For an Active Directory forest with multiple domains, the domains must be marked as Available Domains for Identity and Authentication. Clearing the forest root domain will have undesired results when managing directory users and groups. For more information, see Adding a directory user group.
Advanced	Open to reveal the following synchronization settings:
Port (for LDAP)	Enter port 389 used for communication with the LDAP directory.
Use SSL Encryption	Select whether or not to use SSL when connecting to the server. You must have a valid SSL certificate and have the SSL's issuer certificate be trusted by Safeguard for Privileged Passwords. For more information, see Trusted CA Certificates.
Domain Controllers	For Active Directory, instead of having Safeguard for Privileged Passwords automatically find domain controllers from a DNS and CLDAP ping, you can specify domain controllers.
Sync additions every	Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes Range: Between 1 and 2147483647
Sync deletions every	Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords. Default: 15 minutes Range: Between 1 and 2147483647

Table 68: Active Directory and LDAP: Attributes tab (defaults)
Safeguard for Privileged Passwords attribute	Directory attribute
Users
Object Class	Browse to select a class definition that defines the valid attributes for the user object class. Default: user for Active Directory, inetOrgPerson for LDAP
User Name	sAMAccountName for Active Directory, cn for LDAP
Password	userPassword for LDAP
First Name	givenName
Last Name	sn
Work Phone	telephoneNumber
Mobile Phone	mobile
Email	mail
Description	description
External Federation Authentication	The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this will be an attribute containing the user’s email address or other unique identifier used by the external Secure Token Service (STS). For both Active Directory and LDAP 2.4, this will default to the "mail" attribute. This is only used when processing members of a directory user group in which the group has been configured to use an External Federation provider as the primary authentication. For more information, see Adding a directory user group.
Radius Authentication	The directory attributed used to match the username value in an external Radius server that has been configured for either primary or secondary authentication. For Active Directory, this will default to using the samAccountName attribute. For LDAP 2.4, this will default to using the cn attribute. NOTE: This is only used when processing members of a directory user group in which the group has been configured to use Radius as either the primary or secondary authentication provider. For more information, see Adding a directory user group.
Managed Objects	The directory attribute used when automatically associating existing managed Accounts to users of a directory user group as linked accounts. Defaults: For Active Directory, this defaults to managedObjects. However, you may want to use the directReports attribute based on where you have the information stored in Active Directory. For LDAP 2.4, this defaults to the seeAlso attribute. When choosing an attribute, it must exist on the user itself and contain one or more Distinguished Name values of other directory user objects. For example, you would not want to use the owner attribute in LDAP 2.4, as the direction of the relationship is going the wrong way. You would instead want an owns attribute to exist on the user such as the default seeAlso attribute. For more information, see Adding a directory user group.
Groups
Object Class	Browse to select a class definition that defines the valid attributes for the group object class. Default: group for Active Directory, groupOfNames for LDAP
Name	sAMAccountName for Active Directory, cn for LDAP
Member	member
Description	description

External Federation settings

Radius settings

FIDO2 settings

OneLogin MFA settings

Branding Customization

The Appliance Administrator can customize the login page and application for their users. Any customization must be configured on the primary, however any customization will also appear on replicas.

To customize the branding used on the login page and application header

Navigate to Appliance Management > Safeguard Access > Branding.
Select Custom Branding.
In the Login Page section, the Title field allows you to enter a name for the application (up to 50 characters long) that will appear on the login page.
For the Title Size, enter the font size in pixels to use for the application name. By default this is 36 px.
To customize the display colors, click the box beneath each field name to open a color selector dialog:
1. Title Color
2. Background Color
3. Page Text Color
Click the Upload Logo button to select a logo file to use for the login page (256KB max file size; recommended width: 160px to 400px, height 160px to 200px). Once uploaded, the uploaded logo will be displayed beneath the Page Text Color field.
In the Application Header section, the Title field allows you to enter the display name (up to 50 characters long) that will be used within the header of the application.
Click the Upload Logo button to select a logo file to use within the header of the application (256KB max file size; recommended width: 48px to 150px, height 48px to 64px). Once uploaded, the uploaded logo will be displayed beneath the Title field.
Click Save.

After saving, you can view the changes using the Review Login Page Customization or Review Application Customization buttons.

NOTE: You can select the Safeguard Branding option at the top of the page and click Save to remove any configured customizations and restore the Safeguard for Privileged Passwords branding. After clicking Save you will be prompted for confirmation.

Appliance Management Settings

In the web client, Appliance Management has a settings page used to manage the maximum number of platform task retries.

Navigate to Appliance Management > Settings to manage the setting listed below.

Table 69: Appliance Management Setting
Setting	Description
Maximum Platform Task Retries	Set the maximum number of platform retries.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

One Identity Safeguard for Privileged Passwords 7.1.1 - Administration Guide

Authentication provider combinations