Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Join Starling

In order to use the SPP features associated with Starling services, you must join SPP to Starling. It is the responsibility of the Appliance Administrator to join One Identity Safeguard for Privileged Passwords to Starling.

For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.

Prerequisites

See the Starling Release Notes for currently supported platforms.

In order to use the companion features from Starling services, first configure the following:

  • Register a Starling organization. For more information on Starling, see the One Identity Starling User Guide.

    IMPORTANT: Not all Starling services are available to organizations in both the United States and European Union data centers. Check the documentation for the Starling services to see if there are any data center restrictions.

  • If your company requires the use of a proxy to access the internet, you must configure the web proxy to be used. For more information on configuring a web proxy to be used by SPP for outbound web requests to integrated services, see Networking.
  • To use the Cloud Assistant feature, you must subscribe to the Starling Cloud Assistant feature and configure the channel(s) that will be used.
Join SPP with Starling

NOTE: You must be an Organization Admin for the Starling organization in order to join SPP with Starling.

  1. Go to Starling:
    • web client: Navigate to External Integration > Starling.
  2. Notice that this pane also includes the following links, which provide assistance with Starling:
    • Visit us online to learn more displays the Starling login page where you can create a new Starling account.
    • Trouble Joining displays the Starling support page with information on the requirements and process for joining with Starling.
  3. Click Join to Starling and follow the prompts to complete the process.
    The following additional information may be required:
    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization SPP will be joined with.
  4. After the join has successfully completed, you will be returned to the SPP client and the Starling pane will now show Joined to Starling. For information on the features that are now available, see After joining Starling. For information on unjoining from Starling, see Unjoin Starling.

    IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.

After joining Starling

Once SPP is joined to Starling, the following SPP features are enabled:

Feature using Starling Connect
  • Starling Connect Registered Connectors

    This feature integrates your Starling connectors with SPP. This allows for the accounts stored in the connectors to be discovered and controlled by SPP through the use of partitions which allow for rotating passwords to provide additional security for them. For more information, see Registered Connectors.

Feature using Starling Cloud Assistant
  • Cloud Assistant

    The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the SPP web application.

    The Cloud Assistant feature is enabled when you join SPP to Starling. For more information, see Starling.. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

    IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.

Feature using Connect for Safeguard Assets
  • Connect for Safeguard Assets

    Within Starling, a Connect for Safeguard Assets service is available. Once added, this service allows for assets not connected to your corporate network to use the check and change passwords functionality of SPP. For more information, see the Connect for Safeguard Assets User Guide available as part of the SPP documentation.

    IMPORTANT: Regardless of the version of SPP you are using, the Connect for Safeguard Assets User Guide associated with the latest version of SPP should always be used when configuring a new agent. This is available from the SPP documentation site.

Starling as an identity provider

Once SPP has joined with Starling, a Starling Identity and Authentication provider will automatically be added to Safeguard. This is indicated by the Realm(s) section under Starling. However, there won't be any users or groups available until an administrator adds a Microsoft Azure Active Directory tenant to their Starling organization via the Directories settings page in Starling.

Using Starling as an identity provider

  1. Join SPP with Starling. For more information, see Join Starling.

  2. Enable a Microsoft Azure Active Directory tenant in your Starling organization (multiple Microsoft Azure Active Directory tenants can be added to Starling, but they will be available and treated as a single tenant when used by Safeguard). This is done via the Directories settings page in Starling. For more information, see the Starling User Guide.

  3. In order for Safeguard users to authenticate against Starling, a Relying Party Trust Application must be created in Starling via the Applications settings page. For more information, see the Starling User Guide.

    To create the application in Starling, you will need to Download Safeguard Federation Metadata from Identity and Authentication.

    NOTE: You cannot use the Add OpenID Connect Application with SPP.

  4. You will need to enter one or more values in the Realm(s) section to associate with the new Starling authentication provider. This will then allow users logging in to Safeguard to select External Federation and use Starling for their authentication.

  5. When the Require User to Always Authenticate check box is selected, the user will always be required to enter their credentials on the external provider, regardless of whether they are already logged in.

Adding new users and groups to Safeguard that come from Starling follows the same process as with other directory based identity providers (such as, Active Directory and LDAP) and the user information will be periodically synchronized from Starling.

IMPORTANT: You may need to restart the client in order for Starling to appear as an available identity provider.

Unjoin Starling

It is the responsibility of the Appliance Administrator to unjoin One Identity Safeguard for Privileged Passwords from Starling.

For additional information and documentation regarding the Starling Cloud platform and services, see the One Identity Documentation.

To unjoin SPP from Starling

  1. Go to Starling:
    • web client: Navigate to External Integration > Starling.
  2. Click Unjoin Starling.

    IMPORTANT: If there is an issue with the connection to Starling, a warning message will appear on the page and you will instead see a Force Unjoin button.

  3. SPP will no longer be joined to Starling, which means that Cloud Assistant, Starling identity providers, and integrated connectors are also disabled in SPP. A Starling Organization Admin account can rejoin SPP to Starling at any time.

    IMPORTANT: If you attempt to unjoin from Starling while there are still Safeguard users or groups that use the Starling provider for identity and authentication, you will get an error. You must manually delete any users or groups first before unjoining from Starling.

Syslog

SPP allows you to define one or more syslog servers to be used for logging SPP event messages. Appliance Administrators can specify to send different types of messages to different syslog servers. You may configure a connection to a syslog server to use TLS encryption, with or without a client authentication certificate. For more information, see Syslog Client Certificate..

To define and manage the syslog servers, go to Syslog:

  • web client: Navigate to External Integration > Syslog.

The Syslog pane displays the following about each syslog server defined.

Table 54: Syslog server: Properties
Property Description

Name

The name of the syslog server

Network Address The IP address or FQDN of the syslog server
Port The port number for syslog server

Protocol

The network protocols and syslog header type

TCP Framing

When using syslog with the TCP protocol, since the connection is stream based both the client and server need to be configured to process the data using the same delimiter. See RFC 6587 section 3.4.1 and 3.4.2 for more details. By default, SPP will use octet counting, as is recommended by RFC 6587. However, some syslog servers do not support octet counting. If that is the case, use this setting to configure SPP to use the delimiter that is supported by your syslog server.

Use TLS Encryption

If selected, provides encrypted communication with the syslog server instead of plain text over TCP

Use Client Certificate

If selected, the syslog server requires clients to authenticate

Verify Server Certificate

If selected, the syslog server certificate messages will only be sent if SPP is able to verify the authenticity of the syslog server TLS certificate

Use these toolbar buttons to manage the syslog server configurations

Table 55: Syslog server: Toolbar
Option Description
Add Add a new syslog server configuration. For more information, see Configuring and verifying a syslog server..
Remove

Remove the selected syslog server configuration from SPP.

If you attempt to remove a syslog server in use, you will see a message like: <syslog server> will be removed. Select Yes or No.

A second Force Delete message like this may display: There are dependencies on this syslog server: This object is referenced by ServiceDebug. Do you want to force delete this server? Select Force Delete or Cancel. If you select Force Delete, the dependent setting (such as an event subscriber or debug logging) will be deleted as well.

Edit Modify the selected syslog server configuration.
Copy Syslog Template Clone the selected syslog server configuration.
Refresh Update the list of syslog server configurations.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating