One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide


Checking, changing, or setting an API key

The Asset Administrator can manually check, change, or set an API key associated with Azure AD and AWS connectors.

To manually check, change, or set an API key

NOTE: Should 4 or more API keys be configured, the tiles will be condensed into a single summary tile. To access and manage the individual API keys, click the name of the tile (API Keys <n>). This will open a pane containing a table view of the configured API keys as well as toolbar options for managing the keys.

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.
  3. Click (View Details) from the toolbar.
  4. Navigate to Properties > Secrets.
  5. Each configured API key is represented by a tile available on this page which provides the following options: 

    1. Set to set the API key secret in the SPP database. This option does not change the API key information on the platform. The following options may appear depending on the type of platform:

      1. Client Identifier: Copy the client identifier from the platform and add it to this field.

      2. Client Secret: Copy the client secret from the platform and add it to the field. Once configured, click Copy to put it into your copy buffer. You can then log in to your device, using the old client secret, and change it to the client secret in your copy buffer.

      3. Client Secret Identifier (Azure AD only): Copy the client secret identifier from the platform and add it to the field. If the identifier doesn't match, an attempt to change the API key for the Azure AD platform will create a new one with the identifier set in SPP.

      4. Set Client Secret: Click this button to save the configuration.

    2. Check to verify the API key is in sync with the SPP database. If the API key verification fails, you can change it.

    3. Change to reset and synchronize the API key with the SPP database.

    4. (Remove): Click this button to remove a previously configured API Key.

Viewing API Key Archive

The Asset Administrator can access an archive of an account's API Keys.

To access an account's API key archive

  1. Navigate to Asset Management > Accounts.
  2. Select an account and click (View Details).
  3. Navigate to Properties > Secrets.
  4. For a configured API key, click View Archive.
  5. In the API Key archive dialog, select a date. If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current API key.

  6. In the View column, click to display the API Key that was assigned to the asset at that given date and time.

  7. In the details dialog, click Copy to copy the API Key to your copy buffer.

Setting a TOTP authenticator

Many asset types support the use of a TOTP authenticator for their associated accounts when using password requests. The following instructions explain how to add a TOTP authenticator to an existing asset.

To set up a TOTP authenticator

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.
  3. Click (View Details) from the toolbar.
  4. Navigate to Properties > Secrets.
  5. On the TOTP Authenticator tile available on this page, click Set.

  6. On the Set TOTP Authenticator pane, select one of the following options:

    NOTE: Once you start the process for setting up a TOTP authenticator, you will need to connect the authenticator with the account in SPP by entering the code(s) sent by the authenticator within a set time limit. It is strongly suggested that you have your authenticator ready before beginning this process, to avoid having to restart the setup because it timed out.

    1. QR Code Image: Select this method to connect with the TOTP authenticator through the use of a QR code image file. Click Browse Your Computer to select the QR code image file or drag the QR code image file into the dashed box.

    2. URI or Secret String: Select this option to connect with the TOTP authenticator through the use of the URI string or secret generated by the authenticator. If only a secret is provided, then the process for generating the string will depend upon the authenticator itself.

      Click Submit.

  7. A Setup Confirmation Code section will appear as soon as the authenticator setup begins, and you will need to start entering the provided code(s) into your authenticator (you can use the Copy button to copy the code instead of typing the value). The amount of time left before the code becomes invalid and a new code appears is displayed to the right of the Copy button.

    The number of codes required depends upon the requirements of the authenticator (for example, AWS requires that 2 successive codes be entered, with each code being available for approximately 30 seconds; only 5 codes will be displayed before the authenticator setup times out and you will need to restart the process). If you are unable to successfully complete the setup, click Remove Authenticator to restart the process.

  8. Once you have successfully completed the TOTP authenticator setup, click Done.
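
The following added example (not part of the One Identity documentation or product code) shows what the URI or Secret String input carries and how the successive confirmation codes and their remaining lifetime in step 7 are derived under RFC 6238. It assumes the URI follows the common `otpauth://totp/...` key URI layout, which this guide does not specify; the function names are hypothetical and the sample secret is the public RFC 6238 test value.

```python
import base64
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Public RFC 6238 test secret ("12345678901234567890" in Base32).
# Constructed sample for illustration, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:svc-account"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

def parse_totp_input(value):
    """Accept an otpauth://totp URI or a bare Base32 secret; return TOTP parameters."""
    params = {"label": "", "algorithm": "sha1", "digits": 6, "period": 30}
    secret = value
    if value.lower().startswith("otpauth://"):
        uri = urlparse(value)
        if uri.netloc.lower() != "totp":
            raise ValueError("not a TOTP URI (other OTP types are out of scope)")
        query = {k: v[0] for k, v in parse_qs(uri.query).items()}
        if "secret" not in query:
            raise ValueError("URI carries no secret parameter")
        secret = query["secret"]
        params["label"] = unquote(uri.path.lstrip("/"))
        params["algorithm"] = query.get("algorithm", "SHA1").lower()
        params["digits"] = int(query.get("digits", 6))
        params["period"] = int(query.get("period", 30))
    # Secrets are often shown in lower case, in spaced groups, without padding.
    secret = secret.replace(" ", "").upper()
    params["key"] = base64.b32decode(secret + "=" * (-len(secret) % 8))
    return params

def totp_at(params, unix_time):
    """RFC 6238 code for the time step that contains unix_time."""
    counter = struct.pack(">Q", int(unix_time) // params["period"])
    digest = hmac.new(params["key"], counter, params["algorithm"]).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** params["digits"]).zfill(params["digits"])

def successive_codes(params, unix_time, count=2):
    """Return `count` consecutive codes and the seconds left on the first one."""
    period = params["period"]
    remaining = period - int(unix_time) % period
    return [totp_at(params, unix_time + i * period) for i in range(count)], remaining

if __name__ == "__main__":
    import time
    codes, left = successive_codes(parse_totp_input(SAMPLE_URI), time.time())
    print(f"current code {codes[0]} ({left}s left), next code {codes[1]}")
```

Because each code depends only on the shared secret and the clock, a setup that repeatedly times out is usually a sign of clock drift between the appliance and the platform, and the secret string deserves the same handling as the account password.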

Removing a TOTP authenticator

The following instructions explain how to remove a previously configured TOTP authenticator.

To remove a TOTP authenticator

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.
  3. Click (View Details) from the toolbar.
  4. Navigate to Properties > Secrets.
  5. On the TOTP Authenticator tile available on this page, click Remove.

  6. On the Remove Authenticator confirmation dialog, click Remove.

    The previously configured TOTP authentication will no longer be available for the account.
