Once SPP is joined to Starling, the following SPP features are enabled:

Feature using Starling Connect
  • Starling Connect Registered Connectors

    This feature integrates your Starling connectors with SPP. SPP can then discover and control the accounts stored in the connectors through the use of partitions, which allow passwords to be rotated for additional security. For more information, see Registered Connectors.

Feature using Starling Cloud Assistant
  • Cloud Assistant

    The Cloud Assistant feature integrates its access request workflow with Starling Cloud Assistant, allowing approvers to receive a notification through a configured channel when an access request is submitted. The approver can then approve (or deny) access requests through the channel without needing access to the SPP web application.

    The Cloud Assistant feature is enabled when you join SPP to Starling. For more information, see Starling. Once enabled, it is the responsibility of the Security Policy Administrator to define the users who are authorized to use Cloud Assistant to approve access requests.

    IMPORTANT: In order to use the Cloud Assistant feature, once you have joined with Starling you must enable the Register as a sender with Cloud Assistant toggle on the External Integration > Starling pane.

Feature using Connect for Safeguard Assets
  • Connect for Safeguard Assets

    Within Starling, a Connect for Safeguard Assets service is available. Once added, this service allows for assets not connected to your corporate network to use the check and change passwords functionality of SPP. For more information, see the Connect for Safeguard Assets User Guide available as part of the SPP documentation.

    IMPORTANT: Regardless of the version of SPP you are using, the Connect for Safeguard Assets User Guide associated with the latest version of SPP should always be used when configuring a new agent. This is available from the SPP documentation site.

Starling as an identity provider

Once SPP has joined with Starling, a Starling Identity and Authentication provider will automatically be added to Safeguard. This is indicated by the Realm(s) section under Starling. However, there won't be any users or groups available until an administrator adds a Microsoft Azure Active Directory tenant to their Starling organization via the Directories settings page in Starling.

Using Starling as an identity provider

  1. Join SPP with Starling. For more information, see Join Starling.

  2. Enable a Microsoft Azure Active Directory tenant in your Starling organization (multiple Microsoft Azure Active Directory tenants can be added to Starling, but they will be available and treated as a single tenant when used by Safeguard). This is done via the Directories settings page in Starling. For more information, see the Starling User Guide.

  3. In order for Safeguard users to authenticate against Starling, a Relying Party Trust Application must be created in Starling via the Applications settings page. For more information, see the Starling User Guide.

    To create the application in Starling, you will need to Download Safeguard Federation Metadata from Identity and Authentication.

    NOTE: You cannot use the Add OpenID Connect Application with SPP.

  4. You will need to enter one or more values in the Realm(s) section to associate with the new Starling authentication provider. This will then allow users logging in to Safeguard to select External Federation and use Starling for their authentication.

  5. When the Require User to Always Authenticate check box is selected, the user will always be required to enter their credentials on the external provider, regardless of whether they are already logged in.

Adding new users and groups to Safeguard that come from Starling follows the same process as with other directory-based identity providers (such as Active Directory and LDAP), and the user information will be periodically synchronized from Starling.

IMPORTANT: You may need to restart the client in order for Starling to appear as an available identity provider.