One Identity Safeguard for Privileged Passwords 7.5

SPP allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log in to Safeguard. You can create providers for Active Directory, LDAP 2.4, any SAML 2.0 federated service, or Radius.

Go to Identity and Authentication:

web client: Navigate to Appliance Management > Safeguard Access > Identity and Authentication.

The Identity and Authentication pane displays the following details about the identity and authentication providers defined.

Table 62: Identity and Authentication: Properties
Property	Description
Name	The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with exception of Active Directory, External Federation, and any 2FA provider.
Type	Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations.. Active Directory LDAP External Federation Radius (use as a secondary authentication provider) Radius as Primary (use as a primary authentication provider) FIDO2 OneLogin MFA SCIM
Description	Enter any descriptive information to use for administrative purposes.
Login Provider ID	A system generated identifier that can be used when integrating with third-party or other custom software or automation scripts. For information on accessing the SPP API, see Using the API. NOTE: When integrating with Safeguard for Privileged Sessions, you can effectively enable Single Sign-On (SSO) between the two applications by creating and using the same SAML2 external federation login provider in both. This Login Provider ID value from SPP must then be entered into the Safeguard for Privileged Sessions Script Reference field when creating the matching SAML2 login method.

Use these toolbar buttons to manage identity and authentication provider configurations.

Table 63: Identity and Authentication: Toolbar
Option	Description
Add	Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers..
Remove	Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users.
Edit	Modify the selected identity or authentication provider.
Syncronize Now	Run the directory addition (incremental) synchronization process for directory users (identity providers) and directory user groups. All changes except for deletions are synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task. The directory deletion and addition (full) synchronization process must be run from the API (IdentityProviders/Synchronize).
Update Signing Certificates and Metadata	For external federation providers that have been configured with a URL pointing to the metadata, you can manually trigger SPP to request the metadata from the URL if you know it has changed and don't want to wait for the daily automatic update. This may be necessary in cases where the external STS doesn't support having multiple active signing certificates and you want to minimize any downtime from not being able to log in.
Download Safeguard Federation Metadata	Download a copy of SPP's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.
Refresh	Update the list of identity and authentication providers.

Authentication provider combinations

Appliance Management > Safeguard Access > Identity and Authentication > Authentication provider combinations

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into SPP. For more information, see Requiring secondary authentication log in..

Using Local as the identity provider

Table 64: Allowable local identity provider combinations
Primary authentication	Secondary authentication
Local: The specified login name and password will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Certificate: The specified certificate thumbprint will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using Active Directory as the identity provider

Table 65: Allowable Active Directory identity provider combinations
Primary authentication	Secondary authentication
Active Directory: The samAccountName or X509 certificate will be used for authentication. NOTE: The user must authenticate against the domain from which their account exists.	None OneLogin MFA Radius LDAP FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius: The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using LDAP as the identity provider

Table 66: Allowable LDAP identity provider combinations
Primary authentication	Secondary authentication
LDAP: The specified username attribute will be used for authentication.	None OneLogin MFA Radius Active Directory FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2
Radius : The specified login name will be used for authentication. NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.	None OneLogin MFA Active Directory LDAP FIDO2

Using Starling as the identity provider

Table 67: Allowable Starling identity provider combinations
Primary authentication	Secondary authentication
Starling	None

Using SCIM as the identity provider

Table 68: Allowable SCIM identity provider combinations
Primary authentication	Secondary authentication
Local: The specified username and password will be used for authentication. NOTE: A SPP user administrator must manually set the password for any newly provisioned SCIM users.	None OneLogin MFA Radius Active Directory LDAP FIDO2
External Federation: The specified email address or name claim will be used for authentication.	None OneLogin MFA Radius Active Directory LDAP FIDO2

Adding identity and authentication providers

Appliance Management > Safeguard Access > Identity and Authentication > Adding identity and authentication providers

It is the responsibility of the Appliance Administrator to add directories to Safeguard for use as identity and authentication providers.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of an Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

Go to Identity and Authentication:
- web client: Navigate to Safeguard Access > Identity and Authentication.
Click Add.
Click the provider:
- Active Directory: See Active Directory and LDAP settings.
- LDAP: See Active Directory and LDAP settings.
- External Federation: See External Federation settings.
- Radius: See Radius settings.
- FIDO2: See FIDO2 settings.
- OneLogin MFA: See OneLogin MFA settings.
- SCIM: See SCIM settings.

Active Directory and LDAP settings

Table 69: Active Directory and LDAP: General tab properties
Property	Description
Product	The product name.
Forest Root Domain Name	Forest Root Domain Name.
Name	Unique name.
Service Account Domain Name (for Active Directory)	Enter the fully qualified Active Directory domain name, such as example.com. Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE. The service account domain name is the name of the domain where the service account resides. SPP uses DNS-SRV to resolve domain names to actual domain controllers.
Network Address (for LDAP)	Enter a network DNS name or the IP address of the LDAP server for SPP to use to connect to the managed system over the network.
Service Account Name (for Active Directory)	Enter an account for SPP to use for management tasks. If the Active Directory has previously been added as an asset, you can use the same service account, but you will need to know the current password of the account. Once added, you can have SPP manage the service account and periodically change the password without effecting the connectivity. For identity and authentication purposes, the service account only requires read access to the Active Directory domain(s). The service account does not require write access. Typically, any member of the default Domain Users group is sufficient. The service account must be able to read the following attributes on all users: objectGuid objectSID userPrincipalName samAccountName displayName mail userAccountControl pwdLastSet msDS-ResultantPSO tokenGroups lockoutTime accountExpires In addition, the service account requires read access to other domain level attributes: dnsHostName defaultNamingContext rootDomainNamingContext configurationNamingContext schemaNamingContext nETBIOSName nCName ldapDisplayName maxPwdAge lockoutDuration msDS-MaximumPasswordAge msDS-LockoutDuration Lastly, the service account must be able to enumerate the Active Directory User object class hierarchy to build the complete attribute schema. For more information, see About service accounts..
Service Account Distinguished Name (for LDAP)	Enter a fully qualified distinguished name (FQDN) for SPP to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com
Service Account Password	Enter the password SPP uses to authenticate to this directory.
Description	Enter information about this external identity provider.
Connect	Click Connect to verify the credentials. If adding an Active Directory provider, all domains in the forest will be displayed. Choose which ones can be used for identity and authentication.
Available Domains for Identity and Authentication (for Active Directory)	All newly created Safeguard users that are imported from the directory user group will have their primary authentication provider set to use the directory domain from which their user originates. For an Active Directory forest with multiple domains, the domains must be marked as Available Domains for Identity and Authentication. Clearing the forest root domain will have undesired results when managing directory users and groups. For more information, see Adding a directory user group..
Advanced	Open to reveal the following synchronization settings:
Port (for LDAP)	Enter port 389 used for communication with the LDAP directory.
Use SSL Encryption	Select whether or not to use SSL when connecting to the server. You must have a valid SSL certificate and have the SSL's issuer certificate be trusted by SPP. For more information, see Trusted CA Certificates.
Domain Controllers	For Active Directory, instead of having SPP automatically find domain controllers from a DNS and CLDAP ping, you can specify domain controllers.
Sync additions every	Enter or select how often you want SPP to synchronize directory additions (in minutes). This updates SPP with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to SPP. Default: 15 minutes Range: Between 1 and 2147483647
Sync deletions every	Enter or select how often you want SPP to synchronize directory deletions (in minutes). This updates SPP with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to SPP. Default: 15 minutes Range: Between 1 and 2147483647

Table 70: Active Directory and LDAP: Attributes tab (defaults)
SPP attribute	Directory attribute
Users
Object Class	Browse to select a class definition that defines the valid attributes for the user object class. Default: user for Active Directory, inetOrgPerson for LDAP
User Name	sAMAccountName for Active Directory, cn for LDAP
Password	userPassword for LDAP
First Name	givenName
Last Name	sn
Work Phone	telephoneNumber
Mobile Phone	mobile
Email	mail
Description	description
External Federation Authentication	The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this will be an attribute containing the user’s email address or other unique identifier used by the external Secure Token Service (STS). For both Active Directory and LDAP 2.4, this will default to the "mail" attribute. This is only used when processing members of a directory user group in which the group has been configured to use an External Federation provider as the primary authentication. For more information, see Adding a directory user group..
Radius Authentication	The directory attributed used to match the username value in an external Radius server that has been configured for either primary or secondary authentication. For Active Directory, this will default to using the samAccountName attribute. For LDAP 2.4, this will default to using the cn attribute. NOTE: This is only used when processing members of a directory user group in which the group has been configured to use Radius as either the primary or secondary authentication provider. For more information, see Adding a directory user group..
Managed Objects	The directory attribute used when automatically associating existing managed Accounts to users of a directory user group as linked accounts. Defaults: For Active Directory, this defaults to managedObjects. However, you may want to use the directReports attribute based on where you have the information stored in Active Directory. For LDAP 2.4, this defaults to the seeAlso attribute. When choosing an attribute, it must exist on the user itself and contain one or more Distinguished Name values of other directory user objects. For example, you would not want to use the owner attribute in LDAP 2.4, as the direction of the relationship is going the wrong way. You would instead want an owns attribute to exist on the user such as the default seeAlso attribute. For more information, see Adding a directory user group..
Groups
Object Class	Browse to select a class definition that defines the valid attributes for the group object class. Default: group for Active Directory, groupOfNames for LDAP
Name	sAMAccountName for Active Directory, cn for LDAP
Member	member
Description	description

External Federation settings

Radius settings

FIDO2 settings

OneLogin MFA settings

SCIM settings

Table 71: SCIM: General tab
Setting	Description
Name	The unique name assigned to the provider. The name is for administrative purposes only and will not be seen by the end users.
Description	Enter any text. The text is seen only here and used for administrative purposes.
Tenant URL	This is the URL for the tenant that you specified in Azure Active Directory. Use the button to copy the URL.
Application Token	This is the token required to connect with Azure Active Directory and will needed to be added to you SCIM provisioning configuration in Azure Active Directory. Use the Generate New Token button to populate this field and provide a button to copy the token. The token text for a previously generated token is unavailable for both viewing and copying once you save the configuration.
Application Token Set	This is the date (month, day, year) that the token was last generated.
Generate New Token	Click this button to generate a new token. Once generated, the token text will appear in the Application Token field.

Table 72: SCIM: Authentication tab
Setting	Description
Default Primary Authentication Provider	(Optional) Select a primary authentication provider.
Default Secondary Authentication Provider	(Optional) Select a secondary authentication provider.

Branding Customization

Appliance Management > Safeguard Access > Branding Customization

The Appliance Administrator can customize the login page and application for their users. Any customization must be configured on the primary, however any customization will also appear on replicas.

To customize the branding used on the login page and application header

Navigate to Appliance Management > Safeguard Access > Branding.
Select Custom Branding.
In the Login Page section, the Title field allows you to enter a name for the application (up to 50 characters long) that will appear on the login page.
For the Title Size, enter the font size in pixels to use for the application name. By default this is 36 px.
To customize the display colors, click the box beneath each field name to open a color selector dialog:
1. Title Color
2. Background Color
3. Page Text Color
Click the Upload Logo button to select a logo file to use for the login page (256KB max file size; recommended width: 160px to 400px, height 160px to 200px). Once uploaded, the uploaded logo will be displayed beneath the Page Text Color field.
In the Application Header section, the Title field allows you to enter the display name (up to 50 characters long) that will be used within the header of the application.
Click the Upload Logo button to select a logo file to use within the header of the application (256KB max file size; recommended width: 48px to 150px, height 48px to 64px). Once uploaded, the uploaded logo will be displayed beneath the Title field.
Click Save.

After saving, you can view the changes using the Review Login Page Customization or Review Application Customization buttons.

NOTE: You can select the Safeguard Branding option at the top of the page and click Save to remove any configured customizations and restore the SPP branding. After clicking Save you will be prompted for confirmation.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide

Identity and Authentication