
One Identity Safeguard for Privileged Sessions 5.7.0 - YubiKey Multi-Factor Authentication - Tutorial

Mapping Safeguard for Privileged Sessions usernames to YubiKey identities

By default, Safeguard for Privileged Sessions assumes that the YubiKey username of the user is the same as the gateway username (that is, the username the user used to authenticate on Safeguard for Privileged Sessions during the gateway authentication). To identify the users, Safeguard for Privileged Sessions uses the username (login) field in YubiKey, which is an email address.

If the gateway usernames are different from the YubiKey usernames, you must configure the Safeguard for Privileged Sessions YubiKey plugin to map the gateway usernames to the YubiKey usernames. You can use the following methods:

  • To simply append a string to the gateway username, configure the append_domain parameter. In this case, Safeguard for Privileged Sessions automatically appends the @ character and the value of this option to the username from the session, and uses the resulting username on the YubiKey server to authenticate the user. For example, if the domain is set as append_domain: example.com and the username is Example.User, the Safeguard for Privileged Sessions plugin will look for the user Example.User@example.com on the YubiKey server.

  • To look up the YubiKey username of the user from an LDAP/Active Directory database, configure the [ldap] section of the Safeguard for Privileged Sessions YubiKey plugin. Typically, the Safeguard for Privileged Sessions plugin queries the email address corresponding to the username from your LDAP or Active Directory database. For details on LDAP parameters, see Safeguard for Privileged Sessions YubiKey plugin parameter reference.

  • If you configure both the append_domain parameter and the [ldap] section of the Safeguard for Privileged Sessions YubiKey plugin, Safeguard for Privileged Sessions appends the @ character and the value of the append_domain parameter to the value retrieved from the LDAP database.

  • If you have configured neither the append_domain parameter nor the [ldap] section, Safeguard for Privileged Sessions assumes that the YubiKey username of the user is the same as the gateway username.
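The four mapping cases above, as an added example (not code from the Safeguard for Privileged Sessions YubiKey plugin): the directory is a constructed in-memory dictionary standing in for the [ldap] query, and failing closed when the directory has no entry for the user is an assumption, not behaviour the text specifies.

```python
"""Map a gateway username to a YubiKey username using the precedence
rules described above. Added example; the directory is constructed."""
from typing import Callable, Dict, Optional

# Constructed stand-in for the LDAP/Active Directory lookup:
# gateway username -> value of the mail attribute.
FAKE_DIRECTORY: Dict[str, str] = {
    "jdoe": "john.doe@corp.example",
    "asmith": "alice.smith",   # mail attribute stored without a domain part
}


def ldap_lookup(gateway_user: str) -> Optional[str]:
    """Return the directory value for the user, or None if not found."""
    return FAKE_DIRECTORY.get(gateway_user)


def map_username(gateway_user: str,
                 append_domain: Optional[str] = None,
                 ldap: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Resolve the YubiKey username for a gateway username.

    - [ldap] configured: the looked-up value replaces the gateway username.
    - append_domain set: '@' + domain is appended to whatever name is used.
    - both: the domain is appended to the value retrieved from LDAP.
    - neither: the gateway username is used unchanged.
    """
    if ldap is not None:
        looked_up = ldap(gateway_user)
        if looked_up is None:
            # Assumption: refuse rather than silently fall back to the
            # gateway username, so a missing directory entry cannot map a
            # user onto someone else's YubiKey identity.
            raise LookupError(f"no directory entry for {gateway_user!r}")
        name = looked_up
    else:
        name = gateway_user
    if append_domain:
        name = f"{name}@{append_domain}"
    return name
```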

Bypassing YubiKey authentication

Having to perform multi-factor authentication to a remote server every time the user opens a session can be tedious and inconvenient for the users, and can impact their productivity. Safeguard for Privileged Sessions offers the following methods to solve this problem:

  • In Safeguard for Privileged Sessions, the Connection policy determines the type of authentication required to access a server. If you do not need multi-factor authentication for accessing specific servers, configure your Connection policies accordingly.

  • If the user opens a new session within a short period, they can do so without having to perform multi-factor authentication. After this configurable grace period expires, the user must perform multi-factor authentication to open the next session. For details, see Safeguard for Privileged Sessions YubiKey plugin parameter reference.

  • You can configure Safeguard for Privileged Sessions using whitelists and blacklists to selectively require multi-factor authentication for your users, for example, to create break-glass access for specific users. For details on creating exemption lists, see Safeguard for Privileged Sessions YubiKey plugin parameter reference.

Configure your YubiKey account for Safeguard for Privileged Sessions

Prerequisites:

The users must have a YubiKey device and a means to map usernames to YubiKey Public IDs. For details, see Safeguard for Privileged Sessions YubiKey plugin parameter reference.

Steps:
  1. Generate the YubiKey Client ID and API Key.

    For details on generating your Client ID and API Key, see How do I get an API key for YubiKey development?.

    To generate your Client ID and API Key, authenticate yourself using a YubiKey One-Time Password and provide your e-mail address as a reference at Yubico get API key.

    A Yubico OTP is a 44-character, single-use string consisting of a Public ID and a 128-bit encrypted passcode. It is composed of two parts: the first 12 characters remain constant and represent the Public ID of the YubiKey device itself, and the remaining 32 characters make up a passcode that is unique to each OTP generated.

    For example, in the following Yubico OTP, the characters cccjgjgkhcbb are the Public ID, and the remaining characters are the passcode.

    cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut
  2. YubiKey does not require network connectivity or access to a mobile phone. Just touch or tap the YubiKey device to authenticate.
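The OTP layout described in step 1, as an added example (not code from the plugin or from Yubico): it checks the length and alphabet, splits the OTP into Public ID and passcode, and resolves the Public ID against a constructed table of the kind the prerequisite asks you to maintain. The modhex alphabet and its hex decoding are Yubico's published encoding; the code does not verify the passcode, which only the validation server can do.

```python
"""Split a Yubico OTP into Public ID and passcode and map the Public ID
to a gateway user. Added example; the user table is constructed."""
from typing import Dict, NamedTuple

MODHEX = "cbdefghijklnrtuv"        # Yubico's keyboard-layout-safe hex alphabet
PUBLIC_ID_LEN, OTP_LEN = 12, 44    # lengths given in the text above


class ParsedOtp(NamedTuple):
    public_id: str   # first 12 characters, constant for the device
    passcode: str    # remaining 32 characters (16 bytes, hence 128 bits)


def parse_otp(otp: str) -> ParsedOtp:
    """Validate length and alphabet, then split the OTP. Raises ValueError."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN:
        raise ValueError(f"expected {OTP_LEN} characters, got {len(otp)}")
    bad = sorted({ch for ch in otp if ch not in MODHEX})
    if bad:
        raise ValueError(f"non-modhex characters: {bad}")
    return ParsedOtp(otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:])


def modhex_to_hex(s: str) -> str:
    """Decode modhex to ordinary hex digits (c=0, b=1, d=2, ..., v=f)."""
    return "".join(format(MODHEX.index(ch), "x") for ch in s)


# Constructed mapping of device Public IDs to gateway usernames.
PUBLIC_ID_TO_USER: Dict[str, str] = {
    "cccjgjgkhcbb": "Example.User",
}


def user_for_otp(otp: str) -> str:
    """Return the gateway user registered for the OTP's Public ID."""
    public_id = parse_otp(otp).public_id
    if public_id not in PUBLIC_ID_TO_USER:
        raise LookupError(f"unregistered YubiKey Public ID {public_id}")
    return PUBLIC_ID_TO_USER[public_id]
```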

Configure Safeguard for Privileged Sessions to use YubiKey multi-factor authentication

Prerequisites:
  • Your YubiKey Client ID and API Key.

    Caution:

    According to the current YubiKey policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because Safeguard for Privileged Sessions will reject your sessions if the API token is expired.

  • Administrator access to Safeguard for Privileged Sessions.

  • Make sure that you have all the required components listed in Technical requirements.

Steps:
  1. Download the Safeguard for Privileged Sessions YubiKey plugin

    Safeguard for Privileged Sessions customers can download the plugin from Plugin Page.

  2. Upload the plugin to Safeguard for Privileged Sessions

    Upload the plugin to Safeguard for Privileged Sessions. For details, see Administration Guide.

  3. Configure the plugin on Safeguard for Privileged Sessions

    The plugin includes a default configuration file, which is an ini-style configuration file with sections and name=value pairs. You can edit it on the Policies > AA Plugin Configurations page of the Safeguard for Privileged Sessions web interface.

    1. Configure the usermapping settings if needed. Safeguard for Privileged Sessions must find out which YubiKey user belongs to the username of the authenticated connection. For that, it can query your LDAP/Microsoft Active Directory server. For details, see Mapping Safeguard for Privileged Sessions usernames to YubiKey identities.

    2. Configure other parameters of your plugin as needed for your environment. For details, see Safeguard for Privileged Sessions YubiKey plugin parameter reference.

  4. Configure a Connection policy and test it

    Configure a Connection policy on Safeguard for Privileged Sessions. In the AA plugin field of the Connection policy, select the Safeguard for Privileged Sessions YubiKey plugin you configured in the previous step, then start a session to test it. For details on how a user can perform multi-factor authentication, see Perform multi-factor authentication with the Safeguard for Privileged Sessions YubiKey plugin in terminal connections and Perform multi-factor authentication with the Safeguard for Privileged Sessions YubiKey plugin in Remote Desktop connections.

    Caution:

    According to the current YubiKey policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because Safeguard for Privileged Sessions will reject your sessions if the API token is expired.
