Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Using Lieberman ERPM to authenticate on the target hosts

Purpose:

To configure SPS to retrieve the credentials used to login to the target host from a Lieberman Enterprise Random Password Manager (ERPM) device, complete the following steps.

NOTE:

The current implementation of the integration between SPS and ERPM does not support SSH server-side private key authentication.

Prerequisites:

NOTE:

Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication or an AA plugin. Therefore gateway authentication or an AA plugin must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide and "Integrating external authentication and authorization systems" in the Administration Guide.

Steps:
  1. Navigate to Policies > Credential Stores.

  2. Click and enter a name for the Credential Store.

  3. Select Lieberman.

    Figure 253: Policies > Credential Stores > Lieberman — Authenticate with Lieberman ERPM on the target hosts

  4. Enter the hostname or IP address of your Lieberman Enterprise Random Password Manager (ERPM) server into the ERPM address field.

    Use an IPv4 address.

    If your ERPM setup is configured to use an external authentication method, then in the Authenticator field, enter the name of the Authentication Server (Authenticator Source) set on your ERPM server (under Delegation > Authentication Servers).

    For example, if you wanted SPS to authenticate to ERPM using the domain account "LSC\Shell", then you would set the Authenticator field in SPS to the value "LSC". This would indicate to ERPM that the identity being used to connect ("Shell") is associated with an authenticator (in this example, an AD domain) called "LSC". With that information, ERPM knows who to talk to in order to get an authentication response.

    If no domain account authenticator is set under Delegation > Authentication Servers in ERPM, SPS will use the [Explicit] authenticator.

  5. Specify the account SPS should use to login to the ERPM server.

    • To use always the same account, select Fixed username and enter the username and the password.

    • For SSH connections, SPS can use the username and password that the user provided during the gateway authentication process. To use this account, select Use credentials provided at gateway authentication.

    NOTE:

    Authentication with the same user as the one used during gateway authentication is only available for SSH connections and is not available in the case of RDP connections.

    NOTE:

    SPS accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

  6. To verify the certificate of the ERPM server, select Verify server certificate and select the CA list that contains the CA certificate that signed the certificate of the ERPM server from the Trusted CA list field. For details on creating trusted CA lists, see Verifying certificates with Certificate Authorities.

  7. Enter the default namespace of the accounts into the Default namespace field, for example, [Linux], [LDAP], [IPMI], W2003DOMAIN.

    If Lieberman is used in a domainless environment, you can use the following macros:

    • To use the hostname (system name) of the target as the namespace, enter {HOST}.

      This macro does not perform domain name resolution.

    • To use the IP address of the target, enter {IP}.

      This macro does not perform reverse lookup.

    NOTE:

    You cannot use both {HOST} and {IP} in the default namespace.

  8. Enter the IP address of the DNS servers to use for resolving the hostnames when using Domain mapping into the Primary DNS server and Secondary DNS server fields.

    Use an IPv4 address.

  9. Perform this step if you want to configure RDP autologin to a computer with a domain user.

    To retrieve the password of a domain user from Lieberman ERPM, SPS queries the domain controller directly. In a domainless environment, Default namespace is used instead.

    NOTE:

    Domain/Host mapping is used for authenticating RDP connections only.

    Map the domain name to the hostname of the domain controller:

    1. In Domain/Host mapping, click .

    2. Enter the domain name in the Domain field.

    3. Enter the hostname of the domain controller in the Host field.

    You can map multiple domains to domain controllers.

    Figure 254: Policies > Credential Stores > Lieberman > Domain/Host mapping

  10. Click Commit.

  11. Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store to use in the Credential Store field, then click Commit.

Using a custom Credential Store plugin to authenticate on the target hosts

Purpose:

To configure SPS to retrieve the credentials used to login to the target host using a custom plugin, complete the following steps.

Prerequisites:

To use a custom Credential Store plugin, you need to upload a working Credential Store plugin to SPS. This plugin is a script that uses the SPS API to access an external Credential Store or Password Manager. If you want to create such a plugin, contact our Support Team. For more information on creating a custom plugin, see "Creating a custom plugin" in the Administration Guide.

NOTE:

Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication or an AA plugin. Therefore gateway authentication or an AA plugin must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide and "Integrating external authentication and authorization systems" in the Administration Guide.

To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins, browse for the file and click Upload. Note that it is not possible to upload or delete Credential Store plugins if SPS is in sealed mode.

Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.

Steps:
  1. Navigate to Policies > Credential Stores.

  2. Click and enter a name for the Credential Store.

  3. Select External Plugin, then select the plugin to use from the Plugin list.

  4. If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.

    NOTE:

    Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.

  5. Click Commit.

  6. Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click Commit.

Integrating external authentication and authorization systems

SPS provides a plugin framework to integrate SPS to external systems to authenticate or authorize the user before authenticating on the target server. Such plugins can also be used to request additional information from the users, for example, to perform multi-factor authentication.

You can use an Authentication and Authorization plugin (aa-plugin) in the following protocols:

  • Remote Desktop (RDP)

  • Secure Shell (SSH)

  • TELNET

How Authentication and Authorization plugins work

If a Connection Policy has an Authentication and Authorization plugin (AA plugin) configured, then SPS executes the plugin as the last step of the connection authorization phase. SPS can request the client to perform other types of authentication before executing the plugin. Using an AA plugin in a Connection Policy is treated as gateway authentication if:

  • the plugin authenticates the user

  • authentication is successful

  • the plugin returns the gateway_user and gateway_groups elements, identifying the user it has authenticated

Other types of gateway authentication will come before authentication by the AA plugin, so information from any other type of gateway authentication (for example, the username and usergroups of this authentication) will already be available and therefore can be used by the plugin. If the Authentication and Authorization plugin does perform gateway authentication, you can use a Credential Store as well.

The plugin can interactively request additional information from the client in the SSH, Telnet, and RDP protocols.

Optionally, the plugin can return the gateway_user and gateway_groups elements. SPS will only update the gateway username and gateway groups fields in the connection database if the plugin returns the gateway_user and gateway_groups elements. The returned gateway username and gateway groups override any such attributes already available on SPS about the connection, so make sure that the plugin uses the original values appropriately.

If the plugin returns the gateway_user and gateway_groups elements, you may have to configure an appropriate Usermapping Policy in the Connection Policy. If the plugin returns a gateway_user that is different from the remote user, the connection will fail without a Usermapping Policy. For details on Usermapping Policies, see "Configuring usermapping policies" in the Administration Guide.

NOTE: In SPS 5.8, a user's group membership is determined by querying only the relevant groups configured for the connection from the LDAP/AD server, instead of retrieving all groups of a given user.

This may cause problems when using AD/LDAP-based gateway authentication together with an AA plugin. The AA plugin authorize() hook may be called with only a subset of groups as group membership lookup does not consider groups referenced in the AA plugin code.

As a possible workaround, you can add a rule to the channel policy assigned to the connection that never matches (for example, set the From address to 0.0.0.0/32), but contains all the gateway groups that the plugin requires. This channel rule will never match, but it will cause SPS to evaluate if a user is a member of those groups, and will make them available for the plugin if so.

Note that only groups queried by SPS are affected. Gateway groups returned by the AA plugin authenticate() hook are passed to the authorize() hook unchanged.

Related Documents