Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Modifying an email template

Safeguard for Privileged Passwords provides default email templates for most events, such as when a password change fails or when emergency access is granted or an access request is denied. However, you can customize individual email templates.

Each template corresponds to a single event type; the event triggers an email notification that uses the template.

To modify an email template

  1. Open the email template for editing.
  2. In the Email Template configuration dialog,
    1. Event: Select an event type for an email template. For more information, see Enabling email notifications.

      NOTE: You can create only one email template per event type.

    2. Subject: Enter a "subject" line for the email message.

      As you type, click (or tap)  Insert Event Property Macro to insert predefined text into the subject line. For example, you might create the following subject line:

      Approval is required for {{Requester}}'s request

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see note at the end of this topic.)

      Required

      Limit: 1024 characters

    3. Reply to: Enter the email address of the person to reply to concerning this notification.

      Limit: 512 characters

    4. Body: Enter the body of the message.

      As you type, click (or tap)  Insert Event Property Macro to insert predefined text into the body. For example, you might create the following body for an email template:

      {{Requester}} has requested the password for {{AccountName}} on {{AssetName}}

      where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces. (For more information about using macros, see note below.)

      Required

      Limit: 16384 characters

    5. Preview Email: Select this link to display the Preview Email dialog so you can see how your email message will look.

Note: Each event type supports specific macros that are appropriate for that type of event. You can enter the macro into the text of the subject line or body using keywords surrounded by double braces rather than inserting the macro. However, Safeguard for Privileged Passwords ignores macros that are not supported by the event type. Unsupported macros appear blank in the email preview.

Identity and Authentication

Safeguard for Privileged Passwords allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log into Safeguard. You can create providers for Active Directory, OpenLDAP 2.4, any SAML 2.0 federated service, or Radius.

Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication. The Identity and Authentication pane displays the following details about the identity and authentication providers defined.

Table 190: Identity and Authentication: Properties
Property Description
Name

The name assigned to the identity or authentication provider. If the provider is for Active Directory, the name will be the service account domain name. If the provider is for OpenLDAP 2.4, the name will be the network address. Names are displayed in a drop-down menu on the login page with other selected domains of an Active Directory forest and the name given to a Radius server used for primary authentication. The name given to any external federation provider or a Radius server used for secondary authentication will not be seen by end users and is for administrative purposes only.

NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling.

Type

Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations.

  • Active Directory
  • LDAP
  • External Federation
  • Radius (use as a secondary authentication provider)
  • Radius as Primary (use as a primary authentication provider)

Use these toolbar buttons to manage identity and authentication provider configurations.

Table 191: Identity and Authentication: Toolbar
Option Description
Add

Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers.

Delete Selected

Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users.

Refresh

Update the list of identity and authentication providers.

Edit

Modify the selected identity or authentication provider.

Download

Download a copy of Safeguard for Privileged Passwords's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.

Authentication provider combinations

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

NOTE: The Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to One Identity Starling. You cannot manually add, edit, or delete the Starling 2FA secondary authentication provider. For more information, see Starling.

 

NOTE: It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into Safeguard for Privileged Passwords. For more information, see Requiring user to log in using secondary authentication.

Using Local as the identity provider

Table 192: Allowable local identity provider combinations

Primary Authentication

Secondary

Authentication

Local: The specified login name and password will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

Certificate: The specified certificate thumbprint will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

External Federation: The specified email address or name claim will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

Starling

Active Directory

LDAP

Using Active Directory as the identity provider

Table 193: Allowable Active Directory identity provider combinations

Primary Authentication

Secondary

Authentication

Active Directory: The samAccountName or X509 certificate will be used for authentication.

NOTE: The user must authenticate against the domain from which their account exists.

None

Starling

Radius

LDAP

External Federation: The specified email address or name claim will be used for authentication.

None

Starling

Radius

Active Directory LDAP

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

Starling

Active Directory

LDAP

Using LDAP as the identity provider

Table 194: Allowable LDAP identity provider combinations

Primary Authentication

Secondary

Authentication

LDAP: The specified username attribute will be used for authentication.

None

Starling

Radius

Active Directory

External Federation: The specified email address or name claim will be used for authentication.

None

Starling

Radius

Active Directory

LDAP

Radius : The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

Starling

Active Directory

LDAP

Adding identity and authentication providers

It is the responsibility of the Directory Administrator to add directories to Safeguard for use as identity and authentication providers. Any directories added using the Directories view, will automatically appear here as an identity provider. For more information, see Adding a directory.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of a User Administrator or Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

  1. Navigate to Administrative Tools | Settings | External Integration | Identity and Authentication.
  2. Click (or tap) Add .
  3. Click (or tap) the provider:

    Active Directory and LDAP settings

    Use the General tab to add the required service account information. The following table lists the properties and designates the properties for Active Directory or LDAP only, if applicable.

    Table 195: Active Directory and LDAP: General tab properties
    Property Description
    Service Account Domain Name (for Active Directory)

    Enter the fully qualified Active Directory domain name, such as example.com.

    Do not enter the domain controller hostname, such as server.example.com; the domain controller's IP address, such as 10.10.10.10; or the NETBIOS domain name, such as EXAMPLE.

    Important: The service account domain name is the name of the domain where the service account resides. Safeguard for Privileged Passwords uses DNS-SRV to resolve domain names to actual domain controllers.

    Network Address

    (for LDAP)

    Enter a network DNS name or the IP address of the LDAP server for Safeguard for Privileged Passwords to use to connect to the managed system over the network.

    Service Account Name (for Active Directory)

    Enter an account for Safeguard for Privileged Passwords to use for management tasks.

    NOTE: When you add the directory, Safeguard for Privileged Passwords automatically adds the service account to the directory's Accounts tab and disables it for access requests. If you want the password to be available for release, click (or tap) Access Requests and select Enable Password Request from the details toolbar. To enable session access, select Enable Session Request.

    Important: Add an account that has permission to read all of the domains and accounts that you want to manage with Safeguard for Privileged Passwords.

    Safeguard for Privileged Passwords is forest-aware. Using the service account you specify, Safeguard for Privileged Passwords automatically locates all of the domains in the forest and creates a directory object which represents the entire forest. The directory object will have the same name as the forest-root domain regardless of which account you specify.

    For more information, see About service accounts.

    Service Account Distinguished Name (for LDAP)

    Enter a fully qualified distinguished name (FQDN) for Safeguard for Privileged Passwords to use for management tasks. For example: cn=dev-sa,ou=people,dc=example,dc=com

    Service Account Password

    Enter the password Safeguard for Privileged Passwords uses to authenticate to this directory.

    Description

    Enter information about this external identity provider.

    Connect

    Click (or tap) Connect to verify the credentials. If adding an Active Directory provider, all domains in the forest will be displayed. Choose which ones can be used for identity and authentication.

    Advanced Open to reveal the following synchronization settings:
    Port (for LDAP)

    Enter port 389 used for communication with the LDAP directory.

    Use SSL Encryption (for LDAP) Select to enable Safeguard for Privileged Passwords to encrypt communication with an LDAP directory .
    Verify SSL Certificate (for LDAP)

    Select to verify the SSL certificate.

    NOTE: This option is only available when the Use SSL Encryption option is selected.

    Sync additions every

    Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory additions (in minutes). This updates Safeguard for Privileged Passwords with any additions, or modifications that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

    Default: 15 minutes

    Range: Between 1 and 2147483647

    Sync deletions every

    Enter or select how often you want Safeguard for Privileged Passwords to synchronize directory deletions (in minutes). This updates Safeguard for Privileged Passwords with any deletions that have been made to the directory objects, including group membership and user account attributes mapped to Safeguard for Privileged Passwords.

    Default: 15 minutes

    Range: Between 1 and 2147483647

On the Attributes tab, synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.

The Attributes tab displays the default directory attributes that are mapped to the Safeguard for Privileged Passwords properties, such as the user's first name.

To map the Safeguard for Privileged Passwords properties to different directory attributes

  1. Browse to select one or more object classes for the users, computers, and groups categories, as applicable.

    Note: You can use or remove the default object class.

  2. If you do not want to use the default property, begin typing in the property box. Safeguard for Privileged Passwords's auto-complete feature immediately displays a list of attributes to choose. Safeguard for Privileged Passwords only allows you to choose attributes that are valid for the object classes you have selected for users, groups, and computers.
  3. Once you have set all the properties, click (or tap) Apply.

The following table list the default directory attributes.

Table 196: Active Directory and LDAP: Attributes tab
Safeguard for Privileged Passwords Attribute Directory Attribute
Users
Object Class

Browse to select a class definition that defines the valid attributes for the user object class.

Default: user for Active Directory, inetOrgPerson for LDAP

User Name

sAMAccountName for Active Directory, cn for LDAP

Password

userPassword for LDAP

First Name

givenName

Last Name

sn

Work Phone

telephoneNumber

Mobile Phone

mobile

Email

mail

Description

description

Groups
Object Class

Browse to select a class definition that defines the valid attributes for the group object class.

Default: group for Active Directory, groupOfNames for LDAP

Name

sAMAccountName for Active Directory, cn for LDAP

Member

member

Description

description

External Federation settings

One Identity Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account. When an end user logs in, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in.

NOTE: Additional two-factor authentication can be assigned to the associated Safeguard for Privileged Passwords user account to force the user to authenticate again after being redirected back from the external STS.

To use external federation, you must first download the federation metadata XML for your STS and save it to a file. For example, for Microsoft's AD FS, you can download the federation metadata XML from:

https://<adfs server>/FederationMetadata/2007-06/FederationMetadata.xml.

To add external federation:

  1. In the External Federation dialog, supply the following information:
    1. Name: The unique name assigned to the external federation service provider. The name is for administrative purposes only and will not be seen by the end users.

    2. Realm: The unique realm value (typically a DNS suffix, like contoso.com) that matches the email addresses of users intended to use this STS for authentication. A case-insensitive comparison will be used on this value when performing Home Realm Discovery.

    3. Federation Metadata File: Click (or tap) Browse to select the STS federation metadata xml file.
  2. Click (or tap) Download Safeguard for Privileged Passwords Metadata File: You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited. Also see: How do I create a relying party trust for the STS.

Radius settings

Create and configure a Radius server for use as either a primary authentication provider or secondary authentication provider. To use a Radius server for both primary and secondary authentication, you will need to create two authentication providers. The steps to create Radius as a primary provider or secondary provider follow:

  1. In the Radius dialog, supply the following information:
    1. Name: The unique display name. When creating the Radius provider for primary authentication, this name value will be displayed in the drop-down list on the login page.

    2. Type: Choose As Primary Authentication or As Secondary Authentication.

    3. Server Address: Enter a network DNS name or the IP address used to connect to the server over the network.
    4. Secondary Server Address: (Optional) Enter a network DNS name or the IP address for an additional or redundant server.
    5. Shared Secret: Enter the server's secret key. Click (or tap) to show the server's secret key.
    6. Port: Enter the port number that the Radius server uses to listen for authentication requests. The default is port 1812.
    7. Timeout: Specify how long to wait before a Radius authentication request times out. The default is 3 seconds. The valid range is 3 to 60 seconds.
  2. Click (or tap) OK.

Sessions management

You can view, edit, or delete joined Sessions Appliance connections. Once joined, all sessions are initiated by the Safeguard for Privilege Password (SPP) appliance via an access request and managed by the Safeguard for Privileged Sessions (SPS) appliance and sessions are recorded via the Sessions Appliance.

To join a Sessions Appliances with a standalone primary SPP Appliance, SPS and SPP user names and passwords are required.

The sessions appliance certificate is available for audit by the Auditor.

For information, see the following:

Once the join is complete, navigate to Administrative Tools | Settings | External Integration | Sessions Management. The Sessions Management pane displays the following session details.

Table 197: Sesssions Management: Properties
Property Description

Network Address

The network DNS name or IP address of the session connection.

SPS Username

The user name for Safeguard for Privileged Sessions (SPS).

SPP

Username

The user name for Safeguard for Priviliged Passwords (SPP).

Thumbprint

A unique hash value that identifies the certificate.

Name

The name of the Safeguard for Privileged Sessions Appliance used to authenticate the joined SPS session connection.

Description

Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node).

Use these toolbar buttons to manage sessions.

Table 198: Sessions Management: Toolbar
Option Description
Delete Selected

Remove the selected joined SPS session connection.

Refresh

Update the list of joined SPS session connections.

Edit

Modify the selected joined SPS session connection Description, Network Address, SPS Username, Password, or PEM Encoded Certificate Chain.

If you change the Certificate, you must include the values for the Username and Password to confirm validity and pass the trust check.

Related Documents