One Identity Safeguard 2.5 - Administration Guide


Application to Application

In order for third-party applications to use the Application to Application service to integrate with the Safeguard for Privileged Passwords vault, you must first register the application in Safeguard for Privileged Passwords. This can be done using the Administrative Tools | Settings | External Integration | Application to Application pane.

The Application to Application pane displays a list of previously registered third-party applications. From this page, the Security Policy Administrator can add new application registrations, and modify or remove existing registrations.

The Application to Application pane displays the following details about application registrations.

Table 185: Application to Application: Properties
Property Description

Name

The name assigned to the application's registration.

Certificate User

The name of the certificate user associated with the registered application.

NOTE: If there is no certificate user listed for an application registration, contact your Security Policy Administrator to add one. The Application to Application service on the third-party application will not work with the Safeguard for Privileged Passwords vault until a certificate user has been specified.

Enable/Disable

Indicates whether the application registration is enabled. The toggle appears blue with the switch to the right when a registration is enabled and gray with the switch to the left when a registration is disabled. Click the toggle to enable or disable an application registration.

NOTE: When an application registration is disabled, Application to Application access is disabled for that third-party application until the registration is enabled again.

Description

Information about the application's registration.

Use these toolbar buttons to manage application registrations.

Table 186: Application to Application: Toolbar
Option Description

Add

Add an application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration.

Delete Selected

Remove the selected application registration from Safeguard for Privileged Passwords. For more information, see Deleting an application registration.

Refresh

Update the list of application registrations.

Edit

Modify the selected application registration.

API Keys

Display the API keys that were generated for Access Request Broker or Credential Retrieval. An API key can then be copied and used in the third-party application to authenticate with Safeguard for Privileged Passwords.

NOTE: For credential retrieval, the registration process generates an API key for each managed account. However, for access request broker, the registration process generates a single API key for all users or user groups that are added.

About Application to Application functionality

Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:

  • Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard-coded passwords in procedures, scripts, and other programs with programmatic calls.
  • Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.
Credential retrieval

A credential retrieval request using the Application to Application service allows the third-party application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.

For example, say you have an automated system that performs a routine system diagnostic on various services in the data center every 24 hours. In order for the automated system to perform the diagnostics, it must first authenticate to the target server. Since all of the credentials for the target servers are stored in the Safeguard for Privileged Passwords vault, the automated system retrieves the credentials for a specified system by calling the Application to Application service.

Access request broker

An access request broker request using the Application to Application service allows the application to create an access request on behalf of another user.

For example, say you have a ticketing system and one of the types of tickets that can be created is to request access to a specific asset. The ticketing system can be integrated with Safeguard for Privileged Passwords through the Application to Application service to create an access request on behalf of the user that entered the ticket into the system. Once the request is created, it follows the normal access request workflow in Safeguard for Privileged Passwords and the user who entered the ticket will be notified when access is granted.

In order for a third-party application to perform one of the tasks provided by the Application to Application service, the application must first be registered with Safeguard for Privileged Passwords. This registration is associated with a certificate user, and authentication to the Application to Application service is done using that certificate together with an API key. The registered application is not allowed to authenticate to Safeguard for Privileged Passwords for any purpose other than the one specified in its registration. The properties associated with an application registration are:

  • API key: As part of the registration process, an API key is generated. An administrator must then copy this API key and make it available to the third-party application.
  • Certificate user: In addition to the API key, the application registration must be associated with a certificate user. The certificate that is associated with the certificate user must be signed by a certificate authority that is also trusted by Safeguard for Privileged Passwords.

    NOTE: Use your corporate PKI for issuing this certificate and installing it on the third-party application.

The Application to Application service is disabled by default and must be enabled before any credential retrievals or access request broker functions can be performed. An Appliance administrator can use the desktop client or Safeguard for Privileged Passwords API to enable the service.

Using the desktop client:

  1. Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service.
  2. Click the Application to Application Enabled toggle to enable the service.

Using the API, use the following URL:

https://appliance/service/appliance/v2/A2AService/Enable

In addition, you can check the current state of the service using this same desktop client page or using the following URL:

https://appliance/service/appliance/v2/A2AService/Status

Related Topics

What needs to be set up to use Application to Application

How do I make a request using the Application to Application service

Adding an application registration

Allowing a third-party application to perform one of the tasks provided by the Application to Application service starts with registering the third-party application with Safeguard for Privileged Passwords.

Prerequisites:
  • User Administrator adds certificate users to Safeguard for Privileged Passwords.
  • Asset Administrator adds assets and accounts to Safeguard for Privileged Passwords.

To add an application registration

  1. Log into the Safeguard for Privileged Passwords desktop client as a Security Policy Administrator.
  2. Navigate to Administrative Tools | Settings | External Integration | Application to Application.
  3. Click Add.

    The New Registration dialog displays.

  4. On the General tab, specify the following information: 
    1. Name: Enter a name for the application registration.
    2. Description: Enter information about the application registration.
    3. Certificate User: Click Browse to select the certificate user who is associated with the third-party application being registered.

      NOTE: You do not need to specify a certificate user when you initially add an application registration. Once the User Administrator creates the certificate user associated with the application, use the Edit button on the Application to Application pane to specify the certificate user. The Application to Application service on the third-party application will not work with the Safeguard for Privileged Passwords vault until a certificate user has been specified.

    4. I want to configure this registration for: Select the tasks to be performed by the Application to Application service:

      • Access Request Broker: Select this check box if you want the third-party application to create an access request on behalf of another user.
      • Credential Retrieval: Select this check box if you want the third-party application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.

      Depending on the check boxes selected, additional tabs are displayed.

  5. The Access Request Broker tab displays the list of users on whose behalf the third-party application can create an access request.

    • Click to add a user or user group to the list.
    • Click Edit Restrictions to specify IP address restrictions for all of the users and user groups in the list.

      A restriction is a list of IP addresses or IP address ranges that are allowed to call the Application to Application service to perform this task. That is, once a restriction is added to a Credential Retrieval or Access Request Broker task, the service only accepts requests that originate from the IP addresses specified in the restriction list.

      The IP address notation can be:

      • An IPv4 or IPv6 address (for example, 10.5.32.4)
      • An address range in CIDR notation (for example, 10.5.0.0/16)

    • Click to remove the selected user from the list.
  6. The Credential Retrieval tab displays the list of accounts for which the third-party application can retrieve credentials from Safeguard for Privileged Passwords without going through the normal workflow process.

    • Click to add an account to the list.
    • Click Restrictions in the Restrictions column to specify IP address restrictions for the selected account.

      A restriction is a list of IP addresses or IP address ranges that are allowed to call the Application to Application service to perform this task. That is, once a restriction is added to a Credential Retrieval or Access Request Broker task, the service only accepts requests that originate from the IP addresses specified in the restriction list.

      The IP address notation can be:

      • An IPv4 or IPv6 address (for example, 10.5.32.4)
      • An address range in CIDR notation (for example, 10.5.0.0/16)

    • Click to remove the selected account from the list.
  7. Click Create Registration.
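The restriction rule described in steps 5 and 6, as an added example that is not code from the guide or from the product: a small Python model of how an allow-list of IPv4/IPv6 addresses and CIDR ranges gates a caller's source address, useful for validating a restriction list before entering it and for reasoning about which callers it admits. The function names and sample addresses are constructed; treating an empty list as "no restriction" follows the guide's wording, while the handling of IPv4-mapped IPv6 callers is an assumption about dual-stack listeners, not something the guide states.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_restriction(entry: str) -> Network:
    """Parse one restriction entry as the guide describes it: a single IPv4 or
    IPv6 address (kept as a /32 or /128 network) or a range in CIDR notation.
    strict=True rejects prefixes with host bits set, such as 10.5.32.4/16,
    which usually indicate a typo rather than an intended range."""
    return ipaddress.ip_network(entry.strip(), strict=True)


def invalid_entries(entries: Iterable[str]) -> List[str]:
    """Return the entries that are not a valid address or CIDR range, so a
    restriction list can be checked as a whole before it is applied."""
    bad = []
    for entry in entries:
        try:
            parse_restriction(entry)
        except ValueError:
            bad.append(entry)
    return bad


def caller_allowed(caller_ip: str, restrictions: List[str]) -> bool:
    """Apply the guide's rule: with no restriction configured every source
    address is accepted; once a list exists, only callers whose source address
    is one of the listed addresses or lies inside one of the ranges are accepted."""
    if not restrictions:
        return True
    addr = ipaddress.ip_address(caller_ip)
    # Assumption: a dual-stack listener may report an IPv4 caller as
    # ::ffff:a.b.c.d; compare the embedded IPv4 address so an IPv4 entry matches.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership is version-aware: an IPv4 address never matches an IPv6 range.
    return any(addr in parse_restriction(r) for r in restrictions)


if __name__ == "__main__":
    # Constructed sample list mixing the three notations the guide allows.
    allowed = ["10.5.32.4", "10.5.0.0/16", "2001:db8::/32"]
    print("invalid entries:", invalid_entries(allowed + ["10.5.32.4/16"]))
    for ip in ["10.5.77.1", "10.6.0.1", "2001:db8::1", "::ffff:10.5.32.4"]:
        print(f"{ip:>20} -> {'allowed' if caller_allowed(ip, allowed) else 'denied'}")
```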

Once an application registration is added to Safeguard for Privileged Passwords, the third-party application can authenticate with Safeguard for Privileged Passwords using the API key that was generated and the certificate that was associated with the registration. To make a request, you must retrieve the relevant API key for the application using an authorized account (that is, using bearer token authentication) and install the correct certificate on the host that will make the request. For more information, see How do I make a request using the Application to Application service.

Deleting an application registration

Click Delete on the Application to Application pane in the External Integration settings view to delete an application registration from Safeguard for Privileged Passwords.

To delete an application registration

  1. Navigate to Administrative Tools | Settings | External Integration | Application to Application.
  2. Select the application registration to be deleted.
  3. Click the Delete Selected toolbar button.
  4. Confirm your request.