One Identity Safeguard 2.5 - Evaluation Guide

Setting up a Starling account

We will be using Starling Two-Factor Authentication as our service provider for secondary authentication and Approval Anywhere. To get started, you must register a Starling Organization Admin account or a Collaborator account associated with the One Identity Hybrid subscription. Also, you must download the Starling 2FA app on your mobile phone to use the Approval Anywhere feature.

NOTE: For additional information and documentation regarding the Starling Cloud platform and Starling Two-Factor Authentication, see https://support.oneidentity.com/starling-two-factor-authentication/hosted/technical-documents.

To sign up for a Starling One Identity Hybrid service trial account

  1. Go to https://www.cloud.oneidentity.com/ and log in or register a new account for the Starling cloud platform.
    1. From the Starling home page, click Sign in to Starling.
    2. Enter a valid email address and click Next.
    3. Enter your password and click Sign In.
    4. On the Create your Account page, enter your organization and your mobile phone number.

    NOTE: If the email address you entered does not exist, you will be taken directly to the Create your Account page to register your organization and enter your name, password, and mobile phone number.

    When registering for the first time, you will be sent a verification email in which you must click the supplied link in order to complete the registration process.

  2. Once logged in, click the Trial button under the One Identity Hybrid tile. Follow the prompts on the screen.

    The service will be added to the My Services section and be available for use until the trial period has ended. The number of days left in your trail is indicated by a countdown at the top right of the service access button on the home page of Starling. At any point in the trial you can use the More Information button associated with the service to find out how to purchase the product.

Joining Starling

One Identity Starling Two-Factor Authentication is a software-as-a-service solution that provides two-factor authentication on a product enabling organizations to quickly and easily verify a user's identity. This service is provided as part of the One Identity Starling cloud platform. In addition Starling offers a hybrid service, One Identity Hybrid, that allows you to take advantage of companion features from multiple Starling services, such as Starling Two-Factor Authentication and Starling Identity Analytics & Risk Intelligence.

Joining Safeguard for Privileged Passwords to Starling addsSafeguard for Privileged Passwords to the One Identity Hybrid service allowing you to use features from both the Starling Two-Factor Authentication and Starling Identity Analytics & Risk Intelligence services.

Once Safeguard for Privileged Passwords is joined to Starling, the following Safeguard for Privileged Passwords features are enabled and can be implemented using Starling Two-Factor Authentication:

  • Secondary authentication

    Safeguard for Privileged Passwords supports two-factor authentication by configuring authentication providers, such as Starling Two-Factor Authentication, which are used to configure Safeguard for Privileged Passwords's authentication process such that it prompts for two sources of authentication when users log in to Safeguard for Privileged Passwords.

    A Starling 2FA service provider is automatically added to Safeguard for Privileged Passwords when you join Safeguard for Privileged Passwords to Starling. As an Authorizer or User Administrator, you must configure users to use Starling 2FA as their secondary authentication provider when logging in to Safeguard for Privileged Passwords.

  • Approval Anywhere

    The Safeguard for Privileged Passwords Approval Anywhere feature integrates its access request workflow with Starling Two-Factor Authentication, allowing approvers to receive a notification through an app on their mobile device when an access request is submitted. The approver can then approve (or deny) access requests through their mobile device without needing access to the desktop or web application.

    Approval Anywhere is enabled when you join Safeguard for Privileged Passwords to One Identity Starling. As a Security Policy Administrator, you must define the Safeguard for Privileged Passwords users authorized to use Approval Anywhere.

Later in the guide, we will step through the process of configuring a user to require two-factor authentication as well as logging in with two-factor authentication. We will also discuss how to define the users who are authorized to use Approval Anywhere to approve access requests.

To join Safeguard for Privileged Passwords to Starling

  1. Log into the Windows desktop client as ApplianceAdmin.
  2. From the Home page, navigate to  Administrative Tools | Settings | External Integration | Starling.
  3. Click Join to Starling.

    NOTE: The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard for Privileged Passwords will be joined with.

    After the join has successfully completed, you will be returned to the Safeguard for Privileged Passwords desktop client and the Starling settings pane will now show Joined to Starling. In addition, the Administrative Tools | Settings | External Integration | Secondary Authentication pane displays Starling 2FA as a secondary authentication provider.

Stay logged in as the ApplianceAdmin for setting up email notifications.

Setting up notifications

To demonstrate how Safeguard for Privileged Passwords sends out event notifications, you must configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur. For the purposes of this software evaluation, we have you set up a template for Access Request Auto-Approval.

To setup email notifications

  1. Navigate to  Administrative Tools and select Settings.
  2. In Settings, select External Integration | Email.
  3. To configure the Email notifications, enter these settings for all Safeguard for Privileged Passwords emails:
    SMTP Server Address

    Enter the IP address or FQDN of the mail server.

    NOTE: If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.

    SMTP Port

    Enter the TCP port number for the email service.

    Sender Email

    Enter your email address.

    Require Transport Layer Security Select this option to require that Safeguard for Privileged Passwords uses TLS to provide communication security over the internet.

To validate your setup

  1. Select the Test Email Settings link.
  2. Enter your email address as the Send To email address and click Send.

    Safeguard for Privileged Passwords sends an email using the configuration settings.

Creating local users

Local users do not have any Safeguard for Privileged Passwords administrative permissions. These users can be granted rights to request access, approve access requests, or review completed access requests.

Note: You can perform the exercises in this guide with directory users as well as local users. To do that, you must add a directory, the associated directory accounts, and directory users.

To streamline your software evaluation, we recommend that you simply use local users. The access request workflow is the same no matter what users perform them. To make your user experience more realistic, you can set up other local users from your test lab to be a "Requester", "Approver", and "Reviewer" or use the test users we suggest creating below.

To create local users

  1. Log into the Windows desktop client as UserAdmin.
  2. From the Home page, navigate to  Administrative Tools and select Users.
  3. In Users, click  Add User to add the following Safeguard for Privileged Passwords non-administrator users:
    Username Password Permissions Description
    Joe Test123 None The "Requester user", authorized to request access.
    Abe Test123 None

    The "Approver user", authorized to approve access requests.

    See the following procedure for more information on how to configure Abe for two-factor authentication.

    Ralph Test123 None The "Reviewer user", authorized to review past (or completed) access requests.
    Pete Test123 None The delegated partition owner.

To configure a user for two-factor authentication

NOTE: Abe will be authorized to approve access requests.

  1. As the UserAdmin add a new local user named "Abe".
  2. On the Authentication page,
    1. Authentication Provider: Select Local.
    2. User Name: Enter Abe.
    3. Password | Confirm Password: Enter Test123.
    4. Require Secondary Authentication: Select this check box.
    5. Authentication Provider: Select the Starling 2FA service provider.
    6. Use alternate mobile phone number: Optionally, select this check box and enter an alternate mobile number to be used for two-factor authentication notifications.
  3. On the Contact page,
    1. Mobile Phone: Enter your mobile phone number.
    2. Email Address: Enter a valid email address.
  4. Finish adding the local user to Safeguard for Privileged Passwords.
  5. Log out of Safeguard for Privileged Passwords.
  6. Log in as the PolicyAdmin and navigate to Administrative Tools | Settings | External Integration | Approval Anywhere.
  7. Click Add to add Abe as a user authorized to use the Approval Anywhere feature.
  8. Log out of Safeguard for Privileged Passwords.
Related Documents