Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.10 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Trusted Servers, CORS, and Redirects

You can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. By default, a single asterisk (*) means there are no restrictions. This will allow you to easily join multiple Safeguard for Privileged Passwords appliances together to form a cluster. In addition, you will also be able to link to a Safeguard for Privileged Sessions appliance. However, as a best practice, you should change or delete this value after configuring your cluster. It is recommended to set it to the empty string to prevent external CORS requests and login redirects to unknown servers. Or, set it to a list of known servers that integrate with the Safeguard API.

One or more values can be separated by a space, comma, or new line. Do not include the scheme, port, or path. The maximum length for the setting is 512 characters, including separators. Example values and additional details can be seen in the following table.

Table 178: Value detail

IPv4

No reverse DNS lookup will be performed. No scheme or port values are considered.

10.5.33.37

192.168.0.2

IPv6

No reverse DNS lookup will be performed. No scheme or port values are considered.

2001:0db8:85a3:0000:0000:8a2e:0370:7334

2001:0db8:85a3:0:0:8a2e:0370:7334

2001:db8::1:0:0:1

2001:db8::2:1

2001:db8::1

DNS/Host Names

Case insensitive match. No scheme or port values are considered. If using Internationalized Domain Names (IDN), you must also manually include the punycode equivalent.

spp.contoso.corp

primary.spp.contoso.corp

widget.contoso.corp

widget

DNS Wildcards

Only one level to the wildcard is allowed, just like SSL certificates. No scheme or port values are considered. If using Internationalized Domain Names (IDN), you must also manually include the punycode equivalent.

*.spp.contoso.corp

*.contoso.corp

CIDR Notation

Any DNS or host name values being validated will have DNS lookup performed to see if any resolved IP addresses are contained within any of the specified CIDR networks. No scheme or port values are considered.

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

76.240.155.0/24

fd12:3456:789a:1::/64

fd00::/8

Allow All

A single asterisk, no other values allowed.

*

Allow None

Delete all values and leave as the empty string.

 

Considerations:

  • When adding a new node to the Safeguard for Privileged Passwords cluster, the node’s host name or IP address must be specified in this list, or enter a single asterisk to allow all.
  • When linking Safeguard for Privileged Sessions to Safeguard for Privileged Passwords, the host name or IP address of the Safeguard for Privileged Sessions appliance must be specified in this list, or enter a single asterisk to allow all.
  • As a best practice, after clustering (or if using just a single appliance/VM), change the setting value to the empty string or a list of integration applications you wish to allow.

To set up Trusted Servers, CORS and Redirects:

  1. Go to Trusted Servers, CORS and Redirects:
    • web client: Navigate to External Integration | Trusted Servers, CORS and Redirects.
    • desktop client: Navigate to Administrative Tools | Settings | External Integration | Trusted Servers, CORS and Redirects.
  2. Refresh: Update the information displayed.
  3. In Allow Hosts, enter the list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. As mentioned above, the default is a single asterisk (*) which means there are no restrictions.
  4. Click OK (desktop client) or Save (web client).

Messaging settings (desktop client)

desktop client: To use Messaging, see Messaging settings

Password Management settings

desktop client only

Use the Password settings to define the profile configuration settings, including account password rules and password check and change schedules, which can then be used in profile definitions.

Navigate to Administrative Tools | Settings | Password Management.

Table 179: Profile settings
Setting Description
Account Password Rules

Where you define the complexity rules used by Safeguard for Privileged Passwords when constructing new passwords during an automatic account password change

Change Password

Where you define the rules Safeguard for Privileged Passwords uses to reset account passwords

Check Password

Where you define the rules Safeguard for Privileged Passwords uses to verify account passwords

Password sync groups

Where you define the password sync groups and associated accounts so Safeguard for Privileged Passwords can synchronize passwords across accounts

Account Password Rules

desktop client only

Navigate to Administrative Tools | Settings | Password Management | Account Password Rules.

Account password rules govern the construction of a new password created by Safeguard for Privileged Passwords during an automatic account password change. You can create rules governing the allowable account passwords, such as:

  • Set the allowable password length in a range from 3 to 225 characters.

    IMPORTANT: The default password length for a macrocosm partition does NOT meet the password requirements for Azure AD. If you are using the Starling Connect functionality with Azure AD, you will need to set the password range between 8 and 225 characters.

  • Set first characters type and last character type.
  • Allow uppercase letters, lowercase letters, numbers, and/or printable ASCII symbols along with the minimum amounts of each.
  • Identify excluded uppercase letters, lowercase letters, numbers, and symbols.
  • Identify if consecutive letters, numbers, and/or symbols can be repeated sequentially and, if allowed, set the maximum repetitions allowed.

NOTE: You select an account password rule set when defining a partition's profile. For more information, see Creating a password profile. An account password rule applies to all accounts governed by the profile.

Navigate to Administrative Tools | Settings | Password Management | Account Password Rules.

Use these toolbar buttons to manage your account password rules.

Table 180: Account Password Rules: Toolbar
Option Description
Add Account Password Rule

Add an account password complexity rule. For more information, see Adding an account password rule.

Delete Selected

Remove the selected rule.

Refresh

Update the list of account password rules.

Edit

Modify the selected rule.

Copy

Clone the selected rule.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating