Password Manager 5.8.2 - Administrator Guide (AD LDS edition)


Custom Rule

You can use this rule to create your own password policy message, which is displayed on the Self-Service site when users change or reset their passwords. For example, use this rule to describe the settings of the local or domain password policy applied to the server on which AD LDS is running.

If you want to hide all other policy messages and display only your custom message to users, enable this policy rule, enter the message text, and select the Hide messages from other policy rules and display only this message check box. If you do not select this check box, messages from all enabled policy rules are displayed.

Note that this rule does not check whether the password complies with the configured password policy; it only displays text. Configure this rule to display your custom message instead of, or together with, the other policy messages when users change or reset passwords on the Self-Service site.

To configure the custom rule

  1. Follow the steps outlined in Configuring Password Policy Rules.
  2. On the Policy Rules tab, click Custom Rule to expand the rule settings.
  3. Under Custom Rule, select the Enable check box to enable this rule.
  4. Select the Hide messages from other policy rules and display only this message check box if you want users to see only the custom password rule message and hide all other password policy messages.
  5. In the text box, enter the rule message in the default language (English). To enter the message in other languages, click the Add new language link, select the language, specify the message, and click OK. Note that only the languages available for the user interface of the Self-Service site are listed.

Deleting a Password Policy

To delete a password policy

  1. On the home page of the Administration site, click the Password Policies tab.
  2. Click the <N> One Identity Password Policies link under the AD LDS instance that you want to manage.
  3. Click Remove under the policy that you want to delete.

    NOTE: When you delete a password policy, it no longer applies to the AD LDS instance. A deleted password policy cannot be restored; to recreate it, create a new policy and manually configure its settings as required.

One Identity Hybrid Subscription

The newest versions of One Identity's on-premises products offer a mandatory One Identity Hybrid Subscription, which helps you transition to a hybrid environment on your way to the cloud. The subscription enables you to join Password Manager to the One Identity Starling software-as-a-service platform. This gives your organization immediate access to a number of cloud-delivered features and services that expand the capabilities of Password Manager. When new products and features become available in One Identity Starling, the One Identity Hybrid Subscription allows you to use them immediately with Password Manager.

One Identity Starling

Password Manager 5.8.2 supports integration with One Identity Starling services. The Starling Join feature in Password Manager enables you to connect to One Identity Starling, the Software as a Service (SaaS) solution of One Identity. To use One Identity Starling, you have to purchase a One Identity Starling subscription. Each One Identity Starling subscription is registered with a phone number to which the token response for authentication or the push notification is sent. The token generation method depends on which method (SMS, phone call, OTP in the Starling 2FA app, or push notification) is enabled for your subscription.

Prerequisites to configure One Identity Starling

Before you configure Starling from Password Manager, ensure the following:

  • Users must have acquired valid Starling Credentials, such as a Starling Organization Admin account or a Collaborator account associated with the One Identity Hybrid subscription. For more information on Starling, see the One Identity Starling User Guide.
  • The Password Manager must be running on the computer where you want to configure Starling.
  • The Password Manager must have a managed domain.

To configure One Identity Starling for authentication

  1. On the home page of the Administration site, click the One Identity Starling tab.
  2. Click Join to Starling. You are redirected to the One Identity Starling website. Enter your One Identity Starling credentials to take advantage of connected services such as Two-Factor Authentication, Identity Analytics & Risk Intelligence, and more.

    NOTE: After you join to Starling, Password Manager deletes the old subscription for Starling Two-Factor Authentication.
  3. After successful verification, you are redirected to the One Identity Starling page on the Administration site.
  4. After the information is saved, the Starling Join status is displayed.

    NOTE: If you already have a Starling account, you receive a Starling invitation email when a subscription is created for you. Click the link in the email and log in to the Starling account.

    NOTE: If you do not have a Starling account, you receive a Starling Sign-up email when a subscription is created for you, which lets you complete the registration process and create a Starling account. Complete the registration and log in using the credentials that you provided during registration. For account creation details, see the One Identity Starling User Guide.
  5. Configure the Active Directory attribute to use for the user's phone number for Starling Two-factor Authentication. It can be configured in General Settings -> One Identity Starling -> Starling configurations.

Disconnecting One Identity Starling from Password Manager

To unjoin One Identity Starling, click Unjoin Starling. This deletes the joined instances from One Identity Starling services and removes the Starling Join information from storage. After the unjoin, the initial page is displayed.

One Identity Starling Two-factor Authentication for Password Manager

Because Password Manager handles confidential user details in both on-premises and cloud-based environments, an additional security measure such as two-factor authentication is appropriate. Password Manager supports One Identity's Starling Two-Factor Authentication service.

Starling Two-factor authentication provides enhanced security by requiring users to present two forms of authentication to Password Manager: a user name and password combination, plus a token response. The token response is delivered through an SMS, phone call, or push notification received on a physical device such as a mobile phone, that is, on a device other than the browser.

Registering to One Identity Starling 2FA

In order to use Starling 2FA, you must first register with the product. When you register with Starling 2FA using your mobile number, an SMS is delivered with the mobile app download link. Click the link to access the App Store or Play Store, from where you can download the Starling mobile application. Alternatively, go to the App Store or Play Store and search for and download the Starling app.

The following 2FA options are supported:

  1. Push Notification: After the Starling app is downloaded and registered with the user's email ID and mobile number, the user receives a push notification to Approve or Deny the Starling authentication.
  2. Voice: The user receives a voice call on the registered mobile number, and the OTP is read out during the call.
  3. SMS OTP: The user receives an OTP through SMS on the registered mobile number.
  4. Starling app OTP: The user opens the Starling app, copies the code from the app into Password Manager, and clicks Verify.

Logging in to the Web interface through 2FA authentication

When a Starling 2FA-enabled user tries to log in to the Password Manager Web interface, the user is prompted to enter the Starling Two-factor token response. Based on the option selected by the user, the token response is provided through SMS, phone call, or push notification.

After the user enters the token response and it is successfully verified, the Web interface is displayed.

NOTE: Push notification works only if the Starling app is installed on the device with the registered mobile number. The link to install the Starling app is sent to your registered mobile number at the time of registering with Starling.