
Password Manager 5.9.5 - Administration Guide (AD LDS edition)


One Identity Starling

Password Manager 5.9.5 supports integration with One Identity Starling services. The Starling Join feature in Password Manager enables you to connect Password Manager to One Identity Starling, the Software as a Service (SaaS) platform of One Identity. To use One Identity Starling, you must purchase a One Identity Starling subscription. Each One Identity Starling subscription is registered with a phone number to which the token response for authentication or the push notification is sent. The token generation method depends on which method (SMS, phone call, OTP from the Starling 2FA app, or push notification) is enabled for your subscription.

Prerequisites to configure One Identity Starling

Before you configure Starling using Password Manager, ensure the following:

  • Users must have valid Starling credentials, such as a Starling Organization Admin account or a Collaborator account associated with the One Identity Hybrid subscription. For more information on Starling, see the One Identity Starling User Guide.
  • Password Manager must be running on the computer on which you want to configure Starling.
  • Password Manager must have a managed domain.

To configure One Identity Starling for authentication

  1. On the home page of the Administration site, click the One Identity Starling tab.
  2. Click Join to Starling. You are redirected to the One Identity Starling website. Enter your One Identity Starling credentials to take advantage of connected services such as Two-Factor Authentication, Identity Analytics & Risk Intelligence, and more.

    NOTE: After a Password Manager upgrade, the old subscription key and the Starling configuration details that were used for Starling Two-Factor Authentication are no longer shown. You must join Starling again on the One Identity Starling page with a valid Starling account; re-join before relying on S2FA to protect the Administration and Helpdesk sites.
  3. After successful verification, you are redirected to the One Identity Starling page on the Administration site.
  4. After the information is saved, the Starling Join status is displayed.

    NOTE: If you already have a Starling account, you receive a Starling invitation email when a subscription is created for you. Click the link in the email and log in to your Starling account.

    NOTE: If you do not have a Starling account, you receive a Starling sign-up email when a subscription is created for you. Complete the registration and log in with the credentials you provided during registration. For account creation details, see the One Identity Starling User Guide.
  5. For Starling Two-Factor Authentication, store each user's phone number in the appropriate directory attribute, and configure that same attribute under General Settings -> Reinitialization.
  6. In the Select the attribute of user’s account in Active Directory in which user’s Questions and Answers profile and Corporate phone will be stored section, configure the attribute for the Corporate phone field. By default, the Corporate phone attribute is mobile.

Disconnecting One Identity Starling from Password Manager

To unjoin One Identity Starling, click Unjoin Starling. This deletes the joined instance from One Identity Starling services and removes the Starling Join information from storage. After the unjoin, the initial page is displayed. Note that unjoining also ends Starling Two-Factor Authentication protection of the Administration and Helpdesk sites, so plan the unjoin as a change to those sites' access controls.

One Identity Starling Two-factor Authentication for Password Manager

Because Password Manager handles confidential user details in both on-premises and cloud-based environments, an additional security measure such as two-factor authentication is appropriate. Password Manager supports One Identity's Starling Two-Factor Authentication service.

Starling Two-Factor Authentication provides enhanced security by requiring users to present two forms of authentication to Password Manager: a user name and password combination, and a token response. The token response is delivered by SMS, phone call, or push notification to a physical device such as a mobile phone, that is, to a device other than the browser used to log in.

Registering to One Identity Starling 2FA

To use Starling 2FA, you must first register with the service. When you register with Starling 2FA using your mobile number, an SMS containing the mobile app download link is delivered to that number. Tap the link to open the App Store or Play Store and download the Starling mobile application. Alternatively, open the App Store or Play Store, search for Starling, and download the app.

The following 2FA options are supported:

  1. Push Notification: After the Starling app is installed and registered with the user's email address and mobile number, the user receives a push notification to Approve or Deny the Starling authentication.
  2. Voice: The user receives a voice call on the registered mobile number, and the OTP is read out during the call.
  3. SMS OTP: The user receives the OTP by SMS on the registered mobile number.
  4. Starling app OTP: The user opens the Starling app, copies the code it displays into Password Manager, and clicks Verify.

Logging in to the Web interface through 2FA authentication

When a Starling 2FA-enabled user tries to log in to the Password Manager Web interface, the user is prompted to enter the Starling Two-Factor token response. Depending on the option the user selects, the token response is delivered by SMS, phone call, or push notification.

After the user enters the token response and it is verified successfully, the Web interface is displayed.

NOTE: Push notification works only if the Starling app is installed on the device that has the registered mobile number. The link to install the Starling app is sent to your registered mobile number when you register with Starling.

Enable S2FA for Administrators and Enable S2FA for HelpDesk Users

This section describes how to enable Starling Two-Factor Authentication to protect users of the AD LDS Administration site and the Helpdesk site.

To enable S2FA for Administrators and HelpDesk Users

  1. On the home page of the AD LDS Administration site, click the One Identity Starling tab.
  2. Select the Enable S2FA for Administrators checkbox to protect the AD LDS Administration site, or select the Enable S2FA for HelpDesk Users checkbox to protect the HelpDesk site, with Starling Two-Factor Authentication. Select both checkboxes to protect both sites.

    NOTE: From the Specify user's AD attribute for mobile number to authenticate the user dropdown box, the Administrator chooses which attribute of the user's account (mobile, telephone number, home phone number, or a custom attribute) holds the number used for authentication. The Administrator can also add a custom attribute to the existing list. Make sure the selected attribute is populated for every administrator and helpdesk user before you save: a user with no number in that attribute has nowhere to receive the token response.
  3. Click Save to save the settings.

NOTE: If the administrator unjoins from Starling, S2FA protection for the AD LDS Administration and HelpDesk sites stops.
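The procedure above leaves the choice of phone attribute to the administrator but gives no way to confirm that the attribute is actually populated before S2FA is switched on. The following PowerShell script is an added example, not part of the One Identity documentation or product: it queries the AD LDS instance directly through System.DirectoryServices and lists the users whose chosen phone attribute is empty or not in international (+country code) form. The server address, partition DN, attribute name, optional group DN, and the E.164 pattern are assumptions; adjust them for your instance and confirm the number format your Starling subscription accepts.

```powershell
<#
  Added example (not One Identity code): audit the phone attribute that
  Password Manager will use for Starling 2FA before enabling S2FA.
  Assumed values (hypothetical): AD LDS instance adlds01:50000, partition
  CN=PasswordManager,DC=example,DC=com, attribute 'mobile', optional group DN.
#>
param(
    [string]$Server         = 'adlds01:50000',
    [string]$SearchBase     = 'CN=PasswordManager,DC=example,DC=com',
    [string]$PhoneAttribute = 'mobile',
    [string]$GroupDn        = ''   # DN of the admin or helpdesk group; empty = all users
)

# Bind with the current Windows credentials; the AD LDS instance must accept them.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$SearchBase")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# memberOf is a back-link, so restricting to a group is a single filter term.
# (Escape any parentheses or asterisks in $GroupDn per RFC 4515 before use.)
$searcher.Filter   = if ($GroupDn) { "(&(objectClass=user)(memberOf=$GroupDn))" } else { '(objectClass=user)' }
$searcher.PageSize = 500   # paged search, so the server's result limit is not hit
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add($PhoneAttribute)

# E.164 shape ('+' followed by 8 to 15 digits) is an assumption; SMS and voice
# delivery need a routable international number, so anything else is flagged.
$e164 = '^\+[1-9]\d{7,14}$'

$missing   = New-Object System.Collections.Generic.List[string]
$malformed = New-Object System.Collections.Generic.List[string]

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $dn     = [string]$r.Properties['distinguishedname'][0]
        $values = $r.Properties[$PhoneAttribute.ToLower()]   # result keys are lower-case
        if ($null -eq $values -or $values.Count -eq 0) { $missing.Add($dn); continue }
        # Strip the spaces, dashes and parentheses people type into phone fields.
        $normalized = ([string]$values[0]) -replace '[\s\-\(\)]', ''
        if ($normalized -notmatch $e164) { $malformed.Add("$dn => '$($values[0])'") }
    }
}
finally { $results.Dispose() }

"Users with no value in '$PhoneAttribute': $($missing.Count)"
$missing   | ForEach-Object { "  $_" }
"Users whose '$PhoneAttribute' is not in +<country><number> form: $($malformed.Count)"
$malformed | ForEach-Object { "  $_" }

# A non-zero exit code lets this gate the change: enable S2FA only when it is clean.
if ($missing.Count -or $malformed.Count) { exit 1 }
```

Run it once per attribute you plan to select (mobile, telephoneNumber, homePhone, or the custom attribute) and once per group whose site you are protecting; a clean run for the Administrators group before enabling S2FA for Administrators is the check that prevents locking yourself out of the Administration site.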

Failsafe Login

In case One Identity Starling is unavailable, Password Manager provides a failsafe method to log in. For this purpose, Password Manager creates a user named qpms2faadmin. The qpms2faadmin user is managed by the administrator.

If One Identity Starling is down when a user logs in to Password Manager, the AD LDS Administration site prompts for user credentials. The Administrator must provide the password for the qpms2faadmin user to authenticate and log in to the AD LDS Administration site. Because this account grants Administration site access without a Starling token response while Starling is unavailable, treat it as a break-glass credential: set a strong password, store it securely, and review every use of it.


Reporting and User Action History Overview

Password Manager provides a simple and convenient way to view, print, and save reports and charts that let you analyze how the application is used. The reporting functionality in the solution is based on Microsoft SQL Server Reporting Services as the common reporting environment.

The Reports section of the Administration site includes a number of predefined reports that help you perform the following tasks:

  • Track user registration activity
  • Analyze information about what actions are performed by users in Password Manager
  • Check users’ registration status
  • View a list of users whose Questions and Answers profiles must be updated to comply with the current administrator-defined settings
  • Track helpdesk operators’ activity

The user action history provides records of all actions performed by users registered with Password Manager. You can search these records using full-text search. The user action history is provided by the Enterprise Auditing Service embedded in Password Manager.

To use Password Manager reports, you must connect to both a SQL Server and a Report Server.

To use the user action history functionality, you need to connect to a SQL Server only.



Alternative options

Starting with Password Manager 5.9.5, you can use the predefined Power BI templates to generate interactive reports as an alternative to the Reporting Services-based reports. For more information on Power BI, see the Working with Power BI section.
