Chat now with support
Chat with Support

Password Manager 5.9.5 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies One Identity Hybrid Subscription One Identity Starling Reporting Password Manager Integration Appendixes Glossary

One Identity Hybrid Subscription

The newest versions of One Identity's on-premises products offer a mandatory One Identity Hybrid Subscription, which helps you transition to a hybrid environment on your way to the cloud. The subscription enables you to join Password Manager with the One Identity Starling software-as-a-service platform. This gives your organization immediate access to a number of cloud-delivered features and services, which expand the capabilities of Password Manager. When new products and features become available to One Identity Starling, the One Identity Hybrid Subscription allows you to use these immediately for Password Manager to add value to your subscription.

One Identity Starling

One Identity Starling

Password Manager 5.9.5 supports integration with One Identity Starling services. The Starling Join feature in Password Manager now enables you to connect to One Identity Starling, the Software as a Service (SaaS) solution of One Identity. To use One Identity Starling, you have to purchase One Identity Starling subscription. Each One Identity Starling subscription is registered with a phone number to which the token response for authentication or the push notification is sent. The token generation method is dependent on the method (SMS, Phone call, OTP on Starling 2FA app or push notification) that is enabled for your subscription

Pre-requisites to configure One Identity Starling

Before you configure Starling using the Password Manager, ensure the following:

  • Users must have acquired valid Starling Credentials, such as a Starling Organization Admin account or a Collaborator account associated with the One Identity Hybrid subscription. For more information on Starling, see the One Identity Starling User Guide.
  • The Password Manager must be running on the computer where you want to configure Starling.
  • The Password Manager must have a managed domain.

To configure One Identity Starling for authentication

  1. On the home page of the Administration site, click the One Identity Starling tab.
  2. Click Join to Starling. It will redirect to One Identity Starling website. Enter your One Identity Starling credentials to take advantage of connected services like Two-Factor Authentication, Identity Analytics & Risk Intelligence, and more.

    NOTE: In case of Password Manager upgrade, you will not be able to see the old subscription key and the configuration details of Starling that were used for Starling Two factor Authentication. You will again have to Join Starling in the One Identity Starling page, with a valid Starling account.
  1. After successful verification, you will be redirected to One Identity Starling page on Administration site.
  2. After the information is saved, Starling Join status displays.

    NOTE: If you have a Starling account, when a subscription is created for you, you will receive a Starling invitation email. Click the link in the email and log in to the Starling account.

    NOTE: If you do not have a Starling account, when a subscription is created for you, you will get a Starling Sign-up email to complete a registration process to create a Starling account. Complete the registration and log in using the credentials that you have provided during registration. For account creation details, see the One Identity Starling User Guide.
  1. For Starling Two-Factor Authentication, you can configure user's phone number in the appropriate Active Directory's attribute and the same attribute must be configured in General Settings -> Reinitialization.

  2. In the Select the attribute of user’s account in Active Directory in which user’s Questions and Answers profile and Corporate phone will be stored section, configure the attribute of Corporate phone field. By default, the attribute value for Corporate phone is mobile.

Disconnecting One Identity Starling from Password Manager

To unjoin One Identity Starling, click Unjoin Starling. This deletes the joined instances from One Identity Starling services and the Starling Join information from storage. Once you unjoin, the initial page displays.

One Identity Starling Two-factor Authentication for Password Manager

Since Password Manager manages confidential Password Manager user details in both on-premises and cloud based environments, it is appropriate and safer to have an additional security measure such as the two-factor authentication. Password Manager now supports One Identity's Starling Two-Factor Authentication service.

The Starling Two-factor authentication provides enhanced security by necessitating users to provide two forms of authentication to Password Manger, namely a user name and password combination along with a token response. The token response is collected through an SMS, Phone call, or push notification received on a physical device such as a mobile or any other device other than the browser.

Registering to One Identity Starling 2FA

In order to use Starling 2FA, you must first register to the product. When you register to Starling 2FA using your mobile number, an SMS is delivered with the mobile app download link. Click on the link to access the App Store or Play Store from where you can download the Starling mobile application. Alternatively, you can go to the App Store or Play Store and search and download the Starling.

The following 2FA options are supported:

  1. Push Notification: After the Starling app is downloaded and registered with user’s email id and mobile number, the user will get a push notification to Approve or Deny Starling Authentication.
  2. Voice: The user will get a voice call on the registered mobile number and on call user will get an OTP.
  3. SMS OTP: The user will get an OTP through SMS on the registered mobile number.
  4. The user can open starling app and copy paste the code form the Starling app to Password Manager and click on Verify.
Logging in to Web interface through 2FA authentication

When a Starling 2FA enabled user tries to log in to the Password Manager Web interface, the user is prompted to enter the Starling Two-factor token response. Based on the option selected by the user, the token response is provided through SMS, Phone Call or Push Notifications.

On entering the token response and after successful verification the Web interface is displayed.

NOTE: Push Notification works only if the Starling App is installed on the device with registered mobile number. The link to install the Starling App will be sent to your registered mobile number at the time of registering to Starling.

Enable S2FA for Administrators & Enable S2FA for HelpDesk Users

Enable S2FA for Administrators and Enable S2FA for HelpDesk Users

This section describes the steps to enable Starling Two-Factor Authentication to protect Administration site and Helpdesk site users.

To enable S2FA for Administrators & HelpDesk Users

  1. On the home page of the Administration site, click the One Identity Starling tab.
  2. Select Enable S2FA for Administrators checkbox to protect the Administration site or select Enable S2FA for HelpDesk Users checkbox to protect the HelpDesk site with Starling Two-Factor Authentication. Select both checkboxes to enable authentication for both Administration and HelpDesk user sites.

    NOTE: The Administrator can choose which user’s active directory attributes to be used for the mobile number from the Specify user's AD attribute to authenticate the user dropdown box. The administrator can also specify additional active directory attributes to use for mobile number apart from the list.
  1. Click Save to save the settings.

NOTE: If the administrator user or the helpdesk user has not registered mobile number in the Active Directory, the administrator can send a preconfigured email to the respective users by clicking on the link displayed while configuration S2FA for Admin and Helpdesk site.

NOTE: If the administrator unjoins from the Starling, S2FA will stop the protection for Administration and HelpDesk sites.
Failsafe Login

In case of One Identity Starling downtime situation, a failsafe method is provided by Password Manager to log in. For such case, Password Manager creates a user qpms2faadmin to log in. The qpms2faadmin user is managed by the administrator.

If the One Identity Starling is down while login to Password Manager, the administration site prompts for user credential. The Administrator must provide the password for the qpms2faadmin user to authenticate and login to the administration site.

To work with a Failsafe Login account

  1. Enable the Failsafe Login account and create a password.
  2. Provide the samAccountname (logon name) as qpms2faadmin.
  3. Select the required UPN suffix from the drop-down list.
  4. Update the pre-windows 2000 logon to qpms2faadmin.

  5. Add the account to the local Administrators group and the local Password Manager Administrators group on the Password Manager server.

If the account is no longer required, disable the Failsafe Login account, rename the login and pre-windows 2000 logon field, and remove the account from the local Administrators group and the local Password Manager Administrators group on the Password Manager server.


Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating