Chat now with support
Chat with Support

Safeguard Authentication Services 4.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting

Joining Authentication Services with Starling

Joining Authentication Services to Starling adds Authentication Services to the One Identity Hybrid service allowing you to use features from Starling Two-Factor Authentication.

To join Authentication Services with Starling

  1. From the Control Center, navigate to Preferences | Starling Two-Factor Authentication Join.
  2. Use the Product TIMs drop-down to select a valid Authentication Services with One Identity Hybrid subscription license.

  3. Click Join to Starling.

    NOTE: The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Authentication Services will be joined with.

    After the join has successfully completed, you will be returned to the Authentication Services Control Center and the Starling Two-Factor Authentication Join settings pane will display the following:

    • Product Name: Authentication Services.
    • Product Instance: Unique identifier for Starling.
    • Product License: License file you are using.

Logging in with Starling Two-Factor Authentication

Once Starling Two-Factor Authentication is enabled (that is, Authentication Services is joined to Starling and users are authorized to use Starling Two-Factor Authentication), anytime an authorized user attempts to log in to an integrated Unix-based host, they will see an additional login screen informing them that an additional authentication step is required.

The default prompt contains the following:

Enter a token or select one of the following options:

  1. Starling Push
  2. Phone call
  3. Send an SMS

Token or option (1-3) [1]: <Token or option number>

This default prompt can be modified in vas.conf.

vas.conf example:


The behavior of QAS Starling can be modified by using the following options in the [starling] section.


prompt = <boolean>

prompt = <message-text>

Default value: "Enter a token or select one of the following options:\n\n 1. Starling Push\n 2. Phone

call\n 3. Send an SMS\n \nToken or option (1-3)[1]: "

This is the message that is initially displayed during a Starling authentication.

This prompt can span multiple lines, line separation is specified by adding \n to the prompt string.

NOTE: Changing the prompt will not change what is accepted as input.


prompt = "Enter 1 for a push request, 2 for a phone call, 3 for a txt, or enter a token.\n "

NOTE: In order to display the prompts, the application must be able to handle pam conversations, such as sshd(keyboard-interactive). If the application can not handle pam conversations, such as sshd(password), a push authentication is sent instead of a prompt.

Unjoining from Starling

Unjoining Authentication Services from Starling disables Starling Two-Factor Authentication in Authentication Services.

To unjoin Authentication Services from Starling

  1. From the Control Center, navigate to Preferences | Starling Two-Factor Authentication Join.
  2. Click Unjoin Starling.

A Starling Organization Admin account or Collaborator account associated with the Starling One Identity Hybrid subscription can rejoin Authentication Services at any time.

Disabling Starling 2FA for a specific PAM service

To disable Starling 2FA for a specific PAM service, edit the PAM configuration file (/etc/pam.conf or /etc/pam.d/<service>). Modify the auth pam_vas line for the desired service.

To disable Starling 2FA for a specific PAM service

  1. As root, add the following line to the PAM configuration file, on the first auth pam_vas line for the service:


Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating