One Identity Safeguard for Privileged Sessions 6.0.5 - inWebo Multi-Factor Authentication - Tutorial

Configure your inWebo account for SPS

1. Add users to your inWebo account.

   The users you want to authenticate with SPS must have an activated account in inWebo. For details on adding or importing your users, see Start provisioning your users on our platform in the inWebo documentation.

2. Enable Multi-factor Authentication (MFA) for your organization.

   Optionally, you can create a Multi-factor Policy in inWebo to enable MFA only for the group of users who you want to authenticate with SPS.

   For details, see 2-Step Multi-Factor Authentication using a Push request to a Smartphone in the inWebo documentation.

3. Create an API token.

   Navigate to Admin > API > Tokens, click Create Token, and save it.

Configure SPS to use inWebo multi-factor authentication

To configure SPS to use inWebo multi-factor authentication

1. Download the SPS inWebo plugin

   SPS customers can download the official plugin from GitHub.

2. Upload the plugin to SPS

   Upload the plugin to SPS. For details, see "Using a custom Authentication and Authorization plugin to authenticate on the target hosts" in the Administration Guide.

3. Configure the plugin on SPS

   The plugin includes a default configuration file, which is an ini-style configuration file with sections and name=value pairs. You can edit it on the Policies > AA Plugin Configurations page of the SPS web interface.

   1. Configure the usermapping settings if needed. SPS must find out which inWebo user belongs to the username of the authenticated connection. For that, it can query your LDAP/Microsoft Active Directory server. For details, see Mapping SPS usernames to inWebo identities.

   2. Configure other parameters of your plugin as needed for your environment. For details, see SPS inWebo plugin parameter reference.

4. Configure a Connection policy and test it

   Configure a Connection policy on SPS. In the AA plugin field of the Connection policy, select the SPS inWebo plugin you configured in the previous step, then start a session to test it. For details on how a user can perform multi-factor authentication, see Perform multi-factor authentication with the SPS inWebo plugin in terminal connections and Perform multi-factor authentication with the SPS inWebo plugin in Remote Desktop connections.

   Caution: According to the current inWebo policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired.

SPS inWebo plugin parameter reference

This section describes the available options of the SPS inWebo plugin.

The plugin uses an ini-style configuration file with sections and name=value pairs. This format consists of sections, led by a [section] header and followed by name=value entries. Note that the leading whitespace is removed from values. The values can contain format strings, which refer to other values in the same section. For example, the following section would resolve the %(dir)s value to the value of the dir entry (/var in this case).

[section name]
dirname=%(dir)s/mydirectory
dir=/var

All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.

You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.

[inwebo]
service_id=<your-inWebo-service-ID>
api_url=https://api.myinwebo.com/FS/
client_cert=$
timeout=60
http_socket_timeout=10
rest_poll_interval=1
ignore_conn_err=no

[auth]
prompt=Press Enter for push notification or type one-time password:
disable_echo=yes

[connection_limit by=client_ip_gateway_user]
limit=0

[authentication_cache]
soft_timeout=15
hard_timeout=90
conn_limit=5

######[WHITELIST]######

[whitelist source=user_list]
name=<name-of-user-list-policy>

[whitelist source=ldap_server_group]
allow=no_user
except=<group-1>,<group-2>

######[USERMAPPING]######

[usermapping source=explicit]
<user-name-1>=<id-1>
<user-name-2>=<id-2>

[usermapping source=ldap_server]
user_attribute=description

[username_transform]
append_domain=<domain-without-@-character>

[ldap_server]
name=<name-of-LDAP-server-policy>

[credential_store]
name=<name-of-credential-store-policy-that-hosts-sensitive-data>

[logging]
log_level=info

[https_proxy]
server=<proxy-server-name-or-ip>
port=3128

[question_1]
key=<name-of-name-value-pair>
prompt=<the-question-itself-in-text>
disable_echo=No

[question_2]...

[inwebo]

This section contains the options related to your inWebo account.

[inwebo]
service_id=<your-inWebo-service-ID>
api_url=https://api.myinwebo.com/FS/
# Do NOT use client_cert in production
; client_cert:
http_socket_timeout=5
ignore_conn_err=Yes
rest_poll_interval=1
timeout=25

service_id

Description: For SPS to be able to communicate with the inWebo server, a service ID is required. It is displayed on the inWebo Administration interface under the Service Users tab.

api_url

Description: The URL where the inWebo server can be accessed. Usually you can use the default value:

api_url=https://api.myinwebo.com/FS/

To override the access URL for the inWebo API, change the value.

client_cert

Description: For SPS to be able to communicate with the inWebo server, an unencrypted key is required. A certificate is generated by inWebo, which you have to store in the credential store of SPS. The X.509 certificate and the private key either has to be uploaded to SPS or copied into the configuration file. If you want to copy the X.509 certificate and the private key in PEM format inline, insert a whitespace before every line for both the certificate and the private key so that the configuration parser considers it a single value.

For details on using a local Credential Store to host this data, read Store sensitive plugin data securely.

1. In the inWebo Administration interface, navigate to Secure Sites and click Download a new certificate for the API. Configure the parameters (Authentication: Yes, Provisioning: No) and click Download.

   Decrypt the downloaded X.509 certificate with the following command: openssl rsa -in <certificate-file-name>.crt. Enter the required passphrase. The decrypted part of the certificate is displayed on the console screen.

   Copy the decrypted part from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, open the <certificate-file-name>.crt and replace the encrypted part with the copied decrypted part from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----.

timeout

Description: How long an HTTP request can take during the communication with the inWebo server.

http_socket_timeout

Description: How long the plugin waits for an approval when using the inWebo push notification factor. This option sets the timeframe (measured from the user initiating the connection to SPS) within which SPS must receive the approval from the inWebo server. SPS periodically asks the inWebo server to check if the user successfully authenticated on the inWebo server.

rest_poll_interval

Description: How often the plugin checks the inWebo server to see if the push notification was successful. Note that SPS rejects the connection of the user if it does not receive an approval for the push notification within the period set in http_socket_timeout.

ignore_conn_err

Description: Determines how to handle the sessions if the inWebo service is not available. If set to yes, the plugin assumes that the user successfully authenticated even if the plugin cannot access inWebo to verify this.