立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 6.0 LTS - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

How do I add an external federation provider trust

It is the responsibility of the Appliance Administrator to configure the external federation service providers in Safeguard for Privileged Passwords.

To add an external federation service provider

  1. In Settings, select External Integration |Identity and Authentication.
  2. Click Add then select External Federation.
  3. In the External Federation dialog, supply the following information:
    1. Name: Enter a unique display name for the external federation service provider. The name is used for administrative purposes only and will not be seen by end users.

      Limit: 100 characters

    2. Realm: Enter a unique realm value, typically a DNS suffix, like contoso.com, that matches the email addresses of users intended to use this STS for authentication. A case-insensitive comparison will be used on this value when performing Home Realm Discovery.

      Wildcards are not allowed.

      Limit: 255 characters

    3. Federation Metadata File: Choose or enter the file path to the STS federation metadata file that you previously downloaded.
    4. Download Safeguard for Privileged Passwords Federation Metadata: If you have not done so before, click the link to download a copy of Safeguard for Privileged Passwords's federation metadata XML. You will need this file when creating the corresponding trust relationship on your STS server.

    NOTE: The federation metadata XML files typically contain a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure that it has not been edited.

How do I create a relying party trust for the STS

The process for creating the relying party trust in your STS (Security Token Service) will differ between applications and services. However, as stated earlier, you can download a copy of Safeguard for Privileged Passwords's federation metadata by clicking the link when you entered the STS information in Safeguard for Privileged Passwords. You can also download the Safeguard for Privileged Passwords federation metadata at any time using one of the following methods:

  • Click Settings | External Integration |Identity and Authentication. Click Download Safeguard Federation Metadata.
  • Download the file from the following URL:
https://<Safeguard for Privileged Passwords server>/RSTS/Saml2FedMetadata

If the STS does not support importing federation metadata, but instead requires you to manually input values, you will typically need an App ID and Login or Redirect URL. Both of these values can be copied from the Safeguard for Privileged Passwords federation metadata XML file you downloaded.

  • The App ID for Safeguard for Privileged Passwords will come from the entityID attribute of the <EntityDescriptor> element in the XML file.
  • The Login or Redirect URL will come from the Location attribute of the <AssertionConsumerService> element within the <SPSSODescriptor> element.

    NOTE: Only the HTTP-POST binding is supported for this end point.

You must then configure or ensure that the STS returns the authenticated user's email address as a SAML attribute claim. The email address must appear in either the standard SAML email address claim or name claim:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

If the emailaddress and name attribute claims are not present in the SAML assertion, the SAML Subject NameID can be used.

NOTE: Any other attributes or claims will be ignored.

The SAML Response or Assertion must be signed, but not encrypted. When the signing certificate used by your STS expires, you must update the metadata in Safeguard for Privileged Passwords by uploading a new copy of your STS's metadata file. Safeguard for Privileged Passwords will not automatically attempt to refresh the metadata.

NOTE: Your STS's metadata can contain more than one signing certificate to allow for a grace period between an expiring certificate and a new one.

For further details regarding specific STS servers, see the following knowledge base articles on the One Identity support site:

  • Configuring Microsoft's AD FS Relying Party Trust for Safeguard for Privileged Passwords: KB Article 233669
  • Configuring Microsoft's Azure AD for Safeguard for Privileged Passwords: KB Article 233671

How do I add an external federation user account

It is the responsibility of either the Authorizer Administrator or the User Administrator to add an associated external federation Safeguard for Privileged Passwords user.

Preparation

You must add external federation service providers to Safeguard for Privileged Passwords before you can add external federation users.

No user information, such as first name, last name, phone number, email address, is ever imported from the STS claims token. You must enter that information manually when creating the user in Safeguard for Privileged Passwords if you need it.

To add a user

  1. Navigate to Administrative Tools | Users.
  2. In Users, click Add User from the toolbar.
  3. In the User dialog, provide information in each of the tabs:

How do I manage accounts on unsupported platforms

Safeguard for Privileged Passwords makes it possible for you to manage passwords for accounts on unsupported platforms and not addressed by a Custom platforms.

You will use a profile with a manual change password setting.

For example, you may have an asset that is not on the network. The manual change password setting allows you to comply with your company policies to change account passwords on a regular schedule without using the Safeguard for Privileged Passwords automatic change password settings. Safeguard for Privileged Passwords notifies you by email, toast notification, or both on a set schedule to change account passwords manually. You can then reset the password yourself, or allow Safeguard for Privileged Passwords to generate a random password according to the password rule selected in the profile.

Important: After you change the password in Safeguard for Privileged Passwords you must remember to change the password on the account; Safeguard for Privileged Passwords does not do that automatically for you.

The following summarizes the general workflow for managing accounts on unsupported platforms.

To manage account passwords manually

  1. Configure a profile with a manual change password setting and assign asset accounts to it. For more information, see Adding change password settings.
  2. Ensure toast notifications or email notifications are properly configured. For more information, see Settings (desktop client) or Enabling email notifications.
  3. When notified to change an account password, choose the Set Password option you prefer:
    1. Generate Password: To have Safeguard for Privileged Passwords generate a new random password , that complies with the password rule that is set in the account's profile.
      1. Click Generate Password to display the Password Change dialog.
      2. Click Show Password to reveal the new password.
      3. Click  Copy to place the value into your copy buffer.

        • Log in to your device, using the old password, and change it to the value in your copy buffer.
      4. Click Success to change the password in the Safeguard for Privileged Passwords database.
    2. Manual Password: To manually set the account password in the Safeguard for Privileged Passwords database.
      1. Click Manual Password to display the Set Password dialog.
      2. Enter and save a new password.

        OK updates the Safeguard for Privileged Passwords database.

      3. Set the account password on the physical device to synchronize it with Safeguard for Privileged Passwords.

 

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级