
Safeguard Authentication Services 5.0.1 - Administration Guide


Starling Two-Factor Authentication requirements

In order to use Starling Two-Factor Authentication with Safeguard Authentication Services, you will need the following:

  • A valid license for Safeguard Authentication Services.
  • A Starling Organization Admin account or a Collaborator account. For more information on Starling, see the One Identity Starling Hosted User Guide.
  • An Active Directory group for Starling users.

    NOTE: All Starling users must have the following defined in order to work with Starling 2FA:

    • Valid email address
    • Valid mobile phone number in E.164 format (that is, +<country code><area code><phone number>)
    • Membership in this Starling group, as dictated by GPO

    For more information, see Setting up Starling users.

  • Safeguard Authentication Services 4.2 (or later)
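The three per-user prerequisites in the NOTE above can be checked in bulk before a group is enrolled. The following is an added example, not One Identity code: the record keys (`name`, `email`, `mobile`, `groups`) and the sample accounts are constructed for illustration, and the email test is a shape check only.

```python
import re

# E.164: "+" followed by country code and national number, at most
# 15 digits in total, first digit non-zero, no spaces or punctuation.
E164 = re.compile(r"\+[1-9]\d{1,14}")
# Deliberately loose shape check; it does not prove the mailbox exists.
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def starling_gaps(user, starling_group):
    """Return the unmet Starling 2FA prerequisites for one user record."""
    gaps = []
    if not EMAIL.fullmatch(user.get("email") or ""):
        gaps.append("email")
    if not E164.fullmatch(user.get("mobile") or ""):
        gaps.append("mobile")
    groups = {g.lower() for g in user.get("groups", [])}
    if starling_group.lower() not in groups:
        gaps.append("group")
    return gaps


def audit(users, starling_group):
    """Map account name -> list of gaps, for users that are not ready."""
    report = {}
    for user in users:
        gaps = starling_gaps(user, starling_group)
        if gaps:
            report[user["name"]] = gaps
    return report


# Constructed sample records (hypothetical accounts, not real data).
SAMPLE_USERS = [
    {"name": "alice", "email": "alice@example.com",
     "mobile": "+14155550100", "groups": ["Sales"]},
    {"name": "bob", "email": "bob@example.com",
     "mobile": "(415) 555-0101", "groups": ["sales"]},
    {"name": "carol", "email": "",
     "mobile": "+442079460000", "groups": ["engineering"]},
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_USERS, "sales").items():
        print(f"{name}: missing or invalid {', '.join(gaps)}")
```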

The following table provides a list of supported platforms for integrating Safeguard Authentication Services with Starling Two-Factor Authentication.

NOTE: PPC64 and PPC64LE architectures require a kernel greater than 2.6.37.

Table 21: Starling 2FA: Supported platforms

| Platform | Version | Architecture |
|---|---|---|
| CentOS Linux | 5, 6, 7, 8 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64 |
| Debian | Current supported releases | x86_64, x86, AARCH64 |
| Fedora Linux | Current supported releases | x86_64, x86, AARCH64 |
| FreeBSD | 10.x, 11.x | x32, x64 |
| IBM AIX | 7.1, 7.2 | Power 4+ |
| OpenSuSE | Current supported releases | x86_64, x86, AARCH64 |
| Oracle Enterprise Linux (OEL) | 5, 6, 7, 8 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64 |
| Oracle Solaris | 10 8/11, 11.x | SPARC, x64 |
| Red Hat Enterprise Linux (RHEL) | 5, 6, 7, 8 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64 |
| SuSE Linux Enterprise Server (SLES)/Workstation | 11, 12, 15 | Current Linux architectures: s390, s390x, PPC64, PPC64le, ia64, x86, x86_64, AARCH64 |
| Ubuntu | Current supported releases | x86_64, x86, AARCH64 |

Setting up Starling users

A new Group Policy Object has been added to Safeguard Authentication Services to manage the group file for Starling, which is located in /etc/opt/quest/vas/users.starling.

Sample users.starling file

# This assumes that the host has been joined to the example.com domain.
# To validate the users.starling file, run:
# vastool info acl
#
# This file controls which users have Starling applied to them during login based
# on group membership.
# For entries:
# If DOMAIN is omitted (simple name given), it is assumed to be the joined domain.
# Entries are case insensitive.
# DOMAIN can be either long (FQDN) or short (NetBIOS).
# Apply Starling to members of the sales and engineering groups.
# The entry DOMAIN\SamAccountName format is preferred.
EXAMPLE\sales
engineering

This file can be manually created or set using the GPO.
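Because this file decides which logins get a second factor, a hand-edited copy is worth linting before it is deployed. The following is an added example, not One Identity code: it applies only the entry rules stated in the sample file's comments, the function name and the `PARTNER` domain are hypothetical, and it checks syntax only, without looking groups up in Active Directory.

```python
def lint_users_starling(text, joined_fqdn, joined_netbios):
    """Parse users.starling text.

    Returns (groups, findings): groups is the ordered list of unique
    (domain, group) pairs, lowercased because entries are case
    insensitive; findings is a list of (line_number, message).
    """
    joined = {joined_fqdn.lower(), joined_netbios.lower()}
    groups, findings, first_seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, sep, name = line.rpartition("\\")
        if sep and (not domain or not name or "\\" in domain):
            findings.append((lineno, "malformed entry: " + line))
            continue
        if not sep:
            findings.append((lineno, "no DOMAIN given, joined domain assumed: " + line))
        domain = domain.lower()
        # Long and short names of the joined domain refer to the same domain.
        if not sep or domain in joined:
            domain = joined_fqdn.lower()
        key = (domain, name.lower())
        if key in first_seen:
            findings.append((lineno, "duplicate of line %d: %s" % (first_seen[key], line)))
            continue
        first_seen[key] = lineno
        groups.append(key)
    return groups, findings


# Constructed sample input modelled on the file shown above.
SAMPLE = "\n".join([
    "# Apply Starling to members of these groups.",
    "EXAMPLE\\sales",
    "engineering",
    "example.com\\Sales",
    "\\helpdesk",
    "PARTNER\\Contractors",
])

if __name__ == "__main__":
    groups, findings = lint_users_starling(SAMPLE, "example.com", "EXAMPLE")
    for domain, group in groups:
        print("2FA group: %s\\%s" % (domain, group))
    for lineno, message in findings:
        print("line %d: %s" % (lineno, message))
```

On the host itself, `vastool info acl` remains the validation step the sample file names.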

To enable Starling for users using the GPO

  1. Open your Group Policy management system.
  2. Select the applicable group policy.
  3. Navigate to Computer configuration | Unix Settings | Starling.
  4. Double-click users.starling.
  5. Add the groups that contain the users to be enabled to use Starling 2FA.

It may take up to 90 minutes for this configuration change to be applied. To apply the change sooner, run vgptool apply.

Joining Safeguard Authentication Services with Starling

Joining Safeguard Authentication Services to Starling allows you to use features from Starling Two-Factor Authentication.

To join Safeguard Authentication Services with Starling

  1. From the Control Center, navigate to Preferences | Starling Two-Factor Authentication.
  2. In the Join to Starling and enable Two-Factor Authentication pane, click Starling Join Settings.
  3. On the Starling Two-Factor Authentication dialog, use the Product TIMs drop-down to select a valid Safeguard Authentication Services license.

    NOTE: The other fields on this dialog are read-only and contain the following information after you successfully join to Starling:

    • Product Name: Displays Safeguard Authentication Services.
    • Product Instance: Displays the unique identifier for Starling.
  4. Click Join to Starling.

    NOTE: The following additional information may be required:

    • If you do not have an existing session with Starling, you will be prompted to authenticate.
    • If your Starling account belongs to multiple organizations, you will be prompted to select which organization Safeguard Authentication Services will be joined with.

    After the join has successfully completed, you will be returned to the Safeguard Authentication Services Control Center and the Join to Starling and enable Two-Factor Authentication pane will display the following:

    • Product Instance: Displays the unique identifier for Starling. You can click the Copy button to the right of this field to copy the product instance identifier to your desktop.
    • Starling Join State: Displays either Joined or Unjoined.

Configuring Starling to use a proxy server

The Starling Proxy Settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, Safeguard Authentication Services uses the configured proxy server for outbound web requests to Starling.

NOTE: One Identity recommends you use an automatic configuration script (proxy PAC file). To specify a previously configured PAC file, select the Use automatic configuration script check box and enter the address of the proxy.pac file.

To configure Starling to use a proxy server

  1. From the Control Center, navigate to Preferences | Starling Two-Factor Authentication.
  2. In the Starling Proxy Configuration pane, click Starling Proxy Settings.
  3. On the Starling Proxy Configuration dialog, enter the following information about the proxy server to be used:

    To specify a previously configured PAC file (recommended):

    • Use automatic configuration script: Select this check box.
    • Address: Enter the address of the proxy.pac file.

    To use username/password to specify the proxy server:

    • Address: Enter the URL for the proxy server.
    • Port: Enter the port number to be used.
    • Username: Enter the user name of a service account that is to be used to access the proxy server.
    • Password: Enter the password associated with the user name specified. The password will be displayed in clear text.

  4. Click OK to save your selections.