SPP allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log in to Safeguard. You can create providers for Active Directory, LDAP 2.4, any SAML 2.0 federated service, or Radius.

Go to Identity and Authentication:

  • web client: Navigate to Appliance Management > Safeguard Access > Identity and Authentication.

The Identity and Authentication pane displays the following details about the identity and authentication providers defined.

Table 104: Identity and Authentication: Properties
Property Description
Name

The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with exception of Active Directory, External Federation, and any 2FA provider.

Type

Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations.

  • Active Directory
  • LDAP
  • External Federation
  • Radius (use as a secondary authentication provider)
  • Radius as Primary (use as a primary authentication provider)
  • FIDO2
  • OneLogin MFA
  • SCIM

Description

Enter any descriptive information to use for administrative purposes.

Login Provider ID

A system generated identifier that can be used when integrating with third-party or other custom software or automation scripts. For information on accessing the SPP API, see Using the API.

NOTE: When integrating with Safeguard for Privileged Sessions, you can effectively enable Single Sign-On (SSO) between the two applications by creating and using the same SAML2 external federation login provider in both. This Login Provider ID value from SPP must then be entered into the Safeguard for Privileged Sessions Script Reference field when creating the matching SAML2 login method.

Use these toolbar buttons to manage identity and authentication provider configurations.

Table 105: Identity and Authentication: Toolbar
Option Description
Add

Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers.

Remove

Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users.

Edit

Modify the selected identity or authentication provider.

Syncronize Now

Run the directory addition (incremental) synchronization process for directory users (identity providers) and directory user groups. All changes except for deletions are synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task.

The directory deletion and addition (full) synchronization process must be run from the API (IdentityProviders/Synchronize).

Update Signing Certificates and Metadata

For external federation providers that have been configured with a URL pointing to the metadata, you can manually trigger SPP to request the metadata from the URL if you know it has changed and don't want to wait for the daily automatic update. This may be necessary in cases where the external STS doesn't support having multiple active signing certificates and you want to minimize any downtime from not being able to log in.

Download Safeguard Federation Metadata

Download a copy of SPP's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.

Refresh

Update the list of identity and authentication providers.