Having to perform multi-factor authentication to a remote server every time the user opens a session can be tedious and inconvenient for the users, and can impact their productivity. SPS offers the following methods to solve this problem:
In SPS, the Connection policy determines the type of authentication required to access a server. If you do not need multi-factor authentication for accessing specific servers, configure your Connection policies accordingly.
If the user opens a new session within a short period, they can do so without having to perform multi-factor authentication. After this configurable grace period expires, the user must perform multi-factor authentication to open the next session. For details, see [authentication_cache].
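The grace-period behaviour described above, as an added illustration rather than SPS's own implementation. The setting name `grace_period_seconds`, the per-user keying, the injectable clock and the non-sliding window (measured from the last real multi-factor authentication, not from the last session) are assumptions made here so that the expiry boundary can be shown deterministically; SPS's actual `[authentication_cache]` parameters are not listed on this page.

```python
# Added example: a grace-period authentication cache modelled on the
# behaviour described in the text. NOT SPS's own code; the setting name,
# per-user keying and non-sliding window are assumptions.
import time


class AuthenticationCache:
    """Remembers when each gateway user last completed multi-factor
    authentication and answers whether a new session may skip it."""

    def __init__(self, grace_period_seconds, clock=time.monotonic):
        if grace_period_seconds <= 0:
            raise ValueError("grace period must be a positive number of seconds")
        self._grace = grace_period_seconds
        self._clock = clock          # injectable clock (assumption, for testing)
        self._last_mfa = {}          # gateway user -> time of last successful MFA

    def record_success(self, user):
        """Call after the user has passed multi-factor authentication."""
        self._last_mfa[user] = self._clock()

    def can_skip_mfa(self, user):
        """True while the user is inside the grace period.

        A skipped authentication does not extend the window (assumption),
        and an expired entry is evicted so it cannot be reused later.
        """
        started = self._last_mfa.get(user)
        if started is None:
            return False
        if self._clock() - started >= self._grace:
            del self._last_mfa[user]
            return False
        return True


class FakeClock:
    """Constructed clock so the example runs offline and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate(grace_period_seconds=300):
    """Walk one user through the grace period; returns (offset, verdict) pairs."""
    clock = FakeClock()
    cache = AuthenticationCache(grace_period_seconds, clock=clock)
    cache.record_success("alice")          # MFA passed at t = 0
    verdicts = []
    for offset in (10, 299, 300, 301):
        clock.now = float(offset)
        verdicts.append((offset, cache.can_skip_mfa("alice")))
    # A user who never authenticated is never cached.
    verdicts.append(("bob", cache.can_skip_mfa("bob")))
    return verdicts


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

Note that the check at exactly the grace period (offset 300) already requires a fresh authentication: the window is half-open, so a cached entry never outlives the configured period.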
The [whitelist source=user_list] and [whitelist source=ldap_server_group] sections allow configuring authentication whitelists and blacklists based on a User List policy or an LDAP Server policy. These two sections are independent, so either of them can be configured on its own; for example, you can create break-glass access for specific users to allow them to bypass
The [whitelist source=user_list] section allows whitelisting users based on a User List policy configured in SPS (Policies > User Lists). To enable this whitelist, configure one of the use cases below.
The user names are compared to the User List in a case-sensitive manner.
For details on creating user lists, see "Creating and editing user lists" in the Administration Guide.
Type: string
Required: no
Default: N/A
Description: The name of a User List policy containing gateway users configured on SPS (Policies > User Lists). You can use this option to selectively require multi-factor authentication for your users (for example, to create break-glass access for specific users).
To allow specific users to connect without providing
To enforce
The [whitelist source=ldap_server_group] section allows whitelisting users based on LDAP Server group membership. To enable this whitelist, configure one of the use cases below.
The user names and groups are compared in LDAP in a case-insensitive manner.
[whitelist source=ldap_server_group] allow=<no_user-or-all_users> except=<group-1>,<group-2>
Type: string (all_users | no_users)
Required: no
Default: N/A
Description: This parameter defines whether to allow all users or no user to connect without providing
Type: string
Required: no
Default: N/A
Description: This parameter defines those specific LDAP/AD group(s) that are exempt from the rule defined by the allow parameter.
To allow members of specific LDAP/AD group(s) to connect without providing
[whitelist source=ldap_server_group] allow=<no_user> except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
To enforce
[whitelist source=ldap_server_group] allow=<all_users> except=<group-1>,<group-2>
You must configure the name of the LDAP Server policy in the [ldap_server] section.
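The two whitelist sections described above (the User List one and the LDAP Server group one), evaluated in an added example that is not One Identity's plugin code. Assumptions: the [whitelist source=user_list] section carries a `name` parameter naming the User List policy and an `allow` parameter taking `all_users` or `no_users` (the page shows the parameter metadata but not the parameter names); the [whitelist source=ldap_server_group] section carries `allow` and `except` exactly as shown; the User List members and the user's LDAP/AD groups are handed in by the caller, with constructed sample data standing in for SPS and the directory; and, because the page does not say how two configured sections combine, the combined verdict lets a user skip MFA when any configured section does. The case-sensitive comparison for User Lists and the case-insensitive one for LDAP groups follow the text.

```python
# Added example: evaluating the [whitelist source=user_list] and
# [whitelist source=ldap_server_group] sections. NOT One Identity's code.
# Assumptions: user-list parameters `name` and `allow`; "any configured
# section that skips MFA wins" as the combination rule.
import configparser

MFA_REQUIRED = "mfa_required"
MFA_SKIPPED = "mfa_skipped"

USER_LIST_SECTION = "whitelist source=user_list"
LDAP_SECTION = "whitelist source=ldap_server_group"


def _check_allow(value, section):
    if value not in ("all_users", "no_users"):
        raise ValueError("%s: allow must be all_users or no_users, got %r" % (section, value))
    return value


def _verdict(allow, is_exception):
    # allow=no_users: only the exceptions skip MFA.
    # allow=all_users: everyone skips MFA except the exceptions.
    if allow == "no_users":
        return MFA_SKIPPED if is_exception else MFA_REQUIRED
    return MFA_REQUIRED if is_exception else MFA_SKIPPED


def user_list_verdict(cp, username, user_lists):
    """Case-sensitive check of the user against the named User List policy;
    None when the section is not configured."""
    if not cp.has_section(USER_LIST_SECTION):
        return None
    sec = cp[USER_LIST_SECTION]
    allow = _check_allow(sec.get("allow"), USER_LIST_SECTION)
    members = user_lists.get(sec.get("name", ""), ())
    return _verdict(allow, username in members)      # exact-case comparison


def ldap_verdict(cp, user_groups):
    """Case-insensitive check of the user's LDAP/AD groups against `except`;
    None when the section is not configured."""
    if not cp.has_section(LDAP_SECTION):
        return None
    sec = cp[LDAP_SECTION]
    allow = _check_allow(sec.get("allow"), LDAP_SECTION)
    exempt = {g.strip().lower() for g in sec.get("except", "").split(",") if g.strip()}
    return _verdict(allow, any(g.lower() in exempt for g in user_groups))


def decide(ini_text, username, user_groups, user_lists):
    """Return the per-section verdicts and a combined one.

    Combination rule (assumption): the sections are independent, a user whom
    any configured section lets through skips MFA, and with no section
    configured MFA is required.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    ul = user_list_verdict(cp, username, user_lists)
    ld = ldap_verdict(cp, user_groups)
    configured = [v for v in (ul, ld) if v is not None]
    combined = MFA_SKIPPED if MFA_SKIPPED in configured else MFA_REQUIRED
    return {"user_list": ul, "ldap": ld, "combined": combined}


# Constructed sample configuration and directory data (not from the page).
SAMPLE_INI = """
[whitelist source=user_list]
name=breakglass
allow=no_users

[whitelist source=ldap_server_group]
allow=all_users
except=Domain Admins, SecOps
"""
SAMPLE_USER_LISTS = {"breakglass": ["alice"]}

if __name__ == "__main__":
    print(decide(SAMPLE_INI, "alice", [], SAMPLE_USER_LISTS))
    print(decide(SAMPLE_INI, "Alice", ["staff"], SAMPLE_USER_LISTS))
    print(decide(SAMPLE_INI, "bob", ["DOMAIN ADMINS"], SAMPLE_USER_LISTS))
```

In the sample, `alice` is break-glass through the User List while `Alice` is not (the comparison is exact-case, as the text states), whereas `DOMAIN ADMINS` still matches `Domain Admins` in the LDAP section. A deployment that wants the stricter rule (MFA unless every configured section allows the skip) only needs to change the `combined` line.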
By default, SPS assumes that the external
The external identity is the Starling ID, which is a number.
You can use the following methods:
Explicit mapping: [usermapping source=explicit]
LDAP server mapping: [usermapping source=ldap]
To look up the external
The Explicit method has priority over the LDAP server method.
If you have configured neither the append_domain parameter nor any of the [USERMAPPING] sections, SPS assumes that the external
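The lookup order just described (explicit mapping first, LDAP server mapping second), as an added example that is not SPS's own code. Assumptions: the [usermapping source=explicit] section holds `<gateway-user>=<starling-id>` lines (the page names only the section), the LDAP lookup is any callable that returns the mapped value or None, Starling IDs are validated as numbers because the page says they are numbers, and when neither method yields a result the resolver returns None; the page's own fallback sentence is truncated, so it is not reproduced here.

```python
# Added example: resolving a gateway user name to the external (Starling)
# identity with explicit mapping taking priority over the LDAP lookup.
# NOT SPS's own code; the explicit-section line format is an assumption.
import configparser

EXPLICIT_SECTION = "usermapping source=explicit"


def _numeric_id(value, origin):
    """Starling IDs are numbers (per the text); reject anything else."""
    text = str(value).strip()
    if not text.isdigit():
        raise ValueError("%s: %r is not a numeric Starling ID" % (origin, value))
    return text


def parse_explicit_mapping(ini_text):
    """Return {gateway_user: starling_id} from the explicit section, or None
    if that section is not configured."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                 # keep user-name keys exactly as written
    cp.read_string(ini_text)
    if not cp.has_section(EXPLICIT_SECTION):
        return None
    return {user: _numeric_id(value, "explicit mapping for " + user)
            for user, value in cp[EXPLICIT_SECTION].items()}


def resolve_external_id(username, explicit_map, ldap_lookup):
    """Explicit mapping wins when it has an entry; otherwise ask LDAP.

    explicit_map: dict from parse_explicit_mapping() or None.
    ldap_lookup:  callable(username) -> value or None, or None when the
                  [usermapping source=ldap] method is not configured.
    """
    if explicit_map is not None and username in explicit_map:
        return explicit_map[username]
    if ldap_lookup is not None:
        value = ldap_lookup(username)
        if value is not None:
            return _numeric_id(value, "LDAP mapping for " + username)
    return None


# Constructed sample data (not from the page).
SAMPLE_INI = """
[usermapping source=explicit]
alice=123456
bob=111111
"""
SAMPLE_DIRECTORY = {"bob": "654321", "carol": "not-a-number"}


def sample_ldap_lookup(username):
    """Stands in for the LDAP Server lookup."""
    return SAMPLE_DIRECTORY.get(username)


def resolve_with_samples(username):
    return resolve_external_id(username, parse_explicit_mapping(SAMPLE_INI), sample_ldap_lookup)


if __name__ == "__main__":
    for user in ("alice", "bob", "dave"):
        print(user, "->", resolve_with_samples(user))
```

`bob` shows the priority rule: the explicit entry (111111) is returned even though the directory also carries a value for him, and `dave`, present in neither source, resolves to None rather than to a guessed identity.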
© 2021 One Identity LLC. ALL RIGHTS RESERVED.