立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Sessions 6.5.0 - Starling Two-Factor Authentication- Tutorial

[usermapping source=explicit]

To map the gateway user name to an external Starling 2FA identity, configure the following name-value pairs.

Declaration
[usermapping source=explicit]
<example-user-1>=<ID-1>
<example-user-2>=<ID-2>
<exampleuser>
Type: string
Required: no
Default: N/A

Description: To map the gateway user name to an external Starling 2FA identity, configure the name-value pairs in the following way:

  • Type the gateway user name instead of <example-user-1>.

  • Type the external Starling 2FA ID instead of <ID-1>.

NOTE:

Use this option only if there are not only a few users, or for testing purposes. If there are too many users, it can cause performance issues.

[usermapping source=ldap_server]

To look up the external Starling 2FA identity of the user from an LDAP/Active Directory database, configure the [usermapping source=ldap_server] section of the SPS Starling 2FA plugin.

Declaration
[usermapping source=ldap_server]
user_attribute=description

You must configure the name of the LDAP Server policy in the [ldap_server] section.

If you configure both the append_domain parameter in the [username_transform] section and the [usermapping source=ldap_server] section of the SPS Starling 2FA plugin, SPS appends the @ character and the value of the append_domain parameter to the value retrieved from the LDAP database.

user_attribute
Type: string
Required: no
Default: N/A

Description: The user_attribute must be an LDAP/AD user attribute (with a non-empty UTF8 attribute string) that contains the external identity. For example, description, cn, mail. For a complete list see the User class section of the Active Directory Schema document.

[username_transform]

This section contains username transformation-related settings.

Declaration
[username_transform]
append_domain=<domain-without-@-character>

If you have configured [USERMAPPING], the [username_transform] process will run after the [USERMAPPING] process.

append_domain
Type: string (nonrequired, no default)
Required: no
Default: N/A

Description:

If the Starling 2FA service requires the use of domain name in the external Starling 2FA identity, configure the append_domain parameter in the [username_transform] section. In this case, SPS automatically appends the @ character and the value of this option to the username from the session, and uses the resulting username on the Starling 2FA server to authenticate the user. For example, if the domain is set to append_domain: example.com and the username is Example.User, the SPS plugin will look for the user Example.User@example.com on the Starling 2FA server.

If you configure both the append_domain parameter in the [username_transform] section and the [usermapping source=ldap_server] section of the SPS Starling 2FA plugin, SPS appends the @ character and the value of the append_domain parameter to the value retrieved from the LDAP database.

[ldap_server]

The LDAP Server policy that you want to use in an LDAP server usermapping source or an LDAP server group whitelist source. Required if you have configured [usermapping source=ldap_server], [whitelist source=ldap_server_group] and [starling_auto_provision].

Declaration
[ldap_server]
name=<name-of-LDAP-server-policy>
name
Type: string
Required: conditional
Default: N/A

Description: The name of a configured LDAP Server policy in SPS. For details on configuring LDAP policies, see "Authenticating users to an LDAP server" in the Administration Guide.

相关文档