Welcome to the Safeguard Privileged Access Management tips, tricks and configuration session. So this session will be provided by me, Eric Parietti, and my colleague Ian Stimpson. We both come from the One Identity EMEA presales team.
So a small look at the agenda: the SAML authentication to access the Safeguard for Privileged Sessions web portal, mainly for auditors. Discover and manage accounts in AWS, by my colleague Ian. Discover and manage Azure AD privileged users, and how to manage privileged users and passwords as well in your Azure environment.
Also, how Safeguard can take charge of strong authentication and one-time password authentication dynamically. And at the end, a presentation of the Just in Time capabilities of Safeguard by itself and also of One Identity Safeguard plus One Identity Active Roles.
So let's start with the SAML v2 authentication to access the Safeguard web portal. So in this presentation, we will see how to configure it quickly. And we will use the OneLogin multifactor authentication solution as an external IdP.
This solution will be used-- this external OneLogin, external SAML v2 IdP will be used. And we also use an extension of this multifactor authentication system, which will be the SmartFactor. And the SmartFactor will analyze the context, the security context, for this authentication. And based on this context, the steps will be different. We will see that afterwards.
So as you can see here, we define on the OneLogin side for the multifactor authentication that this user has to enter his username and his password. You see the device will be certified as well. We calculate the security risk. And based on this security risk, the multifactor authentication will be triggered or not.
So as you can see at the right, we can configure-- the SmartFactor will only be triggered if the risk level is really low. In order to configure the SAML v2 authentication to access the Safeguard SPS web portal-- so in the first step, we will configure the users who can access with this kind of authentication, local users or AD users.
And also, it will not be seen in this presentation, but you will have to take these users and assign permissions to local groups in Safeguard for Privileged Sessions to give them the right to do searches-- for auditors, for example, to be able to search SPS for audit trails.
So after this first step, we have to configure SPS as the service provider, the SAML v2 Service Provider. The third step is to define your external IdP system, which will be OneLogin. And at the end, how to present the SAML v2 login method on the SPS web portal.
So let's see it quickly in action. So first of all, we go to Settings, Login options. And we can manage users, AD/LDAP users. The second step will be to define SPS as the SAML v2 service provider. You define SPS here, how to access it.
The third step is to configure the identity provider, which will be OneLogin. So you put all the information on SPS, and you download the SAML v2 data file to upload it on the OneLogin side. The last step is to create the OneLogin method, which will be displayed for the user when he wants to access the Safeguard for Privileged Sessions web portal.
Now in action. [INAUDIBLE] in the first phase. So this user wants to do some audit trail search. So he has to access the Safeguard SPS web portal. He clicks on the login with OneLogin to have a SAML v2 login method, an authentication login method. The system prompts the user to enter his username and the password also.
The capture is not there, but you know this user has entered his password. Now the two-factor authentication is triggered. The user will receive on his mobile phone the push method for the two-factor authentication. And now he can access the Safeguard for Privileged Sessions web portal to do some tricky and deep search on this web portal for audit trails.
Now, with the security context analyzed on the OneLogin side and, in that case, as you can see on the right side, I added the screenshot of this connection. And OneLogin has analyzed that this connection is 17 out of 100, so the security risk is really low. So now this user will connect-- will try the OneLogin SAML v2 authentication.
So login with OneLogin. The external IdP answers and prompts. So SAML will prompt you to enter the username and forward it to the external IdP SAML v2 provider. This user will enter his password.
And now, based on the security context provided to the right, that case, as the security risk is really low, in that case, the two-factor authentication is not triggered. And this user can access the search to do all the search he wants as the account selected for audit tracer on the [INAUDIBLE] session.
Now, another possibility, if you don't want any user to have access to the Safeguard SPS portal for audit trails, but you want your auditors, for example, to access the Safeguard web portal directly from the Safeguard SPP web user portal. If you want to concentrate all the access on one web portal, in that case, it will be the Safeguard for Privileged Passwords web portal.
So how to make it work directly from the Safeguard SPP web portal? You have to add a Windows server or Windows object server belonging to a domain. Install-- activate as well the remote app services. Install the One Identity RemoteApp Launcher on this server.
After this, you have to publish through the One Identity RemoteApp Launcher, for example, your Chrome browser. And you will define the parameter entered automatically and transparently by Safeguard SPP/SPS on this client, in that case the Google Chrome, to insert the URL, the username, the password.
And at the end, the user will be transparently connected directly to the Safeguard SPS web portal.
I want to show how it works in action. So this user will be authenticated on the Safeguard SPP web portal. This is the user request. He belongs to the One Identity Active Directory connected with Safeguard.
Now this user wants to select the Safeguard for Privileged Sessions asset with the account auditor for a session with the auditor account. You can define all the configuration you want in the rules. So in that case, adding a mandatory comment.
Now, for this user, I chose to put another authentication. In that case, the user has to be authenticated on the RDS server with his account. So this is the reason why this user has to put again his username and password here. And he just has to click now on the Start button to be connected as the auditor account on the Safeguard for Privileged Sessions web portal to do his task as an auditor to search for audit trails in detail.
As you can see here, automatically connected. So this user has not entered auditor, has not entered the password, and now he's connected to the Safeguard web portal to do his tasks for search in audit trail.
Thank you, Eric. Now, the next section and topic that we're going to move on to in the tips and tricks section here is around discovering and managing accounts in AWS using TOTP authentication. So within this section here, what I'm going to do first is I'm going to show you the solution as it is at the end. And then I'm going to step back through and walk you through how this was configured.
So here we are within the Safeguard for Privileged Passwords portal. I'm logged in as myself, as we can see here in the top-right-hand corner. And within here, let me just start the demonstration here. So I'm going to make a new request. In my example, I'm making a request here for the asset, which is my AWS environment. I have numerous accounts that are within the solution being managed, being vaulted, being rotated. And the one I'm going to select here is my EC2 with full access to this environment.
I then get an autoapproval. I'm requesting it for this moment in time. And as you can see, the account and the password are now being submitted, and it goes through the workflow. As I say, this is an automatic workflow. You can put approval steps in as required. But importantly, that request is now available to me as an engineer to use those credentials to check them out, to have access into AWS.
I'm now going in via the incognito browser here. I'm taking my account name, taking the password, the credential. And then importantly, I'm also then taking that OTP code. And as you can see, it's being rotated. I'm taking that code and entering it into the requirements for the MFA within AWS. And then you'll see that there is me logged in using this EC2 full access account with a credential that's being rotated and also the TOTP password code that is being generated every 30 seconds.
So that's the end goal. That's kind of showing from an engineer's perspective how they can have access into AWS using credentials being managed and rotated within Safeguard.
So let's step through and explain how this was actually created for you. So there are a few things to note here, being the tips and tricks section. You've got the ability to manage AWS as an asset in two different options, one of which is, as you can see here on the left-hand side, within Safeguard, if you go to add a new asset, Amazon Web Service is listed as an asset that can be added.
In the one on the right-hand side, we're actually using our Starling Connect cloud service to provide access. And this provides additional options. And as you can see on the right-hand side, this presents you with AWS IAM S3 1.0. So what are the differences between this? Well, the Starling capability, the platform is shared between numerous One Identity solutions, being Active Roles, Identity Manager, and, in this example here, for Safeguard.
So we can see here on the left-hand side, under My Services, we have the Starling Connect. So within Starling Connect, you have the option when you go to the Connector Catalog to actually select the dropdown to show which connectors are compatible with the Starling Connect for Safeguard for passwords.
And as you can see here, there are six that are available and compatible with Safeguard for Privileged Passwords. In my environment, I have two of these already configured, one being AWS and the other being Azure AD.
Now, the important things to notice here, being a tips and tricks section, is really how we can provide the capabilities. So stepping back, one of the first things you need to do is join your Safeguard environment to Starling. Then, within AWS, you need your programmatic account. And then you need to match the settings between Starling and AWS.
Now, just to explain the details here, it is relatively self-explanatory, but what you've got here is the client ID, which is in Starling. And this corresponds to the access key in AWS. The client secret, well, that corresponds to the secret access key in AWS. And then for the region, what I [AUDIO OUT]
--accounts that you're onboarding and providing the access to. So in this example here, I've taken one of these accounts, and we're going to assign an MFA device. Now, I'll assign in the MFA device-- you need to give it a device name. You'll then select the authenticator app. And then this will bring up the details you see here on the right-hand side of the screen with an image. You would then save that image. And with that image saved, go back into Safeguard.
You then go into the account. You go into the secrets for that account. And you can see we've got the TOTP authenticator, which is missing configuration. So by clicking Set, it will then enable you to upload that image that we've just saved. So you upload that image, and then this is going to start generating the TOTP codes. We can see here on the right-hand side, this is the first one that's been generated.
You then enter those codes into the configuration. And this enables that MFA device to be assigned, matching up with the code, matching up with the two codes that have been generated. And from that point forward, within the access request, when you make the request and check out the credential, as we can see here, within the request, you have the ability to copy and view that credential and then also copy and view the MFA code that is being generated.
With those credentials, with those codes, that then provides you with that ability to authenticate to AWS using those credentials that are provided. Now, just for further information, there's always more than one way of gaining access to resources based on different business policies. And the one thing I will mention here is in this example, I'm logged into my IdP, which is OneLogin, which also provides another mechanism for me to have single sign-on using [INAUDIBLE] and using access controls within OneLogin.
But from One Identity, we really do provide the flexibility of accessing both types really to solve different business requirements. Now, as I pass over to Eric, he's going to take you through Azure AD. And one of the things that Eric will be adding into this is actually automating this process. Rather than when you saw me doing that manual copy and paste, you'll see from Eric how we can actually automate this as well to take it to that next level. Thank you. Over to you, Eric.
Now we will see how to discover and manage accounts in Azure, as my colleague Ian showed you how to discover an AWS privileged account in the AWS Cloud environment.
So first of all, we will discuss Starling Connect, because Safeguard with the Starling Connect connector will be able to discover privileged accounts in several environments. We can see here AWS, as described by my colleague Ian, Azure AD, Google Workspace, the OneLogin Connector, which is free with Safeguard, Salesforce, and ServiceNow. So with these connectors, you can discover and manage privileged accounts.
So in our case here, we will, for example, activate the trial to select one Starling Connect connector, which will be for Azure AD in that case. And what will be the task we will have to do after activating this connector?
So to discover Azure AD accounts and to manage these accounts, we will have multiple steps to do. First of all, if it is not already done, you have to create your One Identity Starling account and configure your Azure AD as an IdP, because it is always good to have the possibility to import user IDs into your local environment to declare, to define Safeguard users from your Azure AD.
In the second step, we will link the Safeguard SPP, so Safeguard for Privileged Passwords, appliance to your Starling environment to put in place the link between Safeguard SPP and your Starling environment.
Now we will have to go to the Azure Portal to create the application used by the Starling Connect connector. We have to activate the Starling Connect service and configure the Azure AD connector. At the end, we will move to the Safeguard SPP side to create the Azure AD asset on Safeguard SPP.
And the last thing will be to create a Discovery task based on the new Starling Connect connector already created just before. And at the end, we will have the possibility also to define the management by SPP of the TOTP token directly within Safeguard to create TOTP.
So first thing, create your One Identity Starling account. So you have to go-- as we have seen just before, you have to go to cloud.oneidentity.com. And in the parameter settings, you have to declare your Azure AD environment.
After this, you can import Safeguard users into your SPP to define Safeguard users from your Azure AD. Second step, create the application in your Azure AD environment. So there are many parameters to set for this application.
We created the documentation with all the parameters you have to set in this application. So you can contact us to have these kinds of parameters for the app. Be careful when you create this application. The Secret and Value you will define during the creation of this application will be set only the first time.
And copy these parameters, these settings, because you will use them after, and it will not be possible to edit these fields after creation. So now you have to configure the Starling Connect connector for Azure AD.
So as you can see in the slide here, you have to go on your Starling Connect environment on Starling. You can select Azure AD and click to configure to create a new connector. And in that case, you will have to put all the information of your Azure AD.
So for example, here, you have to define your Azure AD environment and pull all the parameters to connect this Azure AD environment. Now, on Safeguard SPP, discover this new Azure AD connector. So just clicking on the plus sign, you will see directly this Azure AD connector available and selected.
Now create the Azure AD asset. So you just have to go on Safeguard SPP to create a new asset. You will see in the platform list the Azure AD. And automatically, the authentication type will be by Starling Connect. This Starling Connect has been automatically created by the steps we have done before.
To finish, it is really simple. You have to create a discovery task to discover privileged accounts in your Azure AD. This discovery task will be based on the Starling Connect connector. And when you start this discovery task to discover assets and accounts, automatically you will see all the accounts discovered by this discovery task in your Azure AD.
Now you can select the privileged users you want and click on the Manage button for them to be managed by Safeguard.
Last thing, if you also want Safeguard to manage the token generated for this user as well, in that case, you can declare it on Safeguard. You just have to edit the privileged account. In that case, for me, AdeleV, this privileged account, you have to set the TOTP token. And you can import the QR code image you downloaded from your Azure AD environment for this user.
As you can see below, if you go on this user on Azure AD, when you set-- for this user, when you set the token, the one-time password token, so the software OATH token, at the first time you can download the QR code image file. And with this image file, you will use it to import it in Safeguard.
So just a small remark, as already mentioned, you can download this QR code image only when you declare for the first time the one-time password for this user. Otherwise, you have to kill the option and recreate it to have the possibility to download the QR code image file.
So as you can see here, on Safeguard for Privileged Passwords I created a password request. And this user requests the password for the privileged user AdeleV. And this Safeguard user now can see the password and can see the one-time password code, because now Safeguard is able to generate the one-time password thanks to the QR code image file you downloaded. And Safeguard SPP is able to create, with the right seed, the same one-time password that Azure can create for this user.
How to make this Azure web portal available directly for Safeguard SPP users directly from the web user interface, the Safeguard web user interface? You have to put in place remote apps. In that case, you will install an RDS server. On this RDS server, you will install the tool One Identity RemoteApp Launcher.
And you have to configure it for a specific destination. In our case, it will be portal.azure.com. And you will have to configure as well-- on the SPP side, you have to configure and create the rule for this application access.
After this, this user can select the application directly in the SPP portal. And automatically, Safeguard and the RemoteApp Launcher will automatically transfer the username, the password, and the TOTP token to be connected directly on your Azure portal. The communication will pass through SPS for sure. And SPS will record this connection, this session. And you will have the possibility to replay the session during the session or after the session as well.
So everything will be transferred automatically by Safeguard. So we can see it in action. So this user arthur belongs to the oneidentity.demo Active Directory. In that case, he has to double authenticate with the two-factor authentication provided by OneLogin. OneLogin belongs to One Identity.
The user creates a request to access the Azure portal with the account AdeleV. Then just click the Play button. Everything is done transparently by Safeguard. So Safeguard can start remotely the Chrome browser, for example, and in that case, transfer the username, password, and TOTP token to the Azure portal.
Now the Safeguard user is connected with this privileged account and can do his management session. So at the end-- so first of all, Safeguard doesn't put the information in the cache, so you cannot reconnect easily without knowing the password. And after the check-in of the session, Safeguard will rotate the password, after this session.
So the last part of this presentation will be to explain how Safeguard is able to provide Just in Time access provisioning to keep one privileged user activated when he is not accessing the system or a password through Safeguard.
So first of all, what is it? Just in Time is defined by Gartner to say, OK, you have to avoid leaving a privileged user activated or with the rights. So you have to put in place something to elevate the rights. So what is Safeguard able to provide in that case?
First of all, we can see here the integration between Safeguard-- between all the One Identity solutions. More focus for this session on Safeguard and Active Roles with the Just in Time privilege request. You can see also the Privileged Access Governance, or the PAG, module between One Identity Manager and Safeguard.
You can see that Safeguard is able to request connectors directly with the Starling Connect connectors and many other destinations as well. So what Safeguard is able to do by itself-- what is Safeguard able to provide with Just in Time? In that case, when a Safeguard user tries to request a password or tries to connect to a system through Safeguard, in that case, Safeguard will be able to automatically activate or deactivate a user.
In that case, it will be activating a user during the session, a privileged user. And at the end of this session, Safeguard will automatically deactivate this user in the source user database and will also rotate the password.
So as you can see, this account, adminad_jit3, is deactivated. Now we can try a session request or a password request on Safeguard. And as you can see, Safeguard shows you that the account is in pending restore state during one second, just the time used by Safeguard to activate this privileged account in Active Directory.
After this, as you can see, the adminad_jit3 account has been automatically activated by Safeguard only during the session. We can see it in action.
Now we will see in action how it works. So we are using the account, the Safeguard user arthur. We pass the two-factor authentication. Yeah, I received a push OTP on my phone. Now we can see that this user unique. So which account?
Winadmin5, winadmin6 are deactivated in Active Directory. So now I create the request to access this application. You can see the winadmin6 to retrieve the password. To automatically access this password request, it can be a session request as well.
OK, I don't know why it created a favorite during the demo, but OK. So in that case, we can see this request is in pending approval. I received the pop-up from the Starling Cloud Assistant. So I received the approval via the team's client for the cloud assistant.
Automatically, you have seen that Safeguard was restoring the password, the account, the winadmin6 account. Now, after the refresh, you will see the winadmin6 account activated by Safeguard. So you can see winadmin6 is now active. And you can start a session. So it was not a password request. It was for a session. So you can now use this privilege account during the session.
We can close this session. It was just for the test. So we can start some program just to say there is something in the session. Now we can check in the request. And after the check-in, Safeguard can rotate the password depending on the rule. And also, Safeguard has deactivated this privileged account.
So as you can see here, the account winadmin6 is now, after the update, deactivated again. This is what Safeguard can provide for the Just in Time by itself.
So just one piece of information: what are the platforms where Safeguard can activate or deactivate accounts? So AIX, HP-UX, et cetera, et cetera, what you can see on the slide. So the parameter to give the right to Safeguard to activate and deactivate users, privileged users, or privileged accounts we can say, is the parameter you can see here, "Suspend account when checked in."
In that case, this parameter will be found in the partition of Safeguard. So in partition and in the folder name, I think it was change password or verify password, you will see this parameter "Suspend account when checked in."
The last thing for this presentation will be what kind of Just in Time we can provide if we are using Safeguard and if we are also using One Identity Active Roles. In that case, we will have a step, another step, which will be not only the activation, deactivation of the privileged account.
But with Active Roles, Active Roles will be able to insert this privileged account in the right administration groups. So it will be named dynamic group membership in Active Roles. So in that case, the action of Active Roles, in addition to the action of Safeguard for activation and deactivation, is to put this privileged account in the right administrative groups during the session only.
So as you can see here, the adminad_jit3 is deactivated by Safeguard. If you edit this privileged account, this privileged account belongs only to domain users. When you start a password request or a session request through Safeguard, Safeguard, as we have seen before, activates this account.
Now you can, for example, start the session. During that time, Safeguard has activated the account adminad_jit3. And also, Active Roles, if you can see to the right, has added automatically this adminad_jit3 user in another group, which is named-- so name is [INAUDIBLE].
In that case, this [INAUDIBLE] belongs to the administrators, the Windows administrators on the domain. So in action, it is like this.
We are on the Safeguard session. You can see this account, adminad_jit3, is deactivated. It will be activated by Safeguard. If we edit the properties, you can see this account only belongs to the domain user membership. Now we can request the session.
To access the Windows server MEMBER01 with this privileged account, adminad_jit3. I like to create favorites to access destination targets faster. OK, so submit request. And in that case-- Safeguard activates the privileged account.
You are not-- it is not mandatory to start the session. Everything is done. OK, so the account is now activated, adminad_jit3.
OK, now activate it. And if we edit it, you can see in live that Active Roles put this privilege account to the right group, which is [INAUDIBLE] in that case. And we can start the session.
OK, and we have connected the session. We can manage well the destination target because the privileged user belongs to the right administration group. And stop the session. Sign out.
After the check-in, Safeguard deactivates this account and rotates the password if it is in the rule. And Active Roles has automatically removed this admin, adminad_jit3 account from the [INAUDIBLE] group.
We can take a look at the properties. Automatically. You can see the member has disappeared. The admin group has disappeared here. And the account is deactivated as well. OK, so everything has been cleaned by Safeguard and Active Roles.
So thank you for attending this session. I hope I answered many questions you have on Safeguard, Just in Time access provisioning, how to discover Azure AD accounts, et cetera, et cetera. So thank you for attending.
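The TOTP handling that both the AWS and Azure AD sections rely on (the seed is taken from the QR code image, and the vault then generates the same 30-second codes as the cloud provider) is shown below as an added Python example; it is not part of the presentation or of One Identity's product code. The otpauth:// URI, issuer and account label are constructed, the secret is the RFC 6238 reference key, and the clock-skew window in verify() is an assumption about how a verifier would typically tolerate drift.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth:// URI of the shape a QR-code image from an IdP or cloud
# console (Azure AD software OATH token, AWS virtual MFA device) encodes.
# The secret is the RFC 6238 reference key "12345678901234567890" in base32;
# issuer and account label are placeholders, not values from the session.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleIssuer:AdeleV%40example.invalid"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleIssuer"
    "&algorithm=SHA1&digits=6&period=30"
)

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Extract the parameters a TOTP generator needs from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    # Base32 in QR codes is often unpadded and lower-case; normalise before decoding.
    secret = query["secret"].strip().upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": query.get("issuer", ""),
        "key": base64.b32decode(secret),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def totp(key, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter derived from the time step."""
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, unix_time):
    """The code a vault (or the cloud provider) shows for this seed at this time."""
    p = parse_otpauth(uri)
    return totp(p["key"], unix_time, p["period"], p["digits"], p["algorithm"])


def seconds_until_rotation(unix_time, period=30):
    """How long the current code stays valid before the next 30-second step."""
    return period - (int(unix_time) % period)


def verify(uri, candidate, unix_time, window=1):
    """Accept the current step and +/- window steps (clock skew); constant-time compare."""
    p = parse_otpauth(uri)
    for step in range(-window, window + 1):
        t = unix_time + step * p["period"]
        expected = totp(p["key"], t, p["period"], p["digits"], p["algorithm"])
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print(code_from_uri(SAMPLE_OTPAUTH_URI, now), "rotates in", seconds_until_rotation(now), "s")
```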