User is not authorized to access this system

Hello,

When we try to log on to Safeguard SPP (7.3) using a user (account) in Azure AD, in combination with Starling Connect (EU), we get the message "User is not authorized to access this system" at the logon screen (and in the logging). The Activity Center shows the error "User is Unknown".

For the user, both the 'Identity Provider' and 'Authentication Provider' are set to "Starling". If we change the setup for the user to 'Identity Provider': "local" and 'Authentication Provider': "<our Azure AD>", then we can log on to Safeguard with this user... so the Azure configuration looks OK(?).

Also, the Safeguard setup looks OK, as we are able to manage the Azure AD asset: check/change password, adding users, discovering accounts; all works fine.

=> What could be the issue?

  • Hi Maurice,

    To use Starling as an Identity and Authentication provider, there are additional configurations required in Starling. (Starling Connect is only used as a registered connector to add the Azure AD asset in SPP for the use case you mentioned; it is not used for Starling identity and authentication in this case.)

    For SPP on-premises, you will have to enter one or more Realm value(s) (for example yourDomain.OnMicrosoft.com) under the Starling join section. These will be associated with the new Starling authentication provider, so that when a user logs into Safeguard, chooses External Federation and enters username@yourDomain.OnMicrosoft.com, they will be redirected to Starling to authenticate.

    1. In order for users and groups to be available in Safeguard, you must register your Azure Active Directory tenant ID in your Starling organization's Directory Services:
    - Log in to the Starling portal
    - Click on the settings icon in Starling > Under Directory Services > Directories > Manage > Register Directory > Select a directory (Azure AD is currently supported as an option)
    - Configuration > Add a display name and the Directory/Tenant ID
    - Azure AD admin consent must be given in order to register this directory

    Note: In Azure AD > Overview > Manage tenants is where you can obtain the Organization ID for registering the directory in Starling as stated above.

    Multiple Azure Active Directory tenants can be added to the Starling Directory Services. These tenants will all be available and treated as one when used by Safeguard.

    If joined to Starling and no Azure Active Directory tenants have been added to your Starling Directory Services, the Starling Identity provider will still appear and be available in Safeguard. You would still be able to attempt to add a user or group from the Starling provider, but it simply won't return any results if Starling is not configured with an Azure AD directory as described above.

    2. In addition, in order for Safeguard users to authenticate against Starling, a Relying Party Trust "Application" must be created in Starling.

    For On Demand this will be done automatically as part of the provisioning process. For an on-premises instance of Safeguard, you will have to manually enter or upload information into Starling:

    In Starling:
    - Click on the settings icon in Starling > Under Directory Services > Applications > Manage > Add Application
    - You must use the Add SAML2 Application option in order for this to work with Safeguard
    - Configuration > Select SAML2 Metadata file
    - The Safeguard metadata can be obtained from SPP > Appliance Management > Safeguard Access > Identity and Authentication > Click on the down-arrow icon to download the Safeguard Federation Metadata, then upload it in the previous step.

    Adding a new user to Safeguard whose identity, and therefore authentication, comes from Starling should be similar to that of other directory-based providers such as Active Directory and LDAP. Namely, you will browse for the user you want to add, and all of the user's identity information (their name, email address, etc.) will be marked as read-only.

    Thanks!

  • Hi Tawfiq,

    Thanks for your detailed response.

    It seems I have already configured my environment as you describe, but I'm not sure about the 'Starling Identity Provider'. Under Safeguard 'Identity and Authentication', I have added an 'External Federation' connection that uses my Azure AD metadata and Realm. As mentioned, I can log in to Safeguard using this Azure AD authentication, combined with a local Identity Provider.

    There is no other configuration under 'Identity and Authentication' that refers to Starling.

    => Could that be the issue?

  • Hi Maurice,

    The Starling provider will not appear in the SPP > Appliance Management > Safeguard Access > Identity and Authentication providers list (this is expected and is not an issue).

    1. Can you confirm that if you go to Appliance Management > External Integration > Starling > Realms, you have the domain name added there?

    2. Can you also try to add the user from scratch by going to User Management > Users > + to add a new user > Change Identity Provider to Starling > Browse and find the user, then add it?

    3. Then test login to SPP by selecting External Federation. As long as the username is typed as username@domain.local (which should match the user's Login name as defined in the User > Authentication tab in SPP) and the domain.local portion of the username matches the domain that is added in SPP > Starling > Realms as stated in point #1 above, SPP should redirect you to the Starling login page to test.

    I would also confirm all the steps under this section (Starling as an identity provider) of the admin guide are completed:

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/7.3/administration-guide/41#TOPIC-2015754

    Thanks!

  • Hi Tawfiq,

    The Realm is correct and I can add users (and accounts) from my directory. The login name equals the username (and the email address). All the steps in the admin guide have been completed, but the issue remains.

  • When you say you can add users from your directory, are you selecting Starling as the provider instead of Active Directory when adding the user?

    Can the user authenticate against Starling directly outside of SPP?

  • Yes, Starling is selected as Identity Provider. One of the users is the same user I use to log on to the Starling portal (account.cloud.oneidentity.eu).

  • There is currently maintenance in progress as per the Starling status page, so I would wait for this to complete and test afterwards in case this was related:

    https://status.cloud.oneidentity.com/

  • I still cannot log in with an Azure AD user. Whether the user is added to Safeguard (add users -> Identity Provider 'Starling' -> browse) or not makes no difference to the result. For the user, the Authentication Provider is set to 'Starling', but the Activity Center log shows '<my configured AD>' (the connection configured under 'Identity and Authentication'). I think this is correct.

  • When you type the username in the field under the External Federation drop-down, do you get redirected to Starling OR Azure AD?

    Could it be that there is a conflict over where the user is being redirected?

    If this is a Starling user object using the Starling Identity Provider and Starling Authentication Provider BUT it is getting redirected to the Azure AD login, then it makes sense that SPP will look to match the user to an Azure AD authentication provider; if this does not match, it will assume the user does not exist in SPP.

    You could try testing with no Azure AD SSO configured, rather than both configured at the same time with the same Realm?
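    The mismatch described in this reply (two federation providers claiming the same realm, so the login is redirected to one provider while the user record names the other) can be modelled as a small routing check. This is an added illustration, not Safeguard's own code or API: the provider names, the realm `example.onmicrosoft.com`, the user record and the assumption that the first provider registered for a realm wins are all constructed for the example. The useful part is `find_realm_conflicts`, which flags a realm registered on more than one provider before anyone attempts a login.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FederationProvider:
    """An External Federation entry: a provider name and the realms it claims."""
    name: str
    realms: tuple


@dataclass(frozen=True)
class SafeguardUser:
    """Minimal model of a user record: login name plus the two provider settings."""
    login_name: str
    identity_provider: str
    authentication_provider: str


def find_realm_conflicts(providers):
    """Return {realm: [provider names]} for every realm claimed by more than one provider."""
    claims = {}
    for provider in providers:
        for realm in provider.realms:
            claims.setdefault(realm.lower(), []).append(provider.name)
    return {realm: names for realm, names in claims.items() if len(names) > 1}


def resolve_provider(username, providers):
    """Pick the provider for user@realm.

    Assumption (constructed, not documented SPP behaviour): when several providers
    claim the same realm, the first one in the list wins. That is enough to show
    why a duplicated realm can redirect a Starling user to Azure AD.
    """
    if "@" not in username:
        return None
    realm = username.rsplit("@", 1)[1].lower()
    for provider in providers:
        if realm in (r.lower() for r in provider.realms):
            return provider
    return None


def check_login(username, providers, users):
    """Simulate the login outcome: where the user is sent, and whether the
    user record's authentication provider agrees with that destination."""
    provider = resolve_provider(username, providers)
    if provider is None:
        return "no-provider"
    user = users.get(username.lower())
    if user is None or user.authentication_provider != provider.name:
        # The redirect target and the user's authentication provider disagree,
        # which is the "User is Unknown" situation from the thread.
        return "user-unknown"
    return f"redirect:{provider.name}"


# Constructed sample data: one realm, two providers, one Starling-backed user.
REALM = "example.onmicrosoft.com"
STARLING = FederationProvider("Starling", (REALM,))
AZURE_SSO = FederationProvider("Contoso Azure AD", (REALM,))
USERS = {
    f"maurice@{REALM}": SafeguardUser(f"maurice@{REALM}", "Starling", "Starling"),
}


def scenario_both_configured():
    """Azure AD SSO and Starling both claim the realm (the failing setup)."""
    providers = [AZURE_SSO, STARLING]
    return find_realm_conflicts(providers), check_login(f"maurice@{REALM}", providers, USERS)


def scenario_starling_only():
    """Only Starling claims the realm (the setup that worked)."""
    providers = [STARLING]
    return find_realm_conflicts(providers), check_login(f"maurice@{REALM}", providers, USERS)


if __name__ == "__main__":
    print("both configured:", scenario_both_configured())
    print("starling only:  ", scenario_starling_only())
```

    Running the two scenarios shows the conflict report non-empty and the login failing with "user-unknown" while both providers claim the realm, and an empty report with a redirect to Starling once only one provider claims it.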

  • That was spot-on. It seems to work after I deleted the configured Azure AD connection. Q: Do I actually need the Azure connection under 'Identity and Authentication'? If yes, how should I configure the connection / redirection (in Azure?) to get this working?