Azure Active Directory as Identity Provider

We need to configure AAD as an Identity Provider to retrieve USERS accessing the SPP.

What is the best way to proceed? Do we also have to configure Starling Connect in order to configure AAD in the Identity Provider section? What type of selection should we make? Active Directory or External Federation type?
Now in the customer's environment only EXTERNAL FEDERATION is configured to have the MFA but we must also configure it as an Identity Provider.

Also, is it necessary a specific license to join to Starling Connect?

I hope to be clear.

Thank you very much for your help

Parents

0 Tawfiq.Ahmad 4 months ago

Hi Dario,

you can use SCIM option (available in SPP version 7.3 and higher ) to provision users from Azure AD (Entra ID) to SPP and assign these users the Authentication to be External Federation via Azure:

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/8.0%20lts/administration-guide/49#SCIM

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 dario guastella 4 months ago in reply to Tawfiq.Ahmad

ok Tawfiq thank you.

So, it is not necessary to enroll in Starling (Starling connect) to set it up as an Identity provider or even to see the AAD as an asset on which to make all discoveries (of assets and accounts)?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Tawfiq.Ahmad 4 months ago in reply to dario guastella

The SCIM provider option can be used to provision Users and User Groups from Entra ID to SPP for example.

Asset and Account Discovery is a separate feature:

(Managing AAD Account passwords) this requires the use of the Azure AD asset to browse and import AAD Accounts - The AAD Asset will still need to use the Starling Connect registered connector. This is already available in SPP

Azure AD (Asset Discovery) is not yet implemented but we do have a feature pending for this functionality.

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Cyril Chong 1 month ago in reply to Tawfiq.Ahmad

Hey Dario/Tawfiq,

Just came across this thread and wanted to understand more for my customer's use case. So if the use case is to have AAD user login and have Windows Authenticator as 2FA, we would need to configure SCIM to create, update, delete users into Safeguard and have External Federation to AAD for Secondary Authentication via Windows Authenticator.

With this configured, in terms of user experience on the login page, would the user first authenticate with email and password, click login and asked to login again via Microsoft login portal which has Windows authenticator?

Thanks!

--Cyril
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 Cyril Chong 1 month ago in reply to Tawfiq.Ahmad

Hey Dario/Tawfiq,

Just came across this thread and wanted to understand more for my customer's use case. So if the use case is to have AAD user login and have Windows Authenticator as 2FA, we would need to configure SCIM to create, update, delete users into Safeguard and have External Federation to AAD for Secondary Authentication via Windows Authenticator.

With this configured, in terms of user experience on the login page, would the user first authenticate with email and password, click login and asked to login again via Microsoft login portal which has Windows authenticator?

Thanks!

--Cyril
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 Tawfiq.Ahmad 1 month ago in reply to Cyril Chong

Hi Cyril,

User would select External Federation and type the email address then SPP will redirect to the Azure Login where the user can complete the authentication and MFA, so in this use-case there is no password typed into SPP login page. After the Azure login + MFA is completed then user is redirected back to SPP as an authenticated user.

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Cyril Chong 1 month ago in reply to Tawfiq.Ahmad

Understood, thanks for the clarification!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel