User is not authorized to access this system

Hello,

When we try to log on to Safeguard SPP (7.3) using a user (account) in Azure AD, in combination with Starling Connect (EU), we get the message "User is not authorized to access this system" at the logon screen (and in the logging). The Activity Center shows the error "User is Unknown".

For the user, both the 'Identity Provider' and 'Authentication Provider' are set to "Starling". If we change the setup for the user to 'Identity Provider': "local" and 'Authentication Provider': "<our Azure AD>", then we can even log on to Safeguard with this user... so the Azure configuration looks Ok(?).

Also the Safeguard setup looks Ok as we are able to manage the Azure AD asset: check/change password, adding users, discover accounts; all works fine.

=> What could be the issue?

  • If you are switching to using Starling as your Identity and authentication provider then you do not need to have the Azure AD SSO federation configured in SPP and you would be able to authenticate using Starling instead (which is using Azure AD in the backend anyways in this case)

    There is also a setting that forces a specific provider as Default, which could be used to make the authentication more seamless:

    For example, you could set an option via the Core API to ForceAsDefault one of the authentication providers:

    Log in to the SPP Core API:

    https://<safeguard>/service/core/swagger

    - Click the Authorize button to authenticate using an SPP Admin account

    - Expand the AuthenticationProviders endpoint

    - Find the ID for the Authentication Provider (Starling in your case) by executing the API call below

    GET /v4/AuthenticationProviders > Gets a list of authentication providers

    - Set the Authentication Provider ID for Starling as the default, for example, by replacing the ID for Starling in the API call below:

    POST /v4/AuthenticationProviders/{id}/ForceAsDefault

    The description from Swagger Core API below:

    ---

    When ForceAsDefault is set to {true} on a provider, the login page will not display a drop down list of all available providers. Instead, the end user will be defaulted in to using the specified provider. Only one provider can be marked as the default at a time. When updating the specified provider, any previously set default will be cleared. If a default provider is set and you need to log in using some other provider, like the Safeguard Local provider in order to log in as a local administrator user, a query string parameter can be appended to the login page URL, 'primaryProviderID', where the value is set to the 'RstsProviderId' you need.

    For example, "https://<safeguard>/RSTS/Login?response_type=token&redirect_uri=https%3A%2F%2F<safeguard>%2F&primaryProviderID=local". You cannot set a provider that is used for two-factor authentication as the default. This functionality is only applicable to web browser based logins, not programmatic API/OAuth2 logins.

    ---
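    The same two Core API calls, scripted, as an added example (not from this thread or from One Identity). It assumes a Core API bearer token has already been obtained (for instance by copying it out of the Swagger "Authorize" step), that the base URL is `https://<safeguard>`, and that the AuthenticationProviders payload carries the fields `Id`, `Name`, `RstsProviderId` and `ForceAsDefault`; those field names are assumptions to verify in Swagger. The script refuses to act unless exactly one provider matches the requested name, reports which provider was the default before the change so it can be rolled back, and builds the `primaryProviderID=local` fallback URL from the Swagger text above so the local administrator is never locked out of the login page. The sample provider list is constructed, and the `send` callable is injectable so the whole flow can be exercised offline before it is pointed at a real appliance.

```python
"""Resolve an SPP authentication provider by name and mark it ForceAsDefault.

Added example, not code from the thread or from One Identity.
Assumptions: a Core API bearer token is already available; the
AuthenticationProviders JSON has Id, Name, RstsProviderId, ForceAsDefault.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional

API_VERSION = "v4"

# Constructed sample shaped like a GET /v4/AuthenticationProviders response
# (field names are assumptions; check the real payload in Swagger).
SAMPLE_PROVIDERS: List[Dict[str, Any]] = [
    {"Id": 1, "Name": "Local", "RstsProviderId": "local", "ForceAsDefault": False},
    {"Id": 2, "Name": "Contoso Azure AD", "RstsProviderId": "azuread-contoso",
     "ForceAsDefault": False},
    {"Id": 3, "Name": "Starling", "RstsProviderId": "starling", "ForceAsDefault": False},
]


def find_provider_id(providers: List[Dict[str, Any]], name: str) -> int:
    """Return the Id of the single provider whose Name matches (case-insensitive).

    Refuse on zero or several matches so a typo cannot silently promote the
    wrong provider to the forced default."""
    wanted = name.strip().lower()
    matches = [p for p in providers if str(p.get("Name") or "").strip().lower() == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one provider named {name!r}, found {len(matches)}")
    return int(matches[0]["Id"])


def current_default(providers: List[Dict[str, Any]]) -> Optional[int]:
    """Id of the provider currently flagged ForceAsDefault, or None (only one can be set)."""
    flagged = [int(p["Id"]) for p in providers if p.get("ForceAsDefault")]
    return flagged[0] if flagged else None


def build_request(base_url: str, token: str, method: str, path: str) -> urllib.request.Request:
    """Build a Core API request: https://<safeguard>/service/core/v4/<path> with a Bearer token."""
    url = f"{base_url.rstrip('/')}/service/core/{API_VERSION}/{path.lstrip('/')}"
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def http_send(req: urllib.request.Request) -> Any:
    """Real transport: send the request and parse the JSON body (empty body -> None)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


DRY_RUN_LOG: List[tuple] = []


def dry_run_send(req: urllib.request.Request) -> Any:
    """Offline transport: record the call and answer GET with the constructed sample."""
    DRY_RUN_LOG.append((req.get_method(), req.full_url))
    return SAMPLE_PROVIDERS if req.get_method() == "GET" else None


def force_default(base_url: str, token: str, provider_name: str,
                  send: Callable[[urllib.request.Request], Any] = http_send) -> Dict[str, Any]:
    """GET the provider list, resolve the name, then POST .../{id}/ForceAsDefault.

    Returns the previous default so the change can be reverted by re-running
    with that provider's name."""
    providers = send(build_request(base_url, token, "GET", "AuthenticationProviders"))
    target = find_provider_id(providers, provider_name)
    previous = current_default(providers)
    if previous == target:  # already the default; nothing to change
        return {"changed": False, "previous_default": previous, "new_default": target}
    send(build_request(base_url, token, "POST",
                       f"AuthenticationProviders/{target}/ForceAsDefault"))
    return {"changed": True, "previous_default": previous, "new_default": target}


def fallback_login_url(base_url: str, rsts_provider_id: str = "local") -> str:
    """Login URL that bypasses the forced default via primaryProviderID (from the Swagger text)."""
    host = base_url.rstrip("/")
    redirect = urllib.parse.quote(host + "/", safe="")
    return (f"{host}/RSTS/Login?response_type=token&redirect_uri={redirect}"
            f"&primaryProviderID={rsts_provider_id}")


if __name__ == "__main__":
    # Offline rehearsal against the constructed sample; swap dry_run_send for
    # http_send and supply a real token to act on an appliance.
    outcome = force_default("https://spp.example", "PLACEHOLDER_TOKEN", "Starling", dry_run_send)
    print(outcome)
    print("keep this handy before forcing a default:", fallback_login_url("https://spp.example"))
```

    Keep the fallback URL at hand before running this against a live appliance: once a default is forced, the login page no longer offers the provider drop-down, and the local administrator route is only reachable through `primaryProviderID=local`.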

  • Thanks ! !
    Just one more question: For which use cases would you configure an Azure AD connection under 'Identity and Authentication'? To use it for authentication in combination with a local Identity Provider (?) (without use of Starling), or are there other cases...?

  • The other two use-cases (Without Starling) are:

    1. Local users that will use Azure AD federated SSO login as you had earlier.

    2. SCIM provisioning is now supported in SPP 7.3 where you can provision Azure AD Users and Groups to be pushed to SPP
    - This would be another use case where you can use Azure AD authentication provider for these provisioned users that are pushed into SPP from Azure AD via SCIM.

    Reference for SCIM settings can be found here:

    https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/7.3/administration-guide/47#SCIM

    Thanks!