Online Help

SafeNet Trusted Access for Thycotic Secret Server

Overview

Configuring SafeNet Trusted Access for Thycotic Secret Server is a three-step process:

1. Thycotic Secret Server setup

2. SafeNet Trusted Access setup

3. Verify authentication

Thycotic Secret Server Setup

As prerequisites:

Download the identity provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Install .NET Framework 4.6.2 or higher on your web server.

Secret Server version must be 10.5 or later.


Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Secret Server:

1. Log in to Secret Server as an administrator using the URL https://<Secret Server URL>, where <Secret Server URL> is the domain name you registered in Secret Server.

For example, https://safenet.secretservercloud.com

2. On the Secret Server dashboard, click the ADMIN tab, and click Configuration.

3. On the Configuration window, click the SAML tab.

4. On the SAML tab, under SAML General Settings, perform the following steps:

a. Click Edit.

b. Select the SAML Enabled checkbox.

c. Click Save.

5. Under SAML Service Provider Settings, click Edit and perform the following steps:

a. In the Name field, enter a Secret Server service provider name (for example, SecretServerServiceProvider). This name is used as the Entity ID of Secret Server in SAML communications.

b. Click the Select Certificate link.

c. On the Upload Certificate pop-up window:

Click Upload Certificate to search for and select the self-signed certificate in .pfx format.

In the Password field, enter the password you used to protect the private key of the self-signed certificate.

Click OK.

d. Click Save.

6. Click Download Service Provider Metadata (XML) to download the Secret Server metadata and save it on your local machine.

7. Under Identity Providers, click Create New Identity Provider.

8. On the Identity Provider pop-up window, click Import IDP from XML Metadata to search for and select the identity provider metadata that you downloaded earlier from the STA console.

9. In the Advanced column, click the Advanced Settings link.

10. On the Identity Provider pop-up window, ensure that the Sign Authn Request, Require Signed Assertion or Signed SAML Response, Sign Logout Request, and Sign Logout Response checkboxes are selected.

11. Click OK.

Assigning SAML Role Permission to Secret Server Users

Perform the following steps to assign SAML role permission to users:

1. On the Secret Server dashboard, click the ADMIN tab, and click Roles.

2. On the Roles window, click Create New.

3. On the Role Edit window, perform the following steps:

a. In the Role Name field, enter your role name (for example, SAML).

b. In the Permissions Unassigned list, select Administer Configuration SAML, and click .

c. Click Save.

4. On the Roles window, click Assign Roles.

5. On the View Role Assignment window, on the By Role tab, in the Role field, select the role name (for example, SAML) that you created in step 3(a).

6. Click Edit.

7. On the Role Assignment window, in the Unassigned list, select the user(s) (for example, bob) to whom you want to assign the role and click .

Note: Only Secret Server users who are assigned this role can perform SAML single sign-on (SSO).

8. Click Save Changes.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Secret Server, the second step is to activate the Thycotic Secret Server application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, you will notice that the Thycotic Secret Server application that you added previously is in an inactive state by default. To configure and activate this application, click the application (for example, Thycotic Secret Server) and proceed to the next step.

2. Under STA Setup, perform the following steps:

a. Click Upload Thycotic Secret Server Metadata.

b. On the Metadata upload window, click Browse to search for and select the Secret Server metadata that you downloaded earlier in step 6 of Thycotic Secret Server Setup.

Under Account Details, the service provider metadata information is displayed.

c. Convert the self-signed certificate that you uploaded in step 5(c) of Thycotic Secret Server Setup to .crt or .cer format and save it on your local machine.

d. For authentication request signature validation, under SAML Certificates, under Signing Certificate, click Upload Certificate to upload the self-signed certificate (in .crt or .cer format).

Note: If you have opted to encrypt the SAML assertion, then under SAML Certificates, under Encryption Certificate, click Upload Certificate to upload the certificate (in .crt or .cer format).

e. In the NAME ID field, select the attribute (for example, SAS User ID) whose value you want to send to Secret Server in the SAML assertion. The value of this attribute must be the same as the username in Secret Server, because it is used to map the SAML assertion to a Secret Server user when the user logs in.

f. Click Save Configuration to save the details and activate the Thycotic Secret Server application in SafeNet Trusted Access.
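Before uploading the Secret Server metadata (step 2b) and the converted .crt file (step 2d), it is worth confirming that the metadata carries the Entity ID you entered in step 5(a) and that the .crt file is the same certificate the metadata advertises for signing; a mismatch here is the usual cause of rejected authentication requests. The check below is an added example, not code from this guide or from either product; it uses only the Python standard library, and the embedded metadata and certificate are constructed placeholders rather than real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem_text):
    """Strip the PEM armour of a .crt/.cer file and return the DER bytes."""
    body = [s for s in (ln.strip() for ln in pem_text.splitlines())
            if s and not s.startswith("-----")]
    return base64.b64decode("".join(body))

def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def parse_sp_metadata(xml_text):
    """Return the entityID and SHA-256 fingerprints of the signing certificates."""
    root = ET.fromstring(xml_text)
    fps = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(sha256_fingerprint(der))
    return {"entity_id": root.get("entityID"), "signing_fingerprints": fps}

def check_sp_metadata(xml_text, expected_entity_id, crt_pem):
    """List mismatches between the metadata, the expected Entity ID and the .crt file."""
    info = parse_sp_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append("entityID is %r, expected %r" % (info["entity_id"], expected_entity_id))
    if sha256_fingerprint(pem_to_der(crt_pem)) not in info["signing_fingerprints"]:
        problems.append("the .crt file is not a signing certificate listed in the metadata")
    return problems

# Constructed sample: the certificate body is placeholder bytes, not a real X.509 DER.
FAKE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_SP_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="SecretServerServiceProvider">'
    '<md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>' + FAKE_B64 + '</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n"
```

For the real files, the .crt for step 2(c) can be extracted from the .pfx with `openssl pkcs12 -in sp.pfx -clcerts -nokeys -out sp.crt`, and `check_sp_metadata(open("metadata.xml").read(), "SecretServerServiceProvider", open("sp.crt").read())` returns an empty list when everything lines up.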

Verify Authentication

Using STA Console

Navigate to the Secret Server login URL, https://<Secret Server URL>.

For example: https://safenet.secretservercloud.com

You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Thycotic Secret Server application after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Secret Server application icon; after authentication, you should be redirected to the Thycotic Secret Server application.


© 2019 SafeNet Trusted Access. Various trademarks held by their respective owners.