Optional Configuration Settings

The following settings offer additional functionality and control, but do not need to be completed in order to deploy an application.

Specifying the Application ID

On the Settings page, you can configure an Application ID for mobile applications that use the Delinea mobile SDK. The Privileged Access Service uses the Application ID to provide single sign-on to mobile applications. Note the following:

  • The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

  • There can only be one SAML application deployed with the name used by the mobile application.

    The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

On the Settings page, you have the option to modify settings to change how and where applications are displayed in the Admin Portal Apps page.

To optionally change the app name, description, or logo

  1. Click Settings in the Admin Portal.

  2. Enter the new name in the Application Name field to change how the application name is displayed in the Admin Portal Apps page.

    For some applications, the name cannot be modified.

  3. Enter the new description in the Application Description field to change the default application description displayed in the Admin Portal Apps page.

  4. Click Select Logo and upload a new logo file and change the default logo for the application displayed in the Admin Portal Apps page.

  5. Click Save.

Specifying Additional Authentication Control

On the Policy page, can specify additional authentication controls for an application by defining rules and the order in which the rules are applied.

You can also include JavaScript to identify specific circumstances (log ins from outside corporate IP ranges) when you want to block an application or you want to require additional authentication methods. For details, see Application Access Policies with JavaScript.

To define a rule that specifies additional authentication control

  1. Click Policy in Admin Portal.

  2. (Optional) Click Add Rule to specify conditional access.

    The Authentication Rule window displays.

  3. Click Add Filter on the Authentication Rule window.

  4. Define the filter and condition using the drop-down menus.

    For example, you can create a rule that requires a specific authentication method when users access Privileged Access Service from an IP address that is outside of your corporate IP range. Available filters vary depending on the object they are applied to and features enabled on your tenant. Supported filters are:

    Filter Description
    IP Address The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.
    Identity Cookie The authentication factor is the cookie that is embedded in the current browser by Privileged Access Service after the user has successfully logged in.
    Day of Week The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.
    Date The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.
    Date Range The authentication factor is a specific date range.
    Time Range The authentication factor is a specific time range in hours and minutes.
    Device OS The authentication factor is the device operating system.
    Browser The authentication factor is the browser used for opening the Privileged Access Service portal.
    Country The authentication factor is the country based on the IP address of the user computer.
    Certificate Authentication The certificate is used for authentication.
    For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.
  5. Click the Add button associated with the filter and condition.

  6. Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.

    The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Creating Authentication Profiles.

  7. Click OK.

  8. (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.

    If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down, users will not be able to log in to the service.

  9. (Optional) If you have more than one authentication rule, you can drag and drop the rules to a new position in the list to control the order they are applied.

  10. Click Save.

To specify a corporate IP range

Click Settings > Network > Corporate IP Range, then click Add and enter one or more IP addresses or ranges.

If you left the Apps section of Admin Portal to specify additional authentication control, you will need to return to the Apps section before continuing by clicking Apps at the top of the page in Admin Portal.

Configuring Single Logout

If your service provider supports single logout ("SLO"), you can configure the application so that when your users log out of the application, they are also logged out of the Delinea Admin Portal.

To configure SLO, enter the Single Logout URL provided by your service provider on the Trust page under Service Provider Configuration > Manual Configuration > Single Logout URL.

If you are configuring single logout in the B2B app, you must include the nameID attribute in the SAML response to facilitate SAML SP and IdP logout. Without the nameID attribute, only the Delinea tenant will be logged out, not the IdP.

With SLO configured, signing out of the application sends a logout request to the Privileged Access Service at the Identity Provider Logout URL (an automatically generated URL). The Privileged Access Service validates the request and returns a logout response to the service provider at the Single Logout URL.

Configure the SAML Attributes

On the SAML Response page, use the Attributes section to configure SAML attributes that should be included in the SAML response for this application.

To add an attribute

  1. Click Add.

  2. In the Attribute Name field, enter the attribute name as required by the Service Provider.

    For example: Email

  3. In the Attribute Value field, click the drop-down menu and the applicable value for the attribute name.

    For example: LoginUser.

    Click the drop-down menu again and select Email from the popup menu to obtain LoginUser.Email.

  4. Repeat the previous steps as necessary to add additional attributes.

  5. If the drop-down menu items do not list the attribute that you want, click the input field and enter the value manually.

    For example, if you want an Active Directory attribute such as custom_ad_attr, enter LoginUser.Get('custom_ad_attr').

    If you want a hardcoded string value, enter the value enclosed in single quotes such as 'hardcoded_string_value'.

  6. Click Save.

    The attributes that you configure in the Attributes section are separate from those that you configure in the Custom Logic section. Both attribute entries appear in the SAML Response.

Editing the Assertion Script

If you use either the Advanced page or the SAML Response page, you have the option to edit the script that generates the assertion, if needed. In most cases, you don’t need to edit this script. For more information on editing the SAML Response, see SAML Application Scripting. For details on editing the assertion for user password applications, see User-Password Application Scripting.

Accessing Applications Outside the Network

On the App Gateway page in Admin Portal, you have the option to configure secure access to on-premise applications outside of your corporate network without using a VPN connection. See Configuring an Application to Use the App Gatewayfor detailed configuration instructions.

Setting up a Request and Approval Workflow

On the Workflow page you have the option to set up a request and approval workflow for an application.

See Managing Application Access Requests for more information.

Viewing a Log of Recent Changes

On the Changelog page, you have the option to see recent changes that have been made to the application settings, by date, user, and the type of change that was made.