Getting Started

This Getting Started guide is for new or prospective Delinea customers who wish to purchase or sign up for a trial of the integrated Secret Server Cloud on the Delinea Platform, with unified administration. With unified administration, individual administrators can access both Secret Server Cloud and platform functionality simultaneously and seamlessly.

The guide is not for existing Secret Server Cloud or Secret Server On Premises customers. See the Notes below:

Existing Secret Server Cloud customers must integrate their Secret Server Cloud instance into the Delinea Platform. Please see Integrating Secret Server.

Existing Secret Server On Premises customers can add Privileged Remote Access functionality using a limited integration. Please see Manually Integrate Secret Server On Premise.

To troubleshoot common on-boarding issues, see Onboarding Troubleshooting.

The Cloudadmin Account

Delinea creates the cloudadmin account for you, with the name formatted as cloudadmin@your_platform_tenant_name. It is the first account on the platform, and it has unlimited permissions across the platform and Secret Server Cloud. When you are signed in as cloudadmin, you will perform initial provisioning, login, and setup tasks that include installing the Delinea Connector, authorizing domain user accounts, assigning your own business domain user account to the System Administrator group, and .

Other Administrator Accounts

After you create the Platform Admin account, you can create additional administrator accounts with permissions tailored to specific purposes.

Provision and Log In to the Platform

  1. Contact a Delinea sales representative to request a trial platform account.

    If you do not receive one or more of the following emails from Delinea, see Onboarding Troubleshooting for guidance.

  2. Welcome to your Secret Server Cloud Trial on the Delinea Platform: You will receive this initial email when you are approved for a trial. Use the links in the email to provision your platform cloud tenant and perform these tasks:

    • Set up your platform cloud tenant
    • Set up your initial administrator account
    • Select your hosting region
    • Choose a subdomain for your organization
    • Receive your platform access licenses
    • Designate an alternate owner at your organization
    • Sign up for Delinea Support services
  3. Welcome to the Delinea Support Portal!: You will receive this second email after you complete the tasks in the first email. Click the link in this email to sign into your personalized Delinea Support portal with the username provided in the email.

  4. You have been invited to the tenant-name tenant on Delinea Platform: You will receive this third email after you use the link in the second email to log in to the Delinea Support portal.

    • Make a note of your Cloudadmin account login username provided in the email.
    • Click the Accept Invitation button in the email to be taken to your platform tenant, where you will be logged in automatically the first time, with comprehensive administrator permission on both the platform and Secret Server.
    • Bookmark your platform tenant URL.
    • The second time you log in, you will be prompted to set a password for your Cloudadmin account. We recommend having this password generated for you automatically.

Not all platform features are available by default. To trial features like ITP/PCCE or PCS, contact your sales representative to have these enabled in your tenant.

Enable Domain Users to Log into the Platform

To enable domain users to log in to the platform, you must Install the Delinea Connector and Authorize AD Accounts, configure Federation to Add Federated User Accounts, or use both options for a mix of user types. You can then define security policies, assign them to platform identity groups, and map your existing domain groups to the platform identity groups.

Install the Delinea Connector and Authorize AD Accounts

To add Active Directory user accounts to the platform, you must install the Delinea Connector. For complete instructions on downloading, installing, and registering the Connector, see The Delinea Connector.

The basic steps for installing the Delinea Connector are as follows.

  1. Download the connector executable file by clicking Settings from the left navigation, then selecting Connectors.
  2. On the Connectors page, click Add Connector.
  3. In Box 1 on the Add connector page, click Download to get the 64-bit Connector Installer.
  4. In Box 2, copy the tenant URL, and save it for later.
  5. Generate or copy a connector Registration Code, and save that for later too.
  6. In the Connector Configuration Wizard, select the box next to Use Registration Code and paste the code that you saved earlier into the field provided. The Connector Configuration Wizard, similar to a Distributed Engine in Secret Server, will read the forest and automatically display a list of forest domains that you can connect to the platform.
  7. Select any domain where your users will be logging in from.
  8. Make sure to include the domain that your own business user account belongs to.

To map Microsoft Entra ID groups to platform groups, see Integrating Entra ID.

Assign Your Business Domain User to the System Administrator Group

After you have authorized Active Directory accounts on the platform, including your own personal domain account, you need to assign standard Administrator permissions for the platform and Secret Server to your personal domain account, while logged in as cloudadmin.

  1. Click Access from the left navigation, then select Groups.
  2. Click the System Administrator group.
  3. Click the Members tab.
  4. Click Add members.
  5. In the Search dialog, change the first filter to Users and change the second filter to your connected domain. Now the search will find users from your connected domains.
  6. Find your own Platform Admin domain account and add it to the System Administrator group. Through your membership in this group, your account automatically inherits the Platform Admin role with appropriate permissions on the platform.

Synchronize the System Administrator Group to Secret Server

  1. Click Settings from the left navigation, then select Administration below Secret Server.

  2. On the Secrets Administration page, click Platform Integration.

  3. Select the Groups tab.

  4. Add the platform System Administrator group to the list of synchronized groups. Secret Server automatically creates a corresponding Secret Server group that is synchronized to the platform group.

  5. Add a role with Secret Server administrator permissions to the newly synchronized platform System Administrator group. Your platform System Administrator account now has Secret Server administrator permissions through its membership in the synchronized Secret Server group.

Access Secrets as a System Administrator

After you have assigned your business domain user to the System Administrator group and synchronized the System Administrator group to Secret Server, you can access secrets from the platform using your System Administrator account.

  1. Log out of the platform as Cloudadmin.
  2. Log back into the platform using your System Administrator account.
  3. On the platform Home page, click Access Your Secret Server. The All Secrets page opens, where you can view, create, and manage your secrets.

For more on how to use and manage your secrets, see Using Secrets.

Add Federated User Accounts

Unlike Secret Server Cloud users, federated Delinea Platform users are added to the platform "on-the-fly" when they log in, as long as they satisfy the authentication requirements through an external source such as AD or a federation service provider. Users do not need to be authorized or granted permissions in advance. Users that exist in external sources will not be listed on the platform at Access > Users until they log in to the platform for the first time.

The platform does not natively support bulk import and synchronization of all users from an external source such as federation or AD. Platform administrators can find AD users to add to the platform by performing filtered searches through external AD directories, but federated directories cannot be searched.

To integrate federation Identity Provider (IdP) services on the Delinea Platform, see Federation.

To manage federation IdP services on the platform, see Federation Management. Also see Troubleshooting Federated User and Group Mapping.

About Local User Accounts

Adding local users to the platform is not considered a best practice for privileged access management. Generally, users should be added to the platform only through federation or through their membership in an Active Directory. Local user accounts should be used only rarely. For example, vendors are added as local accounts, and you might need to add a local user account for someone who needs to try out platform functionality for a very limited time.

Local accounts cannot be converted to domain accounts.

(For migration customers only) After the Connector is installed and Active Directory is set up on the platform, do not add an existing Secret Server Cloud user as a local user, because doing so could cause synchronization issues between the platform and Secret Server.

To add a new local user, see Adding Users.

Assign Roles and Permissions to Users and Groups

On the Delinea Platform, permissions are assigned to roles, and roles are assigned to groups, so users inherit permissions through their group memberships. The platform supports custom roles and the following two built-in roles, which cannot be renamed or deleted:

  • Platform User: All platform users belong to the Everybody group, and through that group membership they inherit the Platform User role. The Platform User role provides the user with basic permissions to log in to the platform, access their secrets, launch PRA sessions, and view their own session recordings.
  • Platform Admin: Platform users added to the System Administrator group inherit the Platform Admin role through that group membership. The Platform Admin role provides all permissions on the platform.

User roles and permissions are managed by clicking Access from the left navigation, then selecting Users, Groups, or Roles.

For more detailed instructions on managing roles and permissions on the platform, see User Roles and Permissions.

Set Up and Use Privileged Remote Access

Delinea Privileged Remote Access (PRA) provides seamless access to remote machines through Remote Desktop Protocol (RDP) and Secure Socket Shell (SSH), with no need for a Virtual Private Network (VPN).

Install the Remote Access Engine

Before you install the PRA engine, make sure you meet the minimum requirements. See PRA Requirements.

  1. Click Settings from the left navigation menu, then select Remote Access.
  2. Click Add Site.
  3. Follow the instructions at Create a Site.
  4. Follow the instructions at Install an Engine.
  5. Follow the instructions at Activate the Engine.

Launch a PRA Session

To launch a PRA session from the Delinea Platform:

  1. From the left navigation menu, click Secret Server.
  2. On the All secrets page, locate a secret associated with PRA.
  3. Hover your cursor near the right end of the Name field.
  4. Click the rocket (launch) icon. The Select Launcher window pops up.
  5. Select Open with Remote Access. A new browser tab opens, where you can launch a PRA connection to a remote machine.

For more detailed instructions on using the Privileged Remote Access, see Using PRA.

About Multi-factor Authentication

The platform provides cloud-based, flexible multi-factor authentication (MFA) as powerful as many retail MFA products and services. All administrators and business users on the platform should be required to use multi-factor authentication (MFA) to log in.

Platform MFA has two components: Authentication Profiles and Identity Policies.

  • An identity MFA profile determines which MFA challenges are presented to a user (see Authentication Profiles).

  • An identity MFA policy determines whether and when a user is presented with the challenges in their assigned MFA profile (see Identity Policies).

More information about MFA on the platform can be found in the following sections:

  • MFA for Secrets. Multi-factor authentication (MFA) for secrets gives platform administrators the option to add one or more security requirements to access defined secrets.

  • Identity Policies. Enabling MFA on the platform requires setting up identity policies and assigning them to users. An identity policy determines whether and when a user is presented with the challenges specified in the associated MFA profile.

  • Authentication Profiles. Enabling MFA on the platform requires setting up authentication profiles. An authentication profile specifies the authentication challenges required to log in to the platform, and the length of time that must elapse before a user is re-prompted for authentication.

  • Corporate IP Range. The Corporate IP Range function is used to define IP ranges for both internal and external networks, and to define authentication requirements such as the locations or IP ranges from which users can log in to the Delinea Platform.

  • RADIUS Configuration. You can use your RADIUS server to authenticate users to the Delinea Platform.

  • Logging In to the Delinea Platform (MFA). The Delinea Mobile app can be used as an MFA mechanism for logging in to the Delinea Platform. Also see Delinea Mobile Log in Process.