Integrating Secret Server into the Delinea Platform

Overview

This documentation covers integrating Secret Server into the Delinea Platform for customers who are already using Secret Server but need the expanded capabilities provided by the platform.

New customers who sign up for a trial of Secret Server Cloud on the Delinea Platform receive a unified tenant—with Secret Server Cloud and the Delinea Platform already fully integrated. The initial user is automatically assigned full administrator privileges on both the Delinea Platform and the integrated Secret Server Cloud. Because no integration procedures are required, those customers do not need to read this documentation.

Integration Benefits

The Delinea Platform seamlessly extends privileged access management across your company's hybrid, multi-cloud infrastructure, with adaptive controls that help IT and cybersecurity teams to rapidly meet compliance and reduce risk. The Delinea Platform delivers a multitude of benefits, including:

  • Decrease Risk: Enhance your security posture by safeguarding privileged access from login to privilege elevation and proactively address identity-related threats and misconfigurations.

  • More Easily Meet Compliance: Adaptive authorization controls and unified auditing simplify the enforcement and demonstration of compliance requirements.

  • Centralize Control: Manage privileged access across shared credentials and all identities spanning data, applications, cloud, and traditional infrastructure.

  • Scale Your PAM Program: Leverage the Delinea secure cloud-native architecture to mature your organization through the seamless adoption of privilege controls and shared capabilities.

  • Realize Fast ROI: Benefit from wizard-driven setup, configuration, and workflows that are easy to adopt.

  • Benefit from Cloud-Native Resilience: Experience the most resilient solution, boasting 99.99% uptime.

Learn more about the Delinea Platform and its shared service capabilities.

After Integration

What Changes

Once the integration is complete, the platform and Secret Server run with unified administration. Management of roles and permissions transfers completely to the platform, and they become read-only in Secret Server.

What Stays the Same

When Secret Server and the Delinea Platform are integrated, secrets work the same way on the platform that they always worked on Secret Server. The integrated systems share secrets and pinned folders, as well as administrative privileges, permissions, and access settings.

Secret Server Cloud customers keep everything they know and use today with no disruption to their secrets, workflows, files, or permissions.

  • All your secrets, data, and permissions remain intact and accessible

  • There will be no downtime or disruption to service when you opt in and move identity to the platform

  • All your integrations remain configured

  • All your customization remains intact

  • You will notice very few UI differences

  • All historical data and audit trails remain visible

  • You keep all functionality and features you currently have

  • Your current SLA remains in effect and intact

Have users log on early

Users will not appear on the platform’s list of users until they log onto the platform for the first time. We strongly recommend having all users log on to the platform to access Secret Server soon after the integration.

Here is a useful demonstration showing how users can log on to the Delinea Platform and access Secret Server.

Current Secret Server On-Prem Customers

Staying on Secret Server On-Prem

If you want to keep using Secret Server On-Premises and access the Privileged Remote Access (PRA) feature of the Delinea Platform, you must purchase PRA and follow these integration directions.

Moving to Secret Server Cloud on the Delinea Platform

If you are moving to Secret Server Cloud on the Delinea Platform:

  1. Contact Delinea Professional Services to have us migrate your data from your on-premises instances to Secret Server Cloud.

  2. From Secret Server Cloud, launch the self-service Platform Integration Center and follow the steps below to integrate your Secret Server Cloud into the Delinea Platform.

Current Secret Server Cloud Customers

From Secret Server Cloud, launch the self-service Platform Integration Center and follow the intuitive steps below to integrate your Secret Server Cloud into the Delinea Platform.

Integration Steps

In Secret Server Cloud, launch the Platform Integration Center:

  1. Click Settings from the left navigation menu.

  2. Navigate to Secret Server > Platform Integration > Integration Center.

  3. Optional: Click the star to add the Platform Integration Center as a favorite for ease of access.

The seven steps below correspond to a walk-through demonstration of the Platform Integration Center. We recommend walking through the demonstration as you complete these tasks.

Step 1: Provision a Platform Tenant

In this step, you will create a new Delinea Platform tenant and log in. This step is required before proceeding to the next step.

For more information on this process, please see Current Secret Server Cloud Customers.

During this process, you will provide a tenant name that is typically the same as your Secret Server Cloud tenant name. For example, if Secret Server Cloud is named Alpha1.secretservercloud.com, then your Platform tenant would be named Alpha1.delinea.app.

The default region will match your Secret Server Cloud region. If it is the United States (US), then the platform will also be hosted on the US cloud.

Once the Tenant setup is complete, click Launch Platform. The process will automatically log you on to the Delinea Platform where you will be asked to update the account password for the cloudadmin account. Please remember the password you have set.

Launch the Platform Integration Center from the platform this time:

  1. Click Settings from the left navigation menu.

  2. Navigate to Secret Server > Platform Integration > Integration Center where you can begin Step 2: Secure Access.

The initial platform administrator is named cloudadmin@[tenantname], and all processes described in this document must be completed by that cloudadmin user. The cloudadmin user receives the same Secret Server permissions as the user who provisioned the platform tenant. On the Delinea Platform, it receives additional permissions as a Platform Administrator.

Step 2: Secure Access

On the Platform, user security and login configurations are managed by Identity Policies. If you configure one or more Active Directories using the Delinea Connector, we strongly recommend implementing an Allow List identity policy. Although the out-of-the-box default policy provides a baseline configuration, you should tailor it to your organizational requirements.

In Step 2: Secure Access, you will configure the platform for allow-list authentication, similar to existing Secret Server behavior.

The steps below configure an Allow List identity policy that mirrors the default policy but is scoped to a specific group membership, so that only the specified users can meet the profile. The steps then set the default policy to deny access to any users who do not meet the newly configured profile.

For more details about these settings, see Identity Policies.

If this policy is not created automatically during this step, you can manually create a new Identity Policy by following the steps below.

  1. From the platform, click Access from the left navigation, then click Groups.

  2. Create a new group.

  3. Name the group to indicate that it defines all users who can authenticate to the platform, such as Acme Platform Users.

  4. Add the cloudadmin user to the group.

  5. Add any other users that are currently using the platform to the group, either directly or by a group that they are a member of.

  6. Click Access from the left navigation, then click Identity Policies.

  7. Add a new policy.

  8. Name the policy to indicate that it will control how most users authenticate to the platform, such as Acme Default Authentication Policy.

  9. Leave the policy disabled.

  10. Add a description if desired.

  11. Target specific groups, and select the group that was configured above.

  12. In the new policy, click the Authentication tab.

  13. Edit the Services section.

    1. Enable authentication policy controls.

    2. Set the Default Authentication Profile to Default Other Login Profile.

    3. Save the section.

  14. Edit the Authentication Rules section.

    1. Add a rule named Identity cookie is not present.

    2. Select the Default New Device Login Profile.

    3. Add a filter by selecting Identity Cookie and setting Is not present for the condition.

    4. Save the filter, rule, and section.

      Note: If saving any of these settings causes an error:

      • Ensure that all steps above have been completed correctly.

      • Ensure that the cloudadmin user can meet the requirements of the two authentication profiles configured above.

  15. Open the Overview tab and enable the policy.

  16. Navigate back to Identity Policies.

  17. Edit the default policy.

  18. Open the Authentication tab and edit the Authentication rules section.

  19. Select the row and delete any authentication rules.

  20. Save the section.

  21. Edit the Services section.

  22. Set the Default Authentication Profile to Deny platform authentication.

  23. Save the section.

Step 3: Customize Branding

In this step you will configure the platform’s look and feel to comply with organizational expectations.

If your current Secret Server Cloud tenant has branding customizations, this step will copy those branding customizations to your Delinea Platform tenant.

If you have any branding customizations already in the Delinea Platform, there are no actions needed for this step and it will be marked as such.

If you do not have any branding customizations and none are detected, you can skip this step.

Step 4: Connect Domains

In this step, you will install a Delinea Connector in each forest containing any Active Directory domain(s) currently synchronized with Secret Server.

Basic Requirements for the Delinea Connector:

  • Windows Server 2019 or newer

  • No outbound SSL inspection

  • Domain-joined to a domain in the forest
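The following pre-flight check is an added example, not Delinea's own tooling: it verifies the three connector requirements above on a candidate server. It assumes the platform tenant host name is passed in (Alpha1.delinea.app is the page's example; substitute your own) and that the -ProxyIssuerPattern regex names your organization's TLS-inspection CA, if one exists.

```powershell
# Added pre-flight check for the Delinea Connector requirements (not Delinea's code).
# Assumptions: $TenantHost is your platform tenant; $ProxyIssuerPattern matches the
# issuer name of any TLS-inspection CA your network uses.
function Test-ConnectorPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $TenantHost,
        [string] $ProxyIssuerPattern = 'Proxy|Inspection|Firewall'
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Windows Server 2019 is build 17763; ProductType 1 means a workstation SKU.
    $osOk = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 17763)

    # The connector host must be joined to a domain in the forest it will serve.
    $domainOk = [bool]$cs.PartOfDomain

    # Outbound SSL inspection shows up as the tenant's leaf certificate being
    # re-signed by an internal CA instead of the public CA that issued it.
    $issuer = $null; $sslOk = $false
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($TenantHost, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($TenantHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $issuer = $leaf.Issuer
        $sslOk = -not ($issuer -match $ProxyIssuerPattern)
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $issuer = "connection failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OsBuild            = $os.BuildNumber
        OsRequirementMet   = $osOk
        Domain             = $cs.Domain
        DomainJoined       = $domainOk
        TenantCertIssuer   = $issuer
        NoSslInspection    = $sslOk
        AllRequirementsMet = ($osOk -and $domainOk -and $sslOk)
    }
}

# Example run against the page's sample tenant name; replace with your own tenant.
Test-ConnectorPrerequisites -TenantHost 'Alpha1.delinea.app' | Format-List
```

Review the TenantCertIssuer value even when NoSslInspection is true: the pattern is only a heuristic, and an unfamiliar issuer on the tenant's certificate is the signal that an inspection proxy sits in the path.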

Please Note:

  • Provision an appropriate server to run the connector. The same server that is running the Distributed Engine can be used, but the minimum requirements will differ.

  • Directory integration on the platform works slightly differently than in Secret Server and creates a connection to the directory for live querying on-demand.

  • The connector must be configured to migrate Active Directory users or groups for each forest from which Secret Server users are synchronized.

  • If you do not have any AD domains configured in Secret Server, this step will automatically be completed and show the message: No Active Directory Domains configured in Secret Server and no connectors are required.

Step 5: Set up Federation

In this step you will configure your federation providers for single sign-on.

Federation is configured much as for any other application; guides for some popular IdPs are available in the Federation documentation.

  • If Secret Server currently has Active Directory users, and this Federation source is intended for logging them in, set the mapping option to Required and ensure that Create local user if unable to map is disabled. These settings prevent a user from being logged in unless they exist in the domain, and ensure that the platform has access to all the associated data, like group membership and enabled state.

  • If this Federation source is intended for users that are not currently associated with a domain in Secret Server, set the mapping option to Required and ensure that Create local user if unable to map is enabled. These settings will create all users as Delinea Directory users, as opposed to Federated Directory users, which assists with the migration process.

  • Add any UPN suffixes or login domains to the list of domains at the bottom of the federation configuration. This determines which usernames will trigger redirection to this IdP, and which domain connectors are used for finding domain users.

Step 6: Data Pre-check

Check and synchronize Secret Server users, groups, and roles into the Delinea Platform Identity Store.

The Integration Center is used to move the data the platform needs to correctly associate, map, and authenticate local users, giving them an enhanced experience when logging in to the Delinea Platform. When targeting local groups for migration, the following data will be copied into the Platform Identity Service:

Secret Server Roles

All roles that exist within Secret Server will be copied into the platform database, with the prefix Secret Server added to their names. For example, the Administrator built-in role in Secret Server will be copied into the Secret Server Administrator role on the platform.

Local Users

Users will be copied from Secret Server Cloud into the platform, including the password hash, enabling them to log in to the platform directly with their existing Secret Server username and password.

Local Groups

New platform groups will be created with the same name as the existing Secret Server groups, and the membership will be updated to reflect the membership in Secret Server. These groups will be set to Managed by platform and will become read-only in Secret Server.

Associations Between Local Groups and Domain Users with the Delinea Connector

All domain users that belong to migrated groups will be looked up in the domain via the Delinea Connector, and an association made to the user in Secret Server such that when Secret Server needs information about the user, it can request it from the Platform. Once the user logs in, the Platform will associate them with the group.

Associations Between Local Groups and Secret Server Roles

Any group selected for migration will become a member of the Platform role which represents the equivalent role in Secret Server. For example, the Break-Glass Admins group that is currently a member of the Administrator role would become a member of the Secret Server Administrator platform role.

Before and after migrating a group, the users and groups will remain unchanged in Secret Server, aside from the new metadata that provides information on looking those objects up in the Platform.

At this point, users can authenticate to either Secret Server or the Delinea Platform, and have equivalent access and experience aside from some UI differences between the two applications.

We recommend migrating a small number of users first and validating the process and the user functionality described above, before migrating larger batches through to completion.

Step 7: Complete the integration

This is the final step for unifying management after all local users, groups, roles and permissions have been copied over (migrated) to the Delinea Platform.

In this step, you will transfer management of roles and permissions to the Delinea Platform as the authority.

Role and permissions management in Secret Server will change to read-only.

Users and groups are fully orchestrated by the platform, and any updates to the platform objects (user details, membership changes, etc.) will be reflected in Secret Server.

The diagram below shows the information flow once this step is completed.

After this step is implemented, we strongly recommend having all users log in via the Delinea Platform and access Secret Server. See this demonstration.

Now that you are fully integrated into the Delinea Platform you can leverage other applications such as.

Welcome to the next generation Delinea Platform.

More useful links: