Using Platform Integration Center

This feature is being rolled out automatically each month to a selection of Secret Server Cloud customers. If you’d like earlier access, please contact your support or account team for assistance.

The seven steps below correspond to a walk-through demonstration of the Platform Integration Center. We recommend walking through the demonstration as you complete these tasks.

Overview

This documentation is for customers who are already using Secret Server Cloud and want to gain the expanded capabilities of the Delinea Platform with a permanent integration.

Prerequisites

You must assign the following permissions to the Secret Server Admin role before the Platform Integration option will appear in the interface (see Secret Server Permissions):

  • Administer Platform Integration

  • View Platform Integration

  • Migrate Data to Platform

Integration Benefits

The Delinea Platform seamlessly extends privileged access management across your company's hybrid, multi-cloud infrastructure, with adaptive controls that help IT and cybersecurity teams to rapidly meet compliance and reduce risk. The Delinea Platform delivers a multitude of benefits, including:

  • Decrease Risk: Enhance your security posture by safeguarding privileged access from login to privilege elevation and proactively address identity-related threats and misconfigurations.

  • More Easily Meet Compliance: Adaptive authorization controls and unified auditing simplify the enforcement and demonstration of compliance requirements.

  • Centralize Control: Manage privileged access across shared credentials and all identities spanning data, applications, cloud, and traditional infrastructure.

  • Scale Your PAM Program: Leverage the Delinea secure cloud-native architecture to mature your organization through the seamless adoption of privilege controls and shared capabilities.

  • Realize Fast ROI: Benefit from wizard-driven setup, configuration, and workflows that are easy to adopt.

  • Benefit from Cloud-Native Resilience: Experience the most resilient solution, boasting 99.99% uptime.

Learn more about the Delinea Platform and its shared service capabilities.

After Integration

What Changes

Once the integration is complete, the platform and Secret Server run with unified administration. Management of roles and permissions transfers completely to the platform, and they become read-only in Secret Server.

What Stays the Same

When Secret Server and the Delinea Platform are integrated, secrets work the same way on the platform that they always worked on Secret Server. The integrated systems share secrets and pinned folders, as well as administrative privileges, permissions, and access settings.

Secret Server Cloud customers keep everything they know and use today with no disruption to their secrets, workflows, files, or permissions.

  • All your secrets, data, and permissions remain intact and accessible

  • There will be no downtime or disruption to service when you opt in and move identity to the Platform

  • All your integrations remain configured

  • All your customization remains intact

  • You will notice very few UI differences

  • All historical data and audit trails remain visible

  • You keep all functionality and features you currently have

  • Your current SLA remains in effect and intact

Have users log on early

Users will not appear on the platform’s list of users until they log onto the platform for the first time. We strongly recommend having all users log on to the platform to access Secret Server soon after the integration.

Here is a useful demonstration showing how users can log on to the Delinea Platform and access Secret Server.

Integration Steps

In Secret Server Cloud, launch the Platform Integration Center:

  1. Click Settings from the left navigation menu, then navigate to Platform Integration Center.

Optional: If you see a New! button near the top of the portal, you can also click that to be taken to the Platform Integration Center procedure.

If you do not see the New! button but would like to use it, you can still provision a platform tenant by contacting your Delinea representative or by completing the steps below:

  1. Browse to <tenant>.secretservercloud.com/ConfigurationAdvanced.aspx.

  2. Edit the configuration, and set the “Delinea Platform Enablement Code” to BETTERTOGETHER.

  3. Save the configuration.

  4. Go back to the Secret Server home page.

  5. Click the “New!” button at the top near the search bar.

  6. Follow the guide, entering a tenant name and initial admin email address.

  7. Access the tenant through the link in the browser or in the invitation email sent to the initial admin email address.

  8. Set a password for the cloudadmin@<tenant> account.

Step 1: Provision a Platform Tenant

In this step, you will create a new Delinea Platform tenant and log in. This step is required before proceeding to the next step.

During this process, you will provide a tenant name that is typically the same as your Secret Server Cloud tenant name. For example, if Secret Server Cloud is named Alpha1.secretservercloud.com, then your Platform tenant would be named Alpha1.delinea.app.

The default region will match your Secret Server Cloud region. If it is the United States (US), then the platform will also be hosted on the US cloud.

Once the Tenant setup is complete, click Launch Platform. The process will automatically log you on to the Delinea Platform where you will be asked to update the account password for the cloudadmin account. Please remember the password you have set.

Launch the Platform Integration Center from the platform this time:

  1. Navigate to Platform Integration Center, where you can begin Step 2: Secure Access.

The initial platform administrator is named cloudadmin@[tenantname], and all processes described in this document must be completed by that cloudadmin user. The cloudadmin user gets the same Secret Server permissions as the user provisioning the platform tenant. On the Delinea Platform, the cloudadmin user gets additional permissions as a Platform Administrator.

Step 2: Secure Access

On the Platform, user security and log-in configurations are managed by Identity Policies. If you configure one or more Active Directories using the Delinea Connector, we strongly recommend implementing an Allow List identity policy. Although a default policy provides baseline configuration, you should tailor it to your organizational requirements.

In Step 2: Secure Access, you will configure the platform for allow-list authentication, similar to existing Secret Server behavior.

The steps below configure an Allow List identity policy that mirrors the default policy but is scoped to a specific group membership, so that only the specified users can meet the profile. The steps then set the default policy to deny access to any users who do not meet the newly configured profile.

For more details about these settings, see Identity Policies.

If this policy is not created automatically during this step, you can manually create a new Identity Policy by following the steps below.

  1. Navigate to the Groups page.

  2. Create a new group.

  3. Name the group to indicate that it defines all users who can authenticate to the platform, such as Acme Platform Users.

  4. Add the cloudadmin user to the group.

  5. Add any other users that are currently using the platform to the group, either directly or by a group that they are a member of.

  6. Navigate to the Identity Policies page.

  7. Add a new policy.

  8. Name the policy to indicate that it will control how most users authenticate to the platform, such as Acme Default Authentication Policy.

  9. Leave the policy disabled.

  10. Add a description if desired.

  11. Target specific groups, and select the group that was configured above.

  12. In the new policy, click the Authentication tab.

  13. Edit the Services section.

    1. Enable authentication policy controls.

    2. Set the Default Authentication Profile to Default Other Login Profile.

    3. Save the section.

  14. Edit the Authentication Rules section.

    1. Add a rule named Identity cookie is not present.

    2. Select the Default New Device Login Profile.

    3. Add a filter by selecting Identity Cookie and setting Is not present for the condition.

    4. Save the filter, rule and section.

      If saving any of these settings causes an error:

      • Ensure that all steps above have been completed correctly.

      • Ensure that the cloudadmin user can meet the requirements of the two authentication profiles configured above.

  15. Open the Overview tab and enable the policy.

  16. Navigate back to Identity Policies.

  17. Edit the default policy.

  18. Open the Authentication tab and edit the Authentication rules section.

  19. Select the row and delete any authentication rules.

  20. Save the section.

  21. Edit the Services section.

  22. Set the Default Authentication Profile to Deny platform authentication.

  23. Save the section.
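The following is an added example, not Delinea's code, that models the two policies configured above (a group-scoped allow-list policy with the identity-cookie rule, and a default policy that denies) to show which authentication profile a login attempt ends up with, and why the cloudadmin membership check in step 14 matters. The evaluation order (enabled targeted policies first, then the untargeted default policy; first matching rule wins) and all class and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Profile names as they appear in the Step 2 procedure.
DENY = "Deny platform authentication"
OTHER_LOGIN = "Default Other Login Profile"
NEW_DEVICE = "Default New Device Login Profile"


@dataclass
class Policy:
    name: str
    enabled: bool
    default_profile: str
    target_groups: frozenset = frozenset()     # empty = untargeted default policy
    rules: list = field(default_factory=list)  # (name, condition, profile)


@dataclass
class LoginAttempt:
    user: str
    groups: frozenset
    identity_cookie_present: bool


def resolve_profile(policies, attempt):
    """Profile that applies to this attempt (assumed evaluation order:
    enabled targeted policies first, then the untargeted default policy;
    first matching rule wins, else the policy's default profile)."""
    targeted = [p for p in policies if p.enabled and p.target_groups]
    fallback = [p for p in policies if p.enabled and not p.target_groups]
    for policy in targeted + fallback:
        if policy.target_groups and not (policy.target_groups & attempt.groups):
            continue  # user is not in the policy's target group
        for _name, condition, profile in policy.rules:
            if condition(attempt):
                return profile
        return policy.default_profile
    return DENY  # no enabled policy matched


def build_step2_policies(allow_group):
    """Policies as configured in Step 2: scoped allow-list policy plus a denying default."""
    allow_list = Policy(
        name="Acme Default Authentication Policy", enabled=True,
        default_profile=OTHER_LOGIN, target_groups=frozenset({allow_group}),
        rules=[("Identity cookie is not present",
                lambda a: not a.identity_cookie_present, NEW_DEVICE)])
    default = Policy(name="Default Policy", enabled=True, default_profile=DENY)
    return [allow_list, default]


def admin_can_still_authenticate(policies, admin_attempt):
    """The check step 14 asks for: cloudadmin must not end up denied."""
    return resolve_profile(policies, admin_attempt) != DENY
```

Run `admin_can_still_authenticate` against the cloudadmin account before enabling the policy in step 15; a cloudadmin left out of the allow-list group resolves to the denying default and would be locked out.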

Step 3: Customize Branding

In this step you will configure the platform’s look and feel to comply with organizational expectations.

If your current Secret Server Cloud tenant has branding customizations, this step will copy those branding customizations to your Delinea Platform tenant.

If you have any branding customizations already in the Delinea Platform, there are no actions needed for this step and it will be marked as such.

If you do not have any branding customizations and none are detected, you can skip this step.

Step 4: Connect Domains

In this step, you will install a Delinea Connector in each forest containing any Active Directory domain(s) currently synchronized with Secret Server.

Basic Requirements for Installing the Delinea Connector:

  • Windows Server 2019 or newer

  • No outbound SSL inspection

  • Domain-joined to a domain in the forest

Please Note:

  • Provision an appropriate server to run the connector. The same server that is running the Distributed Engine can be used, but the minimum requirements will differ.

  • Directory integration on the platform works slightly differently than in Secret Server and creates a connection to the directory for live querying on demand.

  • The connector must be configured to migrate Active Directory users or groups for each forest from which Secret Server users are synchronized.

  • If you do not have any AD Domains configured in Secret Server, this step will automatically be completed and show the message, No Active Directory Domains configured in Secret Server and no connectors are required.

Step 5: Connect Entra ID Tenants

Configure Entra ID on the Delinea Platform for any Entra ID Directory Services integration in Secret Server.

In this step you are setting up an Entra ID API integration on the Delinea Platform. This step ensures the platform is configured to handle Entra ID tenants that Secret Server is currently using for directory synchronization. It ensures that for each Entra ID directory synchronization configured within Secret Server, there is an appropriate configuration on the Delinea Platform.

An application registration manages OAuth/OIDC integrations with other platforms. It enables the Delinea Platform to securely connect with third-party integrations such as Entra ID. This registration enables the platform to authenticate and interact with external systems, ensuring secure data and identity exchanges while maintaining high security and compliance standards.

The platform provides two options for this integration. You need to choose only one of these methods:

  • Creating a Delinea-managed app. This approach is recommended if you prefer to configure the Entra ID integration entirely within the Delinea Platform and let Delinea handle the creation and management of the necessary Azure components.

  • Creating a customer-managed registered app. This approach is suitable if you prefer to maintain full control over the integration and manage the Azure resources yourself.

For details on the roles required for the following procedure, see Prerequisites.

Follow the steps below:

  1. Click the Start button. The interface is very similar to that of the previous step, Connect Domains, but this time it identifies an Entra domain configured within Secret Server that is not yet connected to the platform.

  2. Click the Configure Entra ID button to navigate to the appropriate configuration page for Entra ID on the platform and complete the integration (see Entra ID API Integration for details).

  3. Return to the Platform Integration Center and click the Refresh button to see that the Entra ID tenant is now connected.

  4. Mark the step complete and move on to the next step.

Step 6: Set up Federation

In this step you will configure your federation providers for single sign-on.

Federation is configured much as for any other application; guides for some popular IdPs are available in SAML and OIDC Federation.

  • If Secret Server currently has Active Directory users, and this Federation source is intended for logging them in, set the mapping option to Required and ensure that Create local user if unable to map is disabled. These settings prevent a user from being logged in unless they exist in the domain, and ensure that the platform has access to all the associated data, like group membership and enabled state.

  • If this Federation source is intended for users that are not currently associated with a domain in Secret Server, set the mapping option to Required and ensure that Create local user if unable to map is enabled. These settings will create all users as Delinea Directory users, as opposed to Federated Directory users, which assists with the migration process.

  • Add any UPN suffixes or login domains to the list of domains at the bottom of the federation configuration. This determines which usernames will trigger redirection to this IdP, and which domain connectors are used for finding domain users.

Step 7: Data Pre-check

Check and synchronize Secret Server users, groups, and roles into the Delinea Platform Identity Store.

The integration center is used to move the required data for the Platform to correctly associate, map, and authenticate local users to facilitate an enhanced experience when logging into the Delinea Platform. When targeting Local Groups for migration, the following data will be copied into the Platform Identity Service:

Secret Server Roles

All roles that exist within Secret Server will be copied into the platform database, prefixed with Secret Server. For example, the Administrator built-in role in Secret Server will be copied into the Secret Server Administrator role on the platform.

Local Users

Users will be copied from Secret Server Cloud into the Platform, including the password hash, enabling them to log in to the platform directly with their existing Secret Server username and password.

Local Groups

New platform groups will be created with the same name as the existing Secret Server groups, and the membership will be updated to reflect the membership in Secret Server. These groups will be set to Managed by platform and will become read-only in Secret Server.

Associations Between Local Groups and Domain Users with the Delinea Connector

All domain users that belong to migrated groups will be looked up in the domain via the Delinea Connector, and an association will be made to the user in Secret Server such that when Secret Server needs information about the user, it can request it from the Platform. Once the user logs in, the Platform will associate them with the group.

Associations Between Local Groups and Secret Server Roles

Any Secret Server group selected for migration will become a member of the Platform role associated with the Secret Server role attached to the Secret Server group. For example, the Break-Glass Admins group that is currently a member of the Administrator role in Secret Server would become a member of the platform's Secret Server Administrator role.

Before and after migrating a group, the users and groups will remain unchanged in Secret Server, aside from the new metadata that provides information on looking those objects up in the Platform.

At this point, users can authenticate to either Secret Server or the Delinea Platform, and have equivalent access and experience aside from some UI differences between the two applications.

We recommend migrating a small number of users first and validating the process and the user functionality described above, before migrating larger batches through to completion.

Step 8: Complete the Integration

This is the final step for unifying management after all local users, groups, roles and permissions have been copied over (migrated) to the Delinea Platform.

In this step, you will transfer management of roles and permissions to the Delinea Platform as the authority.

Role and permissions management in Secret Server will change to read-only.

Users and Groups are fully orchestrated by the Platform and any updates to the platform objects (user details, membership changes etc.) will be reflected in Secret Server.

The diagram below shows the information flow once this step is completed.

After this step is implemented, we strongly recommend having all users log in via the Delinea Platform and access Secret Server. See this demonstration.

Now that you are fully integrated into the Delinea Platform you can leverage other applications such as.

Welcome to the next generation Delinea Platform.

More useful links: