Manually Integrate Secret Server Cloud

For Secret Server users to use secrets from the Delinea Platform, their Secret Server and platform accounts must share the identical login username. This is true for any administrative accounts used for setting up the Delinea Platform and Secret Server.

Delinea Platform users working with a Secret Server cloud deployment (and URL) will not see Remote Access in the top-level left navigation. The PRA engine is automatically enabled to launch remote access for secrets that are based on appropriate templates.

New customers who sign up for a platform trial are assigned full administrator privileges within both the Delinea Platform and the integrated Secret Server Cloud.

When a new Delinea Platform user account is created and that user first logs in to the platform, the platform checks for an existing corresponding account (by username, domain, and UPN) in Secret Server. If a corresponding account already exists in Secret Server, the platform account is linked to the Secret Server account automatically. If there is no corresponding account in Secret Server, Secret Server automatically creates one and links it to the platform account. The two accounts appear to the user as a single account.

Retrieve the Platform Integration Credentials

  1. Log in to the Delinea Platform with an administrative account.

  2. Click Settings from the left navigation, then select Authentication Profiles.
  3. Click the Secret Server Connection tab.

  4. Copy the Client ID and Client Secret and save them for use in the next section.

  5. In the Secret Server URL field, add your Secret Server URL. For example, https://<tenant>.secretservercloud.com.

  6. Click Save.

If you need to regenerate the credentials (Client ID and Client Secret), please contact Delinea technical support.

To test the connection, click Test Connection. The connection status messages depend on your configuration, but could include Connection was successful, Integration was not configured, Integration URLs do not match, or Did not receive an integration response.

Enable Platform Integration in Secret Server

  1. Log in to Secret Server with an administrative account.

  2. Select Administration > Tools & Integrations.

  3. Under Tools & Integrations, click Platform Integration.

  4. Click the Configuration tab.

  5. Fill in the fields as follows:

    • Reply URL: Pre-filled
    • Login URL: The login URL displayed on the platform under Settings > Secret Server Connection; for example, https://<hostname>.delinea.app/identity.
    • Client ID: The Client ID you copied in the previous steps
    • Client Secret: The Client Secret you copied in the previous steps
    • Profile Name: Pre-filled
    • Logout URL: The logout URL endpoint for the platform; for example, https://<hostname>.delinea.app/identity/api/Security/Logout
    • Enable audit integration: Yes. In future releases, this setting will probably not be optional.
    • Forward inventory data to Delinea Platform: Yes. In future releases, this setting will probably not be optional.
    • Synchronization Interval: Sets the interval for the Synchronize Platform function
    • Enable Platform on login page: If Yes, the platform login option appears on the Secret Server login page. If No, the platform login option is still accessible but does not appear on the Secret Server login page.
    • Force Platform Only Login: Redirects to platform login
    • Platform Tenant's ID: The platform tenant's unique identifier (read only)
    • Vault ID: The identifier for the Secret Server instance (read only)
    • Use Platform settings: Yes enables Unified Mode, which consolidates role, user, and group management in the platform. After the systems are in sync, this is the last step of the Secret Server migration to the platform. Once enabled, integral areas of the product are consolidated and this option cannot be disabled.
  6. Select the Enabled checkbox.
  7. Click Save.
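Before entering the values from the procedure above into the Configuration tab, it helps to check them locally for the mistakes that commonly produce a failed Test Connection (plain http, login and logout URLs on different platform hosts, an empty Client Secret). The following pre-flight check is an added example, not Delinea's code; the sample values are constructed, the URL shapes follow the examples given on this page, and the reading of "Integration URLs do not match" as a host mismatch is an assumption.

```python
from urllib.parse import urlparse

# Constructed sample values (not a real tenant); URL shapes follow the
# examples in the procedure above.
SAMPLE_CONFIG = {
    "secret_server_url": "https://example-tenant.secretservercloud.com",
    "login_url": "https://example-tenant.delinea.app/identity",
    "logout_url": "https://example-tenant.delinea.app/identity/api/Security/Logout",
    "client_id": "placeholder-client-id",
    "client_secret": "placeholder-client-secret",
    "enable_audit_integration": True,
    "forward_inventory_data": True,
}


def check_platform_integration(cfg):
    """Return a list of problems found in the Platform Integration form values.

    An empty list means every check passed. The checks encode the field
    descriptions in the procedure (HTTPS URLs, one platform host, expected
    identity paths, non-empty credentials). This is a local pre-flight check,
    not Secret Server's own validation logic, which is not documented here.
    """
    problems = []
    ss = urlparse(cfg.get("secret_server_url", ""))
    login = urlparse(cfg.get("login_url", ""))
    logout = urlparse(cfg.get("logout_url", ""))
    for name, u in (("Secret Server URL", ss), ("Login URL", login), ("Logout URL", logout)):
        if u.scheme != "https" or not u.hostname:
            problems.append(f"{name} must be an https URL with a hostname")
    # Login and Logout URLs must point at the same platform tenant; a mismatch
    # is assumed to be one cause of an "Integration URLs do not match" result.
    if login.hostname and logout.hostname and login.hostname != logout.hostname:
        problems.append("Login URL and Logout URL point at different platform hosts")
    if login.path.rstrip("/") != "/identity":
        problems.append("Login URL path should be /identity")
    if logout.path != "/identity/api/Security/Logout":
        problems.append("Logout URL path should be /identity/api/Security/Logout")
    # Domain pattern taken from the page's own example for Secret Server Cloud.
    if not ss.hostname or not ss.hostname.endswith(".secretservercloud.com"):
        problems.append("Secret Server URL is not a <tenant>.secretservercloud.com URL")
    for key in ("client_id", "client_secret"):
        if not cfg.get(key, "").strip():
            problems.append(f"{key} is empty; copy it from Settings > Authentication Profiles")
    for key in ("enable_audit_integration", "forward_inventory_data"):
        if cfg.get(key) is not True:
            problems.append(f"{key} should be set to Yes")
    return problems
```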

Verify the Integration in the Platform

  1. Log in to the Delinea Platform. If you're already logged in, log out, then log back in.
  2. From the left navigation menu, click Secret Server, then select All secrets from the secondary menu.
  3. The All Secrets page displays all of your secrets from Secret Server, now shared with the platform.

Verify the Integration in Secret Server

  1. Sign out of Secret Server Cloud and return to the Secret Server login page.

  2. When prompted for an identity provider, select Platform.

  3. The Delinea Platform authentication screen displays.

  4. Sign in with the credentials for the newly created Delinea Platform account that maps to your Secret Server account.

  5. If you can log in successfully, your integration between Secret Server Cloud and the Delinea Platform is complete.

  6. Refresh the Delinea Platform page. The Secrets tab appears in the left navigation, and the browser launcher appears in Secret Server.

Because cloudadmin is not your Secret Server administrator account, while you are logged in as cloudadmin you will not be able to see your existing secrets in Secret Server or use your existing Secret Server administrator permissions. This is expected behavior and it does not indicate a failed integration. Do not change the cloudadmin username to match an existing Secret Server username, because that will break the synchronization between the Delinea Platform and Secret Server.

Link Platform and Secret Server Groups

When a platform user with administrator permissions in both platform and Secret Server identifies an existing platform group they want to link to a Secret Server group, the administrator provides Secret Server with the name of the platform group to be linked. Secret Server then retrieves the critical information about the platform group and uses it to automatically generate a new Secret Server group that is based on, linked to, and named for the original platform group.

These linked, automatically generated Secret Server groups are identified in Secret Server as Enabled Platform Groups. For Enabled Platform Groups, Secret Server manages the Secret Server permissions, and platform manages the platform permissions. Platform also manages the group memberships, so all members of Enabled Platform Groups are platform accounts.

Platform groups that can be linked to Secret Server groups this way include local as well as non-local platform groups, such as groups from external AD directories.

An Enabled Platform Group can coexist in Secret Server with a Secret Server-only group by the same name. The two groups remain distinct, and only one is identified as an Enabled Platform Group.

The group linking process moves in one direction: from the platform to Secret Server. So although you can link an existing platform group to a new Enabled Platform Group in Secret Server, you cannot link an existing Secret Server group to a platform group.

In this example, we will use Platform Test Group as the group name.

  1. Click Settings from the left navigation, then select Administration below Secret Server.

  2. On the Secrets Administration page, click Platform Integration.

  3. Click the Groups tab.
  4. Next to Enabled Platform Groups, click Edit.
  5. In the Select Groups box, enter the name of a platform group that you want to sync to a new Secret Server group. In this example, Platform Test Group is the group name. Secret Server then queries the platform identity service and when it finds the group named Platform Test Group, the group's name is displayed beneath the Search field with a check box next to it.
  6. Select the box next to Platform Test Group.
  7. Click Save.

After the platform and Secret Server groups are linked, you can find the new Secret Server group named Platform Test Group from anywhere in Secret Server where groups are referenced. When you click to open Platform Test Group, the group page opens with a banner at the top stating, The members of this group are managed by Platform.

Synchronize Platform and Secret Server Groups

After the groups are linked, they are synchronized automatically at set intervals. The first time you link a platform group to a Secret Server group, the periodic sync might not happen immediately, so you might not see the platform accounts in the Secret Server group right away. To force the groups to sync:

  1. Click Settings from the left navigation, then select Administration below Secret Server.

  2. On the Secrets Administration page, click Platform Integration.

  3. Click the Groups tab.
  4. Click Sync Now.

The group synchronization process moves in one direction: from the platform to Secret Server. Existing platform groups sync to their linked Enabled Platform Groups in Secret Server, but existing Secret Server groups do not sync to platform groups.