Thycotic One and Secret Server

Overview

Thycotic One is a legacy single-sign-on provider for Delinea applications. With Thycotic One, one user account can be granted access to multiple Delinea products, such as Secret Server, Privilege Manager, DevOps Secrets Vault, and Account Lifecycle Manager. Thycotic One enables login integration using the OpenID Connect protocol, an industry-standard single-sign-on method.

This article describes the Thycotic One configuration options available in Secret Server.

Cloud versus On-Premise

For Secret Server Cloud, Thycotic One is the default identity provider. When you set up the cloud instance, it will already be configured and ready to use Thycotic One. The initial admin user will log in with their Thycotic One account, and optionally, all newly created Secret Server accounts can be synchronized with Thycotic One, so they can log in that way as well.

For the on-premise version of Secret Server, Thycotic One integration is off by default, but it is supported. You can turn on Thycotic One integration and configure it. For example, you might want to share an identity provider between your on-premise instance and one or more other cloud products.

Procedures

Logging in with Thycotic One

When Thycotic One integration is turned on, all Secret Server users can log in either with their local passwords or with Thycotic One. All Secret Server permissions and configuration will apply to that user regardless of how they logged in.

However, the local username and password and the Thycotic One username and password are not necessarily the same thing. In Thycotic One, you'll log in with your email address rather than your username, and the password you use may very well be different from the Secret Server password.

You'll see this on the login screen:

(screenshot: Secret Server login screen with the Local Login and Login with Thycotic One options)

Clicking Local Login will bypass Thycotic One and allow the user to log in with their local Secret Server password. Clicking Login with Thycotic One will redirect the user to Thycotic One to authenticate. Once that is successfully done, the user will be redirected back to Secret Server.

After clicking Login with Thycotic One, users will type their email address and password:

(screenshot: Thycotic One email address and password prompt)

And then be redirected back to their dashboard in Secret Server.

Configuring Thycotic One

Thycotic One integration is configured on the Admin > Configuration page, under the Login tab. You can view the configuration there:

(screenshot: Admin > Configuration > Login tab showing the Thycotic One configuration)

The Sync Now button provides a way for you to trigger a synchronization of your Secret Server accounts with Thycotic One. In most cases, you will not need to use this, as synchronization will happen on a schedule or whenever a relevant event happens, such as enabling a user or performing an Active Directory synchronization. Only active user accounts with email addresses will be synchronized.

Click Edit at the bottom of the page to change the configuration. The available options are slightly different between the cloud and on-premise versions of Secret Server.

Secret Server Cloud

When editing the options in Secret Server Cloud, you'll see something like this:

(screenshot: Thycotic One options when editing in Secret Server Cloud)

Here are the available options:

  • Enable Thycotic One Integration: Turn on to enable Thycotic One functionality. Turn off to completely disable Thycotic One logins and synchronization. Make sure you have an admin account with a working local password.
  • Secret Server Redirect URI: For informational purposes, this shows the page address to which you are redirected after you have logged in with Thycotic One.
  • Thycotic One Server URL: The Thycotic One server you have connected to. There is one separate Thycotic One instance in each Secret Server Cloud region.
  • Client ID: The client ID portion of the Thycotic One server credentials.
  • Client Secret: The client password portion of the credentials; its value is not displayed.
  • Add New Users to Thycotic One: When checked, Secret Server accounts will be synchronized with Thycotic One. Adding a user will send them a welcome email, where they can set up their Thycotic One account password and log into Secret Server. When unchecked, users will not be synchronized and no email will be sent. New users will not be able to log in with Thycotic One, unless you click Sync Now on the Admin > Configuration > Login page, which will synchronize all active users.
  • Use Thycotic One authentication as the default: When checked, Thycotic One authentication is used for the REST and SOAP APIs and mobile apps. Users who have logged in with Thycotic One use their Thycotic One account passwords for those activities, rather than their local Secret Server account passwords. When unchecked, they will use their local Secret Server account passwords for those activities.

In Cloud, the server URL, client ID, and client secret cannot be edited; they are set for you when the instance is provisioned.

Secret Server On-Premise

When editing the options in Secret Server on-premise, you'll see something like this:

(screenshot: Thycotic One options when editing in Secret Server on-premise)

Unlike in Cloud, the server URL, client ID, and client secret can be edited in an on-premise instance. You can generate Thycotic One credentials using Delinea's cloud management portal, Cloud Manager. Otherwise, the configuration options behave the same as in Cloud.

Generating a Thycotic One Credential

To generate a credential for use in an on-premise Secret Server instance, follow the steps below:

  1. From Cloud Manager, choose a Thycotic One region under Other Login Options.

  2. Log into Thycotic One as a user that will be managing your organization's credentials. Create an account if you have not yet done so.

  3. Go to Cloud Manager at https://portal.thycotic.com/.

  4. Click Sign In. You are redirected to our tech support portal login.

  5. Click the button for the Thycotic One region you chose. Since you are already logged in to Thycotic One, this will redirect you back to Cloud Manager.

  6. Next, choose a team: In the menu, go to Manage > Teams. You may already have one if you have an existing cloud product. If not, create one. Each team can handle multiple Thycotic One credentials.

  7. Having selected your team, go to Organizations. Again, if you already have an organization, you can use it; if not, you can create one. An organization provides a way to manage the global login policies for all users.

  8. Go to Credentials. Click Add. An Organization Credential dialog box appears:

    (screenshot: Organization Credential dialog box in Cloud Manager)

  9. The available fields are as follows:

    • Name: A description of the application using this credential, for informational purposes.
    • Post-Login Redirect URIs: A list of valid URIs that will be allowed to authenticate with this credential. The value of "Secret Server Redirect URI" from your on-premise instance should go here. If users access your instance with more than one URI, you may want to add all of them here by clicking the + button to create additional fields. Unless an application supplies a URI that is an exact match to one of these, Thycotic One will not complete the authentication.
    • Post-Logout Redirect URIs: Secret Server does not support this feature, so this may be left blank.
    • Credentials: The fields in this area contain the values you need to put into the Thycotic One configuration in Secret Server. Copy and paste them into the corresponding fields.
  10. Once you capture all the values, click Save, and then save the configuration in Secret Server as well. Your instance is now fully integrated with Thycotic One. If you selected the synchronization option, Secret Server will immediately sync your active users with Thycotic One, and they'll receive welcome emails describing how to continue the process.
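The following is an added example, not Delinea's code, illustrating the two halves of the exchange described above: the relying party (Secret Server) sends its "Secret Server Redirect URI" as the redirect_uri parameter of an OpenID Connect authorization request, and the provider (Thycotic One) only completes the login when that value is an exact match for one of the registered Post-Login Redirect URIs. Every hostname, path, client ID and the authorize endpoint path are constructed placeholders; the real Thycotic One endpoints are not given on this page. A deliberately wrong prefix-match comparator is included alongside the exact-match check to show why the exact-match rule matters.

```python
# Added example (not Delinea's code). Hostnames, paths, the client ID and the
# authorize endpoint path below are constructed placeholders.
from secrets import token_urlsafe
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the "Post-Login Redirect URIs" an administrator registered
# in Cloud Manager for a hypothetical on-premise Secret Server instance.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://ss.example.internal/SecretServer/oidc-callback",
    "https://secretserver.example.internal/SecretServer/oidc-callback",
})

# Constructed placeholder; the real Thycotic One authorize path is not on the page.
AUTHORIZE_PATH = "/connect/authorize"


def build_authorize_url(server_url: str, client_id: str, redirect_uri: str,
                        state: str = "") -> str:
    """Build the authorization-code request the relying party redirects the
    browser to. `server_url` and `client_id` correspond to the "Thycotic One
    Server URL" and "Client ID" settings, `redirect_uri` to "Secret Server
    Redirect URI". `state` ties the provider's response back to this browser
    session and is generated unguessably when not supplied."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state or token_urlsafe(16),
    }
    return server_url.rstrip("/") + AUTHORIZE_PATH + "?" + urlencode(params)


def is_allowed_redirect(requested: str, registered: frozenset) -> bool:
    """Exact-match check: True only if `requested` is character-for-character
    one of the registered URIs. No prefix, wildcard or case-folded matching,
    so a value that merely starts with a registered URI (extra path segment,
    added query string, look-alike host) is refused."""
    parts = urlsplit(requested)
    if parts.scheme != "https" or not parts.netloc:
        return False  # only absolute https URIs are even compared
    return requested in registered


def naive_prefix_match(requested: str, registered: frozenset) -> bool:
    """Counter-example of what a provider must NOT do: accepting any value that
    begins with a registered URI lets a query string or extra path steer the
    browser (and the authorization code it carries) to an unapproved target."""
    return any(requested.startswith(r) for r in registered)


def provider_decision(authorize_url: str, registered: frozenset) -> str:
    """Simulated provider-side handling: pull redirect_uri out of the request
    and apply the exact-match rule. Returns "allow" or a refusal reason,
    mirroring "Thycotic One will not complete the authentication"."""
    query = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    values = query.get("redirect_uri", [])
    if len(values) != 1:
        return "refuse: redirect_uri missing or repeated"
    if not is_allowed_redirect(values[0], registered):
        return "refuse: redirect_uri not registered"
    return "allow"


if __name__ == "__main__":
    server = "https://thycotic-one.example"  # placeholder server URL
    good = build_authorize_url(server, "client-id-placeholder",
                               "https://ss.example.internal/SecretServer/oidc-callback")
    print(provider_decision(good, REGISTERED_REDIRECT_URIS))
    altered = build_authorize_url(server, "client-id-placeholder",
                                  "https://ss.example.internal/SecretServer/oidc-callback?next=https://elsewhere.example")
    print(provider_decision(altered, REGISTERED_REDIRECT_URIS))
```

The practical consequence for the procedure above is the one the page states: if users reach your instance through more than one hostname, each resulting "Secret Server Redirect URI" must be registered separately, because `is_allowed_redirect` (like Thycotic One) will not treat a near match as a match.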