Authentication Strategy

Defining your authentication strategy ensures you have standardized authentication practices in line with your Secret Server RBAC scheme. Secret Server offers a wide variety of authentication options that can add flexibility and security to your business user's authentication process.

Strong Authentication

Protect the tool you are using to secure your privileged accounts by adding a second factor of authentication for users logging into Secret Server. Two-factor authentication can be added whether users are logging in with local or AD accounts. For more information about using two-factor authentication with Secret Server, see the Security Hardening Guide.

SAML

If your organization is already using SAML for SSO across your organization, it might be a good option for Secret Server authentication too. SAML uses browser-based communication, between the service provider (Secret Server) and the identity provider (SSO providers) to broker authentication. For more information on configuring SAML with Secret Server, please see the . The major benefits SAML provides are:

  • A consistent MFA strategy across all applications in your environment.
  • Simplified authentication communication: The browser handles the process. For SSC, if the authentication strategy is to authenticate against the domain, that communication must flow from Secret Server Cloud to the distribute engine and finally to the domain controller and back for authentication. SAML shortcuts this by having the browser communicate to the service provider and identity providers, reducing authentication latency.
  • Easy to configure, manage, and add new users.
  • Supports multiple MFA options based on conditional access. For example, a user may only need to verify with one factor for accessing less critical apps, but Secret Server uses two-factor authentication.

Directory Services

Secret Server provides a multitude of authentication options through directory services. It can sync users into the application from various LDAP sources. It is important to use an outside authentication source to automate user provisioning. The User Account Options setting in the directory services configuration provides these options:

  • Users are Enabled By Default (Manual)
  • Users are Disabled By Default (Manual)
  • User Status Mirrors Active Directory (Automatic)

There are benefits to each strategy, but the last one is usually best. Using a hybrid group structure prevents new users from gaining permissions before they have been reviewed, and if they are disabled in active directory, they are automatically deprovisioned from the system. This provides automatic user management and easier offboarding strategies.

If you decide to use a manual strategy, we suggest using the automatic user management feature to disable users who have been inactive for a defined period of months. This can prevent long-inactive accounts from being compromised and keep your list of active users current.