Single Sign-On (Version 10.4 and Later, Cloud)

As of version 10.4.000000, Verify Privilege Vault can act as an identity provider for VP-VA.

  • Any user with the View Security Analytics role permission in Verify Privilege Vault may log into VP-VA.
  • Additionally, any user with Administer Security Analytics role permission is able to perform administrative actions once logged into VP-VA through Single Sign-On (SSO).
  • Local VP-VA users (the initial users prior to integrating VP-VA into Verify Privilege Vault) still have administrative rights as well.

Typically, Single Sign On will start working without additional configuration.

Verify Single Sign On

Verify that on both of these pages—<SECRET SERVER>/AdminAnalyticsView.aspx and <VP-VA>/system_settings—the VP-VA and Verify Privilege Vault key pairs both show a status of Confirmed. This key exchange is used for verification of Verify Privilege Vault as an identity provider.

alt

In order to verify that the SSO claim was signed by Verify Privilege Vault, VP-VA must have a copy of Verify Privilege Vault’s public key.Verify Privilege Vault versions 10.4.000000 or later have infrastructure for key exchange and rotation between Verify Privilege Vault and VP-VA.

  • When the integration key is first copied from VP-VA and saved to Verify Privilege Vault, it contains VP-VA’s initial public key.
  • Verify Privilege Vault then generates its own key pair and sends its public key to VP-VA.
  • VP-VA registers Verify Privilege Vault’s public key and sends confirmation back to Verify Privilege Vault.

When a key rotation is initiated, VP-VA generates a new key pair and sends a signed request to Verify Privilege Vault. The rest of the process is the same as the initial key exchange, except that each message is signed and verified during the rotation.

Troubleshooting

If Verify Privilege Vault or VP-VA shows that its Key Pair status is Pending Confirmation, try the Resend Confirmation button in either application.

  • For example, if in Verify Privilege Vaultits key pair is Pending, then you would click the Resend Confirmation button in VP-VA, so that VP-VA will retry communicating to Verify Privilege Vault that VP-VA did register Verify Privilege Vault’s latest public key.